[gnutls-dev] Anonymity lost if same DH params re-used for ephemeral RSA/DSS too?
Nikos Mavroyanopoulos
nmav at gnutls.org
Sun Dec 21 11:47:51 CET 2003
On Sun, Dec 21, 2003 at 09:49:08AM +0100, Simon Josefsson wrote:
> This might not be exactly gnutls specific, but the question grew out
> of a usage question of your API: is it OK to use the same D-H
> parameters for both the ANON-DH and DHE-RSA/DSS key exchanges? It
> takes several seconds to generate the D-H params, so I'd rather not
> generate two sets if it can be avoided.
Yes it's perfectly fine to use the same DH parameters. It does
not weaken the protocol in any way.
> The issue I'm worried about:
> can someone impersonate a server with DHE-RSA/DSS kx, by using the
> ANON-DH kx against the real server, if the real server is using the
> same D-H parameters for both ANON-DH and DHE-RSA/DSS? Any other
> problems using the same D-H parameters?
No. In the certificate authenticated ciphersuites (such as DHE-RSA/DSS)
the session parameters are signed with the certificate, so it is
not possible to impersonate the server.
> I suppose the answer is no, but just wanted to be sure. I guess I
> need a good TLS textbook...
A glimpse at rfc2246 should be sufficient.
> Thanks.
--
Nikos Mavroyanopoulos
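
Added example, not part of the original message and not GnuTLS code: a sketch of the RFC 2246 ServerKeyExchange signature for DHE-RSA, which covers ClientHello.random, ServerHello.random and the ServerDHParams (dh_p, dh_g, dh_Ys). It shows that sharing the group (p, g) with ANON-DH gives no valid signature over a different public value or a different session. The RSA key, the DH group, the exponents and all function names are constructed toy values and assumptions chosen for illustration.

```python
import hashlib
import os

# Constructed toy RSA key built from two Mersenne primes: insecure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def opaque16(n: int) -> bytes:
    """TLS opaque<1..2^16-1>: 2-byte length prefix plus big-endian integer."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return len(raw).to_bytes(2, "big") + raw

def server_dh_params(p: int, g: int, ys: int) -> bytes:
    """ServerDHParams as carried in ServerKeyExchange: dh_p, dh_g, dh_Ys."""
    return opaque16(p) + opaque16(g) + opaque16(ys)

def encoded_hash(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    """MD5 || SHA-1 over both randoms and the params, PKCS#1 type 1 padded."""
    data = client_random + server_random + params
    h = hashlib.md5(data).digest() + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(h) - 3) + b"\x00" + h

def sign(client_random: bytes, server_random: bytes, params: bytes) -> int:
    em = encoded_hash(client_random, server_random, params)
    return pow(int.from_bytes(em, "big"), D, N)

def verify(sig: int, client_random: bytes, server_random: bytes, params: bytes) -> bool:
    expected = encoded_hash(client_random, server_random, params)
    return pow(sig, E, N).to_bytes(K, "big") == expected

def demo() -> dict:
    p, g = 2**127 - 1, 5  # constructed toy group shared by ANON-DH and DHE-RSA
    cr, sr = os.urandom(32), os.urandom(32)
    honest = server_dh_params(p, g, pow(g, 0x1234567, p))
    sig = sign(cr, sr, honest)
    # Same group, but a public value from a party that lacks the RSA private key.
    swapped = server_dh_params(p, g, pow(g, 0x7654321, p))
    return {
        "honest": verify(sig, cr, sr, honest),
        "swapped_ys": verify(sig, cr, sr, swapped),
        "other_session": verify(sig, os.urandom(32), sr, honest),
    }

if __name__ == "__main__":
    print(demo())
```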