Ben raises an interesting thought:

> There was some question about whether this is possible for connections that
> use client-certs, since it looks to me from the spec that those connections
> should be using one of the Diffie Hellman cipher suites, which is obviously
> not vulnerable to a passive sniffing 'attack'. Active 'attacks' will
> obviously still work. Bear in mind that we're talking about deliberate
> undermining of the SSL connection by organisations, usually against their
> website users (without talking about the goodness, badness or legality of
> that), so "how do they get the private keys" isn't relevant.
We have the dichotomy that DH protects against all passive attacks, and a signed cert protects against most active attacks, and most passive attacks, but not passive attacks where the key is leaked, and not active attacks where the key is "forged" (as a cert). But we do not use both DH and certificates at the same time; we generally pick one or the other.

Could we however do both? In the act of a public key protected key exchange, Alice generally creates a random key and encrypts that to Bob's public key. That random then gets used for further traffic. However, could one do a Diffie Hellman key exchange and do this under the protection of the public key? In which case we are now protected from Bob aggressively leaking the public key. (Or, to put it more precisely, Bob would now have to record and leak all his traffic as well, which is a substantially more expensive thing to engage in.) (This still leaves us with the active attack of a forged key, but that is dealt with by public key (fingerprint) caching.)

Does that make sense? The reason I ask is that I've just written a new key exchange protocol element, and I thought I was being clever by having both Bob and Alice provide half the key each, so as to protect against either party being non-robust with secret key generation. (As a programmer I'm more worried about the RNG clagging than the key leaking, but let's leave that aside for now...) Now I'm wondering whether the key exchange should do a DH within the standard public key protected key exchange? Hmmm, this sounds like I am trying to do PFS (perfect forward secrecy).

Any thoughts?

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
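Added example, not from the original post or from iang's protocol: a toy Python model of the two exchanges discussed above (Alice encrypting a random session key to Bob's public key, versus running a DH exchange under that public key), showing what a passive recorder can compute from the transcript once Bob's long-term private key leaks. It assumes textbook RSA with a tiny constructed key pair, a tiny constructed DH group, no padding or authentication, and only Bob having a public key; the names `key_transport`, `dh_under_public_key` and `leaked_key_view` are hypothetical.

```python
import secrets

# Constructed toy RSA key pair for Bob: p=61, q=53, n=3233, e=17, d=2753 (textbook RSA, no padding).
RSA_N, RSA_E, RSA_D = 3233, 17, 2753
# Constructed toy DH group: prime modulus chosen smaller than RSA_N so a share fits in one RSA block.
DH_P, DH_G = 2579, 2


def rsa_enc(m):
    return pow(m, RSA_E, RSA_N)


def rsa_dec(c):
    return pow(c, RSA_D, RSA_N)


def key_transport():
    """Standard public-key protected exchange: Alice picks a random session key and encrypts it to Bob."""
    k = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"enc_k": rsa_enc(k)}  # everything a passive sniffer records
    bob_k = rsa_dec(transcript["enc_k"])
    return k, bob_k, transcript


def dh_under_public_key():
    """DH run under the public key: Alice's share g^a travels RSA-encrypted to Bob,
    Bob's reply share g^b goes back in the clear; both sides derive g^(ab)."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"enc_A": rsa_enc(A), "B": B}  # what a passive sniffer records
    bob_key = pow(rsa_dec(transcript["enc_A"]), b, DH_P)
    alice_key = pow(transcript["B"], a, DH_P)
    return alice_key, bob_key, transcript


def leaked_key_view(transcript):
    """What a recorder learns once Bob's private key leaks: every RSA ciphertext decrypts,
    but values that were never transmitted (a, b, and hence g^(ab)) are not in the transcript,
    so the DH session key still needs a discrete log, unlike the transported key k."""
    return {name.removeprefix("enc_"): (rsa_dec(v) if name.startswith("enc_") else v)
            for name, v in transcript.items()}


if __name__ == "__main__":
    k, _, t = key_transport()
    print("key transport: leaked key recovers session key ->", leaked_key_view(t)["k"] == k)
    ak, _, t = dh_under_public_key()
    print("DH under RSA: leaked key yields only the shares", leaked_key_view(t), "not", ak)
```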