Paul Hoffman wrote:
> In Diffie-Hellman key establishment with static keys, even if the PRNG
> of one side is bad, the resulting pre-master secret is still sound.
TLS needs _more_ than the secrecy of the pre-master secret to be secure.
Snippets from RFC 5246 (TLS v1.2):
http://tools.ietf.org/html/rfc5246#section-6.2.3.2
6.2.3.2. CBC Block Cipher
[...]
The Initialization Vector (IV) SHOULD be chosen at random, and
MUST be unpredictable.
http://tools.ietf.org/html/rfc5246#appendix-F.1.1.3
F.1.1.3. Diffie-Hellman Key Exchange with Authentication
[...]
If the client has a certificate containing fixed Diffie-Hellman
parameters, its certificate contains the information required to
complete the key exchange. Note that in this case the client and
server will generate the same Diffie-Hellman result (i.e.,
pre_master_secret) every time they communicate.
[...]
If the same DH keypair is to be used for multiple handshakes, either
because the client or server has a certificate containing a fixed DH
keypair or because the server is reusing DH keys, care must be taken
to prevent small subgroup attacks. Implementations SHOULD follow the
guidelines found in [SUBGROUP].
-Martin
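The [SUBGROUP] guidance referenced above (RFC 2785) boils down to validating the peer's DH public value before it is combined with a static or reused private key. The following is an added example, not code from this thread or from the RFC; it uses constructed toy group parameters (p = 31 with intended subgroup order q = 5, and p = 23 with q = 11), which are far too small for any real deployment and exist only to make the check visible.

```python
# Added example: DH public-value validation of the kind [SUBGROUP] (RFC 2785)
# calls for whenever a DH keypair is static or reused across handshakes.
# All group parameters below are constructed toy values for illustration.


def validate_dh_public_value(y: int, p: int, q: int) -> bool:
    """Return True only if y is a proper element of the order-q subgroup of Z_p*.

    1. 2 <= y <= p-2 rejects 0, 1 and p-1 (order 1 or 2 elements).
    2. y^q mod p == 1 confirms y lies in the intended subgroup, so a peer
       cannot feed an element of small order and learn our private key
       modulo that small order, one handshake at a time.
    """
    if not (2 <= y <= p - 2):
        return False
    return pow(y, q, p) == 1


def element_order(y: int, p: int) -> int:
    """Multiplicative order of y in Z_p* (brute force; toy sizes only)."""
    acc, k = y % p, 1
    while acc != 1:
        acc = (acc * y) % p
        k += 1
    return k


def dh_shared_secret(peer_public: int, my_private: int, p: int, q: int) -> int:
    """Compute peer_public^my_private mod p, refusing invalid peer values.

    With a long-lived my_private this refusal is what makes reuse safe:
    a bad value aborts the handshake instead of leaking key bits.
    """
    if not validate_dh_public_value(peer_public, p, q):
        raise ValueError("peer DH public value rejected: not in order-q subgroup")
    return pow(peer_public, my_private, p)


if __name__ == "__main__":
    # Constructed toy group: p = 31, p-1 = 2*3*5, intended subgroup order q = 5,
    # generator g = 2 (2^5 = 32 = 1 mod 31).
    p, q, g = 31, 5, 2
    for y in (g, pow(g, 2, p), 5, p - 1, 1, 0):
        ok = validate_dh_public_value(y, p, q)
        order = element_order(y, p) if 1 <= y < p else None
        print(f"p={p} q={q} y={y:2d} order={order} accepted={ok}")
    # 5 has order 3, a small subgroup: rejected even though 1 < 5 < p-1.

    # Constructed safe-prime toy group: p = 23, q = (p-1)/2 = 11, g = 2.
    print(validate_dh_public_value(2, 23, 11), validate_dh_public_value(5, 23, 11))
```

For a safe prime the y^q test is the same as checking that y is a quadratic residue, which is why the range check alone is not enough: p-1 passes no range check, but any non-residue such as 5 mod 23 also fails the subgroup test. Real implementations use a large prime-order q (or a safe prime with q = (p-1)/2) and should run this validation on every received public value, not only when a certificate carries fixed DH parameters.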
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf