RE: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt

"Pasi Eronen" <> Fri, 21 July 2006 12:04 UTC


Bodo Moeller wrote:

> Is there a good case for defining a DHE_PSK ciphersuite with NULL
> encryption?  RSA_PSK involves server certificates, so it does not
> solely rely on pre-shared keys for authentication.  DHE_PSK, however,
> uses ephemeral Diffie-Hellman without certificate-based
> authentication.  This is very useful when the key exchange is used to
> obtain keys for symmetric encryption.  However, in these NULL
> encryption ciphersuites, the key exchange is only used to derive
> authentication keys, so there is only a very limited need for forward
> security.  (DHE_PSK, when using NULL encryption, provides protection
> against exposure of a pre-shared key if use of said key has been
> stopped, but TLS sessions based on the key remain active.)

With DHE_PSK, a passive eavesdropper doesn't get the information
required for a dictionary attack against the PSK.

So it might be useful even with NULL encryption in some environments
(where active MitM is not considered a significant threat, and the PSK
is not guaranteed to be "strong enough"). I'm not sure how common
those environments would be, but then again, I didn't think that
anyone would want NULL encryption either...

Best regards,

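The difference discussed in this message can be seen in how the premaster secret is laid out for plain PSK and for DHE_PSK in RFC 4279. The sketch below is an added example, not part of the original message: the function names are hypothetical and the 64-bit Diffie-Hellman group is a toy constructed for illustration only.

```python
import secrets
import struct

# Toy DH group, constructed for this example (far too small for real use).
P = 0xFFFFFFFFFFFFFFC5  # 2**64 - 59
G = 5

def opaque16(data: bytes) -> bytes:
    """TLS opaque<0..2^16-1>: uint16 length prefix followed by the bytes."""
    return struct.pack("!H", len(data)) + data

def premaster_psk(psk: bytes) -> bytes:
    # Plain PSK: other_secret is len(psk) zero octets, so the PSK is the
    # only unknown input; everything else in the key schedule is on the wire.
    return opaque16(bytes(len(psk))) + opaque16(psk)

def premaster_dhe_psk(z: int, psk: bytes) -> bytes:
    # DHE_PSK: other_secret is the DH shared value Z, leading zeros stripped.
    z_bytes = z.to_bytes((z.bit_length() + 7) // 8, "big")
    return opaque16(z_bytes) + opaque16(psk)

def split_premaster(pms: bytes):
    """Parse a premaster secret back into (other_secret, psk)."""
    (n,) = struct.unpack_from("!H", pms, 0)
    other = pms[2:2 + n]
    (m,) = struct.unpack_from("!H", pms, 2 + n)
    psk = pms[4 + n:4 + n + m]
    if len(other) != n or len(psk) != m or 4 + n + m != len(pms):
        raise ValueError("malformed premaster secret")
    return other, psk

def dhe_psk_session(psk: bytes):
    """One handshake: returns (values visible on the wire, premaster secret)."""
    a = secrets.randbelow(P - 3) + 2  # client private exponent, never sent
    b = secrets.randbelow(P - 3) + 2  # server private exponent, never sent
    yc, ys = pow(G, a, P), pow(G, b, P)  # public values, sent in the clear
    z = pow(ys, a, P)                    # shared secret, equals pow(yc, b, P)
    return (yc, ys), premaster_dhe_psk(z, psk)

if __name__ == "__main__":
    psk = b"constructed-sample-psk"
    print("PSK     other_secret:", split_premaster(premaster_psk(psk))[0].hex())
    for _ in range(2):  # same PSK, fresh Z each session
        wire, pms = dhe_psk_session(psk)
        print("DHE_PSK other_secret:", split_premaster(pms)[0].hex())
```

With plain PSK, every key schedule input other than the PSK is observable, so a candidate PSK can be checked against a recorded handshake; with DHE_PSK the check also needs Z, which requires one of the private exponents or active participation in the exchange.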