[gnutls-dev] Anonymity lost if same DH params re-used for ephemeral RSA/DSS too?

Nikos Mavroyanopoulos nmav at gnutls.org
Sun Dec 21 10:47:51 CET 2003

On Sun, Dec 21, 2003 at 09:49:08AM +0100, Simon Josefsson wrote:

> This might not be exactly gnutls specific, but the question grow out
> of a usage question of your API: is it OK to use the same D-H
> parameters for both the ANON-DH and DHE-RSA/DSS key exchanges?  It
> takes several seconds to generate the D-H params, so I'd rather not
> generate two sets if it can be avoided.  
Yes it's perfectly fine to use the same DH parameters. It does
not weaken the protocol in any way.

> The issue I'm worried about:
> can someone impersonate a server with DHE-RSA/DSS kx, by using the
> ANON-DH kx against the real server, if the real server is using the
> same D-H parameters for both ANON-DH and DHE-RSA/DSS?  Any other
> problems using the same D-H parameters?
No. In the certificate authenticated ciphersuites (such as DHE-RSA/DSS)
the session parameters are signed with the certificate, so it is
not possible to impersonate the server. 

> I suppose the answer is no, but just wanted to be sure.  I guess I
> need a good TLS textbook...
A glimpse on rfc2246 should be sufficient.

> Thanks.

Nikos Mavroyanopoulos

More information about the Gnutls-devel mailing list