During my investigation into decrypting TLS/SSL streams, I was slightly irritated by the lack of a clear distinction between the various Diffie-Hellman key exchange types. I recognized that one type provided perfect forward secrecy, but it was unclear why the others did not. The way the Diffie-Hellman Wikipedia article was written, it seemed as though these values would be generated on the fly in all cases. Questions were coming up in my head that I could not get answered, such as:
- What source material is each Diffie-Hellman type generated from?
- What pseudorandom function is used to generate those random values? Is it permanently stored by either end in some DH types?
- What were the actual distinctions between the TLS_DH_* and TLS_DHE_* ciphers in OpenSSL?
- When is RSA public key cryptography used with Diffie-Hellman, with or without authentication?
- Is public-key cryptography with Diffie-Hellman directly used in the transaction for both authentication and determination of the symmetric key in some types?
If you came to this article after reading the abstracted Diffie-Hellman Wikipedia article on the exchange mechanics, you might be a bit confused about where some of the information originates. In the most practical case of using Diffie-Hellman, within the SSL/TLS negotiation phase, the server is responsible for determining the public parameters for use in that session (for the case where they are not static within a certificate).
Let's take a look at the three types of Diffie-Hellman:
Fixed Diffie-Hellman
Represented as the TLS_(EC)DH_* ciphers in OpenSSL.
The server cryptographic material intended for the client is explicitly contained within the server certificate. The client parameters will be contained within the client certificate, or the client will send them in a subsequent Client Key Exchange if it does not have a certificate. For this reason, this cipher is not considered to be anonymous, as the cryptographic material necessary to establish a master secret is derived from the material contained in at least the server certificate, or in the client and server certificates. The Diffie-Hellman parameters (group and generator) must match between the client and server certificates. The keyAgreement bit on the client and server certificates must be set. If a client certificate and server certificate are used in the key exchange, they should consistently result in the same pre-master secret being calculated.
Ephemeral Diffie-Hellman
Represented as the TLS_(EC)DHE_* ciphers in OpenSSL.
This cipher is not an anonymous type, and the ability to verify the authenticity of the server must be provided through the use of an RSA or DSA certificate. A Server Key Exchange message is necessary to give the client material to complete the exchange, as the parameters and the public value are not contained within the RSA or DSA certificate. The Server Key Exchange message includes the prime modulus and generator (p, g) that will be used for the key exchange by the server and client, in addition to the server's calculated public value. The server also includes a signed hash composed of these parameters and the Client and Server Hello random numbers in order to authenticate itself to the client. The client will also provide a Client Key Exchange message, after sending its own RSA or DSA certificate if requested, containing its own calculated public value. The client uses the Client Verify message to authenticate itself as it does in a straight RSA key exchange.
Anonymous Diffie-Hellman
Represented as the TLS_(EC)DH_anon_* ciphers in OpenSSL.
This is the only case where the server must not send a certificate to the client, as the protocol is designed to be a vanilla Diffie-Hellman exchange. A Server Key Exchange message is necessary to give the client material to complete the exchange: the prime modulus, generator, and the server's public value. The client will also provide a Client Key Exchange message containing its calculated public value. As stated in many explanations, this is easily susceptible to Man-in-the-Middle attacks, so its use is generally not recommended.
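To make the fixed-versus-ephemeral distinction described above concrete, here is an added example (not code from the original post) that performs the modular arithmetic of the exchange, builds the ServerDHParams structure and the digest over the Hello randoms that a DHE server signs, and shows why static certificate-bound key pairs yield the same pre-master secret in every session while fresh ephemeral pairs do not. It assumes RFC 2409 Oakley group 2 as the (p, g) parameters and SHA-256 as the hash; the actual RSA/DSA signing step is not shown.

```python
import hashlib
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP, g = 2): for illustration; real TLS needs >= 2048 bits
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def opaque16(b):  # TLS opaque<1..2^16-1>: two-byte big-endian length prefix
    return len(b).to_bytes(2, "big") + b

def server_dh_params(p, g, ys):
    # ServerDHParams (dh_p, dh_g, dh_Ys) as carried in the ServerKeyExchange message
    return opaque16(to_bytes(p)) + opaque16(to_bytes(g)) + opaque16(to_bytes(ys))

def signed_params_digest(client_random, server_random, params):
    # Hash of ClientHello.random || ServerHello.random || ServerDHParams; in DHE
    # this is what the server signs with its RSA/DSA certificate key (not shown).
    return hashlib.sha256(client_random + server_random + params).digest()

def keypair():
    x = secrets.randbelow(P - 2) + 1  # private exponent, 1 <= x <= P-2
    return x, pow(G, x, P)            # (private, public)

def premaster_secret(peer_public, private):
    if not 1 < peer_public < P - 1:   # reject 0, 1, p-1 and out-of-range values
        raise ValueError("peer public value out of range")
    return to_bytes(pow(peer_public, private, P))

def exchange(server_key, client_key):
    # One session: client computes Ys^xc, server computes Yc^xs; they must match.
    (xs, ys), (xc, yc) = server_key, client_key
    pms_client, pms_server = premaster_secret(ys, xc), premaster_secret(yc, xs)
    assert pms_client == pms_server
    return pms_client

def fixed_dh_sessions(n):
    # Fixed DH with both certificates: static key pairs, so every session derives the same PMS
    server_key, client_key = keypair(), keypair()
    return [exchange(server_key, client_key) for _ in range(n)]

def ephemeral_dh_sessions(n):
    # DHE: fresh pairs per session; a later key compromise cannot recover old secrets
    return [exchange(keypair(), keypair()) for _ in range(n)]
```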
More information about the above topics can be found through their associated links within the article; in addition, the following articles were referenced: