Re: [TLS] DHE key derivation

mrex@sap.com (Martin Rex) Fri, 27 September 2013 15:35 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50B8F11E8166 for <tls@ietfa.amsl.com>; Fri, 27 Sep 2013 08:35:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.175
X-Spam-Level:
X-Spam-Status: No, score=-10.175 tagged_above=-999 required=5 tests=[AWL=0.074, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SXw6E6GAx0af for <tls@ietfa.amsl.com>; Fri, 27 Sep 2013 08:34:46 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 8AC4311E814F for <tls@ietf.org>; Fri, 27 Sep 2013 08:34:42 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r8RFYdJj002992 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 27 Sep 2013 17:34:39 +0200 (MEST)
In-Reply-To: <5245A292.1060909@pobox.com>
To: "Michael D'Errico" <mike-list@pobox.com>
Date: Fri, 27 Sep 2013 17:34:39 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130927153439.54C8A1A9B4@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] DHE key derivation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2013 15:35:02 -0000

Michael D'Errico wrote:
> Yaron Sheffer wrote:
> > While we're opening (maybe) the negotiation of DHE, I'd like to clarify 
> > an issue that bothers me in the implementation of DHE in TLS:
> > 
> > With DHE, the premaster secret depends only on the DH shared secret. We 
> > know that DHE is commonly used with 1024-bit parameters. So even if you 
> > have a 2048-bit RSA certificate, the session strength will be 1024 bits.
> > 
> > What if we mixed *both* the DH secret and the regular encrypted nonce 
> > that's used in RSA ciphersuites into the premaster secret? Wouldn't we 
> > get forward secrecy, as well as crypto strength equivalent to the higher 
> > of the two lengths?
> 
> In DHE_RSA, RSA is used in signature mode to sign the DH parameters.
> It is not recommended to use the same RSA key for both signing and
> key encipherment.

Isn't that (using the same RSA key for both signing and key encipherment)
what pretty much all TLS Servers do when they support both,
traditional RSA ciphersuites plus DHE_RSA and/or ECDHE_RSA?

-Martin