Re: [TLS] DHE key derivation

Hanno Böck <> Fri, 27 September 2013 16:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6866C21F9F45 for <>; Fri, 27 Sep 2013 09:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MANGLED_BACK=2.3, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hPZwWcUMsroq for <>; Fri, 27 Sep 2013 09:55:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7017721F9D2A for <>; Fri, 27 Sep 2013 09:55:43 -0700 (PDT)
Received: from localhost ( [::ffff:]) (AUTH: LOGIN, TLS: TLSv1/SSLv3, 128bits, AES128-GCM-SHA256) by with ESMTPSA; Fri, 27 Sep 2013 18:55:40 +0200 id 00000000000000B1.000000005245B88C.00006FA9
Date: Fri, 27 Sep 2013 18:55:35 +0200
From: Hanno =?UTF-8?B?QsO2Y2s=?= <>
Message-ID: <>
In-Reply-To: <>
References: <> <> <op.w30xbev03dfyax@killashandra.invalid.invalid> <> <>
X-Mailer: Claws Mail 3.9.2-dirty (GTK+ 2.24.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=PGP-SHA256; protocol="application/pgp-signature"; boundary=""
Subject: Re: [TLS] DHE key derivation
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Sep 2013 16:55:49 -0000

On Fri, 27 Sep 2013 18:07:42 +0300
Yaron Sheffer <> wrote:

> While we're opening (maybe) the negotiation of DHE, I'd like to
> clarify an issue that bothers me in the implementation of DHE in TLS:
> With DHE, the premaster secret depends only on the DH shared secret.
> We know that DHE is commonly used with 1024-bit parameters. So even
> if you have a 2048-bit RSA certificate, the session strength will be
> 1024 bits.
> What if we mixed *both* the DH secret and the regular encrypted nonce 
> that's used in RSA ciphersuites into the premaster secret? Wouldn't
> we get forward secrecy, as well as crypto strength equivalent to the
> higher of the two lengths?

I feel this would add even more confusion.

What you'd get:
- Connection Security of the RSA key size, BUT
- Forward Secrecy only with the security of the DHE modulus size

Or to be concrete: an attacker able to steal the certificate's key
AFTER recording a connection and at the same time being able to break
the DHE would still be able to decrypt.

I don't really get why that should make any sense. Okay, it would avoid
that DHE "downgrades" the security of the RSA key.
But: This would require changes to the protocol. Won't work with
existing software, so it won't solve the mess we have today.

If you are already changing the protocol, you can also do something
that makes much more sense: Forbid DHE modulus size smaller than RSA
key size. (which also could be achieved just by server policy without
protocol changes, but then breaks messy clients like java - see past

Hanno Böck