[openssl-users] Authentication over ECDHE
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Dec 24 15:10:54 UTC 2018
On Mon, Dec 24, 2018 at 12:51:17PM +0100, Christian wrote:
> This sounds like a typical RSA scenario, however I also want to have
> forward security, which requires me to use something with temporary keys
> only - I'm having ECDHE in mind for that, ECDHE-RSA-AES128-GCM-SHA256 in
> particular. However, after some research I found out that the "RSA" in
> that cipher only refers to the temporary keys that are being generated
> for this connection, and thus authentication would have to be issued on
> top of TLS, not within the means of TLS itself.
Your research has led you astray. The ECDHE-RSA-AES128-GCM-SHA256
ciphersuite *is* RSA authenticated and offers forward secrecy,
the same is true also of its 256-bit twin:
$ openssl ciphers -v kECDHE+AESGCM+aRSA | sed 's/ */ /g'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
they are both quite strong, use 128-bit to optimize for speed or
256-bit against hypothetical attacks on 128-bit AES that don't break
AES-256. These ciphers are for TLS 1.2. With OpenSSL 1.1.1 you
might also consider TLS 1.3 ciphers, where the public algorithm is
negotiated separately,
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
and you could use Ed25519 certificates and/or X25519 key exchange.
--
Viktor.
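The point of the reply is that two separate columns of `openssl ciphers -v` answer the two separate questions: `Kx=` tells you whether the key exchange is ephemeral (forward secrecy) and `Au=` tells you whether the peer is authenticated by a certificate key. The script below is an added example, not code from the thread or from OpenSSL; it parses that column format and flags, per suite, whether both properties hold. The sample lines are constructed here to mirror real output so the script runs without OpenSSL installed; `classify_ciphers` and `cipher_ok` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample in the layout of `openssl ciphers -v` (name, protocol,
# Kx=, Au=, Enc=, Mac=). On a host with OpenSSL you would instead pipe in
#   openssl ciphers -v 'ALL'
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
AECDH-AES128-SHA            SSLv3   Kx=ECDH Au=None Enc=AES(128)    Mac=SHA1
TLS_AES_128_GCM_SHA256      TLSv1.3 Kx=any  Au=any  Enc=AESGCM(128) Mac=AEAD'

# classify_ciphers: read `openssl ciphers -v` lines on stdin, print one line
# per suite: "<name> fs=<yes|no> auth=<RSA|ECDSA|anonymous|...>".
classify_ciphers() {
    awk '
    NF >= 4 {
        name = $1; kx = ""; au = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Kx=/) kx = substr($i, 4)
            if ($i ~ /^Au=/) au = substr($i, 4)
        }
        # Ephemeral (EC)DH gives forward secrecy; Kx=RSA is static RSA key
        # transport and gives none. Kx=any is TLS 1.3, always ephemeral.
        fs = (kx == "ECDH" || kx == "DH" || kx == "any") ? "yes" : "no"
        # Au=None is an anonymous suite: nothing binds the exchange to a peer.
        # Au=any is TLS 1.3, where the signature algorithm is negotiated
        # separately from the ciphersuite.
        if (au == "None")     auth = "anonymous"
        else if (au == "any") auth = "certificate-negotiated"
        else                  auth = au
        printf "%s fs=%s auth=%s\n", name, fs, auth
    }'
}

# cipher_ok NAME: succeed only if NAME (looked up in the list on stdin) has
# forward secrecy AND certificate-based authentication, i.e. both properties
# the original question was after.
cipher_ok() {
    classify_ciphers | awk -v want="$1" '
        $1 == want && $2 == "fs=yes" && $3 != "auth=anonymous" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CIPHERS" | classify_ciphers
```

Run against real output, the suite named in the thread shows `fs=yes auth=RSA`, while a static `AES128-GCM-SHA256` shows `fs=no` and an `AECDH-` suite shows `auth=anonymous`, which is the distinction the `ECDHE` prefix and the `RSA` infix encode.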