On Fri, Jun 25, 1999 at 08:43:14AM -0700, Eric Rescorla wrote:

>> Forward secrecy is exactly the point (that's what the temporary keys
>> are for, if we leave aside export ciphers). You're right that it
>> shouldn't be necessary to create a fresh key every time we need one,
>> but it does not cost a lot;

> I'm not sure what you mean by 'doesn't cost a lot'. It essentially
> doubles the computation cost, because it requires two modular
> exponentiations instead of one.

But this doesn't make it twice as expensive, because for the first
exponentiation the generator is usually 2; and if that's still too
slow (1024 squaring operations), the obvious change would be to use DH
parameters with a 160-bit subprime and a 160-bit secret exponent (160
squarings and ca. 80 full-size multiplications, and even the second
exponentiation will benefit from this). Anyway, if you're not that
concerned about forward-secrecy and standard conformance, then you can
use the same DH key multiple times: OpenSSL allows you to set a flag
to demand either DH key reuse or ephemeral keys.

>> [...] because you can very well imagine
>> situations where an attacker might attack the server physically when
>> they think that something interesting happened.

> I'm not particularly impressed by this attack. The attacker might
> just as well attack the server physically and keep it running
> so he can continue to record transactions.

That depends very much on the particular use scenario, obviously;
sometimes the order in which things happen can be significant,
sometimes not that much.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
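
The cost figures discussed in this message, worked through as an added example (not part of the original e-mail and not OpenSSL code): plain left-to-right square-and-multiply with operation counting, comparing generator 2 with a 1024-bit exponent against a 160-bit exponent. Assumptions: the modulus P, the stand-in bases and the two exponents are constructed for illustration (P is not a vetted DH prime; the counts depend only on the exponent and on whether the base is small), and real libraries use windowed methods that lower the multiplication counts further.

```python
# Constructed 1024-bit odd modulus; NOT a vetted DH prime, used only to do the arithmetic.
P = (1 << 1024) - 105

# Constructed exponents with half of their bits set, like an average random exponent.
X_LONG = int("10" * 512, 2)   # 1024-bit secret exponent
X_SHORT = int("10" * 80, 2)   # 160-bit secret exponent (for a 160-bit subprime)

# Stand-ins for full-size bases: a generator of a small subgroup and a peer's public value.
G_SUB = pow(5, 0xBADC0DE, P)
PEER = pow(3, 0xC0FFEE, P)


def modexp_counted(g, x, p):
    """Binary exponentiation; returns (g**x mod p, squarings, full_mults, cheap_mults).

    A multiplication by a tiny base such as 2 is a shift plus a conditional
    subtraction, so it is counted separately from full-size multiplications.
    """
    if x <= 0:
        raise ValueError("exponent must be positive")
    small_base = g.bit_length() <= 16
    acc = g % p                      # the leading 1 bit of x is consumed here
    squarings = full = cheap = 0
    for bit in bin(x)[3:]:           # remaining bits, most significant first
        acc = acc * acc % p
        squarings += 1
        if bit == "1":
            acc = acc * g % p
            if small_base:
                cheap += 1
            else:
                full += 1
    return acc, squarings, full, cheap


def scenarios():
    """Operation counts for key generation and shared-secret computation."""
    cases = {
        "keygen, g=2, 1024-bit exponent": (2, X_LONG),
        "keygen, subgroup g, 160-bit exponent": (G_SUB, X_SHORT),
        "shared secret, 1024-bit exponent": (PEER, X_LONG),
        "shared secret, 160-bit exponent": (PEER, X_SHORT),
    }
    out = {}
    for name, (g, x) in cases.items():
        result, sq, full, cheap = modexp_counted(g, x, P)
        assert result == pow(g, x, P)    # counting must not change the result
        out[name] = (sq, full, cheap)
    return out


if __name__ == "__main__":
    for name, (sq, full, cheap) in scenarios().items():
        print(f"{name:40s} squarings={sq:4d} full_mults={full:3d} cheap_mults={cheap:3d}")
```
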