- Posts: 67
- Thank you received: 0
IKE and Diffie-Hellman
17 years 10 months ago #18320
by Maki
"Appear weak when you are strong and strong when you are weak"
Replied by Maki on topic Re: IKE and Diffie-Hellman
Just to support what Smurf has described...have a look at the following link:
docs.hp.com/en/J4256-90003/ch01s04.html
Diffie-Hellman was one of the first algorithms used for encryption using public keys. SSL comunications over the internet incorporates a Diffie-Hellman exchange at some point. The famous RSA algorithm follows the same method. Here is an extract from the RFC2246:
RFC 2246 The TLS Protocol Version 1.0 January 1999
F.1.1.3. Diffie-Hellman key exchange with authentication
When Diffie-Hellman key exchange is used, the server can either
supply a certificate containing fixed Diffie-Hellman parameters or
can use the server key exchange message to send a set of temporary
Diffie-Hellman parameters signed with a DSS or RSA certificate.
Temporary parameters are hashed with the hello.random values before
signing to ensure that attackers do not replay old parameters. In
either case, the client can verify the certificate or signature to
ensure that the parameters belong to the server.
If the client has a certificate containing fixed Diffie-Hellman
parameters, its certificate contains the information required to
complete the key exchange. Note that in this case the client and
server will generate the same Diffie-Hellman result (i.e.,
pre_master_secret) every time they communicate. To prevent the
pre_master_secret from staying in memory any longer than necessary,
it should be converted into the master_secret as soon as possible.
Client Diffie-Hellman parameters must be compatible with those
supplied by the server for the key exchange to work.
If the client has a standard DSS or RSA certificate or is
unauthenticated, it sends a set of temporary parameters to the server
in the client key exchange message, then optionally uses a
certificate verify message to authenticate itself.
Cheers
Maki
docs.hp.com/en/J4256-90003/ch01s04.html
Diffie-Hellman was one of the first algorithms used for encryption using public keys. SSL comunications over the internet incorporates a Diffie-Hellman exchange at some point. The famous RSA algorithm follows the same method. Here is an extract from the RFC2246:
RFC 2246 The TLS Protocol Version 1.0 January 1999
F.1.1.3. Diffie-Hellman key exchange with authentication
When Diffie-Hellman key exchange is used, the server can either
supply a certificate containing fixed Diffie-Hellman parameters or
can use the server key exchange message to send a set of temporary
Diffie-Hellman parameters signed with a DSS or RSA certificate.
Temporary parameters are hashed with the hello.random values before
signing to ensure that attackers do not replay old parameters. In
either case, the client can verify the certificate or signature to
ensure that the parameters belong to the server.
If the client has a certificate containing fixed Diffie-Hellman
parameters, its certificate contains the information required to
complete the key exchange. Note that in this case the client and
server will generate the same Diffie-Hellman result (i.e.,
pre_master_secret) every time they communicate. To prevent the
pre_master_secret from staying in memory any longer than necessary,
it should be converted into the master_secret as soon as possible.
Client Diffie-Hellman parameters must be compatible with those
supplied by the server for the key exchange to work.
If the client has a standard DSS or RSA certificate or is
unauthenticated, it sends a set of temporary parameters to the server
in the client key exchange message, then optionally uses a
certificate verify message to authenticate itself.
Cheers
Maki
"Appear weak when you are strong and strong when you are weak"
Time to create page: 0.117 seconds