[openssl-dev] Need CVE-2015-3193 impact explained

Leif Thuresson leif.thuresson at foxt.com
Mon Dec 7 10:12:56 UTC 2015



On 2015-12-07 10:59, Viktor Dukhovni wrote:
> On Mon, Dec 07, 2015 at 10:53:15AM +0100, Leif Thuresson wrote:
>
>> The description of CVE-2015-3193 in the 2015-12-04 security advisory
>> states that EC algorithms are not affected, but attacks against DH are
>> considered feasible.
> DH as distinct from ECDH.  The issue affects modular exponentiation
> which is used in RSA and (finite-field) DH, but not ECDSA or ECDH.
>
>> Not being a cryptographer that leaves me a bit confused.
>> Are applications supporting cipher suites with ECDHE- variants vulnerable?
> Only to the extent that they are already vulnerable as a result of
> using RSA certificates to sign the key exchange parameters.  The
> key exchange itself is not.
>
Thanks for the quick response.
That is what I needed to know.
regards,
/Leif
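
The explanation quoted above, turned into a check over cipher suite names. This is an added example, not part of the original messages: the function names, the bulk-cipher prefix list and the sample suite list are constructed for illustration. It only handles OpenSSL-style TLS 1.2 names with ECDHE, DHE or implicit RSA key exchange and reports where modular exponentiation is used, not whether an attack is practical.

```python
# Added example (not from the thread): sort OpenSSL-style TLS 1.2 cipher
# suite names by where modular exponentiation is used in the handshake.

# Assumption: names with no key-exchange prefix start with the bulk cipher.
BULK_PREFIXES = ("AES", "CAMELLIA", "DES", "RC4", "SEED", "IDEA", "NULL")

def parse_suite(name):
    """Return (key_exchange, authentication), or None if not recognised."""
    parts = name.upper().split("-")
    if parts[0] in ("ECDHE", "DHE") and len(parts) > 2:
        return parts[0], parts[1]
    if parts[0].startswith(BULK_PREFIXES) and len(parts) > 1:
        # No key-exchange prefix (e.g. AES128-SHA): RSA key transport,
        # authenticated by the same RSA certificate.
        return "RSA", "RSA"
    return None

def modexp_usage(name):
    """Classify a suite following the thread: RSA and finite-field DH
    use modular exponentiation, ECDH and ECDSA do not."""
    parsed = parse_suite(name)
    if parsed is None:
        return "unclassified"
    kx, auth = parsed
    if kx in ("DHE", "RSA"):
        return "key-exchange"      # the key exchange itself uses it
    if auth == "RSA":
        return "signature-only"    # ECDHE key exchange, RSA-signed parameters
    if auth == "ECDSA":
        return "none"              # EC operations only
    return "unclassified"

# Constructed sample list, in the naming used by `openssl ciphers`.
SAMPLE = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "PSK-AES128-CBC-SHA",
]

def report(suites):
    return {s: modexp_usage(s) for s in suites}

if __name__ == "__main__":
    for suite, usage in report(SAMPLE).items():
        print(f"{suite:32} {usage}")
```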