How to enable Fixed Diffie Hellman key exchange mechanism

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

How to enable Fixed Diffie Hellman key exchange mechanism

Bharathi Prasad
Hello,

I want to use static Diffie Hellman key exchange with RSA authentication
(DH_RSA) in my application.

I am currently using OpenSSL version 1.0.2n. I understand that from version
1.0.2 openSSL supports fixed DH.

Here is what I have tried so far.

Trial 1: I created DH server and client certificates as described in demo
script in master branch demos/certs/mkcerts.sh.
 I need a certificate in PKCS12 file to import into my application. Since DH
certificate do not have private key I used pkcs12 -nokeys option. This
approach failed when I tried to read the certificate from my store.


Trial 2.  I tried to set DH certificates with SSL_CTX_use_certificate_file()
in the client and server applications.
After loading the certificate into my ssl context what should I do?

Trial 3. I came across some articles where it was suggested that for static
DH key exchange append DH parameters to the server certificate. So I
appended my DH parameters (2048 key size) to my server certificate and
created a pkcs12 file.

Import certificate worked however when I tried to read back the certificate
from store into x509 object I was unable to retrieve the DH parameters.

I could not find a way to retrieve my DH parameters from the server
certificate.

Trial 4: I placed DH parameter file in my project folder and read the
parameters using PEM_read_DHparams(). Then I tried to create DH key with
DH_generate_key();

I could not call DH_compute_key as I do not have peer certificate. This
configuration is done before I call ssl_connect. So my SSL object is NULL at
this point of time.

After this I do not know how to proceed.

I cannot use SSL_CTX_set_tmp_dh as this api is used for ephemeral Diffie
Hellman key exchange.

Please let me know where I am going wrong. I need to enable static DH in my
application.

Regards
Bharathi



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: How to enable Fixed Diffie Hellman key exchange mechanism

Viktor Dukhovni


> On Jan 11, 2018, at 4:35 AM, Bharathi Prasad <[hidden email]> wrote:
>
> I want to use static Diffie Hellman key exchange with RSA authentication
> (DH_RSA) in my application.
>
> I am currently using OpenSSL version 1.0.2n. I understand that from version
> 1.0.2 openSSL supports fixed DH.

Support for "fixed DH" ciphers has been withdrawn in OpenSSL 1.1.0.
Also TLS 1.3 drops support for "fixed DH".  You should not use
"fixed DH" ciphers (i.e. any of DH_RSA, DH_DSS, ECDH_ECDSA, ECDH_RSA).

RFC5246 says:

   If the client provided a "signature_algorithms" extension, then all
   certificates provided by the server MUST be signed by a
   hash/signature algorithm pair that appears in that extension.  Note
   that this implies that a certificate containing a key for one
   signature algorithm MAY be signed using a different signature
   algorithm (for instance, an RSA key signed with a DSA key).  This is
   a departure from TLS 1.1, which required that the algorithms be the
   same.  Note that this also implies that the DH_DSS, DH_RSA,
   ECDH_ECDSA, and ECDH_RSA key exchange algorithms do not restrict the
   algorithm used to sign the certificate.  Fixed DH certificates MAY be
   signed with any hash/signature algorithm pair appearing in the
   extension.  The names DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA are
   historical.

So "RSA authentication" is a misnomer with "fixed DH", the certificate
is a DH or ECDH certificate.  Both authentication and key exchange
are via the same DH or ECDH computation.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: How to enable Fixed Diffie Hellman key exchange mechanism

Jakob Bohm-7
In reply to this post by Bharathi Prasad
On 11/01/2018 10:35, Bharathi Prasad wrote:

> Hello,
>
> I want to use static Diffie Hellman key exchange with RSA authentication
> (DH_RSA) in my application.
>
> I am currently using OpenSSL version 1.0.2n. I understand that from version
> 1.0.2 openSSL supports fixed DH.
>
> Here is what I have tried so far.
>
> Trial 1: I created DH server and client certificates as described in demo
> script in master branch demos/certs/mkcerts.sh.
>   I need a certificate in PKCS12 file to import into my application. Since DH
> certificate do not have private key I used pkcs12 -nokeys option. This
> approach failed when I tried to read the certificate from my store.
DH certificates DO have an associated private key.  A private DH key
which will be the same for every connection (the matching public key
is in the certificate).

>
> Trial 2.  I tried to set DH certificates with SSL_CTX_use_certificate_file()
> in the client and server applications.
> After loading the certificate into my ssl context what should I do?
>
> Trial 3. I came across some articles where it was suggested that for static
> DH key exchange append DH parameters to the server certificate. So I
> appended my DH parameters (2048 key size) to my server certificate and
> created a pkcs12 file.
>
> Import certificate worked however when I tried to read back the certificate
> from store into x509 object I was unable to retrieve the DH parameters.
>
> I could not find a way to retrieve my DH parameters from the server
> certificate.
Start by doing openssl x509 -noout -text -in serverDHcert.pem to see
if they are there, and in what field.  Then start looking for functions
that retrieve that field from an X509 object.  In 1.0.2 that might be
a function or a "public" field in the X509 structure.

> Trial 4: I placed DH parameter file in my project folder and read the
> parameters using PEM_read_DHparams(). Then I tried to create DH key with
> DH_generate_key();
>
> I could not call DH_compute_key as I do not have peer certificate. This
> configuration is done before I call ssl_connect. So my SSL object is NULL at
> this point of time.
Only the TLS *server* would have a DH certificate.  The TLS client would
have a random DH private key for the parameters received from the TLS
server, sending the single-use client DH public key to the TLS server.

The TLS server would combine it's private DH server key with the received
client DH public key in DH_compute_key() called from inside the TLS code.

The TLS client would combine it's random DH private key with the public
DH server key from the received server certificate in a similar way to
get the same shared secret and thus the same shared TLS master secret.


> After this I do not know how to proceed.
>
> I cannot use SSL_CTX_set_tmp_dh as this api is used for ephemeral Diffie
> Hellman key exchange.
>
> Please let me know where I am going wrong. I need to enable static DH in my
> application.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: How to enable Fixed Diffie Hellman key exchange mechanism

Bharathi Prasad
In reply to this post by Viktor Dukhovni
Thank you for the reply.

Let me rephrase my question.

How to support fixed Diffie Hellman key agreement in my application.

OpenSSL 1.0.2 supports fixed DH.
We are currently referring to TLS 1.2 standard and hence need to extend
support for fixed DH and ephemeral DH. I was able to enable EDH but not DH.

Could you please give me pointers on how to extend support for fixed DH in
my code.



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: How to enable Fixed Diffie Hellman key exchange mechanism

Viktor Dukhovni


> On Jan 12, 2018, at 1:57 AM, Bharathi Prasad <[hidden email]> wrote:
>
> Let me rephrase my question.
>
> How to support fixed Diffie Hellman key agreement in my application.
>
> OpenSSL 1.0.2 supports fixed DH.
> We are currently referring to TLS 1.2 standard and hence need to extend
> support for fixed DH and ephemeral DH. I was able to enable EDH but not DH.
>
> Could you please give me pointers on how to extend support for fixed DH in
> my code.

Once again, the best thing to do here is to NOT support fixed DH in TLS
1.2.  These are not mandatory ciphersuites, and they proved in retrospect
a bad idea.  So just don't do it.  You will encounter any interoperability
issues by omitting support for these ciphersuites.

Why do you feel a need to support fixed DH?

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: How to enable Fixed Diffie Hellman key exchange mechanism

Bharathi Prasad
I understand your point and also agree with you.

I am not in a position to explain the requirement. This is important and we
need to provide the support. The system supports only DH and EDH.  So could
you please help me and give me pointers on how to implement fixed DH
support.

 



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: How to enable Fixed Diffie Hellman key exchange mechanism

Viktor Dukhovni


> On Jan 15, 2018, at 11:14 PM, Bharathi Prasad <[hidden email]> wrote:
>
> I am not in a position to explain the requirement. This is important and we
> need to provide the support. The system supports only DH and EDH.  So could
> you please help me and give me pointers on how to implement fixed DH
> support.

Are you sure the requirement is stated correctly?  EDH is incompatible with
fixed DH, with EDH you use RSA or ECDSA to authenticate the key exchange.

As for using DH keys, they should just work, but you need to load the certificate
before setting the private key, because the key type is ambiguous in the absence
of the certificate, as there's a distinction between SSL_PKEY_DH_RSA and
SSL_PKEY_DH_DSA, that is resolved by the certificate type.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users