Thank you for your response. I hope you can help me get answers to the following questions -
1) Why do we need to deviate from the Diffie-Hellman Key exchange theory - why can't the client calculate the shared secret on its own?
2) What is the point of generating the DH params and the shared key in the server (Bob) and sending it to the client (Alice) - won't it be accessible to an attacker when it is sent in the clear?

Thanks
Ramg

On Tue, Aug 25, 2009 at 4:56 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Tue, Aug 25, 2009, Ram G wrote:
>
> > Hi,
> >
> > I'm trying to use OpenSSL without certificates and authentication through
> > Anonymous Diffie-Hellman key exchange. I have managed to successfully
> > exchange messages between server and client by modifying some of the sample
> > programs available with the source code.
> >
> > The salient features of the modified client and server test programs are:
> > 1) Not loading certificates
> > 2) Loading the DH params in the server by reading dhparams.pem
> > 3) Setting the cipher to ADH-AES128-SHA on both client and server
> >
> > I have a question regarding the DH key exchange - don't we have to load DH
> > params on the client side as well?
> >
> > What I have been able to gather from online sources on DH key exchange is
> > that
> >
> > 1) Alice and Bob decide on the prime P and generator G
> > 2) Alice decides on a random number X and sends G(power of X) mod P to Bob
> > 3) Bob decides on a random number Y and sends G(power of Y) mod P to Alice
> > 4) Both Bob and Alice can calculate the shared secret on their own
> >
> > In my test program, I did not do anything on the client side to generate the
> > shared key.
> >
> > I would really appreciate if someone can shed some light on how anonymous DH
> > works in OpenSSL.
> >
>
> The DH parameters are supplied by the server and sent to the client during the
> handshake so the client doesn't need any DH parameters.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
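
The following sketch is an added example, not part of the thread or of OpenSSL's code: it models the anonymous DH message flow described in the quoted reply, where the server's message carries p, g and its public value, the client answers with its own public value, and each side computes the secret locally. The toy prime and the function names are assumptions; the field names follow the TLS `ServerDHParams` and `ClientDiffieHellmanPublic` structures.

```python
import secrets

# Toy stand-in for the server's dhparams.pem (assumption: 2**127 - 1 is a
# known prime but far too small for real use; real files hold 2048-bit groups).
SERVER_P = 2**127 - 1
SERVER_G = 3

def server_key_exchange(p, g):
    """Server picks private y and builds the ServerKeyExchange contents."""
    y = secrets.randbelow(p - 3) + 2          # private, never leaves the server
    return y, {"dh_p": p, "dh_g": g, "dh_Ys": pow(g, y, p)}

def client_key_exchange(ske):
    """Client takes p and g from the server's message and picks private x."""
    p, g = ske["dh_p"], ske["dh_g"]
    x = secrets.randbelow(p - 3) + 2          # private, never leaves the client
    premaster = pow(ske["dh_Ys"], x, p)       # computed locally by the client
    return premaster, {"dh_Yc": pow(g, x, p)}

def server_finish(y, p, cke):
    """Server computes the same premaster secret from the client's value."""
    return pow(cke["dh_Yc"], y, p)

def run_handshake():
    wire = []                                 # everything a passive observer sees
    y, ske = server_key_exchange(SERVER_P, SERVER_G)
    wire.append(ske)
    client_secret, cke = client_key_exchange(ske)
    wire.append(cke)
    server_secret = server_finish(y, SERVER_P, cke)
    return client_secret, server_secret, wire

if __name__ == "__main__":
    c, s, wire = run_handshake()
    print("secrets match:", c == s)
    print("fields on the wire:", [k for m in wire for k in m])
```

Nothing in this exchange authenticates the server's values, which is why the ADH cipher suites give no protection against an active man-in-the-middle.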