On 02-11-2012 21:46, Jeffrey Walton wrote:
On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
(continuing TOFU posting to keep the thread somewhat consistent)
Given some of the mathematical restrictions on parameters needed to
keep DSA and ECDSA safe from attackers, I don't think using the same
private key for ECDSA and ECDH is a good/safe idea.
However I am not a genius cryptanalyst, so I cannot guarantee that
this is really dangerous, it is just a somewhat educated guess.
Not at all - it's good advice. It's called Key Separation, and it's
covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I
usually see folks trying to use the same key for signing and
encryption. This is a slight twist in that they want to do signing and
agreement.
The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.
I am aware of the general principle, but that is not my point at all.
My point is that the very specific math of DSA signatures may enable
specific attacks if the same key pair is used as a static DH key.
Information on this possibility (or its absence) is obscured by replies
like yours (and by similar general statements in official Government
materials from NIST etc.).
DSA/ECDSA is an algorithm which (like DES) is engineered "on the edge",
such that almost any modification is unlikely to improve security, and
in fact likely to undermine it. And unlike PKCS#1 RSA operations, there
is very little in the design which limits the ability of an attacker to
use one operation (DH exchange) to help break another (DSA signature)
or the other way round.
On 11/2/2012 9:06 PM, Abhiram Shandilya wrote:
I thought the keys in ECC certificates can be used for both ECDH key
agreement and ECDSA digital signature.
-----Original Message-----
From: Erik Tkal
Sent: Friday, November 02, 2012 8:24 AM
To: openssl-users@openssl.org
Subject: RE: ECDH-RSA and TLS 1.2
What if the server has an ECDH certificate? Would that then be the
appropriate set of suites?
-----Original Message-----
From: Dr. Stephen Henson
Sent: Thursday, November 01, 2012 10:38 PM
To: openssl-users@openssl.org
Subject: Re: ECDH-RSA and TLS 1.2
On Fri, Nov 02, 2012, Abhiram Shandilya wrote:
Hi Steve, Thanks for your response. I'm just trying to figure out what
it takes to get this working - are you of the opinion that an SSL
server should not support TLS 1.2 ECDH-RSA cipher suites? Could you
also mention why?
Well one reason is that the fixed ECDH cipher suites do not support
forward secrecy because they always use the same ECDH key.
--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
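
Added example, not part of the original thread and not OpenSSL code: a sketch of the forward-secrecy point made above about fixed ECDH suites always using the same ECDH key. It uses toy finite-field Diffie-Hellman as a stand-in for ECDH; the group parameters and every function name are assumptions made for illustration.

```python
# Added illustration: toy finite-field Diffie-Hellman standing in for ECDH.
# P, G and all function names are assumptions made for this sketch.
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime; toy size, far too small for real use
G = 3


def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_sessions(count, fixed_server_key):
    """Simulate handshakes; return (recorded transcripts, real keys, cert key)."""
    cert_priv, cert_pub = keypair()          # long-term key in the certificate
    transcripts, keys = [], []
    for _ in range(count):
        c_priv, c_pub = keypair()            # client share, fresh per session
        if fixed_server_key:                 # fixed ECDH: reuse the cert key
            s_priv, s_pub = cert_priv, cert_pub
        else:                                # ECDHE: fresh share, cert key only signs
            s_priv, s_pub = keypair()
        key = session_key(s_priv, c_pub)
        assert key == session_key(c_priv, s_pub)   # both sides agree
        keys.append(key)
        transcripts.append((c_pub, s_pub))   # all a passive recorder sees
        del s_priv, c_priv                   # ephemeral secrets are discarded
    return transcripts, keys, cert_priv


def keys_exposed_by_cert_key(transcripts, keys, leaked_cert_priv):
    """Count past sessions whose key follows from the leaked certificate key."""
    derived = [session_key(leaked_cert_priv, c_pub) for c_pub, _ in transcripts]
    return sum(d == k for d, k in zip(derived, keys))


if __name__ == "__main__":
    for fixed in (True, False):
        t, k, leaked = run_sessions(5, fixed)
        print("fixed" if fixed else "ephemeral", keys_exposed_by_cert_key(t, k, leaked))
```

With the fixed key every recorded session key can be recomputed once the certificate key leaks; with per-session server keys none can, which is the property the ECDHE suites provide and the fixed ECDH suites lack.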