[openssl-users] Authentication over ECDHE

Christian c.wehrmeyer at freshlions.de
Mon Dec 24 11:51:17 UTC 2018

Hello, people. I'm a beginner with OpenSSL and with cryptography in 
general, and have been wondering how to best implement an upcoming system.

I apologise in advance for any grammar or orthography mistakes, as 
English isn't my native language.

We have a local network with a databse in which we do most of our 
processing, and a public machine that runs a webserver. Periodically we 
have to connect to that server and query new data to process it. The 
connection to that server is not necessarily trusted.

The problem is that our webserver is slow and clunky and generally just 
issues another process to deal with any request, which is unnecessary 
and slow. We want to streamline that process by having a local program 
run on the server sending a set of predefined queries over a predefined 
protocol, and then just sent that data back to the client. However, only 
a select few machines are supposed to be able to get any data from the 
server, like, those who have a certain private key. If a client can sign 
a ping that can be decrypted with the client side public key, and if the 
server can sign a ping that can be decrypted with the servers public 
key, then both sides are authenticated, and - from my limited understand 
- a MITM scenario is foiled (unless the MITM manages to steal either 
private key, which is why I also want to have password protection for 
the key. I'm away that putting the key into a program compromises the 
security of the key if an attacker manages to gain access to the server, 
but in this case it's just supposed to give us some time to stop the 
programs, close all holes, and generate new keys).

This sounds like a typical RSA scenario, however I also want to have 
forward security, which requires me to use something with temporary keys 
only - I'm having ECDHE in mind for that, ECDHE-RSA-AES128-GCM-SHA256 in 
particular. However, after some research I found out that the "RSA" in 
that cipher only refers to the temporary keys that are being generated 
for this connection, and thus authentication would have to be issued on 
top of TLS, not within the means of TLS itself.

And last, but not least I've read about an attack a little while back 
how some DH parameters (usually those with a size of 1024 bits) have 
become stale. If I want to have extra security,

Speed isn't an incredible huge problem, as there will always be just 
one, at most two connections running with the server. As such its design 
can be incredible simple, and the connection can be more secure in terms 
of cryptography than default (4096 RSA keys and 2048 DH params wouldn't 
be an issue). I expect the bulk of the runtime to be spent on the 
database server side of things anyway.

I don't want to use certificates. Either a client/server has the 
necessary private keys to sign data, or the connection is simply 
refused. I also don't want to use any password, because that requires to 
share a secret over a to this moment still unverified channel.

My question is thusly how to implement authentication over ECDHE in the 
best way. My searches for "openssl c sign data with private key" doesn't 
yield any usable results, which suggests that there is some sort of 
misunderstanding with the concept of "signing ping/pong with respective 
private keys". Are there any functions or further documentation to be of 
help here? Please keep in mind that all of this has been Greek to me 
until last Friday, and that I'm by no way a cryptography expert.

Thank you for your time and effort in advance.

More information about the openssl-users mailing list