I noticed that there are cipher suites, such as "RSA-PSK-AES256-GCM-SHA384" and "RSA-PSK-AES128-GCM-SHA256", in OpenSSL. But there are no cipher suites such as "ECDSA-PSK-AES256-GCM-SHA384" or "ECDSA-PSK-AES128-GCM-SHA256". Both RSA and ECDSA can be used to make a certificate. Why can't ECDSA be used with PSK in TLS? Is it for a cryptographic reason?
1 Answer
0
The way TLS is designed, there is only a single method for server authentication within a TLS handshake. This is just because of protocol design and not because of cryptographic reasons. ECDSA is one way to authenticate the server (using certificates with an ECC key), RSA is another (using certificates with an RSA key), and PSK is yet another one. In the same way that you cannot combine ECDSA- and RSA-based authentication, you cannot combine ECDSA and PSK.

Steffen Ullrich
That is only partially correct. https://datatracker.ietf.org/doc/html/rfc4279#section-4 describes the RSA_PSK key exchange algorithm, which uses RSA to authenticate the server in addition to PSK (which makes total sense as an additional security layer, should there be fear of the PSK leaking unbeknownst). So it would be totally plausible to have a key exchange which uses DHE and a PSK to authenticate the client and server, and additionally ECDSA signatures to authenticate the server. Such a combination would also provide forward secrecy against loss of the PSK. – Perseids Aug 11 '21 at 22:21
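To make the point of the answer and the comment concrete, here is an added Python example (not from the question, the answer, the comment, or OpenSSL itself) that parses the line format printed by `openssl ciphers -v` and groups every PSK key-exchange suite by its single `Au=` (authentication) field. The cipher lines are constructed sample input modelled on what OpenSSL 1.1.1 prints (an assumption; pipe real `openssl ciphers -v 'PSK'` output into `parse_ciphers` to check a live build). The grouping shows that each suite names exactly one authentication method: the RSA-PSK suites carry `Au=RSA` on top of a PSK key exchange, whereas no suite pairs `Au=ECDSA` with a PSK key exchange.

```python
import re
from collections import defaultdict

# Constructed sample lines in the `openssl ciphers -v` format (assumption: they
# mirror OpenSSL 1.1.1 output; embedded so the script runs offline).
SAMPLE_CIPHERS_V = """\
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""

# One suite per line: name, protocol version, then Kx=, Au=, Enc=, Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)$"
)


def parse_ciphers(text):
    """Parse `openssl ciphers -v` style output into a list of field dicts."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append(m.groupdict())
    return suites


def uses_psk(suite):
    """True when the key exchange involves a pre-shared key (PSK, DHEPSK, ...)."""
    return "PSK" in suite["kx"]


def psk_suites_by_auth(suites):
    """Group PSK key-exchange suites by their (single) authentication method."""
    grouped = defaultdict(list)
    for s in suites:
        if uses_psk(s):
            grouped[s["au"]].append(s["name"])
    return dict(grouped)


def combines(suites, auth, kx_fragment):
    """Names of suites whose Au= equals `auth` and whose Kx= contains `kx_fragment`."""
    return [s["name"] for s in suites if s["au"] == auth and kx_fragment in s["kx"]]


def auth_methods_for(suites, name_fragment):
    """Set of Au= values among suites whose name contains `name_fragment`."""
    return {s["au"] for s in suites if name_fragment in s["name"]}


if __name__ == "__main__":
    parsed = parse_ciphers(SAMPLE_CIPHERS_V)
    for au, names in sorted(psk_suites_by_auth(parsed).items()):
        print(f"PSK key exchange authenticated by {au}:")
        for n in names:
            print(f"  {n}")
    print("ECDSA + PSK suites:", combines(parsed, "ECDSA", "PSK"))
    print("RSA + PSK suites:  ", combines(parsed, "RSA", "PSK"))
```

Running the script on the sample input prints two groups (PSK suites authenticated by `PSK` alone, and the RSA-PSK suites authenticated by `RSA`) and an empty list for `ECDSA + PSK`, which is exactly the gap the question asks about: the protocol's suite definitions give each suite one authentication method, and RFC 4279 only defined an RSA variant of the certificate-plus-PSK combination.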