Public Key Cryptography

Public key cryptography (also called assymmetric cryptography) is a collection of techniques allowing for encryption, signatures, and key agreement.

Key Objects

Public and private keys are represented by classes Public_Key and it’s subclass Private_Key. The use of inheritence here means that a Private_Key can be converted into a reference to a public key.

None of the functions on Public_Key and Private_Key itself are particularly useful for users of the library, because ‘bare’ public key operations are very insecure. The only purpose of these functions is to provide a clean interface that higher level operations can be built on. So really the only thing you need to know is that when a function takes a reference to a Public_Key, it can take any public key or private key, and similiarly for Private_Key.

Types of Public_Key include RSA_PublicKey, DSA_PublicKey, ECDSA_PublicKey, DH_PublicKey, ECDH_PublicKey, RW_PublicKey, NR_PublicKey,, and GOST_3410_PublicKey. There are cooresponding Private_Key classes for each of these algorithms.

Creating New Private Keys

Creating a new private key requires two things: a source of random numbers (see Random Number Generators) and some algorithm specific parameters that define the security level of the resulting key. For instance, the security level of an RSA key is (at least in part) defined by the length of the public key modulus in bits. So to create a new RSA private key, you would call

RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator &rng, size_t bits)

A constructor that creates a new random RSA private key with a modulus of length bits.

Algorithms based on the discrete-logarithm problem uses what is called a group; a group can safely be used with many keys, and for some operations, like key agreement, the two keys must use the same group. There are currently two kinds of discrete logarithm groups supported in botan: the integers modulo a prime, represented by DL_Group, and elliptic curves in GF(p), represented by EC_Group. A rough generalization is that the larger the group is, the more secure the algorithm is, but coorespondingly the slower the operations will be.

Given a DL_Group, you can create new DSA, Diffie-Hellman, and Nyberg-Rueppel key pairs with

DSA_PrivateKey::DSA_PrivateKey(RandomNumberGenerator &rng, const DL_Group &group, const BigInt &x = 0)
DH_PrivateKey::DH_PrivateKey(RandomNumberGenerator &rng, const DL_Group &group, const BigInt &x = 0)
NR_PrivateKey::NR_PrivateKey(RandomNumberGenerator &rng, const DL_Group &group, const BigInt &x = 0)
ElGamal_PrivateKey::ElGamal_PrivateKey(RandomNumberGenerator &rng, const DL_Group &group, const BigInt &x = 0)

The optional x parameter to each of these contructors is a private key value. This allows you to create keys where the private key is formed by some special technique; for instance you can use the hash of a password (see PBKDF Algorithms for how to do that) as a private key value. Normally, you would leave the value as zero, letting the class generate a new random key.

Finally, given an EC_Group object, you can create a new ECDSA, ECDH, or GOST 34.10-2001 private key with

ECDSA_PrivateKey::ECDSA_PrivateKey(RandomNumberGenerator &rng, const EC_Group &domain, const BigInt &x = 0)
ECDH_PrivateKey::ECDH_PrivateKey(RandomNumberGenerator &rng, const EC_Group &domain, const BigInt &x = 0)
GOST_3410_PrivateKey::GOST_3410_PrivateKey(RandomNumberGenerator &rng, const EC_Group &domain, const BigInt &x = 0)

Generating RSA keys

This example will generate an RSA key of a specified bitlength, and put it into a pair of key files. One is the public key in X.509 format (PEM encoded), the private key is in PKCS #8 format (also PEM encoded), either encrypted or unencrypted depending on if a password was given.

#include <iostream>
#include <fstream>
#include <string>
#include <cstdlib>
#include <memory>

#include <botan/botan.h>
#include <botan/rsa.h>
using namespace Botan;

int main(int argc, char* argv[])
   {
   if(argc != 2 && argc != 3)
      {
      std::cout << "Usage: " << argv[0] << " bitsize [passphrase]"
                << std::endl;
      return 1;
      }

   const size_t bits = std::atoi(argv[1]);
   if(bits < 1024 || bits > 16384)
      {
      std::cout << "Invalid argument for bitsize" << std::endl;
      return 1;
      }

   try
      {
      Botan::LibraryInitializer init;

      std::ofstream pub("rsapub.pem");
      std::ofstream priv("rsapriv.pem");
      if(!priv || !pub)
         {
         std::cout << "Couldn't write output files" << std::endl;
         return 1;
         }

      AutoSeeded_RNG rng;

      RSA_PrivateKey key(rng, bits);
      pub << X509::PEM_encode(key);

      if(argc == 2)
         priv << PKCS8::PEM_encode(key);
      else
         priv << PKCS8::PEM_encode(key, rng, argv[2]);
      }
   catch(std::exception& e)
      {
      std::cout << "Exception caught: " << e.what() << std::endl;
      }
   return 0;
   }

Generate DSA keys

This example generates a 2048 bit DSA key

#include <iostream>
#include <fstream>
#include <string>
#include <botan/botan.h>
#include <botan/dsa.h>
#include <botan/rng.h>
using namespace Botan;

#include <memory>

int main(int argc, char* argv[])
   {
   try
      {
      if(argc != 1 && argc != 2)
         {
         std::cout << "Usage: " << argv[0] << " [passphrase]" << std::endl;
         return 1;
         }

      std::ofstream priv("dsapriv.pem");
      std::ofstream pub("dsapub.pem");
      if(!priv || !pub)
         {
         std::cout << "Couldn't write output files" << std::endl;
         return 1;
         }

      Botan::LibraryInitializer init;

      AutoSeeded_RNG rng;

      DL_Group group(rng, DL_Group::DSA_Kosherizer, 2048, 256);

      DSA_PrivateKey key(rng, group);

      pub << X509::PEM_encode(key);
      if(argc == 1)
         priv << PKCS8::PEM_encode(key);
      else
         priv << PKCS8::PEM_encode(key, rng, argv[1]);
   }
   catch(std::exception& e)
      {
      std::cout << "Exception caught: " << e.what() << std::endl;
      }
   return 0;
   }

Serializing Private Keys Using PKCS #8

The standard format for serializing a private key is PKCS #8, the operations for which are defined in pkcs8.h. It supports both unencrypted and encrypted storage.

SecureVector<byte> PKCS8::BER_encode(const Private_Key &key, RandomNumberGenerator &rng, const std::string &password, const std::string &pbe_algo = "")

Takes any private key object, serializes it, encrypts it using password, and returns a binary structure representing the private key.

The final (optional) argument, pbe_algo, specifies a particular password based encryption (or PBE) algorithm. If you don’t specify a PBE, a sensible default will be used.

std::string PKCS8::PEM_encode(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, const std::string &pbe_algo = "")

This formats the key in the same manner as BER_encode, but additionally encodes it into a text format with identifying headers. Using PEM encoding is highly recommended for many reasons, including compatibility with other software, for transmission over 8-bit unclean channels, because it can be identified by a human without special tools, and because it sometimes allows more sane behavior of tools that process the data.

Unencrypted serialization is also supported.

Warning

In most situations, using unecrypted private key storage is a bad idea, because anyone can come along and grab the private key without having to know any passwords or other secrets. Unless you have very particular security requirements, always use the versions that encrypt the key based on a passphrase, described above.

SecureVector<byte> PKCS8::BER_encode(const Private_Key &key)

Serializes the private key and returns the result.

std::string PKCS8::PEM_encode(const Private_Key &key)

Serializes the private key, base64 encodes it, and returns the result.

Last but not least, there are some functions that will load (and decrypt, if necessary) a PKCS #8 private key:

Private_Key *PKCS8::load_key(DataSource &in, RandomNumberGenerator &rng, const User_Interface &ui)
Private_Key *PKCS8::load_key(DataSource &in, RandomNumberGenerator &rng, std::string passphrase = "")
Private_Key *PKCS8::load_key(const std::string &filename, RandomNumberGenerator &rng, const User_Interface &ui)
Private_Key *PKCS8::load_key(const std::string &filename, RandomNumberGenerator &rng, const std::string &passphrase = "")

These functions will return an object allocated key object based on the data from whatever source it is using (assuming, of course, the source is in fact storing a representation of a private key, and the decryption was sucessful). The encoding used (PEM or BER) need not be specified; the format will be detected automatically. The key is allocated with new, and should be released with delete when you are done with it. The first takes a generic DataSource that you have to create - the other is a simple wrapper functions that take either a filename or a memory buffer and create the appropriate DataSource.

The versions taking a std::string attempt to decrypt using the password given (if the key is encrypted; if it is not, the passphase value will be ignored). If the passphrase does not decrypt the key, an exception will be thrown.

The ones taking a User_Interface provide a simple callback interface which makes handling incorrect passphrases and such a bit simpler. A User_Interface has very little to do with talking to users; it’s just a way to glue together Botan and whatever user interface you happen to be using.

Note

In a future version, it is likely that User_Interface will be replaced by a simple callback using std::function.

To use User_Interface, derive a subclass and implement:

std::string User_Interface::get_passphrase(const std::string &what, const std::string &source, UI_Result &result) const

The what argument specifies what the passphrase is needed for (for example, PKCS #8 key loading passes what as “PKCS #8 private key”). This lets you provide the user with some indication of why your application is asking for a passphrase; feel free to pass the string through gettext(3) or moral equivalent for i18n purposes. Similarly, source specifies where the data in question came from, if available (for example, a file name). If the source is not available for whatever reason, then source will be an empty string; be sure to account for this possibility.

The function returns the passphrase as the return value, and a status code in result (either OK or CANCEL_ACTION). If CANCEL_ACTION is returned in result, then the return value will be ignored, and the caller will take whatever action is necessary (typically, throwing an exception stating that the passphrase couldn’t be determined). In the specific case of PKCS #8 key decryption, a Decoding_Error exception will be thrown; your UI should assume this can happen, and provide appropriate error handling (such as putting up a dialog box informing the user of the situation, and canceling the operation in progress).

Serializing Public Keys

To import and export public keys, use:

MemoryVector<byte> X509::BER_encode(const Public_Key &key)
std::string X509::PEM_encode(const Public_Key &key)
Public_Key *X509::load_key(DataSource &in)
Public_Key *X509::load_key(const SecureVector<byte> &buffer)
Public_Key *X509::load_key(const std::string &filename)

These functions operate in the same way as the ones described in Serializing Private Keys Using PKCS #8, except that no encryption option is availabe.

DL_Group

As described in Creating New Private Keys, a discrete logarithm group can be shared among many keys, even keys created by users who do not trust each other. However, it is necessary to trust the entity who created the group; that is why organization like NIST use algorithms which generate groups in a deterministic way such that creating a bogus group would require breaking some trusted cryptographic primitive like SHA-2.

Instantiating a DL_Group simply requires calling

DL_Group::DL_Group(const std::string &name)

The name parameter is a specially formatted string that consists of three things, the type of the group (“modp” or “dsa”), the creator of the group, and the size of the group in bits, all delimited by ‘/’ characters.

Currently all “modp” groups included in botan are ones defined by the Internet Engineering Task Force, so the provider is “ietf”, and the strings look like “modp/ietf/N” where N can be any of 768, 1024, 1536, 2048, 3072, 4096, 6144, or 8192. This group type is used for Diffie-Hellman and ElGamal algorithms.

The other type, “dsa” is used for DSA and Nyberg-Rueppel keys. They can also be used with Diffie-Hellman and ElGamal, but this is less common. The currently available groups are “dsa/jce/N” for N in 512, 768, or 1024, and “dsa/botan/N” with N being 2048 or 3072. The “jce” groups are the standard DSA groups used in the Java Cryptography Extensions, while the “botan” groups were randomly generated using the FIPS 186-3 algorithm by the library maintainers.

You can generate a new random group using

DL_Group::DL_Group(RandomNumberGenerator &rng, PrimeType type, size_t pbits, size_t qbits = 0)

The type can be either Strong, Prime_Subgroup, or DSA_Kosherizer. pbits specifies the size of the prime in bits. If the type is Prime_Subgroup or DSA_Kosherizer, then qbits specifies the size of the subgroup.

You can serialize a DL_Group using

SecureVector<byte> DL_Group::DER_Encode(Format format)

or

std::string DL_Group::PEM_encode(Format format)

where format is any of

  • ANSI_X9_42 (or DH_PARAMETERS) for modp groups
  • ANSI_X9_57 (or DSA_PARAMETERS) for DSA-style groups
  • PKCS_3 is an older format for modp groups; it should only be used for backwards compatability.

You can reload a serialized group using

void DL_Group::BER_decode(DataSource &source, Format format)
void DL_Group::PEM_decode(DataSource &source)

EC_Group

An EC_Group is initialized by passing the name of the group to be used to the constructor. These groups have semi-standardized names like “secp256r1” and “brainpool512r1”.

Key Checking

Most public key algorithms have limitations or restrictions on their parameters. For example RSA requires an odd exponent, and algorithms based on the discrete logarithm problem need a generator $> 1$.

Each public key type has a function

bool Public_Key::check_key(RandomNumberGenerator &rng, bool strong)

This function performs a number of algorithm-specific tests that the key seems to be mathematically valid and consistent, and returns true if all of the tests pass.

It does not have anything to do with the validity of the key for any particular use, nor does it have anything to do with certificates that link a key (which, after all, is just some numbers) with a user or other entity. If strong is true, then it does “strong” checking, which includes expensive operations like primality checking.

Encryption

Safe public key encryption requires the use of a padding scheme which hides the underlying mathematical properties of the algorithm. Additionally, they will add randomness, so encrypting the same plaintext twice produces two different ciphertexts.

The primary interface for encryption is

class PK_Encryptor
SecureVector<byte> encrypt(const byte *in, size_t length, RandomNumberGenerator &rng) const
SecureVector<byte> encrypt(const MemoryRegion<byte> &in, RandomNumberGenerator &rng) const

These encrypt a message, returning the ciphertext.

size_t maximum_input_size() const

Returns the maximum size of the message that can be processed, in bytes. If you call PK_Encryptor::encrypt with a value larger than this the operation will fail with an exception.

PK_Encryptor is only an interface - to actually encrypt you have to create an implementation, of which there are currently two available in the library, PK_Encryptor_EME and DLIES_Encryptor. DLIES is a standard method (from IEEE 1363) that uses a key agreement technique such as DH or ECDH to perform message encryption. Normally, public key encryption is done using algorithms which support it directly, such as RSA or ElGamal; these use the EME class:

class PK_Encryptor_EME
PK_Encryptor_EME(const Public_Key &key, std::string eme)

With key being the key you want to encrypt messages to. The padding method to use is specified in eme.

The recommended values for eme is “EME1(SHA-1)” or “EME1(SHA-256)”. If you need compatability with protocols using the PKCS #1 v1.5 standard, you can also use “EME-PKCS1-v1_5”.

class DLIES_Encryptor

Available in the header dlies.h

DLIES_Encryptor(const PK_Key_Agreement_Key &key, KDF *kdf, MessageAuthenticationCode *mac, size_t mac_key_len = 20)

Where kdf is a key derivation function (see Key Derivation Functions) and mac is a MessageAuthenticationCode.

The decryption classes are named PK_Decryptor, PK_Decryptor_EME, and DLIES_Decryptor. They are created in the exact same way, except they take the private key, and the processing function is named decrypt.

Signatures

Signature generation is performed using

class PK_Signer
PK_Signer(const Private_Key &key, const std::string &emsa, Signature_Format format = IEEE_1363)

Constructs a new signer object for the private key key using the signature format emsa. The key must support signature operations. In the current version of the library, this includes RSA, DSA, ECDSA, GOST 34.10-2001, Nyberg-Rueppel, and Rabin-Williams. Other signature schemes may be supported in the future.

Currently available values for emsa include EMSA1, EMSA2, EMSA3, EMSA4, and Raw. All of them, except Raw, take a parameter naming a message digest function to hash the message with. The Raw encoding signs the input directly; if the message is too big, the signing operation will fail. Raw is not useful except in very specialized applications. Examples are “EMSA1(SHA-1)” and “EMSA4(SHA-256)”.

For RSA, use EMSA4 (also called PSS) unless you need compatability with software that uses the older PKCS #1 v1.5 standard, in which case use EMSA3 (also called “EMSA-PKCS1-v1_5”). For DSA, ECDSA, GOST 34.10-2001, and Nyberg-Rueppel, you should use EMSA1.

The format defaults to IEEE_1363 which is the only available format for RSA. For DSA and ECDSA, you can also use DER_SEQUENCE, which will format the signature as an ASN.1 SEQUENCE value.

void update(const byte *in, size_t length)
void update(const MemoryRegion<byte> &in)
void update(byte in)

These add more data to be included in the signature computation. Typically, the input will be provided directly to a hash function.

SecureVector<byte> signature(RandomNumberGenerator &rng)

Creates the signature and returns it

SecureVector<byte> sign_message(const byte *in, size_t length, RandomNumberGenerator &rng)
SecureVector<byte> sign_message(const MemoryRegion<byte> &in, RandomNumberGenerator &rng)

These functions are equivalent to calling PK_Signer::update and then PK_Signer::signature. Any data previously provided using update will be included.

Signatures are verified using

class PK_Verifier
PK_Verifier(const Public_Key &pub_key, const std::string &emsa, Signature_Format format = IEEE_1363)

Construct a new verifier for signatures assicated with public key pub_key. The emsa and format should be the same as that used by the signer.

void update(const byte *in, size_t length)
void update(const MemoryRegion<byte> &in)
void update(byte in)

Add further message data that is purportedly assocated with the signature that will be checked.

bool check_signature(const byte *sig, size_t length)
bool check_signature(const MemoryRegion<byte> &sig)

Check to see if sig is a valid signature for the message data that was written in. Return true if so. This function clears the internal message state, so after this call you can call PK_Verifier::update to start verifying another message.

bool verify_message(const byte *msg, size_t msg_length, const byte *sig, size_t sig_length)
bool verify_message(const MemoryRegion<byte> &msg, const MemoryRegion<byte> &sig)

These are equivalent to calling PK_Verifier::update on msg and then calling PK_Verifier::check_signature on sig.

Here is an example of DSA signature generation

#include <iostream>
#include <iomanip>
#include <fstream>
#include <string>
#include <memory>

#include <botan/botan.h>
#include <botan/pubkey.h>
#include <botan/dsa.h>
#include <botan/base64.h>
using namespace Botan;

const std::string SUFFIX = ".sig";

int main(int argc, char* argv[])
   {
   if(argc != 4)
      {
      std::cout << "Usage: " << argv[0] << " keyfile messagefile passphrase"
                << std::endl;
      return 1;
      }

   Botan::LibraryInitializer init;

   try {
      std::string passphrase(argv[3]);

      std::ifstream message(argv[2], std::ios::binary);
      if(!message)
         {
         std::cout << "Couldn't read the message file." << std::endl;
         return 1;
         }

      std::string outfile = argv[2] + SUFFIX;
      std::ofstream sigfile(outfile.c_str());
      if(!sigfile)
         {
         std::cout << "Couldn't write the signature to "
                   << outfile << std::endl;
         return 1;
         }

      AutoSeeded_RNG rng;

      std::auto_ptr<PKCS8_PrivateKey> key(
         PKCS8::load_key(argv[1], rng, passphrase)
         );

      DSA_PrivateKey* dsakey = dynamic_cast<DSA_PrivateKey*>(key.get());

      if(!dsakey)
         {
         std::cout << "The loaded key is not a DSA key!\n";
         return 1;
         }

      PK_Signer signer(*dsakey, "EMSA1(SHA-1)");

      DataSource_Stream in(message);
      byte buf[4096] = { 0 };
      while(size_t got = in.read(buf, sizeof(buf)))
         signer.update(buf, got);

      sigfile << base64_encode(signer.signature(rng)) << "\n";
   }
   catch(std::exception& e)
      {
      std::cout << "Exception caught: " << e.what() << std::endl;
      }
   return 0;
   }

Here is an example that verifies DSA signatures

#include <iostream>
#include <iomanip>
#include <fstream>
#include <cstdlib>
#include <string>
#include <memory>

#include <botan/botan.h>
#include <botan/pubkey.h>
#include <botan/dsa.h>
using namespace Botan;

namespace {

SecureVector<byte> b64_decode(const std::string& in)
   {
   Pipe pipe(new Base64_Decoder);
   pipe.process_msg(in);
   return pipe.read_all();
   }

}

int main(int argc, char* argv[])
   {
   if(argc != 4)
      {
      std::cout << "Usage: " << argv[0]
                << " keyfile messagefile sigfile" << std::endl;
      return 1;
      }


   try {
      Botan::LibraryInitializer init;

      std::ifstream message(argv[2], std::ios::binary);
      if(!message)
         {
         std::cout << "Couldn't read the message file." << std::endl;
         return 1;
         }

      std::ifstream sigfile(argv[3]);
      if(!sigfile)
         {
         std::cout << "Couldn't read the signature file." << std::endl;
         return 1;
         }

      std::string sigstr;
      getline(sigfile, sigstr);

      std::auto_ptr<X509_PublicKey> key(X509::load_key(argv[1]));
      DSA_PublicKey* dsakey = dynamic_cast<DSA_PublicKey*>(key.get());

      if(!dsakey)
         {
         std::cout << "The loaded key is not a DSA key!\n";
         return 1;
         }

      SecureVector<byte> sig = b64_decode(sigstr);

      PK_Verifier ver(*dsakey, "EMSA1(SHA-1)");

      DataSource_Stream in(message);
      byte buf[4096] = { 0 };
      while(size_t got = in.read(buf, sizeof(buf)))
         ver.update(buf, got);

      const bool ok = ver.check_signature(sig);

      if(ok)
         std::cout << "Signature verified\n";
      else
         std::cout << "Signature did NOT verify\n";
   }
   catch(std::exception& e)
      {
      std::cout << "Exception caught: " << e.what() << std::endl;
      return 1;
      }
   return 0;
   }

Key Agreement

You can get a hold of a PK_Key_Agreement_Scheme object by calling get_pk_kas with a key that is of a type that supports key agreement (such as a Diffie-Hellman key stored in a DH_PrivateKey object), and the name of a key derivation function. This can be “Raw”, meaning the output of the primitive itself is returned as the key, or “KDF1(hash)” or “KDF2(hash)” where “hash” is any string you happen to like (hopefully you like strings like “SHA-256” or “RIPEMD-160”), or “X9.42-PRF(keywrap)”, which uses the PRF specified in ANSI X9.42. It takes the name or OID of the key wrap algorithm that will be used to encrypt a content encryption key.

How key agreement works is that you trade public values with some other party, and then each of you runs a computation with the other’s value and your key (this should return the same result to both parties). This computation can be called by using derive_key with either a byte array/length pair, or a SecureVector<byte> than holds the public value of the other party. The last argument to either call is a number that specifies how long a key you want.

Depending on the KDF you’re using, you might not get back a key of the size you requested. In particular “Raw” will return a number about the size of the Diffie-Hellman modulus, and KDF1 can only return a key that is the same size as the output of the hash. KDF2, on the other hand, will always give you a key exactly as long as you request, regardless of the underlying hash used with it. The key returned is a SymmetricKey, ready to pass to a block cipher, MAC, or other symmetric algorithm.

The public value that should be used can be obtained by calling public_data, which exists for any key that is associated with a key agreement algorithm. It returns a SecureVector<byte>.

“KDF2(SHA-256)” is by far the preferred algorithm for key derivation in new applications. The X9.42 algorithm may be useful in some circumstances, but unless you need X9.42 compatibility, KDF2 is easier to use.

An example of using Diffie-Hellman:

#include <botan/botan.h>
#include <botan/dh.h>
#include <botan/pubkey.h>
using namespace Botan;

#include <iostream>
#include <memory>

int main()
   {
   try
      {
      LibraryInitializer init;

      AutoSeeded_RNG rng;

      // Alice and Bob agree on a DH domain to use
      DL_Group shared_domain("modp/ietf/2048");

      // Alice creates a DH key
      DH_PrivateKey private_a(rng, shared_domain);

      // Bob creates a key with a matching group
      DH_PrivateKey private_b(rng, shared_domain);

      // Alice sends to Bob her public key and a session parameter
      MemoryVector<byte> public_a = private_a.public_value();
      const std::string session_param =
         "Alice and Bob's shared session parameter";

      // Bob sends his public key to Alice
      MemoryVector<byte> public_b = private_b.public_value();

      // Now Alice performs the key agreement operation
      PK_Key_Agreement ka_alice(private_a, "KDF2(SHA-256)");
      SymmetricKey alice_key = ka_alice.derive_key(32, public_b, session_param);

      // Bob does the same:
      PK_Key_Agreement ka_bob(private_b, "KDF2(SHA-256)");
      SymmetricKey bob_key = ka_bob.derive_key(32, public_a, session_param);

      if(alice_key == bob_key)
         {
         std::cout << "The two keys matched, everything worked\n";
         std::cout << "The shared key was: " << alice_key.as_string() << "\n";
         }
      else
         {
         std::cout << "The two keys didn't match! Hmmm...\n";
         std::cout << "Alice's key was: " << alice_key.as_string() << "\n";
         std::cout << "Bob's key was: " << bob_key.as_string() << "\n";
         }

      // Now use the shared key for encryption or MACing or whatever
   }
   catch(std::exception& e)
      {
      std::cout << e.what() << std::endl;
      return 1;
      }
   return 0;
   }