[Ach] Improving Applied Crypto Hardening Draft

Kurt Roeckx kurt at roeckx.be
Sat Jan 11 00:09:34 CET 2014


On Fri, Jan 10, 2014 at 05:14:15PM -0500, James Cloos wrote:
> >>>>> "KR" == Kurt Roeckx <kurt at roeckx.be> writes:
> 
> >> DHE == Diffie-Hellman (key) Exchange
> >> EDH == Ephemeral Diffie-Hellman (key exchange)
> >> ADH == Anonymous Diffie-Hellman (key exchange)
> 
> KR> As far as I understand it, all 3 of those are actually ephemeral
> KR> variants, as opposed to the "ECDH" and "DH" versions where there
> KR> is no key exchange but the public key is in the certificate
> KR> itself.  But then I think nobody uses certificates like that.
> 
> Evidently some do.
> 
> Search for Brian's reply to my question about ecdsa on the:
> 
>   http://mozilla.6506.n7.nabble.com/Proposal-to-Remove-legacy-TLS-Ciphersuits-Offered-by-Firefox-td302861.html

It seems to say they are offering ECDSA certificates, but I don't
see anything about ECDH-ECDSA in there.  In fact Firefox has
dropped all the ECDH ciphers, but still has the ECDHE-ECDSA ones.

As far as I understand, ECDSA can only be used with either ECDH or
ECDHE since the ECDSA key can only be used for signing and not
encrypting.

To do ECDH-ECDSA they would need to be offering certificates that
contain a fixed public part; those certificates do not provide
forward secrecy.  In the case of ECDHE-ECDSA you would instead be
generating a temporary value to send to the client in the key
exchange.

In summary, if you want forward secrecy you need DHE, EDH, ADH,
ECDHE, or AECDH.  The ADH and AECDH are anonymous/unauthenticated
versions that you want to avoid for most cases.


Kurt
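
An added example, not part of the original message: a small audit helper that groups OpenSSL-style cipher suite names by the key-exchange prefixes discussed above. It assumes the pre-TLS 1.3 naming printed by `openssl ciphers`, looks only at the key exchange (not at cipher strength), and its function names and sample list are constructed for illustration.

```python
# Added example: sort OpenSSL-style cipher suite names by the key-exchange
# prefixes discussed in the message above. Sample input is constructed.

EPHEMERAL_AUTH = {"DHE", "EDH", "ECDHE"}  # ephemeral exchange, authenticated
EPHEMERAL_ANON = {"ADH", "AECDH"}         # ephemeral, but nobody is authenticated
FIXED_KEY = {"DH", "ECDH"}                # fixed public part in the certificate


def classify(suite):
    """Map one suite name to a category based on its first '-' separated token."""
    prefix = suite.strip().upper().split("-", 1)[0]
    if prefix in EPHEMERAL_AUTH:
        return "fs_authenticated"
    if prefix in EPHEMERAL_ANON:
        return "fs_anonymous"
    if prefix in FIXED_KEY:
        return "fixed_key_no_fs"
    # Anything else (e.g. AES128-SHA, which has no key-exchange prefix) is not
    # one of the five forward-secret exchanges the message lists.
    return "other_not_listed"


def audit(cipher_list):
    """Group a colon-separated suite list by category, preserving order."""
    groups = {"fs_authenticated": [], "fs_anonymous": [],
              "fixed_key_no_fs": [], "other_not_listed": []}
    for suite in cipher_list.split(":"):
        if suite.strip():                 # tolerate empty entries such as "a::b"
            groups[classify(suite)].append(suite.strip())
    return groups


def keep_forward_secret(cipher_list):
    """Return a colon-separated list with only authenticated ephemeral suites."""
    return ":".join(audit(cipher_list)["fs_authenticated"])


# Constructed sample list in the format printed by `openssl ciphers`.
SAMPLE = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA:"
          "DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:ADH-AES128-SHA:"
          "AECDH-AES128-SHA:DH-RSA-AES128-SHA:AES128-SHA")

if __name__ == "__main__":
    for category, suites in audit(SAMPLE).items():
        print(f"{category:18} {', '.join(suites) or '-'}")
    print("keep:", keep_forward_secret(SAMPLE))
```

Names that do not start with one of the seven prefixes handled here, including TLS 1.3 and export-grade (`EXP-`) names, land in `other_not_listed` and need a separate review.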



