Score:0

RSA Key Exchange Attack


I am curious what is an attack that the RSA Key Exchange algorithm is vulnerable to that Diffie Hellman Key Exchange is not vulnerable to? I know Diffie Hellman is prone to Man in the Middle attacks but when performing key exchange with RSA, is it also susceptible to some attacks that Diffie Hellman is not to?

Gilles 'SO- stop being evil'
“RSA” is not a key exchange algorithm. It's possible to design key exchange mechanisms based on RSA, but there are several ways to do it, and most of them are key transfers or key encipherment rather than proper key exchanges (where both parties contribute to the key). What “RSA Key Exchange algorithm” are you talking about?
Maarten Bodewes
Meh, terminology. For me key exchange would be more general than key *agreement* where both parties contribute / agree on a key, although key *establishment* is even more generic. Probably the answer *should* be that DH provides forward security. But that's kind of wrong, as that is only the case for fully ephemeral DH, and ephemeral RSA would achieve the same - but nobody in their right mind would want to generate a new RSA key pair for each connection.
honzaik
Also on a theoretical level. If integer factorization is easy then RSA is broken. Sometimes (afaik if the group has only small subgroups - Pohlig-Hellman) it might imply that discrete logarithm (DH) is easy and therefore DH is broken as well. But in practice this is not the case, therefore DH is still secure if integer factorization is easy but DLP is not (for a quantum computer both are easy).
Score:2

Assuming you're discussing the implementations in the TLS or SSH (v1 and v2) protocols, the difference is essentially that various forms of Diffie-Hellman key exchange (whether elliptic curve or finite field) provide forward secrecy, whereas the RSA key exchange mechanisms do not.

Perfect forward secrecy means that if after the connection, the two sides correctly destroy all the secrets associated with the connection, the connection cannot later be decrypted more easily than brute force, even if one or both of the sides is later compromised.

Essentially, with DH, both sides pick a random key pair, and in these two protocols, random salts are generated as well. In TLS, the server signs either its public key or a hash of the messages exchanged so far (depending on version), and in SSH, the server signs a value derived from the successful key exchange. In both situations, assuming the server's public key and signature are correctly verified, a man-in-the-middle attack is not possible.

Technically, TLS provides cipher suites using static Diffie-Hellman certificates before TLS 1.3, and these do not provide perfect forward secrecy. However, as a practical matter, these are extremely infrequently used. The variant which uses new keys each time for both sides is called ephemeral Diffie-Hellman key exchange, or DHE (ECDHE for the elliptic curve variant).

With the RSA key exchange used in these protocols, essentially the client generates a random value and encrypts it with the server's key. This value is used along with the client and server random values to derive the shared secrets. This does not provide perfect forward secrecy because if the server is later compromised, the encrypted value can be recovered. A man-in-the-middle attack is not possible here, either, again assuming that the server's public key is correctly verified.

As mentioned in the comments, it's possible to use an ephemeral RSA key for this purpose, but generating RSA key pairs is expensive due to performing effective primality testing. With DH, a single, secure, precomputed group can be used and the parties only have to generate a single random value within a given range. This is much more efficient and substantially faster than generating a new RSA key, in addition to being easier to verify as secure, and so everybody uses ephemeral DH instead of ephemeral RSA.

In TLS 1.3, the RSA key exchange is no longer available. The benefits of perfect forward secrecy were judged to be substantial, and only (EC)DHE and pre-shared keys are available. Similarly, in SSH v2, RSA key exchange is practically unused and DHE and ECDHE are used instead. RFC 4432 defines ephemeral RSA key exchange, but I'm not aware of any implementations which actually offer it or are even interested in offering it, and it is effectively dead.
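As an added example (not code from the thread or any of its authors), a toy model of the two handshakes the answer describes, using textbook RSA with tiny constructed primes and a small constructed DH group: a recorded RSA-transport transcript is decrypted outright once the server's long-term private key leaks, while the DHE transcript gives the attacker nothing that the leaked signing key can unlock.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters; real deployments use >=2048-bit RSA moduli and
# DH groups, so nothing here is secure. The RSA pair is the server's long-term key.
RSA_N, RSA_E = 61 * 53, 17
RSA_D = pow(RSA_E, -1, 60 * 52)
DH_P, DH_G = 23, 5

def derive_key(premaster, client_random, server_random):
    """TLS-style KDF: session key from the premaster and both sides' randoms."""
    return hmac.new(premaster.to_bytes(4, "big"), client_random + server_random,
                    hashlib.sha256).hexdigest()

def sign(msg):
    """Textbook RSA signature with the server's long-term key (toy, no padding)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)

def verify(msg, sig):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h

def rsa_handshake():
    """Client encrypts a random premaster to the server's long-term key.
    Returns (what a passive eavesdropper records, the real session key)."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"cr": cr, "sr": sr, "enc_premaster": pow(premaster, RSA_E, RSA_N)}
    return transcript, derive_key(premaster, cr, sr)

def dhe_handshake():
    """Both sides pick fresh exponents; the long-term key only signs the shares.
    The exponents a and b are discarded once the session key is derived."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(B, a, DH_P)
    assert shared == pow(A, b, DH_P)
    transcript = {"cr": cr, "sr": sr, "A": A, "B": B, "sig": sign(f"{A},{B}".encode())}
    return transcript, derive_key(shared, cr, sr)

def recover_after_compromise(transcript, leaked_d):
    """Attacker later obtains the server's long-term private key and replays the
    recorded transcript through it. Only the RSA transcript gives up the key: for
    DHE the leaked key just makes signatures, and A, B need a discrete log."""
    if "enc_premaster" in transcript:
        premaster = pow(transcript["enc_premaster"], leaked_d, RSA_N)
        return derive_key(premaster, transcript["cr"], transcript["sr"])
    return None
```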
