EKR wrote:
> Andrew Cooke <[EMAIL PROTECTED]> writes:
> > EKR wrote:
> > > Andrew Cooke <[EMAIL PROTECTED]> writes:
> > > > Nicolas Roumiantzeff wrote:
> > > > > Does anybody know why both IE and Netscape browser implement exclusively RSA
> > > > > certificates?
> > > > I have no idea, but one reason might be the need for good random number
> > > > seeds when doing DH key exchange.  It is difficult to get 1K of random
> > > > bytes without trusting your user to follow instructions (and presumably
> > > > they want "idiot proof" software).
> > > I don't think so.
> > [...]
> > > 2. 1024 bits of random data are more than enough to generate a strong
> > > DH key.
> >
> > I seem to be having a hard time typing the right thing on this list.
> > Yes, I meant bits - but I don't really see how this changes my argument.
> > 1024 bits is a lot of bits.
> Yes, it is, but as I said in the section of my message you
> deleted, you need an equivalent number of random bits in order
> to perform the RSA key exchange, so DH is no worse from this
> perspective.

I didn't mean to selectively edit anything - I thought there was a
quantitative difference in the quality of random number needed for the
two cases.

> > On the other hand, I am involved in writing software for servers as well
> > as clients and I *think* that it is the server side that is critical for
> > random numbers with DH exchange (so this is not so serious for browsers
> > acting as clients).  If I recall correctly, you can expose the server's
> > private key by simply using the same random number twice...
> When you're doing DSS/DHE, there are three places where you
> need random numbers (ignoring ServerRandom and ClientRandom):
> 1. The server's generation of its ephemeral DH key.
> 2. The server's DSA signature.
> 3. The client's generation of its ephemeral DH key.
> 
> If the server botches (2) then it can reveal its DSA private key.
> Botching the random number generation for (1) and (2) simply
> allows compromise of per-connection keys.

I've dug out the nearest I can get to what made me think random numbers
were critical for DH key exchange and it's here:
http://remus.prakinf.tu-ilmenau.de/ssl-users/archive9809/0124.html - the
last quoted section (the main post is from me - I can't find the post I
was replying to).  It's talking about two things (afaik) - is the first
(2) above?

Cheers,
Andrew
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
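
The point in the thread about item (2), that a DSA signing random number used twice reveals the private key, worked through as an added example that is not part of the original messages. The toy group, key, digests and log entries are constructed for illustration, and all function names are hypothetical.

```python
# Toy DSA group, constructed for illustration only (far too small for real use).
P, Q = 7879, 101                 # primes with Q dividing P - 1
G = pow(3, (P - 1) // Q, P)      # generator of the order-Q subgroup

def sign(x, h, k):
    """Sign digest h with private key x and per-signature random number k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    return r, s

def verify(y, h, sig):
    """Standard DSA verification of (r, s) on digest h under public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def reused_nonces(log):
    """Audit check: pairs of (h, (r, s)) entries that share the same r."""
    first, hits = {}, []
    for h, (r, s) in log:
        if r in first and first[r] != (h, (r, s)):
            hits.append((first[r], (h, (r, s))))
        first.setdefault(r, (h, (r, s)))
    return hits

def key_from_reuse(a, b):
    """s1 - s2 = k^-1 (h1 - h2) mod Q gives k; then x = (s1*k - h1) / r."""
    (h1, (r, s1)), (h2, (_, s2)) = a, b
    k = (h1 - h2) * pow((s1 - s2) % Q, -1, Q) % Q
    x = (s1 * k - h1) * pow(r, -1, Q) % Q
    return k, x

X = 75                            # constructed private key
Y = pow(G, X, P)                  # matching public key
# Constructed signature log: digests 22 and 57 were signed with the same k.
LOG = [(22, sign(X, 22, 50)), (41, sign(X, 41, 51)), (57, sign(X, 57, 50))]

if __name__ == "__main__":
    for a, b in reused_nonces(LOG):
        print("repeated r:", a, b, "-> (k, x) =", key_from_reuse(a, b))
```

A repeated r under one key is therefore a key-compromise event, not a per-connection one; deriving k deterministically as in RFC 6979 removes the dependence on the RNG for this value.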