SSL/TLS passive sniffing

Greg Rose ggr at qualcomm.com
Tue Jan 4 15:10:11 EST 2005


At 22:51 2004-12-22 +0100, Florian Weimer wrote:
>* John Denker:
>
> > Florian Weimer wrote:
> >
> >> Would you recommend to switch to /dev/urandom (which doesn't block if
> >> the entropy estimate for the in-kernel pool reaches 0), and stick to
> >> generating new DH parameters for each connection,
> >
> > No, I wouldn't.
>
>Not even for the public parameters?

Am I understanding correctly? Does SSL/TLS really generate a new P and G 
for each connection? If so, can someone explain the rationale behind this? 
It seems insane to me. And not doing so would certainly ease the problem on 
the entropy pool, not to mention CPU load for primality testing.

I must be misunderstanding. Surely. Please?

Greg.



Greg Rose                                    INTERNET: ggr at qualcomm.com
Qualcomm Incorporated     VOICE: +1-858-651-5733   FAX: +1-858-651-5766
5775 Morehouse Drive                    http://people.qualcomm.com/ggr/
San Diego, CA 92121   232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C


---------------------------------------------------------------------
The Cryptography Mailing List


