On 5/19/06, Bill Stewart <bill.stewart@pobox.com> wrote:
... Too many online applications currently use RSA encryption to transfer an encrypted key, which is vulnerable to later disclosure, instead of using Diffie-Hellman key exchange and some signature algorithm (RSA, EG, whatever),
cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA++
Email messages are an appropriate use of RSA-encrypted keys, but any online two-way communications, including VOIP, IPSEC, web forms, and transmission of email, really ought to be using Diffie-Hellman instead.
I like the speed of pre-shared keys, assuming key management is secure and rekeying is frequent (e.g. scheduled PSKs or one-time-pad-based ephemeral key exchange). But anything using ephemeral keys needs to destroy them properly, and this is more robust with DH (each end is responsible for its own key destruction) than with shared secrets (both ends must destroy the secret), in addition to the fact that shared secrets are usually much longer-lived as well.
How many of the popular tools support it or could be configured to do so?
I do it all the time with OpenVPN, HTTPS, etc. In theory anything that supports SSLv3/TLSv1 should support a strong ephemeral DH cipher suite. As for particular sites and servers, I'd be interested to know just what the usual distribution of utilized cipher suites is. RSA without DHE is probably the most common.
In most cases, it's probably not hard - you mainly need to choose the right options from standard packages, and make the DH versions the preferred method instead of a fallback.
Yup. In most cases generating DH parameters and explicitly requiring a DHE suite is the hardest part of any custom configuration needed. The session setup costs are a little higher, but anyone doing SSL/TLS in bulk probably has the necessary hardware acceleration in place already. As a side note, I'd really like SHA-256/SHA-512 to be added to SSL/TLS and widely implemented. AES-256 with a SHA-1 digest is just a little funny these days...
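Added example, not part of the thread and not code from either correspondent: a minimal ephemeral Diffie-Hellman handshake in Python that shows the two points argued above, that the eavesdropper's transcript holds nothing a later key disclosure can unlock, and that each end destroys its own ephemeral exponent once the key is derived. Assumptions: the RFC 3526 2048-bit MODP group (group 14, generator 2) stands in for the parameters a server would load from openssl dhparam; an HMAC-SHA-256 derivation over the transcript stands in for the TLS PRF; and the server's signature over the public values, which is what the long-term RSA key is actually for in a DHE-RSA suite, is left out.

```python
"""Ephemeral Diffie-Hellman (DHE) key agreement, in the shape TLS uses it.

Added illustration, not code from the thread.  Assumptions: the RFC 3526
2048-bit MODP group (group 14, generator 2) stands in for the parameters a
server would load from `openssl dhparam`; key derivation is an ad hoc
HMAC-SHA-256 over the transcript, not the TLS PRF; the signature a real
protocol puts over the public values is omitted.
"""
import hashlib
import hmac
import secrets

# RFC 3526, section 3: 2048-bit MODP group.  P is a safe prime (P = 2Q + 1)
# and G = 2 generates the prime-order subgroup of size Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2
P_BYTES = (P.bit_length() + 7) // 8


def is_valid_public_value(y: int) -> bool:
    """Reject peer values that pin the shared secret to a tiny set.

    0, 1 and P-1 make g^ab trivial; anything outside the order-Q subgroup
    (only a malicious peer sends one, since G generates that subgroup)
    would leak bits of our exponent via small-subgroup confinement.
    """
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


class DHEParty:
    """One endpoint.  Holds its ephemeral exponent only until derive()."""

    def __init__(self) -> None:
        # Fresh full-size exponent in [1, Q-1] for every session.
        self._x = secrets.randbelow(Q - 1) + 1
        self.public = pow(G, self._x, P)

    def destroyed(self) -> bool:
        return self._x is None

    def derive(self, peer_public: int, transcript: bytes) -> bytes:
        if self._x is None:
            raise RuntimeError("ephemeral exponent already destroyed")
        if not is_valid_public_value(peer_public):
            raise ValueError("peer public value rejected")
        shared = pow(peer_public, self._x, P)
        # The "destroy them properly" step.  Python cannot zero an int in
        # place, so the best available is to drop every reference so
        # nothing later in the process can reach the exponent.
        self._x = None
        # Bind the key to the transcript so a tampered public value yields
        # different keys on the two sides.  HMAC-SHA-256 stands in for the
        # TLS PRF (SHA-256 is the assumption; TLS of the period used SHA-1).
        key = hmac.new(transcript, shared.to_bytes(P_BYTES, "big"),
                       hashlib.sha256).digest()
        del shared
        return key


def run_handshake():
    """Client and server each contribute a fresh exponent.

    Returns (client_key, server_key, transcript).  The transcript is all an
    eavesdropper records; it contains no secret a later disclosure of any
    long-term key could unlock, which is the forward-secrecy argument.
    """
    client, server = DHEParty(), DHEParty()
    transcript = (client.public.to_bytes(P_BYTES, "big")
                  + server.public.to_bytes(P_BYTES, "big"))
    # In DHE-RSA the server signs the transcript with its long-term RSA key
    # at this point (omitted): that key authenticates, it never encrypts.
    return (client.derive(server.public, transcript),
            server.derive(client.public, transcript),
            transcript)


if __name__ == "__main__":
    ck, sk, tr = run_handshake()
    print("keys agree:", ck == sk, "transcript bytes:", len(tr))
```

Run it directly to see the two derived keys agree, and run it twice to see a different key each time, which is what "ephemeral" buys: nothing on disk or in a long-term key ties one session's key to the next. The subgroup check in is_valid_public_value is the caveat a production implementation must not skip; without it a peer can send 1, P-1 or a small-order element and force the shared secret into a handful of values.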