8

1 Does Ephemeral Diffie-Hellman support authentication?
Quote from www.rsa.com/products/bsafe/documentation/mesuite21html/dev_guide/group_EPH_DH.html

Ephemeral Diffie-Hellman does NOT provide authentication, since neither party has guarantees about the entity with which it is communicating.

However, quote from the book Cryptography Decrypted (Author: H.X.Mel), P225

Fixed and Ephemeral Diffie-Hellman support authentication.

So, does Ephemeral Diffie-Hellman support authentication?

2 What are the differences between Ephemeral Diffie-Hellman and Static Diffie-Hellman?

Matt Elson
  • Surprised this question came here, and not [Cryptography](http://crypto.stackexchange.com/). I've seen IT.Sec questions about crypto "Authentication" be confused with completely different types of auth – makerofthings7 Feb 23 '12 at 18:19

2 Answers

4

Presumably, this is a follow-up of your previous question.

EDH differs from static DH in that static DH always uses the same DH keys. In contrast, when using EDH, keys are temporary and re-generated every time (or their re-use should be avoided, at least).

EDH doesn't provide authentication on its own, but the fact that the server signs the content of its server key exchange message which contains "a Diffie-Hellman public key with which the client can complete a key exchange (with the result being the premaster secret)" implies that this DH public key is authenticated by this signature.

This is described in TLS 1.1 Section F.1.1.3:

When Diffie-Hellman key exchange is used, the server can either
supply a certificate containing fixed Diffie-Hellman parameters or
use the server key exchange message to send a set of temporary
Diffie-Hellman parameters signed with a DSS or RSA certificate.
Temporary parameters are hashed with the hello.random values before
signing to ensure that attackers do not replay old parameters. In
either case, the client can verify the certificate or signature to
ensure that the parameters belong to the server.

Bruno
2

Ephemeral Diffie-Hellman by itself does not provide authentication. Those are the (EC)DHE_Anon_* suites.

But you can combine ephemeral Diffie-Hellman with a digital signature algorithm (RSA, DSA, ECDSA) to provide authentication. These are suites like DHE_RSA_*.

Those modes generate an unauthenticated, new Diffie-Hellman key, and then sign that key with their authentication key.


Ephemeral Diffie-Hellman generates a new key for every connection, which enables perfect-forward-privacy. Which means if the private key of the server gets leaked, his past communications are secure.

Fixed Diffie-Hellman on the other hand uses the same Diffie-Hellman key every time. Without any DH exchange, you can only use RSA in encryption mode. To use a signature-based authentication you need some kind of DH exchange (fixed or ephemeral), to exchange the session key. And then you sign that for authentication.

DSA and ECDSA require DH or DHE, since they don't offer an encryption mode. This is why there are no DSA_* suites, only DH(E)_DSA_* suites.

CodesInChaos
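The signed ephemeral exchange that both answers describe, as an added example that is not part of either answer or of any TLS implementation: the server signs its temporary DH public value together with the hello.random values, and the client checks that signature before using the value. The DH group, the textbook (unpadded) RSA key and all function names are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (far too small for real use).
P, G = 2**127 - 1, 3                          # DH modulus (Mersenne prime) and base
RSA_P, RSA_Q = 2**107 - 1, 2**89 - 1          # server's long-term RSA primes
N, E = RSA_P * RSA_Q, 65537                   # public key, as carried in the certificate
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))     # long-term private exponent


def digest(client_random, server_random, dh_public):
    """Hash both hello.random values together with the temporary DH parameters."""
    h = hashlib.sha256(client_random + server_random)
    for num in (P, G, dh_public):
        h.update(num.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % N


def server_key_exchange(client_random):
    """Server: fresh DH key pair for this connection, signed with the long-term key."""
    server_random = secrets.token_bytes(32)
    x = secrets.randbelow(P - 3) + 2          # ephemeral private value
    y = pow(G, x, P)                          # ephemeral public value
    sig = pow(digest(client_random, server_random, y), D, N)
    return x, {"server_random": server_random, "dh_public": y, "sig": sig}


def client_verify(client_random, msg):
    """Client: accept the DH value only if the signature covers it and both randoms."""
    expected = digest(client_random, msg["server_random"], msg["dh_public"])
    return pow(msg["sig"], E, N) == expected


def shared_secret(own_private, peer_public):
    """Either side: derive the premaster secret from the peer's public value."""
    return pow(peer_public, own_private, P)


if __name__ == "__main__":
    client_random = secrets.token_bytes(32)
    x, msg = server_key_exchange(client_random)
    print("genuine message verifies:", client_verify(client_random, msg))
    swapped = dict(msg, dh_public=pow(G, 5, P))   # DH value replaced in transit
    print("substituted DH value verifies:", client_verify(client_random, swapped))
    replayed = client_verify(secrets.token_bytes(32), msg)  # old message, new connection
    print("replayed message verifies:", replayed)
```

Without the signature check (the anonymous suites), the substituted value would be accepted, because nothing ties the DH public value to the server.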