Diffie-Hellman Re: UK Government to force handover of encryption keys

coderman coderman at gmail.com
Fri May 19 13:42:43 PDT 2006


On 5/19/06, Bill Stewart <bill.stewart at pobox.com> wrote:
> ...
> Too many online applications currently use
> RSA encryption to transfer an encrypted key,
> which is vulnerable to later disclosure,
> instead of using Diffie-Hellman key exchange
> and some signature algorithm (RSA, EG, whatever),

cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA++


> Email messages are an appropriate use of RSA-encrypted keys,
> but any online two-way communications,
> including VOIP, IPSEC, web forms, and transmission of email,
> really ought to be using Diffie-Hellman instead.

i like the speed of pre-shared keys assuming key mgmt is secure and
rekeying frequent (e.g. scheduled PSKs or one-time-pad-based
ephemeral key exchange).

but anything using ephemeral keys needs to destroy them properly and
this is more robust with DH (each end responsible for their
respective key destruction) than shared secrets (both ends must
destroy secrets) in addition to the fact that shared secrets are
usually much longer lived as well.


> How many of the popular tools support it or could be configured to do so?

i do it all the time with openvpn, https, etc.  in theory anything
that supports SSLv3/TLSv1 should support a strong ephemeral DH cipher
suite.  as for particular sites and servers, i'd be interested to know
just what the usual distribution of utilized cipher suites is.  RSA
without DHE probably is the most common.


> In most cases, it's probably not hard - you mainly need to choose the
> right options from standard packages, and make the DH versions the
> preferred method instead of a fallback.

yup.
in most cases generating dh parameters and explicitly requiring a DHE
suite is the hardest part of any custom configuration needed.  the
session setup costs are a little higher but anyone doing SSL/TLS in
bulk probably has the necessary hardware acceleration in place
already.

as a side note, i'd really like SHA2-256/512 to be added to SSL/TLS
and widely implemented.  AES256 with SHA1 digest is just a little
funny these days...
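The forward-secrecy point the thread turns on, as an added, self-contained example (not code from either poster): a recorded RSA-key-transport session can be opened once the server's long-term key is handed over later, whereas a recorded DHE-RSA session cannot, because the long-term key only signed the ephemeral public values and each side destroyed its own exponent. All parameters are toy-sized and constructed at runtime (a 256-bit safe prime for DH, a 512-bit textbook RSA key with no padding); the function names, the `transcript` dict layout and the generator `g = 4` are my own choices, and a real deployment uses a standard 2048-bit+ group and a vetted TLS library instead.

```python
"""Forward secrecy demo: RSA key transport vs. ephemeral DH (DHE-RSA shape).

Toy parameters only, generated at runtime for illustration: a 256-bit safe
prime for DH and a 512-bit textbook RSA key (no padding, so not for real use).
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_safe_prime(bits):
    """p = 2q + 1 with q prime; g = 4 is a quadratic residue, so it generates
    the order-q subgroup (toy replacement for a standardized group)."""
    while True:
        q = gen_prime(bits - 1)
        if is_probable_prime(2 * q + 1):
            return 2 * q + 1


def rsa_keypair(bits=512):
    """Textbook RSA (toy): long-term key used for transport or for signing."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_transport_session(server_pub):
    """Client picks the session key and ships it encrypted under the server's
    long-term RSA key; the ciphertext is exactly what an eavesdropper records."""
    n, e = server_pub
    key = secrets.token_bytes(32)
    return key, {"kind": "rsa_transport", "enc_key": pow(int.from_bytes(key, "big"), e, n)}


def dh_keypair(p, g=4):
    q = (p - 1) // 2
    x = 2 + secrets.randbelow(q - 2)  # fresh private exponent in [2, q-1]
    return x, pow(g, x, p)


def dh_check_public(p, y):
    """Reject peer values outside [2, p-2] or outside the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1


def dh_session_key(own_priv, peer_pub, p):
    if not dh_check_public(p, peer_pub):
        raise ValueError("bad DH public value")
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(pow(peer_pub, own_priv, p).to_bytes(nbytes, "big")).digest()


def dhe_session(p, server_priv, server_pub):
    """DHE-RSA shape: ephemeral exponents per session, server signs the public
    values with its long-term key, then each side discards its own exponent."""
    nbytes = (p.bit_length() + 7) // 8
    a, A = dh_keypair(p)
    b, B = dh_keypair(p)
    signed = A.to_bytes(nbytes, "big") + B.to_bytes(nbytes, "big")
    sig = rsa_sign(server_priv, signed)
    if not rsa_verify(server_pub, signed, sig):
        raise ValueError("signature check failed")
    k_client, k_server = dh_session_key(a, B, p), dh_session_key(b, A, p)
    assert k_client == k_server
    del a, b  # each end destroys its own exponent (toy: drop the reference)
    return k_client, {"kind": "dhe_rsa", "p": p, "A": A, "B": B, "sig": sig}


def recover_with_long_term_key(transcript, server_priv):
    """What a recorder learns if the server's long-term key is handed over
    later: the session key, or None when the transcript does not yield it."""
    if transcript["kind"] == "rsa_transport":
        n, d = server_priv
        return pow(transcript["enc_key"], d, n).to_bytes(32, "big")
    # DHE transcript: only A, B and a signature over them. The private key lets
    # one verify (or forge) such signatures, but the session key depends on the
    # destroyed exponents, so recovering it means solving a discrete log.
    return None


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    k1, t1 = rsa_transport_session(pub)
    k2, t2 = dhe_session(gen_safe_prime(256), priv, pub)
    print("RSA transport recovered:", recover_with_long_term_key(t1, priv) == k1)
    print("DHE recovered:", recover_with_long_term_key(t2, priv) is not None)
```

The two `recover_with_long_term_key` branches are the whole argument: for key transport the recorded ciphertext plus the later-disclosed key is sufficient, for DHE the recorded values plus that same key are not, and the subgroup check in `dh_check_public` is the validation a DHE endpoint should still perform on every peer value. In a real stack the group comes from `openssl dhparam` or a named RFC 7919 group rather than being generated per run.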

