Ephemeral keying

Ephemeral keying

Jagannadha Bhattu
Hi,

I have some questions on ephemeral keying.

1. In the man page for SSL_CTX_set_tmp_dh_callback the example shows
that the same params are used for all connections. Is it safe?

2. I have seen the man page for dhparam. The generators can be 2 or 5.
Why only two generators are used? Which one is preferred out of 2 and
5?

3. I have seen some implementations like PostgreSQL hard coding the dh
params in case a file generated using dhparam is not available. Is it
safe to do it?

4. Will the callback supplied to SSL_CTX_set_tmp_rsa_callback be
called for each connection or will it be called only once in the life
time of the application? If it is called only once then does it mean
the same key is used for all connections? The example in the man page
for SSL_CTX_set_tmp_rsa_callback shows that only one time the key is
generated.

5. The man page for SSL_CTX_set_tmp_rsa_callback says that we need to
seed the PRNG. How do we do that typically?


Thanks
JB
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Ephemeral keying

Vadym Fedyukovych
Jagannadha Bhattu wrote:
> Hi,
>
> I have some questions on ephemeral keying.
>
> 1. In the man page for SSL_CTX_set_tmp_dh_callback the example shows
> that the same params are used for all connections. Is it safe?

The hardness of the (computational) Diffie-Hellman problem does not suffer from
using the same group (that is, parameters).
Well, unless someone could force parties into using a known-weak group.

> 2. I have seen the man page for dhparam. The generators can be 2 or 5.
> Why only two generators are used? Which one is preferred out of 2 and
> 5?

A reasonable requirement here would be that the computational Diffie-Hellman
(CDH) problem is hard enough for the group defined by the parameters
(modulus and generator).

> 3. I have seen some implementations like PostgreSQL hard coding the dh
> params in case a file generated using dhparam is not available. Is it
> safe to do it?

see #1

> 4. Will the callback supplied to SSL_CTX_set_tmp_rsa_callback be
> called for each connection or will it be called only once in the life
> time of the application? If it is called only once then does it mean
> the same key is used for all connections? The example in the man page
> for SSL_CTX_set_tmp_rsa_callback shows that only one time the key is
> generated.
>
> 5. The man page for SSL_CTX_set_tmp_rsa_callback says that we need to
> seed the PRNG. How do we do that typically?
>
>
> Thanks
> JB

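Added example, not part of the thread and not OpenSSL code: a sketch of the point made in the reply above, that one DH group can be shared by every connection as long as the group itself is not weak and each key exchange draws fresh private exponents. The function names and the 62-bit demo modulus are constructed for illustration and are far too small for real use.

```python
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases: exact for n < 2**64, probabilistic above."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_problems(p, g):
    """Reasons to refuse a (modulus, generator) pair; an empty list means accept."""
    issues = []
    if not is_prime(p):
        issues.append("modulus is not prime")
    elif not is_prime((p - 1) // 2):
        issues.append("modulus is not a safe prime")  # p - 1 may be smooth
    if not 2 <= g <= p - 2:
        issues.append("generator outside [2, p-2]")
    return issues

def toy_safe_prime(bits=62):
    """Constructed demo modulus, far too small for real use."""
    p = 2**bits - 1
    while group_problems(p, 2):
        p -= 4  # safe primes above 5 are 3 mod 4
    return p

def key_exchange(p, g):
    """One handshake on the shared group; each side draws a fresh exponent."""
    q = (p - 1) // 2
    a, b = (2 + secrets.randbelow(q - 2) for _ in range(2))
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)
    return pow(pub_b, a, p), pow(pub_a, b, p)

P, G = toy_safe_prime(), 2  # generated once, reused for every handshake
```
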
Re: Ephemeral keying

Jagannadha Bhattu
Can someone answer the 4th and 5th questions?

On 7/8/05, Vadym Fedyukovych <[hidden email]> wrote:

> Jagannadha Bhattu wrote:
> > Hi,
> >
> > I have some questions on ephemeral keying.
> >
> > 1. In the man page for SSL_CTX_set_tmp_dh_callback the example shows
> > that the same params are used for all connections. Is it safe?
>
> The hardness of the (computational) Diffie-Hellman problem does not suffer from
> using the same group (that is, parameters).
> Well, unless someone could force parties into using a known-weak group.
>
> > 2. I have seen the man page for dhparam. The generators can be 2 or 5.
> > Why only two generators are used? Which one is preferred out of 2 and
> > 5?
>
> A reasonable requirement here would be that the computational Diffie-Hellman
> (CDH) problem is hard enough for the group defined by the parameters
> (modulus and generator).
>
> > 3. I have seen some implementations like PostgreSQL hard coding the dh
> > params in case a file generated using dhparam is not available. Is it
> > safe to do it?
>
> see #1
>
> > 4. Will the callback supplied to SSL_CTX_set_tmp_rsa_callback be
> > called for each connection or will it be called only once in the life
> > time of the application? If it is called only once then does it mean
> > the same key is used for all connections? The example in the man page
> > for SSL_CTX_set_tmp_rsa_callback shows that only one time the key is
> > generated.
> >
> > 5. The man page for SSL_CTX_set_tmp_rsa_callback says that we need to
> > seed the PRNG. How do we do that typically?
> >
> >
> > Thanks
> > JB

Re: Ephemeral keying

Vadym Fedyukovych
Jagannadha Bhattu wrote:
> Can someone answer the 4th and 5th questions?

Why not read the source?

ssl3_send_server_key_exchange() would call SSL->cert->rsa_tmp_cb()
set by ssl3_callback_ctrl(, SSL_CTRL_SET_TMP_RSA_CB, )
or by ssl3_ctx_callback_ctrl().

SSL_CTX_set_tmp_rsa_callback() is just
SSL_CTX_callback_ctrl(, SSL_CTRL_SET_TMP_RSA_CB, )

So, this callback is called on each key exchange.

Man page says this callback is called whenever a temporary RSA key
is required.

ssltest.c generates a new fresh RSA key for each call of this callback.

Seeding the PRNG is well documented in the FAQ.
