[Ach] New study on Forward Secrecy

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Dec 30 20:08:37 CET 2014

On 12/30/2014 12:25 PM, Aaron Zauner wrote:

> We should - maybe - think about removing DHE (or, at the very least, not
> prefer it over ECDHE handshakes anymore) from our current
> recommendations.

fwiw, i agree with this change in prioritization. Systems that can
support ECDHE should prefer it over traditional finite-field DHE
(FFDHE), unless they are configured with strong FFDHE parameters.

> Now for DHE there's a draft by DKG in the IETF
> standardization process, but nothing exists right /now/. Also: there are
> still issues with DH params with a lot of server daemon implementations
> for various protocols.

The draft [0] provides a mechanism to ensure that adequately-strong
FFDHE parameters can be negotiated between compatible peers.  Without
it, the TLS endpoints have no way of ensuring that the other endpoint
can handle strong crypto, resulting in either weak key exchange or
aborted handshakes with some peers.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20141230/24cc2003/attachment.sig>

More information about the Ach mailing list