Just for everyone's benefit, there is a bug in OpenSSL that prevents ECDH-RSA 
cipher suites from being negotiated, and this has been fixed in the latest stable 
snapshot.

For all the folks who recommend that ECDH-RSA and ECDH-ECDSA cipher suites 
should not be supported, can you point to literature that specifically 
recommends not using these cipher suites? I understand the principle of 
forward secrecy, but why is it such a big concern for ECDH key exchange and not 
for RSA key exchange? And does OpenSSL provide any mitigation for this apparent 
weakness of ECDH using static keys?
Thanks
Abhi
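On the mitigation question above, OpenSSL's lever is the cipher string: the fixed-ECDH suites (and plain RSA key transport) can be excluded from what a server offers. The block below is an added example, not code from this thread or from the OpenSSL project; it audits `openssl ciphers -v` output for suites whose session keys fall with the server's long-term key, assuming the 1.0.x-era `Kx=` labels and a constructed sample, and the exclusion keywords `!kRSA:!kECDH:!kDH` are taken from the ciphers(1) manual of that series.

```python
import re

# Constructed sample of `openssl ciphers -v` output in the OpenSSL 1.0.x format,
# embedded so the audit runs offline. Not captured from the list thread.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# Cipher-string keywords (ciphers(1), 1.0.x series) that drop the non-forward-secret
# key exchanges: RSA key transport, fixed ECDH and fixed DH.
EXCLUDE_NO_FS = "!kRSA:!kECDH:!kDH"

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into dicts with name/proto/kx/au/enc/mac."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(dict(zip(("name", "proto", "kx", "au", "enc", "mac"),
                                   m.groups())))
    return suites


def has_forward_secrecy(kx):
    """Ephemeral (EC)DH prints a bare Kx=ECDH or Kx=DH. Fixed ECDH/DH prints the
    certificate key type after a slash (Kx=ECDH/RSA, Kx=ECDH/ECDSA, Kx=DH/RSA,
    Kx=DH/DSS) and RSA key transport prints Kx=RSA: all of those let a recorded
    session be decrypted if the long-term key is later compromised."""
    return kx in ("ECDH", "DH")


def audit_forward_secrecy(text):
    """Return the names of suites in the list that lack forward secrecy.
    (Anonymous suites, Au=None, are forward secret but unauthenticated and
    deserve a separate check.)"""
    return [s["name"] for s in parse_ciphers_v(text)
            if not has_forward_secrecy(s["kx"])]


if __name__ == "__main__":
    for name in audit_forward_secrecy(SAMPLE_CIPHERS_V):
        print("no forward secrecy:", name)
    print("suggested cipher-string suffix:", EXCLUDE_NO_FS)
```

Feed it the real output of `openssl ciphers -v '<your cipher string>'` to see which offered suites would still expose past sessions to a later key compromise.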

________________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on 
behalf of Jakob Bohm [jb-open...@wisemo.com]
Sent: Tuesday, November 06, 2012 1:34 AM
To: openssl-users@openssl.org
Subject: Re: ECDH-RSA and TLS 1.2

On 11/5/2012 1:37 AM, Jeffrey Walton wrote:
> On Sun, Nov 4, 2012 at 7:15 PM,  <jb-open...@wisemo.com> wrote:
>> On 02-11-2012 21:46, Jeffrey Walton wrote:
>>>
>>> On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
>>>>
>>>> (continuing TOFU posting to keep the thread somewhat consistent)
>>>>
>>>> Given some of the mathematical restrictions on parameters needed to
>>>> keep DSA and ECDSA safe from attackers, I don't think using the same
>>>> private key for ECDSA and ECDH is a good/safe idea.
>>>>
>>>> However I am not a genius cryptanalyst, so I cannot guarantee that
>>>> this is really dangerous, it is just a somewhat educated guess.
>>>
>>> Not at all - it's good advice. It's called Key Separation, and it's
>>> covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I
>>> usually see folks trying to use the same key for signing and
>>> encryption. This is a slight twist in that they want to do signing and
>>> agreement.
>>>
>>> The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.
>>>
>> I am aware of the general principle, but that is not my point at all.
>>
>> My point is that the very specific math of DSA signatures may enable
>> specific attacks if the same key pair is used as a static DH key.
>>
>> Information on this possibility (or its absence) is obscured by replies
>> like yours (and by similar general statements in official Government
>> materials from NIST etc.).
> My apologies. I was not aware I was obscuring results. It was not my 
> intention.
>
> The OpenSSL list is a good list, but it's OpenSSL implementation
> oriented. As such, it's not the best place to ask number theoretic
> questions. To get your question answered, I would encourage you to ask
> on an appropriate list; or visit a university and talk to someone in
> the math department or teaching cryptography. (I still keep in touch
> with my former crypto instructor, so I would simply send an email).
>
> As far as I know, there are three such lists. First you can ask on
> Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see
> David Wagner patrolling sci.crypt on occasion. Both of these lists
> will require you to wade through copious amounts of spam.
>
> Third, you can try Jack Lloyd's Cryptography mailing list at
> http://lists.randombit.net/mailman/listinfo. Jack is the author of
> Botan, and a lot of first class crypto folks are active on his list,
> such as Jon Callas and Peter Gutmann.
>
> I have omitted a number of influential and helpful folks, so please
> don't take offense if I did not name your favorite cryptographer. For
> what it's worth, I don't think this is a conspiracy or a concerted
> effort to suppress your knowledge.
>
It is not as much my question as an uncertain basis for my reply to
an OpenSSL user about why his OpenSSL related software seems to
prevent him from doing this possibly dangerous thing.  As I would
probably not try to do that myself anyway, I am not that interested
in the mathematical proving or disproving of the actual existence
of the risk.  It was simply a caveat emptor attached to my advice.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org