ECDH-RSA and TLS 1.2

ECDH-RSA and TLS 1.2

Abhiram Shandilya

I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (e.g. ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails with s_server printing the following error: “3086918464:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:”. Can someone please tell me why this doesn’t work? Here are the commands I used:

Starting s_server:

openssl s_server -accept 4433 -key ./key.pem -cert cert.pem

Connecting with s_client:

openssl s_client -connect localhost:4433 -cipher ECDH-RSA-AES128-SHA256

Thanks

Abhi


Re: ECDH-RSA and TLS 1.2

Dr. Stephen Henson
On Thu, Nov 01, 2012, Abhiram Shandilya wrote:

> I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (eg ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails with s_server printing the following error: "3086918464:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:". Can someone please tell me why this doesn't work? Here are the commands I used:
>
> Starting s_server:
> openssl s_server -accept 4433 -key ./key.pem -cert cert.pem
>
> Connecting with s_client:
> openssl s_client -connect localhost:4433 -cipher ECDH-RSA-AES128-SHA256
>

You probably don't want ECDH-RSA-AES128-SHA256 as it is a fixed ECDH
ciphersuite (if you do you need to use an appropriate curve in the EE
certificate and include key agreement in the key usage extension, if present).
You should try ECDHE-ECDSA-AES128-SHA256 which uses ephemeral ECDH.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: ECDH-RSA and TLS 1.2

Abhiram Shandilya
Hi Steve,
Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why?

I configured my openssl RSA CA to add the key usage extension for key agreement to the ECC certificate but even then it does not work. Pre-TLS 1.2 cipher suites such as ECDH-RSA-AES128-SHA work fine but just not the TLS 1.2 cipher suites with AESGCM.
Thanks
Abhi

 
-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Dr. Stephen Henson
Sent: Thursday, November 01, 2012 4:40 AM
To: [hidden email]
Subject: Re: ECDH-RSA and TLS 1.2

On Thu, Nov 01, 2012, Abhiram Shandilya wrote:

> I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (eg ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails with s_server printing the following error: "3086918464:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:". Can someone please tell me why this doesn't work? Here are the commands I used:
>
> Starting s_server:
> openssl s_server -accept 4433 -key ./key.pem -cert cert.pem
>
> Connecting with s_client:
> openssl s_client -connect localhost:4433 -cipher ECDH-RSA-AES128-SHA256
>

You probably don't want ECDH-RSA-AES128-SHA256 as it is a fixed ECDH ciphersuite (if you do you need to use an appropriate curve in the EE certificate and include key agreement in the key usage extension, if present).
You should try ECDHE-ECDSA-AES128-SHA256 which uses ephemeral ECDH.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: ECDH-RSA and TLS 1.2

Dr. Stephen Henson
On Fri, Nov 02, 2012, Abhiram Shandilya wrote:

> Hi Steve, Thanks for your response. I'm just trying to figure out what it
> takes to get this working - are you of the opinion that an SSL server should
> not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why?
>

Well one reason is that the fixed ECDH cipher suites do not support forward
secrecy because they always use the same ECDH key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

RE: ECDH-RSA and TLS 1.2

Erik Tkal
What if the server has an ECDH certificate?  Would that then be the appropriate set of suites?

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Dr. Stephen Henson
Sent: Thursday, November 01, 2012 10:38 PM
To: [hidden email]
Subject: Re: ECDH-RSA and TLS 1.2

On Fri, Nov 02, 2012, Abhiram Shandilya wrote:

> Hi Steve, Thanks for your response. I'm just trying to figure out what
> it takes to get this working - are you of the opinion that an SSL
> server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why?
>

Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: ECDH-RSA and TLS 1.2

Billy Brumley
In reply to this post by Dr. Stephen Henson
> Well one reason is that the fixed ECDH cipher suites do not support forward
> secrecy because they always use the same ECDH key.

ECDHE cipher suites as implemented in OpenSSL don't necessarily
support forward secrecy either. I wonder what it takes to get
SSL_OP_SINGLE_ECDH_USE option by default in the code base?

BBB
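
A toy model of the point made in the two messages above, added here as an example and not taken from the thread or from OpenSSL: finite-field Diffie-Hellman over a small prime stands in for ECDH, and it counts how many recorded sessions can be recomputed from the private exponent the server still holds. The mode names, `recoverable_sessions` and its parameters are assumptions of this sketch; `ECDHE_SINGLE_USE` models the behaviour `SSL_OP_SINGLE_ECDH_USE` asks for.

```c
#include <stdint.h>
#include <stdio.h>

#define P 2147483647ULL   /* toy modulus 2^31 - 1, far too small for real use */
#define G 7ULL            /* generator used for every key in this model       */
#define MAX_SESSIONS 64

enum mode {
    FIXED_ECDH,        /* exchange key is the certificate key, survives restarts */
    ECDHE_REUSED,      /* one "ephemeral" key generated per server process       */
    ECDHE_SINGLE_USE   /* fresh key for every handshake, discarded afterwards    */
};

/* What a passive recorder sees, plus the true secret kept only so the
 * model can check the attacker's recomputation. */
struct record { uint64_t client_pub, server_pub, secret; };

/* Square-and-multiply; operands stay below 2^31 so products fit in 64 bits. */
static uint64_t powmod(uint64_t b, uint64_t e)
{
    uint64_t r = 1;
    b %= P;
    while (e) {
        if (e & 1)
            r = r * b % P;
        b = b * b % P;
        e >>= 1;
    }
    return r;
}

/* Deterministic stand-in for key generation (constructed values, not random),
 * so every run of the model gives the same distinct exponents. */
static uint64_t fresh_exponent(uint64_t *ctr)
{
    return 1000003ULL * ++*ctr + 12345ULL;
}

/* Run n handshakes; the server process restarts before handshake number
 * restart_at (-1 = never). Returns how many recorded sessions an attacker can
 * recompute from the exchange key the server holds after the last handshake. */
int recoverable_sessions(enum mode m, int n, int restart_at)
{
    struct record log[MAX_SESSIONS];
    uint64_t ctr = 0;
    uint64_t held = 0;          /* 0 = no exchange key retained */
    int hits = 0;

    if (n > MAX_SESSIONS)
        n = MAX_SESSIONS;
    if (m != ECDHE_SINGLE_USE)
        held = fresh_exponent(&ctr);

    for (int i = 0; i < n; i++) {
        if (i == restart_at && m == ECDHE_REUSED)
            held = fresh_exponent(&ctr);    /* new process, new cached key */
        uint64_t s = (m == ECDHE_SINGLE_USE) ? fresh_exponent(&ctr) : held;
        uint64_t c = fresh_exponent(&ctr);  /* client's ephemeral exponent */
        log[i].client_pub = powmod(G, c);
        log[i].server_pub = powmod(G, s);
        log[i].secret = powmod(log[i].client_pub, s);
    }

    /* Attacker: match the stolen key to recorded server public values,
     * then recompute the shared secret from the recorded client value. */
    for (int i = 0; held != 0 && i < n; i++) {
        if (log[i].server_pub == powmod(G, held) &&
            powmod(log[i].client_pub, held) == log[i].secret)
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("fixed ECDH:       %d of 10 recoverable\n",
           recoverable_sessions(FIXED_ECDH, 10, 4));
    printf("ECDHE, key reuse: %d of 10 recoverable\n",
           recoverable_sessions(ECDHE_REUSED, 10, 4));
    printf("ECDHE, single use: %d of 10 recoverable\n",
           recoverable_sessions(ECDHE_SINGLE_USE, 10, 4));
    return 0;
}
```
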

RE: ECDH-RSA and TLS 1.2

Abhiram Shandilya
In reply to this post by Erik Tkal
I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Erik Tkal
Sent: Friday, November 02, 2012 8:24 AM
To: [hidden email]
Subject: RE: ECDH-RSA and TLS 1.2

What if the server has an ECDH certificate?  Would that then be the appropriate set of suites?

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Dr. Stephen Henson
Sent: Thursday, November 01, 2012 10:38 PM
To: [hidden email]
Subject: Re: ECDH-RSA and TLS 1.2

On Fri, Nov 02, 2012, Abhiram Shandilya wrote:

> Hi Steve, Thanks for your response. I'm just trying to figure out what
> it takes to get this working - are you of the opinion that an SSL
> server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why?
>

Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: ECDH-RSA and TLS 1.2

Jakob Bohm-7
(continuing TOFU posting to keep the thread somewhat consistent)

Given some of the mathematical restrictions on parameters needed to
keep DSA and ECDSA safe from attackers, I don't think using the same
private key for ECDSA and ECDH is a good/safe idea.

However I am not a genius cryptanalyst, so I cannot guarantee that
this is really dangerous, it is just a somewhat educated guess.

On 11/2/2012 9:06 PM, Abhiram Shandilya wrote:

> I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature.
>
>> -----Original Message-----
>> From: Erik Tkal
>> Sent: Friday, November 02, 2012 8:24 AM
>> To: [hidden email]
>> Subject: RE: ECDH-RSA and TLS 1.2
>>
>> What if the server has an ECDH certificate?  Would that then be the appropriate set of suites?
>>
>>
>>> -----Original Message-----
>>> From: Dr. Stephen Henson
>>> Sent: Thursday, November 01, 2012 10:38 PM
>>> To: [hidden email]
>>> Subject: Re: ECDH-RSA and TLS 1.2
>>>
>>> On Fri, Nov 02, 2012, Abhiram Shandilya wrote:
>>>
>>>> Hi Steve, Thanks for your response. I'm just trying to figure out what
>>>> it takes to get this working - are you of the opinion that an SSL
>>>> server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why?
>>>
>>> Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key.
>>


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: ECDH-RSA and TLS 1.2

Jeffrey Walton-3
On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <[hidden email]> wrote:
> (continuing TOFU posting to keep the thread somewhat consistent)
>
> Given some of the mathematical restrictions on parameters needed to
> keep DSA and ECDSA safe from attackers, I don't think using the same
> private key for ECDSA and ECDH is a good/safe idea.
>
> However I am not a genius cryptanalyst, so I cannot guarantee that
> this is really dangerous, it is just a somewhat educated guess.
Not at all - it's good advice. It's called Key Separation, and it's
covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I
usually see folks trying to use the same key for signing and
encryption. This is a slight twist in that they want to do signing and
agreement.

The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.

Jeff

> On 11/2/2012 9:06 PM, Abhiram Shandilya wrote:
>>
>> I thought the keys in ECC certificates can be used for both ECDH key
>> agreement and ECDSA digital signature.
>>
>>> -----Original Message-----
>>> From: Erik Tkal
>>> Sent: Friday, November 02, 2012 8:24 AM
>>> To: [hidden email]
>>> Subject: RE: ECDH-RSA and TLS 1.2
>>>
>>> What if the server has an ECDH certificate?  Would that then be the
>>> appropriate set of suites?
>>>
>>>
>>>> -----Original Message-----
>>>> From: Dr. Stephen Henson
>>>> Sent: Thursday, November 01, 2012 10:38 PM
>>>> To: [hidden email]
>>>> Subject: Re: ECDH-RSA and TLS 1.2
>>>>
>>>> On Fri, Nov 02, 2012, Abhiram Shandilya wrote:
>>>>
>>>>> Hi Steve, Thanks for your response. I'm just trying to figure out what
>>>>> it takes to get this working - are you of the opinion that an SSL
>>>>> server should not support TLS 1.2 ECDH-RSA cipher suites? Could you
>>>>> also mention why?
>>>>
>>>>
>>>> Well one reason is that the fixed ECDH cipher suites do not support
>>>> forward secrecy because they always use the same ECDH key.

RE: ECDH-RSA and TLS 1.2 [AESGCM]

Dave Thompson-5
In reply to this post by Abhiram Shandilya
> From: [hidden email] On Behalf Of Abhiram Shandilya
> Sent: Thursday, 01 November, 2012 21:31

-dev added

> I configured my openssl RSA CA to add the key usage extension
> for key agreement to the ECC certificate but even then it
> does not work. Pre-TLS 1.2 cipher suites such as
> ECDH-RSA-AES128-SHA work fine but just not the TLS 1.2 cipher
> suites with AESGCM.

Looks like a bug to me. (1.0.1c) s3_lib.c ciphers C031 and C032
have kECDHe when it appears they should have kECDHr .



Re: ECDH-RSA and TLS 1.2 [AESGCM]

Dr. Stephen Henson
On Fri, Nov 02, 2012, Dave Thompson wrote:

> > From: [hidden email] On Behalf Of Abhiram Shandilya
> > Sent: Thursday, 01 November, 2012 21:31
>
> -dev added
>
> > I configured my openssl RSA CA to add the key usage extension
> > for key agreement to the ECC certificate but even then it
> > does not work. Pre-TLS 1.2 cipher suites such as
> > ECDH-RSA-AES128-SHA work fine but just not the TLS 1.2 cipher
> > suites with AESGCM.
>
> Looks like a bug to me. (1.0.1c) s3_lib.c ciphers C031 and C032
> have kECDHe when it appears they should have kECDHr .
>

Should be fixed by this:

http://cvs.openssl.org/chngview?cn=22562

just hasn't made it into a release yet.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
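
A simplified model of the selection failure discussed in this sub-thread, added here as an example and not OpenSSL's code: the server derives a key-exchange mask from its certificate and only picks suites whose class is in that mask, so a suite recorded under the wrong class can never match. The struct and function names are hypothetical; the `kECDHr`/`kECDHe` labels and the C031/C032 entries follow the messages above, the key-usage rule follows the earlier reply about key agreement, and the code points are the standard TLS values for those suite names.

```c
#include <stddef.h>
#include <stdio.h>

/* Key-exchange classes, labelled as in the thread. Bit values are arbitrary. */
enum {
    K_ECDHr = 1,   /* fixed ECDH, certificate issued by an RSA CA   */
    K_ECDHe = 2,   /* fixed ECDH, certificate issued by an ECDSA CA */
    K_EECDH = 4    /* ephemeral ECDH, certificate key only signs    */
};

struct suite {
    unsigned id;            /* TLS cipher suite code point               */
    const char *name;       /* OpenSSL suite name                        */
    unsigned kx_reported;   /* class reported for 1.0.1c in the thread   */
    unsigned kx_corrected;  /* class the suite name implies              */
};

/* Listed in the server's preference order for this model. */
static const struct suite SUITES[] = {
    { 0xC00E, "ECDH-RSA-AES128-SHA",        K_ECDHr, K_ECDHr },
    { 0xC031, "ECDH-RSA-AES128-GCM-SHA256", K_ECDHe, K_ECDHr },
    { 0xC032, "ECDH-RSA-AES256-GCM-SHA384", K_ECDHe, K_ECDHr },
    { 0xC023, "ECDHE-ECDSA-AES128-SHA256",  K_EECDH, K_EECDH },
};
#define N_SUITES (sizeof SUITES / sizeof SUITES[0])

/* Hypothetical summary of a server certificate that carries an EC key. */
struct server_cert {
    int has_key_usage;         /* keyUsage extension present          */
    int ku_key_agreement;      /* keyAgreement bit set                */
    int ku_digital_signature;  /* digitalSignature bit set            */
    int signed_by_rsa_ca;      /* issuer signed with RSA, else ECDSA  */
};

/* Which key-exchange classes the certificate permits. A missing keyUsage
 * extension places no restriction on the key. */
unsigned cert_kx_mask(const struct server_cert *c)
{
    unsigned mask = 0;
    if (!c->has_key_usage || c->ku_key_agreement)
        mask |= c->signed_by_rsa_ca ? K_ECDHr : K_ECDHe;
    if (!c->has_key_usage || c->ku_digital_signature)
        mask |= K_EECDH;
    return mask;
}

/* First suite in server order that the client offered and the mask allows.
 * Returns 0 when nothing matches, i.e. "no shared cipher". */
unsigned choose_suite(const unsigned *offered, size_t n, unsigned mask,
                      int corrected)
{
    for (size_t i = 0; i < N_SUITES; i++) {
        unsigned kx = corrected ? SUITES[i].kx_corrected
                                : SUITES[i].kx_reported;
        if (!(kx & mask))
            continue;
        for (size_t j = 0; j < n; j++)
            if (offered[j] == SUITES[i].id)
                return SUITES[i].id;
    }
    return 0;
}

static const char *suite_name(unsigned id)
{
    for (size_t i = 0; i < N_SUITES; i++)
        if (SUITES[i].id == id)
            return SUITES[i].name;
    return "no shared cipher";
}

int main(void)
{
    /* Constructed input: EC certificate from an RSA CA, keyAgreement only. */
    struct server_cert cert = { 1, 1, 0, 1 };
    unsigned mask = cert_kx_mask(&cert);
    unsigned offers[] = { 0xC00E, 0xC031, 0xC023 };

    for (size_t i = 0; i < sizeof offers / sizeof offers[0]; i++)
        printf("offer %04X: reported table -> %s, corrected table -> %s\n",
               offers[i],
               suite_name(choose_suite(&offers[i], 1, mask, 0)),
               suite_name(choose_suite(&offers[i], 1, mask, 1)));
    return 0;
}
```
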

Re: ECDH-RSA and TLS 1.2

Jakob Bohm-7
In reply to this post by Jeffrey Walton-3
On 02-11-2012 21:46, Jeffrey Walton wrote:

> On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <[hidden email]> wrote:
>> (continuing TOFU posting to keep the thread somewhat consistent)
>>
>> Given some of the mathematical restrictions on parameters needed to
>> keep DSA and ECDSA safe from attackers, I don't think using the same
>> private key for ECDSA and ECDH is a good/safe idea.
>>
>> However I am not a genius cryptanalyst, so I cannot guarantee that
>> this is really dangerous, it is just a somewhat educated guess.
> Not at all - it's good advice. It's called Key Separation, and it's
> covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I
> usually see folks trying to use the same key for signing and
> encryption. This is a slight twist in that they want to do signing and
> agreement.
>
> The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.
>
I am aware of the general principle, but that is not my point at all.

My point is that the very specific math of DSA signatures may enable
specific attacks if the same key pair is used as a static DH key.

Information on this possibility (or its absence) is obscured by replies
like yours (and by similar general statements in official Government
materials from NIST etc.).

DSA/ECDSA is an algorithm which (like DES) is engineered "on the edge",
such that almost any modification is unlikely to improve security, and
in fact likely to undermine it.  And unlike PKCS#1 RSA operations, there
is very little in the design which limits the ability of an attacker to
use one operation (DH exchange) to help break another (DSA signature)
or the other way round.

>> On 11/2/2012 9:06 PM, Abhiram Shandilya wrote:
>>> I thought the keys in ECC certificates can be used for both ECDH key
>>> agreement and ECDSA digital signature.
>>>
>>>> -----Original Message-----
>>>> From: Erik Tkal
>>>> Sent: Friday, November 02, 2012 8:24 AM
>>>> To: [hidden email]
>>>> Subject: RE: ECDH-RSA and TLS 1.2
>>>>
>>>> What if the server has an ECDH certificate?  Would that then be the
>>>> appropriate set of suites?
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Dr. Stephen Henson
>>>>> Sent: Thursday, November 01, 2012 10:38 PM
>>>>> To: [hidden email]
>>>>> Subject: Re: ECDH-RSA and TLS 1.2
>>>>>
>>>>> On Fri, Nov 02, 2012, Abhiram Shandilya wrote:
>>>>>
>>>>>> Hi Steve, Thanks for your response. I'm just trying to figure out what
>>>>>> it takes to get this working - are you of the opinion that an SSL
>>>>>> server should not support TLS 1.2 ECDH-RSA cipher suites? Could you
>>>>>> also mention why?
>>>>> Well one reason is that the fixed ECDH cipher suites do not support
>>>>> forward secrecy because they always use the same ECDH key.

--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: ECDH-RSA and TLS 1.2

Jeffrey Walton-3
On Sun, Nov 4, 2012 at 7:15 PM,  <[hidden email]> wrote:

> On 02-11-2012 21:46, Jeffrey Walton wrote:
>>
>> On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <[hidden email]> wrote:
>>>
>>> (continuing TOFU posting to keep the thread somewhat consistent)
>>>
>>> Given some of the mathematical restrictions on parameters needed to
>>> keep DSA and ECDSA safe from attackers, I don't think using the same
>>> private key for ECDSA and ECDH is a good/safe idea.
>>>
>>> However I am not a genius cryptanalyst, so I cannot guarantee that
>>> this is really dangerous, it is just a somewhat educated guess.
>>
>> Not at all - it's good advice. It's called Key Separation, and it's
>> covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I
>> usually see folks trying to use the same key for signing and
>> encryption. This is a slight twist in that they want to do signing and
>> agreement.
>>
>> The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.
>>
> I am aware of the general principle, but that is not my point at all.
>
> My point is that the very specific math of DSA signatures may enable
> specific attacks if the same key pair is used as a static DH key.
>
> Information on this possibility (or its absence) is obscured by replies
> like yours (and by similar general statements in official Government
> materials from NIST etc.).
My apologies. I was not aware I was obscuring results. It was not my intention.

The OpenSSL list is a good list, but it's OpenSSL implementation
oriented. As such, it's not the best place to ask number theoretic
questions. To get your question answered, I would encourage you to ask
on an appropriate list; or visit a university and talk to someone in
the math department or teaching cryptography. (I still keep in touch
with my former crypto instructor, so I would simply send an email).

As far as I know, there are three such lists. First you can ask on
Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see
David Wagner patrolling sci.crypt on occasion. Both of these lists
will require you to wade through copious amounts of spam.

Third, you can try Jack Lloyd's Cryptography mailing list at
http://lists.randombit.net/mailman/listinfo. Jack is the author of
Botan, and a lot of first class crypto folks are active on his list,
such as Jon Callas and Peter Gutmann.

I have omitted a number of influential and helpful folks, so please
don't take offense if I did not name your favorite cryptographer. For
what it's worth, I don't think this is a conspiracy or a concerted
effort to suppress your knowledge.

Jeff

Re: ECDH-RSA and TLS 1.2

Jakob Bohm-7
On 11/5/2012 1:37 AM, Jeffrey Walton wrote:

> On Sun, Nov 4, 2012 at 7:15 PM,  <[hidden email]> wrote:
>> On 02-11-2012 21:46, Jeffrey Walton wrote:
>>>
>>> On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <[hidden email]> wrote:
>>>>
>>>> (continuing TOFU posting to keep the thread somewhat consistent)
>>>>
>>>> Given some of the mathematical restrictions on parameters needed to
>>>> keep DSA and ECDSA safe from attackers, I don't think using the same
>>>> private key for ECDSA and ECDH is a good/safe idea.
>>>>
>>>> However I am not a genius cryptanalyst, so I cannot guarantee that
>>>> this is really dangerous, it is just a somewhat educated guess.
>>>
>>> Not at all - it's good advice. It's called Key Separation, and it's
>>> covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I
>>> usually see folks trying to use the same key for signing and
>>> encryption. This is a slight twist in that they want to do signing and
>>> agreement.
>>>
>>> The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.
>>>
>> I am aware of the general principle, but that is not my point at all.
>>
>> My point is that the very specific math of DSA signatures may enable
>> specific attacks if the same key pair is used as a static DH key.
>>
>> Information on this possibility (or its absence) is obscured by replies
>> like yours (and by similar general statements in official Government
>> materials from NIST etc.).
> My apologies. I was not aware I was obscuring results. It was not my intention.
>
> The OpenSSL list is a good list, but it's OpenSSL implementation
> oriented. As such, it's not the best place to ask number theoretic
> questions. To get your question answered, I would encourage you to ask
> on an appropriate list; or visit a university and talk to someone in
> the math department or teaching cryptography. (I still keep in touch
> with my former crypto instructor, so I would simply send an email).
>
> As far as I know, there are three such lists. First you can ask on
> Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see
> David Wagner patrolling sci.crypt on occasion. Both of these lists
> will require you to wade through copious amounts of spam.
>
> Third, you can try Jack Lloyd's Cryptography mailing list at
> http://lists.randombit.net/mailman/listinfo. Jack is the author of
> Botan, and a lot of first class crypto folks are active on his list,
> such as Jon Callas and Peter Gutmann.
>
> I have omitted a number of influential and helpful folks, so please
> don't take offense if I did not name your favorite cryptographer. For
> what it's worth, I don't think this is a conspiracy or a concerted
> effort to suppress your knowledge.
>
It is not as much my question as an uncertain basis for my reply to
an OpenSSL user about why his OpenSSL related software seems to
prevent him from doing this possibly dangerous thing.  As I would
probably not try to do that myself anyway, I am not that interested
in the mathematical proving or disproving of the actual existence
of the risk.  It was simply a caveat emptor attached to my advice.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

RE: ECDH-RSA and TLS 1.2

Abhiram Shandilya
Just for everyone's benefit, there is a bug in OpenSSL that prevents ECDH-RSA cipher suites from being negotiated and this has been fixed in the latest stable snapshot.

For all the folks who recommend that ECDH-RSA and ECDH-ECDSA cipher suites should not be supported, can you point to literature that specifically recommends not using these cipher suites - I understand the principle of forward secrecy but why is it such a big concern for ECDH key exchange and not for RSA key exchange? And does OpenSSL provide any mitigation for this apparent weakness of ECDH using static keys?
Thanks
Abhi

________________________________________
From: [hidden email] [[hidden email]] on behalf of Jakob Bohm [[hidden email]]
Sent: Tuesday, November 06, 2012 1:34 AM
To: [hidden email]
Subject: Re: ECDH-RSA and TLS 1.2

On 11/5/2012 1:37 AM, Jeffrey Walton wrote:

> On Sun, Nov 4, 2012 at 7:15 PM,  <[hidden email]> wrote:
>> On 02-11-2012 21:46, Jeffrey Walton wrote:
>>>
>>> On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <[hidden email]> wrote:
>>>>
>>>> (continuing TOFU posting to keep the thread somewhat consistent)
>>>>
>>>> Given some of the mathematical restrictions on parameters needed to
>>>> keep DSA and ECDSA safe from attackers, I don't think using the same
>>>> private key for ECDSA and ECDH is a good/safe idea.
>>>>
>>>> However I am not a genius cryptanalyst, so I cannot guarantee that
>>>> this is really dangerous, it is just a somewhat educated guess.
>>>
>>> Not at all - it's good advice. It's called Key Separation, and it's
>>> covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I
>>> usually see folks trying to use the same key for signing and
>>> encryption. This is a slight twist in that they want to do signing and
>>> agreement.
>>>
>>> The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.
>>>
>> I am aware of the general principle, but that is not my point at all.
>>
>> My point is that the very specific math of DSA signatures may enable
>> specific attacks if the same key pair is used as a static DH key.
>>
>> Information on this possibility (or its absence) is obscured by replies
>> like yours (and by similar general statements in official Government
>> materials from NIST etc.).
> My apologies. I was not aware I was obscuring results. It was not my intention.
>
> The OpenSSL list is a good list, but it's OpenSSL implementation
> oriented. As such, it's not the best place to ask number theoretic
> questions. To get your question answered, I would encourage you to ask
> on an appropriate list; or visit a university and talk to someone in
> the math department or teaching cryptography. (I still keep in touch
> with my former crypto instructor, so I would simply send an email).
>
> As far as I know, there are three such lists. First you can ask on
> Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see
> David Wagner patrolling sci.crypt on occasion. Both of these lists
> will require you to wade through copious amounts of spam.
>
> Third, you can try Jack Lloyd's Cryptography mailing list at
> http://lists.randombit.net/mailman/listinfo. Jack is the author of
> Botan, and a lot of first class crypto folks are active on his list,
> such as Jon Callas and Peter Gutmann.
>
> I have omitted a number of influential and helpful folks, so please
> don't take offense if I did not name your favorite cryptographer. For
> what it's worth, I don't think this is a conspiracy or a concerted
> effort to suppress your knowledge.
>
It is not as much my question as an uncertain basis for my reply to
an OpenSSL user about why his OpenSSL related software seems to
prevent him from doing this possibly dangerous thing.  As I would
probably not try to do that myself anyway, I am not that interested
in the mathematical proving or disproving of the actual existence
of the risk.  It was simply a caveat emptor attached to my advice.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded