[3507] in cryptography@c2.net mail archive


Re: Netscape Wants MS to Weaken IE's SSL/RSA Handshake for Export

daemon@ATHENA.MIT.EDU (EKR)
Sat Oct 17 21:51:51 1998

To: Eric Young <eay@cryptsoft.com>
Cc: Vin McLellan <vin@shore.net>, cryptography@c2.net
From: EKR <ekr@rtfm.com>
Date: 17 Oct 1998 18:28:05 -0700
In-Reply-To: Eric Young's message of "Sun, 18 Oct 1998 11:09:46 +1000 (EST)"

Eric Young <eay@cryptsoft.com> writes:

> On 16 Oct 1998, EKR wrote:
> > Now along comes SSLv3. SSLv3 includes an ephemeral RSA key feature,
> > which means that you can use a 1024 permanent key for authentication
> > but a 512 bit key for key exchange. IIRC Kocher added this feature
> > because he wanted it to be easy to get CJ but he didn't think 512 was
> > good enough. No (export) SSLv3 implementation that I know of will
> > accept a 1024 bit key for key exchange.
> 
> I always made this just a server implementation issue.  If the client gets
> an RSA key, it will use it regardless of length.
Right, but this is not what the CJ regulations indicate is appropriate.
(I realize that this isn't relevant for SSLeay).

> I also implemented no check
> for the ephemeral RSA key, which in theory for SSLv3, could be any size, if it
> was used with a non-export cipher but a signing only server key (I cannot
> remember off the top of my head if TLS still allows this).
It doesn't.

       The server key exchange message is sent by the server only when
       the server certificate message (if sent) does not contain enough
       data to allow the client to exchange a premaster secret. This is
       true for the following key exchange methods:

           RSA_EXPORT (if the public key in the server certificate is
           longer than 512 bits)
           DHE_DSS
           DHE_DSS_EXPORT
           DHE_RSA
           DHE_RSA_EXPORT
           DH_anon

       It is not legal to send the server key exchange message for the
       following key exchange methods:

           RSA
           RSA_EXPORT (when the public key in the server certificate is
           less than or equal to 512 bits in length)
           DH_DSS
           DH_RSA
...

So, server_key_exchange can't be used AT ALL when you're using a non-export
cipher, and can only be used when the public key in the cert is >512 bits.


> So, anyway, anything based on SSLeay will not send a >512 bit key from a
> server doing an export cipher, but the clients will accept anything. This is
> the model that seems to make the most sense. 
From a compatibility perspective, yes.

Unfortunately, it's bounded by export regulations and the TLS spec.

> Obviously WebSite was not using
> the Ephemeral RSA stuff for > 512 bit RSA, and netscape has decided to become
> pedantic about it.
I don't believe you have this right. Netscape has always been pedantic
about key sizes for SSLv3, IIRC. (They've certainly been pedantic
about requiring >512 keys when ephemeral is used for quite some time).
It didn't use to be pedantic about SSLv2. I believe that is the behavior
that has changed. 

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
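
The server key exchange rules quoted in the message above, written as a strict client-side check; this is an added example, not code from SSLeay, Netscape or the original message. The enum and function names are hypothetical, and the 512-bit cap on the ephemeral RSA key is an assumption based on the thread's description of export clients.

```c
#include <stdbool.h>
#include <stdio.h>

/* Only the key exchange methods listed in the quoted excerpt (which is
 * truncated on the page) are modelled. */
enum kx { KX_RSA, KX_RSA_EXPORT, KX_DH_DSS, KX_DH_RSA, KX_DHE_DSS,
          KX_DHE_DSS_EXPORT, KX_DHE_RSA, KX_DHE_RSA_EXPORT, KX_DH_ANON };

enum verdict { V_OK, V_UNEXPECTED_SKE, V_MISSING_SKE, V_TEMP_KEY_TOO_LONG };

/* True when the excerpt says ServerKeyExchange is sent for this method;
 * false when it says sending it is not legal. cert_bits is the size of the
 * RSA public key in the server certificate (only used for RSA_EXPORT). */
bool ske_expected(enum kx kx, int cert_bits)
{
    switch (kx) {
    case KX_RSA: case KX_DH_DSS: case KX_DH_RSA:
        return false;
    case KX_RSA_EXPORT:
        return cert_bits > 512;
    default:                     /* DHE_* and DH_anon */
        return true;
    }
}

/* Strict client check. got_ske: server sent ServerKeyExchange; temp_bits:
 * size of the ephemeral RSA key it carried (0 if none). The 512-bit cap on
 * the ephemeral key is an assumption taken from the thread's description of
 * export clients, not from the quoted excerpt. */
enum verdict check_server_kx(enum kx kx, int cert_bits, bool got_ske, int temp_bits)
{
    bool expected = ske_expected(kx, cert_bits);
    if (got_ske && !expected) return V_UNEXPECTED_SKE;
    if (!got_ske && expected) return V_MISSING_SKE;
    if (kx == KX_RSA_EXPORT && got_ske && temp_bits > 512)
        return V_TEMP_KEY_TOO_LONG;
    return V_OK;
}

int main(void)
{
    /* Constructed cases: 1024-bit certificate, export RSA cipher suite. */
    printf("ephemeral 512:  %d\n", check_server_kx(KX_RSA_EXPORT, 1024, true, 512));
    printf("no ephemeral:   %d\n", check_server_kx(KX_RSA_EXPORT, 1024, false, 0));
    printf("ephemeral 1024: %d\n", check_server_kx(KX_RSA_EXPORT, 1024, true, 1024));
    return 0;
}
```

A client that uses whatever RSA key it receives, as described for SSLeay in the quoted text, performs none of these checks, so the second and third cases would both be accepted by it.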
