[Cryptography] Chrome dropping DHE (was Re: [FORGED] Re: ratcheting DH strengths over time)

Viktor Dukhovni cryptography at dukhovni.org
Sun Nov 22 00:54:49 EST 2015


On Sun, Nov 22, 2015 at 12:48:22AM -0500, Phillip Hallam-Baker wrote:

> Doing a DHE should never have reduced the effective security.
> 
> If the cert has an RSA2048 bit key, you should never have to get less
> than RSA2048 bit security. Instead, the protocol was jiggered so that
> the strong key negotiated with the cert is only used to authenticate
> the ephemeral key and the result of the weaker exchange is used.
> 
> I am pretty sure that was an example of 'BULLRUN' in action.

Seems unlikely; rather, the protocol is what you'd expect: the public
key of the server signs the key exchange.

In TLS 1.3, the DH groups are standardized, and the client advertises
its supported groups.  That way it can avoid advertising weak
groups, and servers don't have to use "lowest common denominator"
primes to stay interoperable.

> The keys should be constructed using H ( StaticAgreed + Ephemeral ).
> It is the obvious way to do it.

There is no, and never was, any "Static Agreed" that got discarded.
You've never clearly explained what "Static Agreed" you had in mind.

-- 
	Viktor.
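
The TLS 1.3 group negotiation mentioned in the message above, as an added example that is not part of the original post: the server parses the client's supported_groups extension and picks from its own policy, refusing the handshake when nothing acceptable is shared. The function names, the server policy and the sample bytes are constructed for illustration; the codepoints are those of RFC 8446 section 4.2.7 and RFC 7919.

```python
import struct

# Named-group codepoints (RFC 8446 section 4.2.7; FFDHE groups from RFC 7919).
NAMED_GROUPS = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
    0x001D: "x25519", 0x001E: "x448",
    0x0100: "ffdhe2048", 0x0101: "ffdhe3072", 0x0102: "ffdhe4096",
    0x0103: "ffdhe6144", 0x0104: "ffdhe8192",
}

def parse_supported_groups(ext_data):
    """Parse supported_groups extension_data: 2-byte list length, then 2-byte codepoints."""
    if len(ext_data) < 2:
        raise ValueError("truncated supported_groups")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    body = ext_data[2:]
    # named_group_list<2..2^16-1>: non-empty, even length, and no trailing bytes.
    if list_len != len(body) or list_len == 0 or list_len % 2:
        raise ValueError("malformed named_group_list")
    return [code for (code,) in struct.iter_unpack("!H", body)]

def select_group(client_groups, server_policy):
    """Return the first group in server preference order that the client advertised.

    Unknown codepoints from the client are simply never matched. None means no
    acceptable group is shared; a TLS 1.3 server then aborts the handshake with
    a fatal alert instead of falling back to a weaker prime.
    """
    offered = set(client_groups)
    for group in server_policy:
        if group in offered:
            return group
    return None

# Constructed sample: x25519, secp256r1, ffdhe2048 and one unknown value (0x0A0A).
SAMPLE_EXT = bytes.fromhex("0008" "001d" "0017" "0100" "0a0a")
# Hypothetical server policy: nothing below ffdhe3072 for finite-field DH.
SERVER_POLICY = [0x0101, 0x001D]

if __name__ == "__main__":
    groups = parse_supported_groups(SAMPLE_EXT)
    chosen = select_group(groups, SERVER_POLICY)
    print("client offers:", [NAMED_GROUPS.get(g, hex(g)) for g in groups])
    print("server selects:", NAMED_GROUPS.get(chosen, "none (abort handshake)"))
    # A client that only offers ffdhe2048 shares nothing with this policy.
    print("ffdhe2048-only client:", select_group([0x0100], SERVER_POLICY))
```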

