Re: [TLS] Please discuss: draft-housley-evidence-extns-00
Mark Brown wrote:
>
> Ephemeral RSA? I hadn't thought about that. In Rescorla's book it seems to
> be a tweak used to adapt to US export limits (512 bit RSA keys for export).
Almost all of the code is already present in existing implementations
in order to support the SSLv3 RSA_EXPORT key exchange methods with
server certs using >512 bit RSA keys.
The weakness in current SSL/TLS with the regular RSA ciphers is
that when you get your hands on the private key of the Server, then
you can decrypt all archived encrypted sessions that were established
with that key as well as passively attack all new sessions that are
being established with that key.
With temporary/ephemeral RSA keypairs, recovery of previous sessions is
no longer possible after the server has replaced (and securely purged)
the temporary keypair, and simple passive attacks don't work, either.
An active MITM attack or access to the temporary keypair is required
to attack the communication at the network level.
When the server's long-term authentication keypair is also used directly
for setting up the session keying material, it becomes a much more
attractive target for brute force attacks, for key-stealing and for
secret or non-consensual key-escrow.
-Martin
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
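The distinction Martin draws above, as an added toy model that is not part of the thread or of any TLS implementation: a server that has the client encrypt the premaster secret to its long-term RSA key lets whoever later obtains that key decrypt every archived handshake, while a temporary keypair that has already been replaced and purged leaves the archived ciphertext unrecoverable (only a temporary key that is still in memory at theft time helps the attacker). The `Server`, `record_session` and `recover_after_key_theft` names and the textbook RSA with randomly chosen ~20-bit primes are constructed for illustration and are not secure.

```python
"""Toy model: static RSA key exchange vs. temporary (ephemeral) RSA keypairs.
Textbook RSA on ~20-bit constructed primes; illustration only, not secure."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

E = 65537


def _is_prime(n):
    # Trial division; fine for the tiny toy primes used here.
    if n < 2 or n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def _random_prime():
    # Smallest prime at or above a random odd number in [1e6, 1e7] (constructed).
    n = (secrets.randbelow(9_000_000) + 1_000_001) | 1
    while not _is_prime(n):
        n += 2
    return n


def toy_keypair():
    """Return (public, private) as ((n, e), (n, d)); retry until e is invertible."""
    while True:
        p, q = _random_prime(), _random_prime()
        if p == q:
            continue
        try:
            d = pow(E, -1, (p - 1) * (q - 1))
        except ValueError:  # gcd(e, phi) != 1, pick new primes
            continue
        return (p * q, E), (p * q, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


@dataclass
class Server:
    longterm: tuple = field(default_factory=toy_keypair)  # lives for years
    ephemeral: Optional[tuple] = None                      # temporary keypair

    def handshake_key(self, mode):
        """Public key the client encrypts the premaster secret to."""
        if mode == "static":
            return self.longterm[0]
        if self.ephemeral is None:
            self.ephemeral = toy_keypair()  # in TLS this key is signed by longterm
        return self.ephemeral[0]

    def rotate_ephemeral(self):
        """Replace and securely purge the temporary keypair (the step the post relies on)."""
        self.ephemeral = None


def record_session(server, mode, archive):
    """Client side of one handshake; a passive observer archives the ciphertext.
    Returns the premaster secret so the outcome can be checked later."""
    pub = server.handshake_key(mode)
    premaster = secrets.randbelow(pub[0] - 2) + 2
    archive.append((mode, rsa_encrypt(pub, premaster)))
    return premaster


def recover_after_key_theft(server, archive):
    """Attacker later steals the long-term private key plus whatever temporary key
    is still in memory, and tries every archived handshake with what they hold."""
    out = []
    for mode, c in archive:
        if mode == "static":
            out.append(rsa_decrypt(server.longterm[1], c))
        elif server.ephemeral is not None:  # only the current temp key exists
            out.append(rsa_decrypt(server.ephemeral[1], c))
        else:
            out.append(None)
    return out


def simulate():
    server, archive = Server(), []
    s_static = record_session(server, "static", archive)
    s_purged = record_session(server, "ephemeral", archive)
    server.rotate_ephemeral()  # old temporary key is gone before the theft
    s_live = record_session(server, "ephemeral", archive)  # new temp key still held
    got = recover_after_key_theft(server, archive)
    return {
        "static_recovered": got[0] == s_static,          # True
        "purged_ephemeral_recovered": got[1] == s_purged,  # False
        "live_ephemeral_recovered": got[2] == s_live,      # True
    }


if __name__ == "__main__":
    print(simulate())
```

The third session shows the caveat in the post: rotation only protects sessions whose temporary key has actually been purged, so the rotation interval bounds how much archived traffic a later key theft exposes.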