[16484] in cryptography@c2.net mail archive
Re: SSL/TLS passive sniffing
daemon@ATHENA.MIT.EDU (Ian Grigg)
Wed Dec 1 02:21:10 2004
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <200412010325.iB13PQtJ027248@taverner.CS.Berkeley.EDU>
Date: Wed, 1 Dec 2004 01:10:36 -0500 (EST)
From: "Ian Grigg" <iang@systemics.com>
To: "David Wagner" <daw@cs.berkeley.edu>
Cc: cryptography@metzdowd.com
Reply-To: iang@systemics.com
> Ian Grigg writes:
>>I note that distinction well! Certificate based systems
>>are totally vulnerable to a passive sniffing attack if the
>>attacker can get the key. Whereas Diffie Hellman is not,
>>on the face of it. Very curious...
>
> No, that is not accurate. Diffie-Hellman is also insecure if the "private
> key" is revealed to the adversary. The "private key" for Diffie-Hellman
> is the private exponent. If you learn the private exponent that one
> endpoint used for a given connection, and if you have intercepted that
> connection, you can derive the session key and decrypt the intercepted
> traffic.
I wasn't familiar that one could think in those terms. Reading
here: http://www.rsasecurity.com/rsalabs/node.asp?id=2248 it
says:
    In recent years, the original Diffie-Hellman protocol
    has been understood to be an example of a much more
    general cryptographic technique, the common element
    being the derivation of a shared secret value (that
    is, key) from one party's public key and another
    party's private key. The parties' key pairs may be
    generated anew at each run of the protocol, as in
    the original Diffie-Hellman protocol.
It seems the compromise of *either* exponent would lead to
solution.
> Perhaps the distinction you had in mind is forward secrecy. If you use
> a different "private key" for every connection, then compromise of one
> connection's "private key" won't affect other connections. This is
> true whether you use RSA or Diffie-Hellman. The main difference is
> that in Diffie-Hellman, "key generation" is cheap and easy (just an
> exponentiation), while in RSA key generation is more expensive.
Yes. So if a crypto system used the technique of using
Diffie-Hellman key exchange (with unique exponents for each
session), there would be no lazy passive attack, where I
am defining the lazy attack as a once-off compromise of a
private key. That is, the attacker would still have to
learn the individual exponent for that session, which
(assuming the attacker has to ask for it of one party)
would be equivalent in difficulty to learning the secret
key that resulted and was used for the secret key cipher.
iang
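The two points in the exchange above (David's: an intercepted transcript plus one endpoint's private exponent yields the session key, from either side; and the forward-secrecy contrast between a reused exponent and a fresh exponent per session) worked through as an added Python example that is not part of the original thread. The 61-bit modulus, generator, SHA-256 as a stand-in KDF, and the Alice/Bob function names are all assumptions of this demonstration, not parameters of any real deployment.

```python
import hashlib
import secrets

# Toy group parameters for the demonstration only. 2**61 - 1 is prime, but a
# 61-bit modulus offers no security; real deployments use a standardized
# large group (e.g. the RFC 3526 MODP groups).
P = 2**61 - 1
G = 5


def new_exponent():
    """Fresh private exponent x in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def public_value(x):
    """g^x mod p, the value sent over the wire."""
    return pow(G, x, P)


def shared_secret(my_exponent, peer_public):
    """Each side computes (g^y)^x = g^(xy) mod p."""
    return pow(peer_public, my_exponent, P)


def session_key(secret):
    """Derive the symmetric key from the shared secret (toy KDF: SHA-256)."""
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()


def run_session(a, b):
    """One DH exchange between exponents a (Alice) and b (Bob).

    Returns the wire transcript, i.e. exactly what a passive observer sees,
    and the key both endpoints derived from it.
    """
    A, B = public_value(a), public_value(b)
    key_alice = session_key(shared_secret(a, B))
    key_bob = session_key(shared_secret(b, A))
    assert key_alice == key_bob
    return {"A": A, "B": B}, key_alice


def key_from_transcript(transcript, leaked_exponent, leaked_side):
    """Transcript + one endpoint's private exponent -> that session's key.

    leaked_side is "alice" (exponent a, combine with B) or "bob" (exponent b,
    combine with A). Either side's exponent suffices.
    """
    peer_public = transcript["B"] if leaked_side == "alice" else transcript["A"]
    return session_key(shared_secret(leaked_exponent, peer_public))


def compare_static_and_ephemeral():
    """Two recorded sessions each way, one exponent compromised afterwards.

    Static: Alice reuses a single exponent, so its compromise unlocks every
    recorded session (the once-off compromise of a long-term private key).
    Ephemeral: Alice draws a fresh exponent per session, so the compromised
    exponent unlocks only the session it was used in.
    """
    a_static = new_exponent()
    t1, k1 = run_session(a_static, new_exponent())
    t2, k2 = run_session(a_static, new_exponent())
    static = (key_from_transcript(t1, a_static, "alice") == k1,
              key_from_transcript(t2, a_static, "alice") == k2)

    a1, a2 = new_exponent(), new_exponent()
    t1, k1 = run_session(a1, new_exponent())
    t2, k2 = run_session(a2, new_exponent())
    ephemeral = (key_from_transcript(t1, a1, "alice") == k1,
                 key_from_transcript(t2, a1, "alice") == k2)
    return {"static": static, "ephemeral": ephemeral}


if __name__ == "__main__":
    print(compare_static_and_ephemeral())
```

Run stand-alone it reports `{'static': (True, True), 'ephemeral': (True, False)}`: with a reused exponent every recorded session falls to one compromise, while with per-session exponents the compromised one opens only its own session and the rest stay as hard to recover as the session key itself, which is the distinction the reply draws.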
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com