
I have been studying to learn about various cipher suites and their performance; I'm wondering about the difference between DHE_DSS_AES256_CBC ciphersuites and DHE_RSA_AES256_CBC ciphersuites. I gathered that DSS is efficient when compared with RSA. Is that correct, and can anyone explain in more detail what the differences are and how they perform?

cpast
chris

1 Answer

DSS is a digital signature scheme published (but not invented) by the NSA. In TLS (TLS1.0, PKIX) it serves the same function as RSA and ECDSA: digital signatures prove that the server you're talking to has the private key corresponding to the public key in the certificate and that the information in the certificate (including the server's public key) is exactly what the CA reviewed and approved.

For reasons I do not know, in practice, DSS in TLS lost a popularity contest with RSA and went extinct. I failed to find a CA that sells DSS certificates. OpenSSL (including Android), MSIE and Java still support TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032), but Chrome, Firefox and Safari (desktop and mobile) don't, so it is fairly useless.

The algorithm DSA is alive and well, but these days it is used with elliptic curves, in which case it is called ECDSA. It is preferred to RSA for reasons of performance and is used by Google and CloudFlare, if the client supports it. CAs will sell you ECDSA certificates.

DSA and ECDSA have a flaw in that they require a new random nonce for each sign operation and if it's not random enough the signature exposes the private key (!). Deterministic digital signatures were developed to not require good random values for sign operations.

A fast and secure deterministic digital signature algorithm called EdDSA, in particular ed25519, recently became popular (used in newer versions of openssh and a bunch of new-ish crypto tools). The CFRG should, eventually, recommend EdDSA keys and certificates for TLS, together with Curve25519 key exchange, so that TLS_CURVE25519_ED25519_CHACHA20_POLY1305 will become the recommended ciphersuite for TLS 1.3 and DJB will be able to declare victory and retire.

I have said that the Qualys SSL server test says "DHE_DSS can't be used for PFS because they require DSS keys, which are effectively limited to 1024 bits".

For the experiment, I have configured Apache 2.4.7 with OpenSSL 1.0.1f to use DHE_DSS_AES128_CBC and DHE_RSA_AES128_CBC. The RSA certificate is real while the DSS certificate is self-signed, but this doesn't matter for the purpose of this exercise. I have connected from 192.168.1.101 to the server running on 192.168.1.103 using OpenSSL 1.0.1m (openssl s_client), recorded the handshake and exported a dissection using Wireshark.

Both configurations worked, so at least between two OpenSSL 1.0.1 instances, 2048-bit DSA keys work. This of course does not mean you want to use a DSS certificate for a web site, even if you could buy one.

(EDIT 5 years later: I don't want to change this answer, it's not wrong, but I do want to link to some more info about this on crypto.SE: https://crypto.stackexchange.com/a/50260/24949)

DHE RSA handshake dissection:

Internet Protocol Version 4, Src: 192.168.1.101 (192.168.1.101), Dst: 192.168.1.103 (192.168.1.103)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Client Hello

    Content Type: Handshake (22)

    Version: TLS 1.0 (0x0301)

    Length: 94

    Handshake Protocol: Client Hello

        Handshake Type: Client Hello (1)

        Length: 90

        Version: TLS 1.2 (0x0303)

        Random

        Session ID Length: 0

        Cipher Suites Length: 4

        Cipher Suites (2 suites)

            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

        Compression Methods Length: 1

        Compression Methods (1 method)

        Extensions Length: 45

        Extension: SessionTicket TLS

        Extension: signature_algorithms

        Extension: Heartbeat

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Hello

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 58

    Handshake Protocol: Server Hello

        Handshake Type: Server Hello (2)

        Length: 54

        Version: TLS 1.2 (0x0303)

        Random

        Session ID Length: 0

        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

        Compression Method: null (0)

        Extensions Length: 14

        Extension: renegotiation_info

        Extension: SessionTicket TLS

        Extension: Heartbeat

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Certificate

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 1630

    Handshake Protocol: Certificate

        Handshake Type: Certificate (11)

        Length: 1626

        Certificates Length: 1623

        Certificates (1623 bytes)

            Certificate Length: 1620

            Certificate (pkcs-9-at-emailAddress=5b2ca5a024054a47bfcc565a8737db21.protect,id-at-commonName=www.zeev.pw,id-at-countryName=IL)

                signedCertificate

                    version: v3 (2)

                    serialNumber: 1127576

                    signature (sha256WithRSAEncryption)

                        Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)

                    issuer: rdnSequence (0)

                        rdnSequence: 4 items (id-at-commonName=StartCom Class 1 Primary Intermediate Server C,id-at-organizationalUnitName=Secure Digital Certificate Signing,id-at-organizationName=StartCom Ltd.,id-at-countryName=IL)

                            RDNSequence item: 1 item (id-at-countryName=IL)

                                RelativeDistinguishedName item (id-at-countryName=IL)

                                    Id: 2.5.4.6 (id-at-countryName)

                                    CountryName: IL

                            RDNSequence item: 1 item (id-at-organizationName=StartCom Ltd.)

                                RelativeDistinguishedName item (id-at-organizationName=StartCom Ltd.)

                                    Id: 2.5.4.10 (id-at-organizationName)

                                    DirectoryString: printableString (1)

                                        printableString: StartCom Ltd.

                            RDNSequence item: 1 item (id-at-organizationalUnitName=Secure Digital Certificate Signing)

                                RelativeDistinguishedName item (id-at-organizationalUnitName=Secure Digital Certificate Signing)

                                    Id: 2.5.4.11 (id-at-organizationalUnitName)

                                    DirectoryString: printableString (1)

                                        printableString: Secure Digital Certificate Signing

                            RDNSequence item: 1 item (id-at-commonName=StartCom Class 1 Primary Intermediate Server C)

                                RelativeDistinguishedName item (id-at-commonName=StartCom Class 1 Primary Intermediate Server CA)

                                    Id: 2.5.4.3 (id-at-commonName)

                                    DirectoryString: printableString (1)

                                        printableString: StartCom Class 1 Primary Intermediate Server CA

                    validity

                        notBefore: utcTime (0)

                        notAfter: utcTime (0)

                    subject: rdnSequence (0)

                        rdnSequence: 3 items (pkcs-9-at-emailAddress=5b2ca5a024054a47bfcc565a8737db21.protect,id-at-commonName=www.zeev.pw,id-at-countryName=IL)

                            RDNSequence item: 1 item (id-at-countryName=IL)

                                RelativeDistinguishedName item (id-at-countryName=IL)

                                    Id: 2.5.4.6 (id-at-countryName)

                                    CountryName: IL

                            RDNSequence item: 1 item (id-at-commonName=www.zeev.pw)

                                RelativeDistinguishedName item (id-at-commonName=www.zeev.pw)

                                    Id: 2.5.4.3 (id-at-commonName)

                                    DirectoryString: printableString (1)

                                        printableString: www.zeev.pw

                            RDNSequence item: 1 item (pkcs-9-at-emailAddress=5b2ca5a024054a47bfcc565a8737db21.protect)

                                RelativeDistinguishedName item (pkcs-9-at-emailAddress=5b2ca5a024054a47bfcc565a8737db21.protect@whoisguard.com)

                                    Id: 1.2.840.113549.1.9.1 (pkcs-9-at-emailAddress)

                                    IA5String: 5b2ca5a024054a47bfcc565a8737db21.protect@whoisguard.com

                    subjectPublicKeyInfo

                        algorithm (rsaEncryption)

                            Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)

                        Padding: 0

                        subjectPublicKey: 3082010a0282010100c1c8ada6e3526a74da3f873b2352be...

                    extensions: 10 items

                algorithmIdentifier (sha256WithRSAEncryption)

                    Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)

                Padding: 0

                encrypted: 54980c6f342bc4de5641df814fe88634ec110461e260e212...

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 783

    Handshake Protocol: Server Key Exchange

        Handshake Type: Server Key Exchange (12)

        Length: 779

        Diffie-Hellman Server Params

            p Length: 256

            p: ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd1...

            g Length: 1

            g: 02

            Pubkey Length: 256

            Pubkey: 606134278d8b25b3367d3e15b2b46a3419cbe596721d446d...

            Signature Hash Algorithm: 0x0601

                Signature Hash Algorithm Hash: SHA512 (6)

                Signature Hash Algorithm Signature: RSA (1)

            Signature Length: 256

            Signature: 48b69b547860511e36830041f7e7aee3d97ced1144f190d4...

TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 4

    Handshake Protocol: Server Hello Done

        Handshake Type: Server Hello Done (14)

        Length: 0

Internet Protocol Version 4, Src: 192.168.1.101 (192.168.1.101), Dst: 192.168.1.103 (192.168.1.103)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 262

    Handshake Protocol: Client Key Exchange

        Handshake Type: Client Key Exchange (16)

        Length: 258

        Diffie-Hellman Client Params

            Pubkey Length: 256

            Pubkey: 020621c1846fa567392b2fa1b55868a65389400ee80f3594...

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: TLS 1.2 (0x0303)

    Length: 1

    Change Cipher Spec Message

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 64

    Handshake Protocol: Encrypted Handshake Message

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 202

    Handshake Protocol: New Session Ticket

        Handshake Type: New Session Ticket (4)

        Length: 198

        TLS Session Ticket

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: TLS 1.2 (0x0303)

    Length: 1

    Change Cipher Spec Message

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 64

    Handshake Protocol: Encrypted Handshake Message

DHE DSS handshake dissection:

Internet Protocol Version 4, Src: 192.168.1.101 (192.168.1.101), Dst: 192.168.1.103 (192.168.1.103)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Client Hello

    Content Type: Handshake (22)

    Version: TLS 1.0 (0x0301)

    Length: 94

    Handshake Protocol: Client Hello

        Handshake Type: Client Hello (1)

        Length: 90

        Version: TLS 1.2 (0x0303)

        Random

        Session ID Length: 0

        Cipher Suites Length: 4

        Cipher Suites (2 suites)

            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)

            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

        Compression Methods Length: 1

        Compression Methods (1 method)

        Extensions Length: 45

        Extension: SessionTicket TLS

        Extension: signature_algorithms

        Extension: Heartbeat

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Hello

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 58

    Handshake Protocol: Server Hello

        Handshake Type: Server Hello (2)

        Length: 54

        Version: TLS 1.2 (0x0303)

        Random

        Session ID Length: 0

        Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)

        Compression Method: null (0)

        Extensions Length: 14

        Extension: renegotiation_info

        Extension: SessionTicket TLS

        Extension: Heartbeat

TLSv1.2 Record Layer: Handshake Protocol: Certificate

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 1180

    Handshake Protocol: Certificate

        Handshake Type: Certificate (11)

        Length: 1176

        Certificates Length: 1173

        Certificates (1173 bytes)

            Certificate Length: 1170

            Certificate (id-at-commonName=zeev.pw,id-at-organizationName=Internet Widgits Pty Ltd,id-at-stateOrProvinceName=Some-State,id-at-countryName=US)

                signedCertificate

                    serialNumber: -5833175930474264775

                    signature (joint-iso-itu-t.16.840.1.101.3.4.3.2)

                        Algorithm Id: 2.16.840.1.101.3.4.3.2 (joint-iso-itu-t.16.840.1.101.3.4.3.2)

                    issuer: rdnSequence (0)

                        rdnSequence: 4 items (id-at-commonName=zeev.pw,id-at-organizationName=Internet Widgits Pty Ltd,id-at-stateOrProvinceName=Some-State,id-at-countryName=US)

                            RDNSequence item: 1 item (id-at-countryName=US)

                                RelativeDistinguishedName item (id-at-countryName=US)

                                    Id: 2.5.4.6 (id-at-countryName)

                                    CountryName: US

                            RDNSequence item: 1 item (id-at-stateOrProvinceName=Some-State)

                                RelativeDistinguishedName item (id-at-stateOrProvinceName=Some-State)

                                    Id: 2.5.4.8 (id-at-stateOrProvinceName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: Some-State

                            RDNSequence item: 1 item (id-at-organizationName=Internet Widgits Pty Ltd)

                                RelativeDistinguishedName item (id-at-organizationName=Internet Widgits Pty Ltd)

                                    Id: 2.5.4.10 (id-at-organizationName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: Internet Widgits Pty Ltd

                            RDNSequence item: 1 item (id-at-commonName=zeev.pw)

                                RelativeDistinguishedName item (id-at-commonName=zeev.pw)

                                    Id: 2.5.4.3 (id-at-commonName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: zeev.pw

                    validity

                        notBefore: utcTime (0)

                        notAfter: utcTime (0)

                    subject: rdnSequence (0)

                        rdnSequence: 4 items (id-at-commonName=zeev.pw,id-at-organizationName=Internet Widgits Pty Ltd,id-at-stateOrProvinceName=Some-State,id-at-countryName=US)

                            RDNSequence item: 1 item (id-at-countryName=US)

                                RelativeDistinguishedName item (id-at-countryName=US)

                                    Id: 2.5.4.6 (id-at-countryName)

                                    CountryName: US

                            RDNSequence item: 1 item (id-at-stateOrProvinceName=Some-State)

                                RelativeDistinguishedName item (id-at-stateOrProvinceName=Some-State)

                                    Id: 2.5.4.8 (id-at-stateOrProvinceName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: Some-State

                            RDNSequence item: 1 item (id-at-organizationName=Internet Widgits Pty Ltd)

                                RelativeDistinguishedName item (id-at-organizationName=Internet Widgits Pty Ltd)

                                    Id: 2.5.4.10 (id-at-organizationName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: Internet Widgits Pty Ltd

                            RDNSequence item: 1 item (id-at-commonName=zeev.pw)

                                RelativeDistinguishedName item (id-at-commonName=zeev.pw)

                                    Id: 2.5.4.3 (id-at-commonName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: zeev.pw

                    subjectPublicKeyInfo

                        algorithm (id-dsa)

                            Algorithm Id: 1.2.840.10040.4.1 (id-dsa)

                            DSS-Params

                                p : 0x009f922489033a4317d074675e70a4573184f810a441e7c373ea2562dcadb93f636393453bc144c57e773a8f66e58274663cf3fd5c2588aee86d36104e83a81cbc47704d623662e7b48d620315c3145ed0313397b58bd84494ad2b02c2c3124648ca29e490bb81a5a2d1fc52900ccc1c511256690

                                q : 0x00dac80ee885e74b0e56d9cac7d9a6e0efaaf5155bfb2e1426d99a0d4235d60359

                                g : 0x55234ba34d71468ff4c90a06c74ddebc0b882f0f77efadf45e1fc5ede292d31b19457746555616318755e5fdc5819041c16c6c2cbd8d9af9eca62046d533e232591596b9e74adb05662f66f72009e6f7742f81c35bdbf7c2ebb249a6aa9cf20a6c330b8dd214835d6aa2e330cb2b4a866a74ff438

                        Padding: 0

                        subjectPublicKey: 028201001fea1029b1edbbb83e8b92a56f4c34926a617fcd...

                algorithmIdentifier (joint-iso-itu-t.16.840.1.101.3.4.3.2)

                    Algorithm Id: 2.16.840.1.101.3.4.3.2 (joint-iso-itu-t.16.840.1.101.3.4.3.2)

                Padding: 0

                encrypted: 304402201d495bb07b7e000bd5c4b4f0a9b6a9183cbef0cf...

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 598

    Handshake Protocol: Server Key Exchange

        Handshake Type: Server Key Exchange (12)

        Length: 594

        Diffie-Hellman Server Params

            p Length: 256

            p: ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd1...

            g Length: 1

            g: 02

            Pubkey Length: 256

            Pubkey: da0d4624e78f6f72d08f973ff3482bc92c758b6cb86b1812...

            Signature Hash Algorithm: 0x0602

                Signature Hash Algorithm Hash: SHA512 (6)

                Signature Hash Algorithm Signature: DSA (2)

            Signature Length: 71

            Signature: 3045022057fc39446c326c9b3e5f3f0f08e161daa45823a1...

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 4

    Handshake Protocol: Server Hello Done

        Handshake Type: Server Hello Done (14)

        Length: 0

Internet Protocol Version 4, Src: 192.168.1.101 (192.168.1.101), Dst: 192.168.1.103 (192.168.1.103)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 262

    Handshake Protocol: Client Key Exchange

        Handshake Type: Client Key Exchange (16)

        Length: 258

        Diffie-Hellman Client Params

            Pubkey Length: 256

            Pubkey: 8060234a6b4dee8a815d648df47b020b5f24ab800b20bd4b...

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: TLS 1.2 (0x0303)

    Length: 1

    Change Cipher Spec Message

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 64

    Handshake Protocol: Encrypted Handshake Message

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 202

    Handshake Protocol: New Session Ticket

        Handshake Type: New Session Ticket (4)

        Length: 198

        TLS Session Ticket

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: TLS 1.2 (0x0303)

    Length: 1

    Change Cipher Spec Message

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 64

    Handshake Protocol: Encrypted Handshake Message
Z.T.
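As an added illustration (not code from Z.T.'s answer), the script below decodes the two "Signature Hash Algorithm" code points that appear in the ServerKeyExchange dissections (0x0601 and 0x0602) and strictly parses a DER-wrapped DSA signature, which is why the DSA signature is 71 bytes for the 256-bit q shown in the certificate while the RSA one is exactly 256 bytes for a 2048-bit modulus. The r and s values are constructed for the demo, since the capture only shows truncated prefixes of the real signatures.

```python
# Added example: decode the TLS 1.2 SignatureAndHashAlgorithm code and the
# DER signature format seen in the DHE_RSA / DHE_DSS dissections above.

# TLS 1.2 code points (RFC 5246, section 7.4.1.4.1): high byte = hash, low byte = signature
HASH_ALGS = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG_ALGS = {1: "RSA", 2: "DSA", 3: "ECDSA"}


def decode_sig_hash_alg(code: int) -> str:
    """0x0601 -> 'SHA512/RSA', 0x0602 -> 'SHA512/DSA'."""
    hash_id, sig_id = code >> 8, code & 0xFF
    return f"{HASH_ALGS.get(hash_id, 'unknown')}/{SIG_ALGS.get(sig_id, 'unknown')}"


def _der_int_encode(value: int) -> bytes:
    # DER INTEGER is two's complement: a value whose top bit is set needs a 0x00 pad byte.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return bytes([0x02, len(body)]) + body


def encode_dsa_signature(r: int, s: int) -> bytes:
    """DSA (and ECDSA) signatures in TLS are DER SEQUENCE { INTEGER r, INTEGER s }."""
    body = _der_int_encode(r) + _der_int_encode(s)
    if len(body) >= 0x80:
        raise ValueError("long-form length not needed for the q sizes used in TLS")
    return bytes([0x30, len(body)]) + body


def _der_int_decode(buf: bytes, pos: int):
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, start = buf[pos + 1], pos + 2
    body = buf[start:start + length]
    if length == 0 or length != len(body):
        raise ValueError("truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative r/s is never valid")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal encoding (DER requires the shortest form)")
    return int.from_bytes(body, "big"), start + length


def parse_dsa_signature(der: bytes):
    """Strictly parse the DER signature and return (r, s); reject sloppy encodings."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or 2 + der[1] != len(der):
        raise ValueError("bad SEQUENCE header or trailing bytes")
    r, pos = _der_int_decode(der, 2)
    s, pos = _der_int_decode(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes inside SEQUENCE")
    return r, s


def max_dsa_signature_len(q_bits: int) -> int:
    # r and s are below q: at most q_bits/8 bytes plus one pad byte each,
    # plus 2 header bytes per INTEGER and 2 for the SEQUENCE.
    return 2 + 2 * (2 + q_bits // 8 + 1)


def rsa_signature_len(modulus_bits: int) -> int:
    # PKCS#1 v1.5 signatures are exactly the modulus size, with no DER wrapper.
    return modulus_bits // 8


# Constructed r and s (not the values from the capture): r has its top bit
# clear (32-byte body), s has it set (33-byte body with a 0x00 pad), which
# reproduces the 71-byte length shown for the DHE_DSS ServerKeyExchange.
R_VALUE = int.from_bytes(bytes([0x57]) + bytes(range(1, 32)), "big")
S_VALUE = int.from_bytes(bytes([0xDA]) + bytes(range(32, 63)), "big")
CONSTRUCTED_DSA_SIG = encode_dsa_signature(R_VALUE, S_VALUE)

if __name__ == "__main__":
    print(decode_sig_hash_alg(0x0601), rsa_signature_len(2048))
    print(decode_sig_hash_alg(0x0602), len(CONSTRUCTED_DSA_SIG), max_dsa_signature_len(256))
    print(parse_dsa_signature(CONSTRUCTED_DSA_SIG) == (R_VALUE, S_VALUE))
```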
  • Can anyone please explain in detail about the two ciphersuites given above by comparing them? – chris Mar 24 '15 at 01:46
  • @chris I edited my answer and gave the explanation I could. I cannot explain the math, but I can tell you the practicalities. – Z.T. Mar 24 '15 at 23:46