Score:1

In TLS 1.2 and TLS 1.3, does the EC curve used to generate the ephemeral keys have to be the same on both client and server sides?


In TLS 1.2 and TLS 1.3, does the EC curve used to generate the ephemeral keys at the client side need to be the same as the one used on the server side?

For example, can I use secp521r1 at the client side and secp256r1 at the server side, and vice versa?

I am asking this question, since in TLS 1.2 you can use finite state DHE ciphers to generate the ephemeral keys on the client side and DHE_Export ciphers to generate the ephemeral keys on the server side, thus the Logjam attack.

DannyNiu
Um, no. If the curve's different, you can't make the maths agree.
warren
Thank you Danny. This also answers my questions perfectly.
dave_thompson_085
Even in Logjam the server and client use the same group, one that may not provide the intended security. For the DHE_EXPORT case (which officially is allowed only in 1.0, but many 1.1 and 1.2 implementations don't correctly deny it) the client _wanted_ to allow a large group but the server is tricked into choosing a small one; the client can either use that group or abort the handshake, but it can't use a different (better) group. The same is true for ECDHE curves. In 1.3 the client can offer any share(s) it wants, but a share is actually used only if the server agrees.
Score:1

In TLS 1.3, having a successful handshake with clients using different curves is impossible, except for negligible collision(s) in the key schedule/key derivation (page 93).

The reason is that the entire handshake which includes the ciphersuites is hashed and used in the key derivation. If the client and the server use different groups, this results in different keys. Furthermore, the server signs the handshake hash, so the CertificateVerify message(s) will likely not be accepted. Even if that was accepted for some reason, the Finished messages are overwhelmingly likely to fail. This is because the keys used to perform these steps are also derived from the handshake hash.

Therefore, because of all the steps that authenticate the handshake, it is nearly impossible to perform a Logjam-type attack on TLS 1.3. TLS 1.2 is different, but it is very unlikely that two curves could successfully interoperate in the key exchange, except for implementation issues.

warren
Thank you Marc. That's the answer I was looking for.
kodlu
nice answer. @warren, you should accept it if it's satisfactory
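The two mechanisms discussed in the answer and comments above, as an added example that is not part of the original thread: a standard-library Python simulation of (1) the on-curve check that makes Danny's "you can't make the maths agree" concrete, and (2) the RFC 8446 section 7.1 key schedule (HKDF-Extract, HKDF-Expand-Label, Derive-Secret, finished_key) that binds the Finished MAC to both the shared secret and the transcript, as the answer describes. The two curves are constructed toy curves over tiny primes (labelled as such in the code; they are not secp256r1/secp521r1 and have no security), the transcript encoding is a made-up stand-in for the real ClientHello/ServerHello bytes, the transcript is simplified to CH..SH, and the scalars are fixed so the run is reproducible. None of this is the thread's own code.

```python
import hashlib
import hmac

# ---- Toy elliptic curves: CONSTRUCTED for illustration, tiny primes, no security whatsoever ----
INF = None  # point at infinity


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p with base point g."""

    def __init__(self, name, p, a, b, g):
        self.name, self.p, self.a, self.b, self.g = name, p, a, b, g

    def on_curve(self, P):
        if P is INF: return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        if P is INF: return Q
        if Q is INF: return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return INF  # P == -Q
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow((x2 - x1) % self.p, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k, P):  # double-and-add; not constant time, toy only
        R = INF
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


CURVE_A = Curve("toy-17", 17, 2, 2, (5, 1))    # 19 points, prime order
CURVE_B = Curve("toy-23", 23, 1, 1, (3, 10))   # 28 points

def ecdh(my_curve, my_scalar, peer_share):
    """Raw ECDH shared secret (x-coordinate); a share that is not on my curve is rejected."""
    if not my_curve.on_curve(peer_share):
        raise ValueError(f"peer share {peer_share} is not on {my_curve.name}")
    return my_curve.mul(my_scalar, peer_share)[0].to_bytes(4, "big")

# ---- TLS 1.3 key schedule (RFC 8446 section 7.1) down to the server Finished MAC ----
HASH, HLEN = hashlib.sha256, hashlib.sha256().digest_size

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand_label(secret, label, context, length):
    full = b"tls13 " + label  # HkdfLabel = uint16 length || opaque label || opaque context
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    out, block, i = b"", b"", 1
    while len(out) < length:  # HKDF-Expand
        block = hmac.new(secret, block + info + bytes([i]), HASH).digest()
        out, i = out + block, i + 1
    return out[:length]

def derive_secret(secret, label, transcript):
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)

def server_finished(shared_secret, transcript):
    """verify_data of the server Finished (no PSK; transcript simplified to CH..SH only)."""
    early = hkdf_extract(bytes(HLEN), bytes(HLEN))
    handshake_secret = hkdf_extract(derive_secret(early, b"derived", b""), shared_secret)
    s_hs_traffic = derive_secret(handshake_secret, b"s hs traffic", transcript)
    finished_key = hkdf_expand_label(s_hs_traffic, b"finished", b"", HLEN)
    return hmac.new(finished_key, HASH(transcript).digest(), HASH).digest()

def handshake(client_curve, server_curve, client_sees_group=None):
    """Simulate the key_share exchange; returns 'ok', 'share-not-on-curve' or 'finished-mismatch'.
    client_sees_group models an on-path attacker rewriting the group name in the ServerHello
    that the client receives, so the two sides hash different transcripts."""
    client_k, server_k = 7, 11  # fixed for reproducibility; real peers draw these at random
    client_share = client_curve.mul(client_k, client_curve.g)
    server_share = server_curve.mul(server_k, server_curve.g)

    def transcript(group_in_server_hello):  # constructed encoding, not TLS wire format
        return (b"CH|key_share=" + client_curve.name.encode() + repr(client_share).encode()
                + b"|SH|key_share=" + group_in_server_hello.encode() + repr(server_share).encode())

    try:
        server_ss = ecdh(server_curve, server_k, client_share)
        client_ss = ecdh(client_curve, client_k, server_share)
    except ValueError:
        return "share-not-on-curve"  # the receiver aborts before any key is derived
    sent = server_finished(server_ss, transcript(server_curve.name))
    expected = server_finished(client_ss, transcript(client_sees_group or server_curve.name))
    return "ok" if hmac.compare_digest(sent, expected) else "finished-mismatch"


if __name__ == "__main__":
    print("same curve        :", handshake(CURVE_A, CURVE_A))
    print("different curves  :", handshake(CURVE_A, CURVE_B))
    print("edited ServerHello:", handshake(CURVE_A, CURVE_A, client_sees_group=CURVE_B.name))
```

The three runs show the points made above in order: same curve on both sides gives a matching Finished; a share from a different curve fails the on-curve check before any arithmetic is attempted (and, even without that check, the group law of one curve has no meaning for a point of another); and with the same curve and the same shared secret, merely editing the group the client sees in the ServerHello changes the transcript hash and therefore the Finished MAC. That last case is why a Logjam-style downgrade only works when the attacker can also recover the shared secret of the weak group and compute the Finished the client expects.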