[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DH vs. RSA use for symmetric key exchange

"Khaja E. Ahmed" wrote:

> I thought that using RSA to exchange keys would introduce a "simple" mode
> that would eliminate DH entirely.

Yes, but it would thereby lose much of the security.

Suppose I've broken RSA or acquired your RSA keys by whatever means -- breaking
into your system, bribing or coercing someone, a tempest attack, ... Suppose
I've also built an archive of all your traffic for the last several weeks and
am planning to keep monitoring you.

If your session keys are protected only by RSA encryption, the game ends
there. I can immediately decrypt all the archived session keys and read
the archived traffic. I can also read future traffic (as long as those RSA
keys remain in play) as easily as the person you're communicating with can.

That is, if I get your RSA keys, your security just became zero. One failure
breaks the whole system.

However, if RSA is used only to authenticate a Diffie-Hellman key negotiation
then losing your RSA keys only exposes you to attacks on the authentication.

I can pose as one player and fool the other. This is a disaster, but does
not completely destroy your security. With only one key I cannot pose as
any player except that one and I may not know enough to pose convincingly
as that one.

If I have both keys and can intercept or re-route packets appropriately
(which requires some non-trivial subversion of the network, e.g. DNS or
routers) then I can conduct an active man-in-the-middle that gets me one
session key, and therefore of course everything encrypted with it. 

However, I have to repeat that man-in-the-middle attack, in real time and
undetected, every time you change keys. Moreover, I cannot conduct such
an attack at all against all that lovely traffic I've archived.

So with RSA authentication of DH key negotiations, security is partly
maintained even if the RSA keys are compromised. You're still in trouble,
but at least you're still secure against passive attacks -- even with the
RSA keys a passive snoop gets no session keys, short of breaking DH --
and the enemy cannot read archived messages.

Moreover, the attacker still has work to do before he reads any traffic.
He has to conduct a successful impersonation or a man-in-the-middle

> ... Especially where an RSA key certificate
> is being used for authentication the initiator already has to implement path
> processing and other complex PKI logic.  In such a situation if we just drop
> DH and use RSA instead to exchange the keys _this_ _particular_ exchange
> becomes simpler.

It may simplify this exchange, but not the protocol. To make RSA encryption
of session keys as secure as DH negotiation with RSA authentication you
would have to add some mechanism for frequent changes of the RSA keys
with secure and authenticated notification of partners. I'm not sure if
this is possible. Certainly the resulting protocol would be more complex
than what we have.