Which order is correct? ECDSA runs before ECDH or after ECDH?

Question

I am confused about the execution order of ECDSA and ECDH, which one runs first ?

Since ECDH can not avoid MITM attach, therefore ECDSA is used to verify the entity. So ECDSA should run before ECDH ?

Or it doens't matter at all?

Answer 1

Since ECDH can not avoid MITM attack

First, here is one of the many ways you could solve this difficulty using RSA instead of DSA (or ECDSA): the client, before sending its ECDH (or DH) public key on the wire, could encrypt this ECDH (or DH) public key with the public RSA key of the server. And this way, the server is the only peer that knows the client ECDH key. Therefore, both sides are protected against man in the middle attacks. Of course, using RSA to encrypt another key may need OAEP.

Or it doens't matter at all?

In your case, using ECDSA instead of RSA, you can not encrypt anything. So you need to have mutual authentication in the protocol you will design: your server and your client must have previously exchanged their public ECDSA keys or must have some kind of PKI with some kind of root certificate to authenticate the remote public ECDSA key. Finally, the client and the server just need to follow those steps, in this order:

• sign their ECDH public key with their ECDSA private key,
• send this information to the other host,
• receive this information from the other host,
• check the signature,
• if the check failed, stop talking,
• if the signature is correctly checked, perform the end of the DH algorithm.