Re: [TLS] DHE key derivation
mrex@sap.com (Martin Rex) Fri, 27 September 2013 15:35 UTC
Michael D'Errico wrote:
> Yaron Sheffer wrote:
> > While we're opening (maybe) the negotiation of DHE, I'd like to clarify
> > an issue that bothers me in the implementation of DHE in TLS:
> >
> > With DHE, the premaster secret depends only on the DH shared secret. We
> > know that DHE is commonly used with 1024-bit parameters. So even if you
> > have a 2048-bit RSA certificate, the session strength will be 1024 bits.
> >
> > What if we mixed *both* the DH secret and the regular encrypted nonce
> > that's used in RSA ciphersuites into the premaster secret? Wouldn't we
> > get forward secrecy, as well as crypto strength equivalent to the higher
> > of the two lengths?
>
> In DHE_RSA, RSA is used in signature mode to sign the DH parameters.
> It is not recommended to use the same RSA key for both signing and
> key encipherment.

Isn't that (using the same RSA key for both signing and key
encipherment) what pretty much all TLS Servers do when they support
both, traditional RSA ciphersuites plus DHE_RSA and/or ECDHE_RSA?

-Martin