13

I'm aware that Diffie-Hellman is a key exchange algorithm whereas RSA is an asymmetric encryption algorithm.

I have the following questions:

  1. During TLS handshake, will both RSA and DH be used? (I don't see the use of it, either RSA or DH, we will be using it to end up with a safe symmetric key for AES or DES.)

  2. An example of a cipher suite is EDH-RSA-DES-CBC3-SHA. That is pretty confusing. Should it not be RSA-DES-CBC3-SHA and EDH-DES-CBC3-SHA, two separate cipher suites?

  3. Apart from historical reasons, is there a reason for us still to use DH?

  4. When would I use DH over RSA? (Thinking as a practitioner)

If my understanding of TLS is wrong, please do correct me.

psmears
  • 904
  • 7
  • 9
Vinod Pn
  • 395
  • 1
  • 4
  • 11

1 Answers1

20

DH is a key exchange algorithm, it is used to derive the session key that's later used in the symmetric encryption. DH by itself is not authenticated, so while you can derive the session key without a MITM being intercepted, there's no guarantee that the guy on the other end that you're deriving keys together with is whoever they say they are. Not being able to authenticate the other party means that you'd still be vulnerable to MITM anyway.

RSA is an asymmetric encryption algorithm. RSA can be used as a key exchange algorithm too (without DH), however the RSA key exchange algorithm lacks the property of Forward Secrecy. Forward Secrecy is the property that an attacker that recorded your encrypted communication and then later obtained your private key, they shouldn't be able to decrypt the previously recorded communication. However, RSA can be used for signing and authentication.

DH is used together with RSA so that you get a communication channel that are both authenticated and is forward secure.

Lie Ryan
  • 31,459
  • 6
  • 70
  • 94
  • 1
    Using RSA first i would authenticate the server , then i will use DH to derive the symmetric key.. is this how it is?.. If in future a tweaked RSA is created which can provide forward secrecy, then we need not use DH right? – Vinod Pn Jun 16 '17 at 04:33
  • 8
    @VinodPn: there is no tweaked RSA key exchange providing forward secrecy. And, to have a look at the future look at the TLS 1.3 proposal which completely abandons RSA key exchange (RSA authentication still there) and only uses DH. You might also have a look at https://timtaubert.de/blog/2015/11/more-privacy-less-latency-improved-handshakes-in-tls-13/ which explains both TLS 1.2 and TLS 1.3 handshakes and the role RSA and DH play. – Steffen Ullrich Jun 16 '17 at 04:53