[Ach] New study on Forward Secrecy
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Dec 30 20:08:37 CET 2014
On 12/30/2014 12:25 PM, Aaron Zauner wrote:
> We should - maybe - think about removing DHE (or, at the very least, not
> prefer it over ECDHE handshakes anymore) from our current
fwiw, i agree with this change in prioritization. Systems that can
support ECDHE should prefer it over traditional finite-field DHE
(FFDHE), unless they are configured with strong FFDHE parameters.
> Now for DHE there's a draft by DKG in the IETF
> standardization process, but nothing exists right /now/. Also: there are
> still issues with DH params with a lot of server daemon implementations
> for various protocols.
The draft provides a mechanism to ensure that adequately-strong
FFDHE parameters can be negotiated between compatible peers. Without
it, the TLS endpoints have no way of ensuring that the other endpoint
can handle strong crypto, resulting in either weak key exchange or
aborted handshakes with some peers.
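As an added illustration of the prioritization dkg agrees with above (example code, not from the thread or the draft): a Python `ssl` server configuration that ranks ECDHE suites ahead of finite-field DHE, with a check that the resulting preference order really honours that ranking. The cipher string and the DH parameter path are assumptions for the example.

```python
import ssl

# Assumed policy: ECDHE suites first, FFDHE suites only as a fallback,
# no anonymous or legacy suites. (Constructed for this example.)
ECDHE_FIRST = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4"
DHE_FIRST = "DHE+AESGCM:ECDHE+AESGCM:!aNULL:!MD5:!RC4"  # the ordering to avoid


def _server_context(cipher_string):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # Without this option the client's order wins and the server's
    # preference for ECDHE is not enforced.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # If DHE must stay enabled, load strong parameters here, e.g.
    # ctx.load_dh_params("/path/to/ffdhe2048.pem")  # hypothetical path
    return ctx


def ecdhe_first_context():
    """Server context that prefers ECDHE over finite-field DHE."""
    return _server_context(ECDHE_FIRST)


def dhe_first_context():
    """Counter-example: server context that ranks FFDHE ahead of ECDHE."""
    return _server_context(DHE_FIRST)


def key_exchange_order(ctx):
    """Key-exchange family of each enabled TLS 1.2 suite, in preference order."""
    order = []
    for suite in ctx.get_ciphers():  # sorted by the context's preference
        name = suite["name"]
        if name.startswith("ECDHE-"):
            order.append("ECDHE")
        elif name.startswith("DHE-"):
            order.append("DHE")
        # TLS 1.3 suites (TLS_AES_...) carry no key exchange in the name; skipped.
    return order


def ecdhe_preferred(ctx):
    """True when at least one ECDHE suite exists and all rank ahead of DHE."""
    order = key_exchange_order(ctx)
    ecdhe_pos = [i for i, k in enumerate(order) if k == "ECDHE"]
    dhe_pos = [i for i, k in enumerate(order) if k == "DHE"]
    if not ecdhe_pos:
        return False
    return not dhe_pos or max(ecdhe_pos) < min(dhe_pos)


if __name__ == "__main__":
    print(key_exchange_order(ecdhe_first_context()))
    print("ECDHE preferred:", ecdhe_preferred(ecdhe_first_context()))
```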