14

I have read some textbooks and not found a convincing explanation.

In the cipher suite ECDHE-RSA-AES128-GCM-SHA256, what is the role of RSA in the first part (ECDHE-RSA)? This part of the cipher suite indicates the key exchange algorithm, right? That is what ECDHE is used for: key exchange, so why do we need RSA?

Are both algorithms used to exchange the keys? I’m a bit confused about that.

Obviously, it is not necessary to explain ECDHE or RSA separately. I just want an explanation of how they work in this context.

TRiG
  • 609
  • 5
  • 14
Johnny Willer
  • 409
  • 1
  • 4
  • 13

4 Answers4

11

ECDHE by itself is worthless against an active attacker -- there's no way to tie the received ECDH key to the site you're trying to visit, so an attacker could just send their own ECDH key. This is because ECDHE is ephemeral, meaning that the server's ECDH key isn't in its certificate. So, the server signs its ECDH key using RSA, with the RSA public key being the thing in the server's certificate.

cpast
  • 7,223
  • 1
  • 29
  • 35
  • For the signature with RSA, which scheme is applied ? with Appendix `SSA` or with recovery `PSSR` ? – 3isenHeim Sep 09 '15 at 10:14
  • @SteffenUllrich: the certificated key which here is RSA is used to authenticate by signing nonces plus the body of the ServerKeyExchange message which here is the ECDHE curve+publickey. See rfc4492 5.4 (skipping over 2+ pages about explicit curves that no one uses and 1.3 will discard). – dave_thompson_085 Nov 23 '17 at 01:02
  • (late but) @Eisenheim: the RSA signature currently used is RSASSA-PKCS1v1_5 which is appendix (in TLS1.1 and below with nonstandard _concatenated_ SHA1 and MD5; TLS1.0 permitted old PKCS1 block type 0 which is no longer standard, but I don't think anyone used it); 1.3 will prefer RSA-PSS which is also appendix. – dave_thompson_085 Nov 23 '17 at 01:02
  • @dave_thompson_085: you are right and thanks for enlightening me. I've removed my wrong comment. – Steffen Ullrich Nov 23 '17 at 05:58
8
 $ openssl ciphers -V ECDHE-RSA-AES128-GCM-SHA256
 ... Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

That means the key exchange (Kx) is ECDH, but the authentication part (Au, i.e. the validation of the certificate) is RSA, so it expects a certificate with a RSA key inside.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
5

Cipher suite name is made up of :

  • TLS prefix
  • Key Exchange algorithm
  • Authentication algorithm
  • Encryption algorithm
  • Encryption strength
  • Encryption mode
  • MAC or PRF function (depending on TLS version)

In your case elliptic curve diffie-hellman key exchange will be used in ephemeral mode (which provides forward secrecy) and this exchange will be authenticated with RSA signature.

chamoute
  • 71
  • 4
4

RSA is used to authenticate the server while ECDHE is used to generate a shared secret between the client and server.

Concretely, this means the server signs with its RSA private key the ephemeral ECDH parameters (public key) it sends to the client.

This is how the client knows the ECDH public key belongs to the server and not to some MITM.

You could see this as the server acting as an CA of sorts, one which signs single use public keys.

Erwan Legrand
  • 401
  • 2
  • 13