SSL/TLS passive sniffing
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Wed Dec 22 12:10:18 EST 2004
On Sun, Dec 19, 2004 at 05:24:59PM +0100, Florian Weimer wrote:
> * Victor Duchovni:
>
> > The third mode is quite common for STARTTLS with SMTP if I am not
> > mistaken. A one day sample of inbound TLS email has the following cipher
> > frequencies:
> >
> > 8221 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> > 6529 (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
>
> The Debian folks have recently stumbled upon a problem in this area:
> Generating the ephemeral DH parameters is expensive, in terms of CPU
> cycles, but especailly in PRNG entropy. The PRNG part means that it's
> not possible to use /dev/random on Linux, at least on servers. The
> CPU cycles spent on bignum operations aren't a real problem.
>
> Would you recommend to switch to /dev/urandom (which doesn't block if
> the entropy estimate for the in-kernel pool reaches 0), and stick to
> generating new DH parameters for each connection, or is it better to
> generate them once per day and use it for several connections?
>
Actually reasoning along these lines is why Lutz Jaenicke implemented
PRNGD, it is strongly recommended (at least by me) that mail servers
use PRNGD or similar. PRNGD delivers psuedo-random numbers mixing in
real entropy periodically.
EGD, /dev/random and /dev/urandom don't produce bits fast enough. Also
Postfix internally seeds the built-in OpenSSL PRNG via the tlsmgr process
and this hands out seeds for smtp servers and clients, so the demand for
real entropy is again reduced.
Clearly a PRNG is a compromise (if the algorithm is found to be weak we
could have problems), but real entropy is just too expensive.
I use PRNGD.
--
/"\ ASCII RIBBON NOTICE: If received in error,
\ / CAMPAIGN Victor Duchovni please destroy and notify
X AGAINST IT Security, sender. Sender does not waive
/ \ HTML MAIL Morgan Stanley confidentiality or privilege,
and use is prohibited.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list