97

What is the difference between ECDHE-RSA and DHE-RSA?

I know that DHE-RSA is (in one sentence) Diffie Hellman signed using RSA keys. Where DH is used for forward secrecy and RSA guards against MITM, but where do the elliptic curves in ECDHE-RSA are exactly used? What upsides has ECDHE-RSA over DHE-RSA?

AviD
  • 72,138
  • 22
  • 136
  • 218
Hubert Kario
  • 3,708
  • 3
  • 27
  • 34
  • I notice all the security sites don't use elliptic curve. They favor RSA for key exchange. – ron Dec 25 '13 at 07:42
  • @ron Send them a complaint about their bad choice. Using either DHE or ECDHE not RSA for key-exchange improves security a lot (Lavabit is a prominent example). If you don't trust ECC, use DHE_RSA not plain RSA. – CodesInChaos Dec 25 '13 at 12:15
  • @CodesInChaos: just make sure your server doesn't hardcode DH params and allows only 1024bit ones (like apache did before 2.4.7). – Hubert Kario Jan 30 '14 at 16:10
  • I prefer RSA over ECDHE, if possible, for easier maintenance and troubleshooting. I can decrypt SSL connection error messages (Encrypted Alerts) more easily with non-DHE ciphers using only the private key in Wireshark. Logging session keys to decrypt DHE is more of a pain. – Curtis Yallop Jun 05 '17 at 14:44
  • 1
    While decrypting non-DHE ciphers is easier, if you have access to server private key, it removes forward secrecy for the exact same reason that makes it easier. Also, that option will be removed with TLSv1.3 so logging session keys will be the only possibility. – Hubert Kario Jun 06 '17 at 14:11

4 Answers4

88

ECDHE suites use elliptic curve diffie-hellman key exchange, where DHE suites use normal diffie-hellman. This exchange is signed with RSA, in the same way in both cases.

The main advantage of ECDHE is that it is significantly faster than DHE. This blog article talks a bit about the performance of ECDHE vs. DHE in the context of SSL.

CodesInChaos
  • 11,854
  • 2
  • 40
  • 50
59

To add a bit of information on what @CodesInChaos says:

When you use ECDHE instead of DHE, you may obtain the following advantages:

  • Better performance. ECDHE is faster, for a given security level; @CodesInChaos points to an article which gives figures; see also this answer for why elliptic curve offer better performance.
  • Smaller messages. An ECDH public key, with a 224-bit curve, will be encoded over 56 bytes, whereas a classical DH public key of similar strength must use a 2048-bit modulus and will use 256 bytes. Since there are two such message in a SSL handshake, ECDHE saves you about 400 bytes. That's not a lot, but it can make a difference in some contexts.
  • Biodiversity. ECDH relies on the hardness of a mathematical problem which is distinct from the one used for classical DH. To some extent, classical DH can be viewed as a very specific sub-case of ECDH (computations modulo a prime are isomorphic to curve point addition in an anomalous curve) so we can handwave an argument about how ECDH is inherently at least as strong as DH (if ECDH is broken, so is DH). In practice, there are sub-exponential (i.e. faster) algorithms for solving discrete logarithm, which is why we must use a 2048-bit modulus instead of a 224-bit modulus for plain DH; while no such "faster" algorithm is known to break the elliptic-curve variant.
  • Fashionability. Elliptic curves are cool. This is an important advantage, although it is customarily expressed with a more serious-looking and boring terminology ("compliance", "Approved algorithm"...).
  • Cleansing. If you enforce ECDHE usage, you will automatically reject old implementations which do not know how to do ECDHE. If you use ECDHE for your Web server, you no longer have to worry about IE 6.0 or 7.0 ! The cryptographic arguments for ECDHE are a good excuse to kill off such dinosaurs which should have fossilized away long ago.
Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 4
    Unfortunately Opera doesn't support ECC even in the latest version :( – CodesInChaos Jan 11 '13 at 19:42
  • 3
    ECDHE is also resistant to [recently published attacks](https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf) against traditional DH cipher-suites in TLS. – kravietz Oct 20 '15 at 10:15
  • 2
    +1 for "Elliptic Curves are cool" and +1 for fossilizing IE6.0 and 7.0 :) Why do you say sometimes ECDH and not ECDHE? What's that last E for? ("Exchange"?) – El Mac Jul 21 '16 at 09:30
  • 3
    The E (in both DHE and ECDHE) stands for "ephemeral". This refferes to the fact that the secrets used for the key exchange are freshly generated for each session, thus providing forward secrecy. – Peter Green Jan 01 '17 at 01:54
  • 1
    "if ECDH is broken, so is DH" that would be true if we used comparable keysizes for both DH and ECDH but we don't. So a general attack that worked on both could be far more harmful in practice to ECDH than to DH. – Peter Green Jan 01 '17 at 01:56
  • Nitpick: for DHE-2048 both send y and server also sends p,g (but g is small) so about 768 bytes total; for ECDHE almost everyone uses 'named' at least P-256 (specified in only 2 bytes) and both send Q so about 130 bytes uncompressed or 66 bytes compressed. If anyone actually uses an ECDHE 'explicit' curve, which I doubt, that's much larger. Also, as the Logjam people found, DHE implementations can wrongly (now) use deliberately weak 512-bit params that were needed in the past for export suites; there were never export ECDHE suites that might provoke a similar error there. – dave_thompson_085 Jan 01 '17 at 04:56
6

I see two questions

"where do the elliptic curves in ECDHE-RSA are exactly used?"

I see this is as "How are elliptic curves used when it's RSA in ECDHE_RSA?". Well, check RFC 4492, Section 2, ECDHE_RSA - it's pretty good. Essentially, the server certificate is an RSA certificate (i.e. with long term RSA keys) but during the TLS handshake it instead agrees a transient/temporary/Ephemeral (the E is DHE) EC public key with DH. So the long term authenticity is confirmed via the server cert's RSA signature but the transient keys are derived via ephemeral EC keys (which then generate the symmetric key)

What upsides has ECDHE-RSA over DHE-RSA?

This is already addressed in the other answers.

Community
  • 1
DeepSpace101
  • 2,143
  • 3
  • 22
  • 35
4

What is the difference between ECDHE-RSA and DHE-RSA?

Lets start with the similarities.

  • Both ciphersuites use ephemeral keys for the Diffie-Hellman process. (that is the "E" in the name). This provides forward secrecy.
  • Both ciphersuites use RSA to sign the server's emphermeral keys and thus protect the exchange against man-in-the-middle attacks (that is the RSA in the name).

Now for the difference.

  • ECDHE-RSA uses Diffie-Hellman on an elliptic curve group while DHE-RSA uses Diffie-Hellman on a modulo-prime group.

What upsides has ECDHE-RSA over DHE-RSA?

There is a well-known attack that works for conventional DH but not for ECDH.

As a result to get the same level of assumed security* DH needs a much bigger group than ECDH. That means slower computations and more network traffic.

Getting into the messy world of practicalities some clients only support conventional DHE while other clients only support ECDHE. Furthermore Java 7 will fail the handshake if DHE is used with a prime larger than 1024 bits**.

So if you want wide client compatibility, strong cryptography and forward secrecy with as many clients as possible than you should use ECDHE as your preferred option and DHE (with a suitably big prime) as the second choice.

* That is amount of computational effort needed to crack it given the best currently known attacks.
** Noone has publicly admitted to cracking it but it is suspected that well-resourced attackers could do so.

Peter Green
  • 4,918
  • 1
  • 21
  • 26