SSL/TLS passive sniffing

David Wagner daw at cs.berkeley.edu
Tue Nov 30 22:25:26 EST 2004


Ian Grigg writes:
>I note that distinction well!  Certificate based systems
>are totally vulnerable to a passive sniffing attack if the
>attacker can get the key.  Whereas Diffie Hellman is not,
>on the face of it.  Very curious...

No, that is not accurate.  Diffie-Hellman is also insecure if the "private
key" is revealed to the adversary.  The "private key" for Diffie-Hellman
is the private exponent.  If you learn the private exponent that one
endpoint used for a given connection, and if you have intercepted that
connection, you can derive the session key and decrypt the intercepted
traffic.

Perhaps the distinction you had in mind is forward secrecy.  If you use
a different "private key" for every connection, then compromise of one
connection's "private key" won't affect other connections.  This is
true whether you use RSA or Diffie-Hellman.  The main difference is
that in Diffie-Hellman, "key generation" is cheap and easy (just an
exponentiation), while in RSA key generation is more expensive.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
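
The point made in the reply above, as an added example that is not part of the original message: a passive recorder keeps only public values and ciphertext, and one leaked server exponent opens every connection that reused it but only a single connection when a fresh exponent is generated each time. The group parameters, the XOR keystream cipher and all function names are assumptions made for this sketch and are not suitable for real use.

```python
import hashlib
import secrets

# Toy parameters chosen for this example only (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keygen():
    """Return (private exponent, public value); this is the cheap 'key generation'."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def session_key(own_private, peer_public):
    """Derive the session key from our exponent and the peer's public value."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    """Toy cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def run_connections(messages, reuse_server_key):
    """Simulate one connection per message.

    Returns (transcript, server_privs): the transcript is all a passive
    sniffer sees, server_privs are the server's private exponents.
    """
    transcript, server_privs = [], []
    static = keygen()
    for msg in messages:
        c_priv, c_pub = keygen()
        s_priv, s_pub = static if reuse_server_key else keygen()
        key = session_key(c_priv, s_pub)  # the server derives the same key
        transcript.append((c_pub, s_pub, xor_stream(key, msg)))
        server_privs.append(s_priv)
    return transcript, server_privs

def readable_after_leak(transcript, leaked_private):
    """List (index, plaintext) for recorded connections one leaked exponent opens."""
    leaked_public = pow(G, leaked_private, P)
    return [(i, xor_stream(session_key(leaked_private, c_pub), ct))
            for i, (c_pub, s_pub, ct) in enumerate(transcript)
            if s_pub == leaked_public]
```
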


