Yes, it is independent, and what I meant is that it is either one, and I doubt you want to go for such a hybrid, to be consistent and for key provisioning. Actually, ECDSA (ECC) is another efficient crypto option also worth exploring.

Overall, it is up to you how you want to make it operationally efficient ... not forgetting the troubleshooting hassle and multiple users. :D

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Nou Dadoun
Sent: Wednesday, July 25, 2012 12:38 PM
To: janders...@widener.edu
Cc: openssl-users@openssl.org
Subject: RE: DSA certificates from windows certificate store into openssl

Thanks very much for your clearly laid out and informative note; most of this matches my intuitive understanding of the differences, but having it elucidated and backed with experience is invaluable. Thanks again ... N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215

-----Original Message-----
From: Jaaron Anderson [mailto:janders...@widener.edu]
Sent: July 25, 2012 8:05 AM
To: openssl-users@openssl.org
Cc: Nou Dadoun
Subject: Re: DSA certificates from windows certificate store into openssl
Importance: High

Replying to the DSA inquiry from Nou Dadoun yesterday.

First thing is, an RSA certificate has RSA keys and a DSA certificate has Diffie-Hellman (DH) keys. In SSL, Diffie-Hellman is used for key exchange to create a common shared secret at each end. Thereafter, the channel is secured using the secret, not the DH keys. DSA is primarily for digital signatures, to check authenticity as well as integrity.

Under OpenSSL, you can load both RSA and DSA certificates and key pairs in the SSL_CTX and SSL structure. If you use a DSA certificate, you must load DH keys. Although the RSA algorithm is used for both key exchange and signing operations, DSA can be used only for signing. Therefore, DH is used as the key agreement algorithm with a DSA certificate in an SSL application. Nonetheless, see these links on using the DH keys:
@ http://h71000.www7.hp.com/doc/83final/ba554_90007/ch06s06.html
@ http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html#DESCRIPTION

DSA is not really used interchangeably with RSA. It is either the former or the latter.

RSA and DSA certificates and keys are incompatible. An SSL client that has only an RSA certificate and key cannot establish a connection with an SSL server that has only a DSA certificate and key.

Check out these articles, which use DSA or RSA as the server certificate:
Java based @ http://www.novell.com/documentation/extend52/Docs/help/AppServer/books/admSecurity.html#1021296
OpenSSL based @ http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html#d0e3109

See the table of cipher suites in the above article, which illustrates the available encryption strength. E.g. DSA cert - TLS_DHE_DSS_WITH_AES_256_CBC_SHA, or RSA cert - TLS_DHE_RSA_WITH_AES_256_CBC_SHA. Now there is also TLS 1.2.

Coming back, RSA certificates are commonly used for SSL; SSL servers that use DSA certificates are rare. Just a quick comparison: DSA is faster at signing, RSA is faster at verifying. I see DSA as for key exchange/signing purposes only, while RSA can encrypt and sign.

Hth

Aaron Anderson
janders...@widener.edu
Widener University
610-499-1049

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org