Re: Ephemeral Diffie-Hellman in SSL
- From: Thomas Pornin <pornin@xxxxxxxxx>
- Date: 11 Sep 2007 17:28:40 GMT
According to David Wagner <daw-usenet@xxxxxxxxxxxxxxxxxxxxxxxx>:
> As it turns out, naah, you don't have to do that for every SSL connection.
> You can pre-generate and fix in advance the prime and generator, and
> re-use them for many DH key exchanges. All you need to do when a new
> SSL session is created is to pick a random exponent x and compute y =
> g^x. That's pretty fast.

Actually, you need not even get a new random x and compute g^x for each
connection. Nothing prevents the server from reusing the same key with
several connections. The cipher suite is called "ephemeral" so the
intent is that the DH private key shall have a rather short life, but
computing a new key every five minutes is ephemeral enough for most
purposes.

The point of an ephemeral key is that the private key need not be
stored on any permanent storage area; it is kept in RAM only. This makes
that private key rather strong against future compromise (as opposed to
the permanent server key, the one whose public counterpart is in the
server certificate), because the only choice for the attacker is to
cryptographically break the public key. There is no hard disk / smartcard
/ HSM that the attacker may physically open. In that respect, an SSL
server may choose its DH private key (the "x" value) at launch time,
hence only once every few weeks for a robust server.

--Thomas Pornin
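
The key lifetime described in this post, as an added example that is not part of the original message: the server keeps x in memory only, reuses it for every connection, and replaces it once it is five minutes old. The group (RFC 3526 group 14), the `ServerDHKey` class, the injectable clock, the constructed client and the peer-value range check are assumptions of this example.

```python
import secrets
import time

# RFC 3526 group 14 (2048-bit MODP prime, generator 2): fixed parameters
# chosen for this example; the thread does not name a group.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


class ServerDHKey:
    """DH private exponent x held in memory only, reused until it expires."""

    def __init__(self, max_age=300.0, clock=time.monotonic):
        self.max_age = max_age  # assumed policy: new x every five minutes
        self.clock = clock      # injectable so rotation can be tested
        self._x = self._y = self._born = None

    def _current(self):
        """Return (x, y), computing a new pair only once x has expired."""
        now = self.clock()
        if self._x is None or now - self._born >= self.max_age:
            self._x = secrets.randbelow(P - 3) + 2  # x in [2, P-2]
            self._y = pow(G, self._x, P)            # computed once per key
            self._born = now
        return self._x, self._y

    def handshake(self, peer_y):
        """Return (server_y, shared_secret) for one connection."""
        # x is reused across peers, so reject the values 0, 1 and P-1.
        if not 2 <= peer_y <= P - 2:
            raise ValueError("peer DH public value out of range")
        x, y = self._current()
        return y, pow(peer_y, x, P)


def client_exchange(server):
    """Constructed client: fresh exponent per connection, checks agreement."""
    a = secrets.randbelow(P - 3) + 2
    server_y, server_secret = server.handshake(pow(G, a, P))
    return server_y, pow(server_y, a, P) == server_secret
```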