


First let's be sure that we talk about the same thing. In SSL, there are "ephemeral DH cipher suites" (DHE) and "non-ephemeral DH cipher suites" (DH).

With DHE, the server private key (the permanent one, the one which is stored in a file, and whose public key is in the server certificate) is of type RSA (DHE_RSA cipher suites) or DSS (DHE_DSS cipher suites), and is used only for signatures. The server generates a new random DH key pair (the private key will not be stored, which is how perfect forward secrecy is achieved: a private key cannot be stolen afterwards if it has never been stored), and sends the public key to the client, in a message which the server signs with its RSA or DSS private key.

With DH cipher suites, the permanent server private key is a DH private key. The server certificate contains the DH public key. The server cannot have its RSA key stolen because the server does not have an RSA key. When a cipher suite is called "DH_RSA", it means "the server key is a DH key, and the server certificate was issued (i.e. signed) by a Certification Authority who uses an RSA key".

Stealing the DH private key of one party involved in a DH key exchange allows later reconstruction of the shared secret, just like RSA. In "ephemeral DH", the PFS is obtained through "ephemeral", not through "DH". Technically, it would be possible to have "ephemeral RSA" but it is not done in practice(*) because generating a new RSA key pair is kinda expensive, whereas producing a new DH key pair is cheap.

(*) Ephemeral RSA keys were possible with old versions of SSL as part of the "export" cipher suites, meant to comply with the pre-2000 US export regulations: the server could have a 1024-bit signature RSA key, and generate an ephemeral 512-bit RSA key pair for key exchange, used in encryption mode. I don't recall having ever seen that in the wild, though, and it is a moot point since US export regulations on key sizes were lifted.
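The contrast drawn above, as an added Python example (not code from the answer or from any TLS implementation): a toy model with assumed names in which the server's permanent key is either the DH exponent itself (DH_RSA-style) or only a signing key (DHE_RSA-style), so that a later theft of the permanent key plus a recorded transcript recovers the old session secret in the first case but not the second. An HMAC stands in for the RSA/DSS signature and a small Mersenne-prime group stands in for a real TLS group.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy DH group for the demo only (assumption, not a TLS group): Mersenne prime
# 2^127-1 with generator 2. Real TLS uses 2048-bit or larger groups.
P = (1 << 127) - 1
G = 2

def dh_pub(priv: int) -> int:
    return pow(G, priv, P)            # g^priv mod p, sent on the wire

def dh_shared(peer_pub: int, priv: int) -> int:
    return pow(peer_pub, priv, P)     # peer_pub^priv mod p, never sent

def sign(signing_key: bytes, server_pub: int) -> bytes:
    # HMAC stands in for the server's RSA/DSS signature on its DH public value
    return hmac.new(signing_key, server_pub.to_bytes(16, "big"), hashlib.sha256).digest()

@dataclass
class Transcript:
    """What a passive eavesdropper can record from the handshake."""
    server_pub: int
    client_pub: int
    signature: bytes = b""            # present only in the DHE handshake

def static_dh_handshake(server_dh_priv: int):
    """DH_RSA-style: the permanent server key IS a DH key; its public half is in the cert."""
    client_priv = secrets.randbelow(P - 2) + 1
    t = Transcript(dh_pub(server_dh_priv), dh_pub(client_priv))
    return t, dh_shared(t.server_pub, client_priv)

def dhe_handshake(signing_key: bytes):
    """DHE_RSA-style: the permanent key only signs; the DH key is fresh and never stored."""
    eph_priv = secrets.randbelow(P - 2) + 1
    client_priv = secrets.randbelow(P - 2) + 1
    t = Transcript(dh_pub(eph_priv), dh_pub(client_priv), b"")
    t.signature = sign(signing_key, t.server_pub)
    secret = dh_shared(t.client_pub, eph_priv)
    del eph_priv                      # discarded after use: nothing on disk to steal later
    return t, secret

def recover_static(t: Transcript, stolen_dh_priv: int) -> int:
    """Permanent DH key stolen later + recorded transcript => the old session secret."""
    return dh_shared(t.client_pub, stolen_dh_priv)

def recover_dhe(t: Transcript, stolen_signing_key: bytes):
    """Permanent signing key stolen later: it can only re-check the old signature; the
    ephemeral exponent behind t.server_pub was never stored, so nothing combines with
    t.client_pub and the old session secret stays out of reach."""
    assert hmac.compare_digest(sign(stolen_signing_key, t.server_pub), t.signature)
    return None
```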
