Re: [TLS] TLS 1.2 draft

Martin Rex <martin.rex@sap.com> Tue, 06 March 2007 17:41 UTC

From: Martin Rex <martin.rex@sap.com>
Message-Id: <200703061740.SAA00305@uw1048.wdf.sap.corp>
Subject: Re: [TLS] TLS 1.2 draft
To: ekr@networkresonance.com
Date: Tue, 6 Mar 2007 18:40:46 +0100 (MET)
In-Reply-To: <86abyq2soa.fsf@delta.rtfm.com> from "EKR" at Mar 6, 7 09:22:29 am
Cc: tls@ietf.org
Reply-To: martin.rex@sap.com

EKR wrote:
> 
> Martin Rex <martin.rex@sap.com> writes:
> 
> > EKR wrote:
> >> 
> >>      - Remove ephemeral RSA [issue 3]
> >
> > This makes me sad.
> >
> > I would have SIGNIFICANTLY preferred if temporary/ephemeral RSA
> > had been retained and the restriction to the RSA_EXPORT ciphersuites
> > had been removed instead.
> >
> > As I had previously explained, the use of temporary/ephemeral RSA
> > with same-strength keys as the server's certificate would make
> > key-stealing of the servers' key much less useful for passive
> > attacks.
> 
> The recommendation is to use RSA/DHE for these applications. Can
> you explain why you think ephemeral RSA is superior?

The Server's RSA key is typically used for at least one year
(or longer if renewal just extends the cert lifetime and keeps
the key/keypair).

If an attacker gets hold of the Server's private RSA key, he can
passively monitor (decrypt) all sessions using an RSA-based ciphersuite.

When a temporary/ephemeral keypair is used for key exchange, then
possession of the private RSA key will not be sufficient to
passively monitor (decrypt) SSL sessions with the server
using an RSA ciphersuite with a temporary/ephemeral keypair.
It will require an active (MITM) attack.

-Martin
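To make the passive-versus-active distinction concrete, here is an added toy model (not code from this thread or from any TLS implementation) of the two exchanges Martin compares: the premaster secret encrypted to the long-lived certificate key, versus encrypted to a per-session temporary RSA key that the certificate key only signs. The RSA over small primes, the seeded RNG and the dictionary "transcripts" are constructed for illustration; `demo()` reports whether a recorder who later obtains the certificate key recovers each session's premaster secret.

```python
import hashlib
import random
from math import gcd

# Toy RSA over tiny primes (constructed for illustration only; no real security).
PRIMES = [p for p in range(1000, 2000) if all(p % q for q in range(2, int(p ** 0.5) + 1))]
E = 65537

def rsa_keygen(rng):
    """Return ((n, e), (n, d)) built from two random toy primes."""
    while True:
        p, q = rng.sample(PRIMES, 2)
        phi = (p - 1) * (q - 1)
        if gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))

def rsa_encrypt(pub, m): return pow(m, pub[1], pub[0])
def rsa_decrypt(priv, c): return pow(c, priv[1], priv[0])

def digest_mod_n(eph_pub, n):  # hash of the ephemeral public key, reduced to fit the signing modulus
    return int.from_bytes(hashlib.sha256(repr(eph_pub).encode()).digest(), "big") % n
def rsa_sign(priv, eph_pub): return pow(digest_mod_n(eph_pub, priv[0]), priv[1], priv[0])
def rsa_verify(pub, eph_pub, sig): return pow(sig, pub[1], pub[0]) == digest_mod_n(eph_pub, pub[0])

def handshake_static_rsa(server_pub, rng):
    """RSA key exchange: the premaster secret is encrypted to the long-lived certificate key."""
    premaster = rng.randrange(2, 1_000_000)
    return premaster, {"client_key_exchange": rsa_encrypt(server_pub, premaster)}

def handshake_ephemeral_rsa(server_pub, server_priv, rng):
    """Temporary RSA: a fresh keypair per session, signed with the certificate key (ServerKeyExchange)."""
    eph_pub, eph_priv = rsa_keygen(rng)  # eph_priv lives only for this handshake, never on the wire
    sig = rsa_sign(server_priv, eph_pub)
    if not rsa_verify(server_pub, eph_pub, sig):  # the client checks the signature before using eph_pub
        raise ValueError("bad ServerKeyExchange signature")
    premaster = rng.randrange(2, 1_000_000)
    return premaster, {"server_key_exchange": (eph_pub, sig),
                       "client_key_exchange": rsa_encrypt(eph_pub, premaster)}

def passive_attacker_guess(stolen_priv, transcript):
    """A passive monitor holding the stolen certificate key simply decrypts the recorded ClientKeyExchange."""
    return rsa_decrypt(stolen_priv, transcript["client_key_exchange"])

def demo(seed=7):
    """Return (static_rsa_recovered, ephemeral_rsa_recovered) for one recorded session of each kind."""
    rng = random.Random(seed)
    server_pub, server_priv = rsa_keygen(rng)
    pms_static, tr_static = handshake_static_rsa(server_pub, rng)
    pms_eph, tr_eph = handshake_ephemeral_rsa(server_pub, server_priv, rng)
    stolen = server_priv  # the certificate key leaks later; the transcripts were recorded earlier
    return (passive_attacker_guess(stolen, tr_static) == pms_static,
            passive_attacker_guess(stolen, tr_eph) == pms_eph)
```

The ephemeral result is False only against a passive recorder: whoever holds the certificate key can still sign a temporary key of their own during a live handshake, which is the active (MITM) attack the post says is then required.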

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls