[Ach] Improving Applied Crypto Hardening Draft

Kurt Roeckx kurt at roeckx.be
Sat Jan 11 00:09:34 CET 2014

On Fri, Jan 10, 2014 at 05:14:15PM -0500, James Cloos wrote:
> >>>>> "KR" == Kurt Roeckx <kurt at roeckx.be> writes:
> >> DHE == Diffie-Hellman (key) Exchange
> >> EDH == Ephemeral Diffie-Hellman (key exchange)
> >> ADH == Anonymous Diffie-Hellman (key exchange)
> KR> As far as I understand it, all 3 of those are actually ephemeral
> KR> variants, as opposed to the "ECDH" and "DH" versions where there
> KR> is no key exchange but the public key is in the certificate
> KR> itself.  But then I think nobody uses certificates like that.
> Evidently some do.
> Search for Brian's reply to my question about ecdsa on the:
>   http://mozilla.6506.n7.nabble.com/Proposal-to-Remove-legacy-TLS-Ciphersuits-Offered-by-Firefox-td302861.html

It seems to say they are offering ECDSA certificates, but I don't
see anything about ECDH-ECDSA in there.  In fact firefox has
dropped all the ECDH ciphers, but still has the ECDHE-ECDSA ones.

As far as I understand ECDSA can only be used with either ECDH or
ECDHE since the ECDSA key can only be used for signing and not

To do ECDH-ECDSA they would need to be offering certificates that
contain a fixed public part, those certificates do not provide
forward secrecy.  In case of ECDHE-ECDSA you would instead be a
generating a temporary value to send to the client in the key

In summary, if you want forward secrecy you need DHE, EDH, ADH,
ECDHE, or AECDH.  The ADH and AECDH are anonymous/unauthenticated
versions that you want to avoid for most cases.


More information about the Ach mailing list