Bill Price wrote:
>
> Pardon my dumb question: can you expand on or give a reference regarding
> your "point to note." What temporary RSA key are you referring to: a
> temporary PK RSA or RSA (CORP) symmetric ciphers (RC 2/4) (I presume the
> former)? What is "naughty"? Thanks.
>
Some SSLv3 export ciphers have a limitation on the maximum size of
server key that can be used for key exchange due to US export
regulations at the time (they've since been amended I believe).
If the key is larger than 512 bits the server will generate a temporary
RSA key (well this is so slow that in practice it will just select one
from a pre-generated "pool") 512 bits in length and SIGN it using the
certified server key. This temporary key is then used for key exchange.
The signature is necessary to thwart man in the middle attacks.
This is part of the server key exchange message, see SSL v3 spec 5.6.3.
Anyway the point is that the certified server key is used to SIGN the
temporary key. Netscape and other SSL clients seem to tolerate this
however strictly speaking it's using the server key for a purpose it
hasn't been certified for.
A crypto library asked to verify a signature from a key in a certificate
which had only the keyEncipherment bit set in a critical keyUsage
extension would be justified in rejecting the operation on these
grounds.
Netscape's site also suggests that just keyEncipherment in keyUsage is
acceptable. I'd guess this was written before temporary keys were used.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
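
The strict check described in the reply above, as an added Python example that is not part of the original post and is not OpenSSL code. It decodes the DER BIT STRING of a keyUsage extension and decides whether the certified key may sign a temporary 512-bit key. The function names and sample bytes are constructed, and treating a non-critical keyUsage as advisory is an assumption of this sketch.

```python
# Added illustration: names and sample bytes are constructed, not from OpenSSL.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
EXPORT_RSA_MAX_BITS = 512  # key-exchange limit for the export ciphers

# Constructed keyUsage values (DER BIT STRING: tag, length, unused bits, data)
KEY_ENCIPHERMENT_ONLY = bytes.fromhex("03020520")
SIGNATURE_AND_ENCIPHERMENT = bytes.fromhex("030205a0")

def parse_key_usage(der):
    """Decode the DER BIT STRING of a keyUsage extension into usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first payload byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def check_export_key_exchange(server_key_bits, key_usage_der=None, critical=False):
    """Return (uses_temp_key, acceptable, reason) for an export RSA suite."""
    # A certified key above 512 bits cannot be used for key exchange directly:
    # it signs a temporary 512-bit key, which needs digitalSignature.
    uses_temp_key = server_key_bits > EXPORT_RSA_MAX_BITS
    needed = "digitalSignature" if uses_temp_key else "keyEncipherment"
    if key_usage_der is None:
        return uses_temp_key, True, "no keyUsage extension present"
    usage = parse_key_usage(key_usage_der)
    if needed in usage:
        return uses_temp_key, True, needed + " is asserted"
    if critical:
        return uses_temp_key, False, "critical keyUsage lacks " + needed
    # Assumption of this sketch: a non-critical keyUsage is only advisory.
    return uses_temp_key, True, "non-critical keyUsage lacks " + needed

if __name__ == "__main__":
    for bits, der in [(1024, KEY_ENCIPHERMENT_ONLY), (512, KEY_ENCIPHERMENT_ONLY),
                      (1024, SIGNATURE_AND_ENCIPHERMENT)]:
        print(bits, der.hex(), check_export_key_exchange(bits, der, critical=True))
```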