Andrew Cooke <[EMAIL PROTECTED]> writes:

> EKR wrote:
> > Andrew Cooke <[EMAIL PROTECTED]> writes:
> > > Nicolas Roumiantzeff wrote:
> > > > Does anybody know why both IE and Netscape browser implement exclusively RSA
> > > > certificates?
> > > I have no idea, but one reason might be the need for good random number
> > > seeds when doing DH key exchange.  It is difficult to get 1K of random
> > > bytes without trusting your user to follow instructions (and presumably
> > > they want "idiot proof" software).
> > I don't think so.
> [...]
> > 2. 1024 bits of random data are more than enough to generate a strong
> > DH key.
> 
> I seem to be having a hard time typing the right thing on this list. 
> Yes, I meant bits - but I don't really see how this changes my argument. 
> 1024 bits is a lot of bits.
Yes, it is, but as I said in the section of my message you
deleted, you need an equivalent number of random bits in order
to perform the RSA key exchange, so DH is no worse from this
perspective.

> On the other hand, I am involved in writing software for servers as well
> as clients and I *think* that it is the server side that is critical for
> random numbers with DH exchange (so this is not so serious for browsers
> acting as clients).  If I recall correctly, you can expose the server's 
> private key by simply using the same random number twice...
When you're doing DSS/DHE, there are three places where you 
need random numbers (ignoring ServerRandom and ClientRandom):
1. The server's generation of its ephemeral DH key.
2. The server's DSA signature.
3. The client's generation of its ephemeral DH key.

If the server botches (2) then it can reveal its DSA private key.
Botching the random number generation for (1) and (2) simply
allows compromise of per-connection keys.

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
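The failure mode Eric points to for step (2), a botched per-signature random value revealing the DSA private key, is easy to see in a small model. The following Python is an added example, not code from the thread, from OpenSSL or from either author. It builds a toy DSA group (a 61-bit subgroup order, far below real parameters, generated at import time), signs two constructed sample messages with the same k, and recovers x from the pair; it then derives k deterministically from the private key and the message hash, a simplified form of the idea behind RFC 6979 rather than that RFC's exact procedure, so there is no random draw left to get wrong at signing time. All group parameters, message bytes and function names are assumptions made for this illustration.

```python
"""Toy DSA: reusing the per-signature secret k leaks the long-term private key;
deriving k deterministically from (key, message) removes that RNG step.
Constructed example with a toy-sized group, not real DSA parameters."""
import hashlib
import hmac
import random
import secrets

Q = 2**61 - 1  # Mersenne prime M61, used here as the subgroup order (toy size)
SMALL_PRIMES = (2, 3, 5, 7, 11, 13)

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin seeded from n, so group generation is reproducible."""
    if n in SMALL_PRIMES:
        return True
    if n < 2 or any(n % s == 0 for s in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(q: int):
    """Find a prime p = q*k + 1 and a generator g of the order-q subgroup of Z_p*."""
    k = 2
    while not is_probable_prime(q * k + 1):
        k += 2
    p = q * k + 1
    g = next(pow(h, k, p) for h in range(2, p) if pow(h, k, p) != 1)
    return p, g

P, G = make_group(Q)
assert pow(G, Q, P) == 1  # sanity check: g really has order q

def hash_to_zq(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1  # long-term private key in [1, q-1]
    return x, pow(G, x, P)            # (x, y = g^x mod p)

def sign(x: int, msg: bytes, k: int):
    """Textbook DSA; k is the per-signature secret that must never be reused."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hash_to_zq(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; choose another k")
    return r, s

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, hash_to_zq(msg) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r

def recover_private_key(m1, sig1, m2, sig2):
    """Two signatures made with the same k share r; then k = (h1-h2)/(s1-s2)
    and x = (s1*k - h1)/r, all mod q. Returns None when that algebra does not apply."""
    (r1, s1), (r2, s2) = sig1, sig2
    h1, h2 = hash_to_zq(m1), hash_to_zq(m2)
    if r1 != r2 or s1 == s2 or h1 == h2:
        return None
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h1) * pow(r1, -1, Q) % Q

def deterministic_k(x: int, msg: bytes) -> int:
    """k = HMAC(x, H(msg)) mod (q-1) + 1: the idea behind RFC 6979, simplified
    here (not the RFC's exact procedure). Distinct messages get distinct k."""
    mac = hmac.new(x.to_bytes(8, "big"), hashlib.sha256(msg).digest(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1

M1 = b"ServerKeyExchange #1 (constructed sample)"
M2 = b"ServerKeyExchange #2 (constructed sample)"

def demo_nonce_reuse():
    """The botched case: one random k used for two signatures. Returns (x, recovered x)."""
    x, y = keygen()
    k = secrets.randbelow(Q - 1) + 1
    sig1, sig2 = sign(x, M1, k), sign(x, M2, k)
    assert verify(y, M1, sig1) and verify(y, M2, sig2)
    return x, recover_private_key(M1, sig1, M2, sig2)

def demo_deterministic_nonce():
    """Same messages, k derived per message. Returns (signatures repeatable?, key leaked?)."""
    x, y = keygen()
    sig1, sig2 = sign(x, M1, deterministic_k(x, M1)), sign(x, M2, deterministic_k(x, M2))
    assert verify(y, M1, sig1) and verify(y, M2, sig2)
    repeatable = sig1 == sign(x, M1, deterministic_k(x, M1))
    return repeatable, recover_private_key(M1, sig1, M2, sig2) == x
```

`demo_nonce_reuse()` returns the same value twice (the generated key and the key recovered from the two signatures), which is the point of the thread's warning about step (2); `demo_deterministic_nonce()` returns `(True, False)`, since signing the same message twice is repeatable and the two signatures share no k for the recovery to work from. The contrast with steps (1) and (3) also follows from the code: a bad ephemeral DH exponent is confined to the connection that used it, while a bad k in `sign` exposes the key that every connection's signature depends on.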
