
In Ephemeral Diffie-Hellman, the key pair is generated every time.

In practice, does this mean I never need a certificate? Or does that mean I need a new cert every single time?

xcoder
  • Here is a short and good explanation of how DH works and why: http://crypto.stackexchange.com/questions/3163/why-do-we-need-diffie-hellman – piotrek Jan 25 '15 at 19:27

1 Answer


In practice, does this mean I never need a certificate? Or does that mean I need a new cert every single time?

It means that the generation of the key is independent of the certificate. You could use DH without a certificate (anonymous DH), but then the connection would be open to man-in-the-middle attacks. Thus in practice DH is used for key generation, but the certificate is still used to make sure we talk to the right peer (identification).

Steffen Ullrich
  • Thanks for your response. Does that mean that if I can authenticate the user in the first place, e.g. by using an OAuth token, I can use anonymous DH? – xcoder Jan 25 '15 at 19:01
  • You need an authentication method which itself is safe against man-in-the-middle attacks (i.e. could be used safely without SSL). I don't think OAuth provides the necessary protection by itself. – Steffen Ullrich Jan 25 '15 at 19:05
  • Right...that's why the STS protocol comes into play...still need the other party's certificate to verify the signature...um...what a shame – xcoder Jan 25 '15 at 19:16
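
The split the answer describes (a fresh DH key pair per handshake, one long-term key for identification) can be shown in a short simulation. This is an added example, not code from the original answer or its author. All names are hypothetical, the group and key sizes are toy values constructed for the example, and unpadded textbook RSA stands in for the signature a certificate's key would produce.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                     # DH group (Mersenne prime modulus)
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1      # primes of the long-term key
N, E = RSA_P * RSA_Q, 65537              # public key, as a certificate would carry it
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))  # private key, never leaves the server


def dh_keypair():
    """Fresh ephemeral DH key pair, generated for every handshake."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def digest(dh_pub):
    h = hashlib.sha256(str(dh_pub).encode()).digest()
    return int.from_bytes(h, "big") % N


def sign(dh_pub):
    """Textbook RSA signature over the ephemeral DH value (toy, unpadded)."""
    return pow(digest(dh_pub), D, N)


def verify(dh_pub, sig):
    """Check with the public key only, as a client holding the certificate would."""
    return pow(sig, E, N) == digest(dh_pub)


def handshake(authenticated, mitm=False):
    """Simulate one handshake; return (who shares the client's key, server DH value)."""
    s_priv, s_pub = dh_keypair()      # new DH pair each time
    sig = sign(s_pub)                 # long-term key is reused unchanged
    c_priv, c_pub = dh_keypair()
    seen_pub = s_pub
    if mitm:                          # on-path party substitutes its own DH value
        m_priv, seen_pub = dh_keypair()
    if authenticated and not verify(seen_pub, sig):
        return "rejected", s_pub
    client_key = pow(seen_pub, c_priv, P)
    if mitm and client_key == pow(c_pub, m_priv, P):
        return "interceptor", s_pub
    if client_key == pow(c_pub, s_priv, P):
        return "server", s_pub
    return "nobody", s_pub
```

Two authenticated handshakes yield different server DH values that verify under the same long-term key, while a substituted DH value is accepted only in the anonymous case.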