anonymous DH & MITM

Bodo Moeller bmoe at cdc.informatik.tu-darmstadt.de
Fri Oct 17 08:21:00 EDT 2003


Ian Grigg <iang at systemics.com>:

> I agree.  As a side note, I think it is probably
> a good idea for TLS to deprecate ADH, simply
> because self-signed certs are more or less
> equivalent, and by unifying the protocol around
> certificates, it reduces some amount of complexity
> without major loss of functionality.

Actually the "anonymous" DH ciphersuites can be (and are) employed to
implement *authenticated* DH by using non-TLS means for authentication.
(Specifically, what you can do is authenticate the TLS Finished
messages, which involve hashes of the complete handshake.)  This can
be useful for using TLS in protocols without tainting them with X.509,
and without creating specific new TLS ciphersuites.

It is true that TLS would be (slightly) less complex if it didn't have
both certificate-based and certificate-less ciphersuites.  But TLS as
employed in such protocols would become more complex if you had to use
self-signed certificates (meaning that implementations would have to
be able to parse X.509 stuff that currently can do without it).

Also note that using a self-signed certificate means that you actually
have to sign it (after all, the peer might try and "verify" it).  This
means additional private-key operations, and thus makes the protocol
slower.

Bottom line: Deprecating TLS ADH in favor of self-signed certificates
would reduce complexity in a certain sense, but add complexity in
other contexts.  It also would make the handshake slower.  I don't
think it would be a good idea.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
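
The binding described in the message above (authenticating the Finished values of an anonymous DH handshake by non-TLS means), as an added example that is not part of the original post. It assumes a toy DH group, a simplified Finished computation, and a pre-shared secret as the out-of-band authenticator; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (2**127 - 1 is prime); not a secure DH group.
P, G = 2**127 - 1, 3

def enc(n):
    return n.to_bytes(16, "big")

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def finished(priv, peer_pub, client_pub, server_pub):
    """Simplified stand-in for a TLS Finished value: a keyed hash over the
    handshake transcript exactly as this endpoint saw it."""
    master = hashlib.sha256(enc(pow(peer_pub, priv, P))).digest()
    transcript = hashlib.sha256(enc(client_pub) + enc(server_pub)).digest()
    return hmac.new(master, b"client finished" + transcript, hashlib.sha256).digest()

def bind(psk, fin):
    """Non-TLS authentication step (assumed: a secret shared out of band)."""
    return hmac.new(psk, b"finished-binding" + fin, hashlib.sha256).digest()

def handshake_accepted(psk, tampered=False):
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    if tampered:
        # Constructed failure case: an intermediary replaced both public values.
        _, m_pub = keypair()
        seen_by_client, seen_by_server = m_pub, m_pub
    else:
        seen_by_client, seen_by_server = s_pub, c_pub
    # Each side derives the Finished value from its own view of the handshake.
    client_fin = finished(c_priv, seen_by_client, c_pub, seen_by_client)
    server_fin = finished(s_priv, seen_by_server, seen_by_server, s_pub)
    # The client sends the tag; the server recomputes it from its own view.
    tag = bind(psk, client_fin)
    return hmac.compare_digest(tag, bind(psk, server_fin))

if __name__ == "__main__":
    psk = secrets.token_bytes(32)
    print("untampered:", handshake_accepted(psk))
    print("tampered:  ", handshake_accepted(psk, tampered=True))
```

Because the tag covers the transcript hash and the derived secret, the check fails whenever the two endpoints saw different handshakes, without either side parsing or signing a certificate.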


