Re: [openssl-dev] A question DH parameter generation and usage

Re: [openssl-dev] A question DH parameter generation and usage

OpenSSL - User mailing list

You can re-use the keys, but then you get no forward secrecy, and sessions generated with one connection are vulnerable to another.

Why are you using DH?  Unless you have compelling reasons (interop with legacy), you really should use ECDHE.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-dev] A question DH parameter generation and usage

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of Salz, Rich via openssl-users
> Sent: Wednesday, December 06, 2017 08:50

> You can re-use the keys, but then you get no forward secrecy, and sessions generated with one connection are
> vulnerable to another.

If you reuse keys, yes; but you still get PFS if you only reuse the same group and generate ephemeral keys (assuming sufficient group strength, where "sufficient" depends on the size of the group and its value to well-resourced attackers). I thought that was what the original poster was asking about.

> Why are you using DH?  Unless you have compelling reasons (interop with legacy), you really should use ECDHE.

Interop would be the usual reason. And since supporting DHE properly is a small fixed cost (generate a group or pick one from RFC 7919, hard-code it, and set it in each SSL_CTX), you might as well do it, no?

But I agree that the ECDHE suites are generally preferable when the client supports them. I know there's some NSA FUD around ECC since they pulled it from the Suite B recommendations in 2015.[1] I still think the published evidence supports using ECC, though. On the other hand, and per today's other thread on the subject, there may be legal concerns around the use of ECC.


[1] Matt Green has a nice discussion of this, including a link to the great paper Koblitz and Menezes wrote about it, here: https://blog.cryptographyengineering.com/2015/10/22/a-riddle-wrapped-in-curve/

--
Michael Wojcik
Distinguished Engineer, Micro Focus
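
Added example (not part of the original thread and not OpenSSL code): a Python sketch of the distinction drawn in the message above, using one fixed group for every connection while either reusing the server's DH key or generating a fresh one each time. The group is the ffdhe2048 modulus rebuilt from its RFC 7919 Appendix A.1 formula; the function names and the single-leaked-exponent model are assumptions made for illustration.

```python
import secrets

def ffdhe2048_prime():
    """ffdhe2048 modulus from the RFC 7919 Appendix A.1 formula:
    p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1"""
    guard = 64                              # extra bits absorb rounding error
    term = 1 << (1918 + guard)              # scaled 1/0!
    total, k = 0, 0
    while term:                             # e = sum over k of 1/k!
        total += term
        k += 1
        term //= k
    e_part = total >> guard                 # floor(2^1918 * e)
    return (1 << 2048) - (1 << 1984) + ((e_part + 560316) << 64) - 1

P = ffdhe2048_prime()   # the group: fixed, public, fine to hard-code and reuse
G = 2
Q = (P - 1) // 2        # order of the subgroup generated by G

def new_private_key():
    return secrets.randbelow(Q - 2) + 2

def run_connections(n, reuse_server_key):
    """Simulate n DHE handshakes over the same group (constructed scenario).
    Returns (recorded client public values, session secrets, last server key)."""
    static_key = new_private_key()
    recorded, session_secrets, server_key = [], [], None
    for _ in range(n):
        server_key = static_key if reuse_server_key else new_private_key()
        client_key = new_private_key()
        client_pub = pow(G, client_key, P)          # visible on the wire
        server_pub = pow(G, server_key, P)          # visible on the wire
        shared = pow(client_pub, server_key, P)     # server side
        assert shared == pow(server_pub, client_key, P)  # client side agrees
        recorded.append(client_pub)
        session_secrets.append(shared)
    return recorded, session_secrets, server_key

def sessions_exposed_by_leak(n, reuse_server_key):
    """How many recorded sessions does one leaked server exponent reveal?"""
    recorded, session_secrets, leaked = run_connections(n, reuse_server_key)
    return sum(pow(pub, leaked, P) == s
               for pub, s in zip(recorded, session_secrets))

if __name__ == "__main__":
    print("reused key:   ", sessions_exposed_by_leak(5, True), "of 5 exposed")
    print("ephemeral key:", sessions_exposed_by_leak(5, False), "of 5 exposed")
```

With a reused server key the single leaked exponent reproduces every recorded session secret; with per-connection keys it reproduces only the session it was generated for, even though the group never changes.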




Re: [openssl-dev] A question DH parameter generation and usage

Jayalakshmi bhat
Hi Michael,

Thanks for the very detailed answers. This will surely help me to investigate further.

Regards
Jaya

On Wed, Dec 6, 2017 at 7:37 PM, Michael Wojcik <[hidden email]> wrote:
> From: openssl-users [mailto:[hidden email]] On Behalf Of Salz, Rich via openssl-users
> Sent: Wednesday, December 06, 2017 08:50

> You can re-use the keys, but then you get no forward secrecy, and sessions generated with one connection are
> vulnerable to another.

If you reuse keys, yes; but you still get PFS if you only reuse the same group and generate ephemeral keys (assuming sufficient group strength, where "sufficient" depends on the size of the group and its value to well-resourced attackers). I thought that was what the original poster was asking about.

> Why are you using DH?  Unless you have compelling reasons (interop with legacy), you really should use ECDHE.

Interop would be the usual reason. And since supporting DHE properly is a small fixed cost (generate a group or pick one from RFC 7919, hard-code it, and set it in each SSL_CTX), you might as well do it, no?

But I agree that the ECDHE suites are generally preferable when the client supports them. I know there's some NSA FUD around ECC since they pulled it from the Suite B recommendations in 2015.[1] I still think the published evidence supports using ECC, though. On the other hand, and per today's other thread on the subject, there may be legal concerns around the use of ECC.


[1] Matt Green has a nice discussion of this, including a link to the great paper Koblitz and Menezes wrote about it, here: https://blog.cryptographyengineering.com/2015/10/22/a-riddle-wrapped-in-curve/

--
Michael Wojcik
Distinguished Engineer, Micro Focus




Re: [openssl-dev] A question DH parameter generation and usage

Jayalakshmi bhat
Hi Rich,

Thanks for the reply. We are planning to use DHE_RSA based ciphers.

Regards
Jaya

On Wed, Dec 6, 2017 at 7:20 PM, Salz, Rich via openssl-users <[hidden email]> wrote:

You can re-use the keys, but then you get no forward secrecy, and sessions generated with one connection are vulnerable to another.

Why are you using DH?  Unless you have compelling reasons (interop with legacy), you really should use ECDHE.