DHE_DSS vs. DHE_RSA


I have been studying to learn about various cipher suites and their performance; I am wondering about the difference between the DHE_DSS_AES256_CBC ciphersuites and the DHE_RSA_AES256_CBC ciphersuites. I understood that DSS is efficient when compared with RSA. Is that correct, and can someone explain in more detail what the differences are and how they behave?

asked by chris 22.03.2015 - 03:28

1 answer


DSS is a digital signature scheme published (but not invented) by the NSA. In TLS (TLS1.0, PKIX) it has the same function as RSA and ECDSA: digital signatures prove that the server you are talking to has the private key corresponding to the public key in the certificate, and that the information in the certificate (including the server's public key) is exactly what the CA examined and approved.

For reasons I don't know, in practice DSS in TLS lost a popularity contest with RSA and died out. I could not find a CA that sells DSS certificates. OpenSSL (including Android), MSIE and Java still support TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032), but Chrome, Firefox and Safari (desktop and mobile) don't, so it is fairly useless.

The DSA algorithm is alive and well, but these days it is used with elliptic curves, in which case it is called ECDSA. It is preferable to RSA for performance reasons and is used by Google and CloudFlare, if the client supports it. CAs will sell ECDSA certificates.

DSA and ECDSA have a flaw in that they require a fresh random nonce for every signing operation, and if it is not random enough the signature exposes the private key (!). Deterministic digital signatures were developed so as not to require good random values for signing operations.

A fast and secure deterministic digital signature algorithm called EdDSA, specifically ed25519, has recently become popular (used in newer versions of openssh and a bunch of new-ish crypto tools). The CFRG should, eventually, recommend EdDSA keys and certificates for TLS, together with Curve25519 key exchange, so that TLS_CURVE25519_ED25519_CHACHA20_POLY1305 becomes the recommended ciphersuite for TLS 1.3 and DJB will be able to declare victory and retire.

I noted that the Qualys SSL Server Test says "DHE_DSS can't be used for PFS because it requires DSS keys, which are effectively limited to 1024 bits".

For the experiment, I configured Apache 2.4.7 with OpenSSL 1.0.1f to use DHE_DSS_AES128_CBC and DHE_RSA_AES128_CBC. The RSA certificate is real while the DSS certificate is self-signed, but that doesn't matter for the purposes of this exercise. I connected from 192.168.1.101 to the server running on 192.168.1.103 using OpenSSL 1.0.1m (openssl s_client), recorded the handshake and exported a dissection using WireShark.

Both configurations worked, so at least between two OpenSSL 1.0.1s, 2048-bit DSA keys work. That obviously doesn't mean you'd want to use a DSS certificate for a website, even if you could buy one.

DHE RSA handshake dissection:

Internet Protocol Version 4, Src: 192.168.1.101 (192.168.1.101), Dst: 192.168.1.103 (192.168.1.103) Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Client Hello

    Content Type: Handshake (22)

    Version: TLS 1.0 (0x0301)

    Length: 94

    Handshake Protocol: Client Hello

        Handshake Type: Client Hello (1)

        Length: 90

        Version: TLS 1.2 (0x0303)

        Random

        Session ID Length: 0

        Cipher Suites Length: 4

        Cipher Suites (2 suites)

            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

        Compression Methods Length: 1

        Compression Methods (1 method)

        Extensions Length: 45

        Extension: SessionTicket TLS

        Extension: signature_algorithms

        Extension: Heartbeat

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Hello

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 58

    Handshake Protocol: Server Hello

        Handshake Type: Server Hello (2)

        Length: 54

        Version: TLS 1.2 (0x0303)

        Random

        Session ID Length: 0

        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

        Compression Method: null (0)

        Extensions Length: 14

        Extension: renegotiation_info

        Extension: SessionTicket TLS

        Extension: Heartbeat

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Certificate

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 1630

    Handshake Protocol: Certificate

        Handshake Type: Certificate (11)

        Length: 1626

        Certificates Length: 1623

        Certificates (1623 bytes)

            Certificate Length: 1620

            Certificate (pkcs-9-at-emailAddress=5b2ca5a024054a47bfcc565a8737db21.protect,id-at-commonName=www.zeev.pw,id-at-countryName=IL)

                signedCertificate

                    version: v3 (2)

                    serialNumber: 1127576

                    signature (sha256WithRSAEncryption)

                        Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)

                    issuer: rdnSequence (0)

                        rdnSequence: 4 items (id-at-commonName=StartCom Class 1 Primary Intermediate Server C,id-at-organizationalUnitName=Secure Digital Certificate Signing,id-at-organizationName=StartCom Ltd.,id-at-countryName=IL)

                            RDNSequence item: 1 item (id-at-countryName=IL)

                                RelativeDistinguishedName item (id-at-countryName=IL)

                                    Id: 2.5.4.6 (id-at-countryName)

                                    CountryName: IL

                            RDNSequence item: 1 item (id-at-organizationName=StartCom Ltd.)

                                RelativeDistinguishedName item (id-at-organizationName=StartCom Ltd.)

                                    Id: 2.5.4.10 (id-at-organizationName)

                                    DirectoryString: printableString (1)

                                        printableString: StartCom Ltd.

                            RDNSequence item: 1 item (id-at-organizationalUnitName=Secure Digital Certificate Signing)

                                RelativeDistinguishedName item (id-at-organizationalUnitName=Secure Digital Certificate Signing)

                                    Id: 2.5.4.11 (id-at-organizationalUnitName)

                                    DirectoryString: printableString (1)

                                        printableString: Secure Digital Certificate Signing

                            RDNSequence item: 1 item (id-at-commonName=StartCom Class 1 Primary Intermediate Server C)

                                RelativeDistinguishedName item (id-at-commonName=StartCom Class 1 Primary Intermediate Server CA)

                                    Id: 2.5.4.3 (id-at-commonName)

                                    DirectoryString: printableString (1)

                                        printableString: StartCom Class 1 Primary Intermediate Server CA

                    validity

                        notBefore: utcTime (0)

                        notAfter: utcTime (0)

                    subject: rdnSequence (0)

                        rdnSequence: 3 items (pkcs-9-at-emailAddress=5b2ca5a024054a47bfcc565a8737db21.protect,id-at-commonName=www.zeev.pw,id-at-countryName=IL)

                            RDNSequence item: 1 item (id-at-countryName=IL)

                                RelativeDistinguishedName item (id-at-countryName=IL)

                                    Id: 2.5.4.6 (id-at-countryName)

                                    CountryName: IL

                            RDNSequence item: 1 item (id-at-commonName=www.zeev.pw)

                                RelativeDistinguishedName item (id-at-commonName=www.zeev.pw)

                                    Id: 2.5.4.3 (id-at-commonName)

                                    DirectoryString: printableString (1)

                                        printableString: www.zeev.pw

                            RDNSequence item: 1 item (pkcs-9-at-emailAddress=5b2ca5a024054a47bfcc565a8737db21.protect)

                                RelativeDistinguishedName item (pkcs-9-at-emailAddress=5b2ca5a024054a47bfcc565a8737db21.protect@whoisguard.com)

                                    Id: 1.2.840.113549.1.9.1 (pkcs-9-at-emailAddress)

                                    IA5String: [email protected]

                    subjectPublicKeyInfo

                        algorithm (rsaEncryption)

                            Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)

                        Padding: 0

                        subjectPublicKey: 3082010a0282010100c1c8ada6e3526a74da3f873b2352be...

                    extensions: 10 items

                algorithmIdentifier (sha256WithRSAEncryption)

                    Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)

                Padding: 0

                encrypted: 54980c6f342bc4de5641df814fe88634ec110461e260e212...

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 783

    Handshake Protocol: Server Key Exchange

        Handshake Type: Server Key Exchange (12)

        Length: 779

        Diffie-Hellman Server Params

            p Length: 256

            p: ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd1...

            g Length: 1

            g: 02

            Pubkey Length: 256

            Pubkey: 606134278d8b25b3367d3e15b2b46a3419cbe596721d446d...

            Signature Hash Algorithm: 0x0601

                Signature Hash Algorithm Hash: SHA512 (6)

                Signature Hash Algorithm Signature: RSA (1)

            Signature Length: 256

            Signature: 48b69b547860511e36830041f7e7aee3d97ced1144f190d4...

TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 4

    Handshake Protocol: Server Hello Done

        Handshake Type: Server Hello Done (14)

        Length: 0

Internet Protocol Version 4, Src: 192.168.1.101 (192.168.1.101), Dst: 192.168.1.103 (192.168.1.103)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 262

    Handshake Protocol: Client Key Exchange

        Handshake Type: Client Key Exchange (16)

        Length: 258

        Diffie-Hellman Client Params

            Pubkey Length: 256

            Pubkey: 020621c1846fa567392b2fa1b55868a65389400ee80f3594...

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: TLS 1.2 (0x0303)

    Length: 1

    Change Cipher Spec Message

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 64

    Handshake Protocol: Encrypted Handshake Message

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 202

    Handshake Protocol: New Session Ticket

        Handshake Type: New Session Ticket (4)

        Length: 198

        TLS Session Ticket

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: TLS 1.2 (0x0303)

    Length: 1

    Change Cipher Spec Message

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 64

    Handshake Protocol: Encrypted Handshake Message

DHE DSS handshake dissection:

Internet Protocol Version 4, Src: 192.168.1.101 (192.168.1.101), Dst: 192.168.1.103 (192.168.1.103)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Client Hello

    Content Type: Handshake (22)

    Version: TLS 1.0 (0x0301)

    Length: 94

    Handshake Protocol: Client Hello

        Handshake Type: Client Hello (1)

        Length: 90

        Version: TLS 1.2 (0x0303)

        Random

        Session ID Length: 0

        Cipher Suites Length: 4

        Cipher Suites (2 suites)

            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)

            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

        Compression Methods Length: 1

        Compression Methods (1 method)

        Extensions Length: 45

        Extension: SessionTicket TLS

        Extension: signature_algorithms

        Extension: Heartbeat

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Hello

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 58

    Handshake Protocol: Server Hello

        Handshake Type: Server Hello (2)

        Length: 54

        Version: TLS 1.2 (0x0303)

        Random

        Session ID Length: 0

        Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)

        Compression Method: null (0)

        Extensions Length: 14

        Extension: renegotiation_info

        Extension: SessionTicket TLS

        Extension: Heartbeat

TLSv1.2 Record Layer: Handshake Protocol: Certificate

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 1180

    Handshake Protocol: Certificate

        Handshake Type: Certificate (11)

        Length: 1176

        Certificates Length: 1173

        Certificates (1173 bytes)

            Certificate Length: 1170

            Certificate (id-at-commonName=zeev.pw,id-at-organizationName=Internet Widgits Pty Ltd,id-at-stateOrProvinceName=Some-State,id-at-countryName=US)

                signedCertificate

                    serialNumber: -5833175930474264775

                    signature (joint-iso-itu-t.16.840.1.101.3.4.3.2)

                        Algorithm Id: 2.16.840.1.101.3.4.3.2 (joint-iso-itu-t.16.840.1.101.3.4.3.2)

                    issuer: rdnSequence (0)

                        rdnSequence: 4 items (id-at-commonName=zeev.pw,id-at-organizationName=Internet Widgits Pty Ltd,id-at-stateOrProvinceName=Some-State,id-at-countryName=US)

                            RDNSequence item: 1 item (id-at-countryName=US)

                                RelativeDistinguishedName item (id-at-countryName=US)

                                    Id: 2.5.4.6 (id-at-countryName)

                                    CountryName: US

                            RDNSequence item: 1 item (id-at-stateOrProvinceName=Some-State)

                                RelativeDistinguishedName item (id-at-stateOrProvinceName=Some-State)

                                    Id: 2.5.4.8 (id-at-stateOrProvinceName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: Some-State

                            RDNSequence item: 1 item (id-at-organizationName=Internet Widgits Pty Ltd)

                                RelativeDistinguishedName item (id-at-organizationName=Internet Widgits Pty Ltd)

                                    Id: 2.5.4.10 (id-at-organizationName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: Internet Widgits Pty Ltd

                            RDNSequence item: 1 item (id-at-commonName=zeev.pw)

                                RelativeDistinguishedName item (id-at-commonName=zeev.pw)

                                    Id: 2.5.4.3 (id-at-commonName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: zeev.pw

                    validity

                        notBefore: utcTime (0)

                        notAfter: utcTime (0)

                    subject: rdnSequence (0)

                        rdnSequence: 4 items (id-at-commonName=zeev.pw,id-at-organizationName=Internet Widgits Pty Ltd,id-at-stateOrProvinceName=Some-State,id-at-countryName=US)

                            RDNSequence item: 1 item (id-at-countryName=US)

                                RelativeDistinguishedName item (id-at-countryName=US)

                                    Id: 2.5.4.6 (id-at-countryName)

                                    CountryName: US

                            RDNSequence item: 1 item (id-at-stateOrProvinceName=Some-State)

                                RelativeDistinguishedName item (id-at-stateOrProvinceName=Some-State)

                                    Id: 2.5.4.8 (id-at-stateOrProvinceName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: Some-State

                            RDNSequence item: 1 item (id-at-organizationName=Internet Widgits Pty Ltd)

                                RelativeDistinguishedName item (id-at-organizationName=Internet Widgits Pty Ltd)

                                    Id: 2.5.4.10 (id-at-organizationName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: Internet Widgits Pty Ltd

                            RDNSequence item: 1 item (id-at-commonName=zeev.pw)

                                RelativeDistinguishedName item (id-at-commonName=zeev.pw)

                                    Id: 2.5.4.3 (id-at-commonName)

                                    DirectoryString: uTF8String (4)

                                        uTF8String: zeev.pw

                    subjectPublicKeyInfo

                        algorithm (id-dsa)

                            Algorithm Id: 1.2.840.10040.4.1 (id-dsa)

                            DSS-Params

                                p : 0x009f922489033a4317d074675e70a4573184f810a441e7c373ea2562dcadb93f636393453bc144c57e773a8f66e58274663cf3fd5c2588aee86d36104e83a81cbc47704d623662e7b48d620315c3145ed0313397b58bd84494ad2b02c2c3124648ca29e490bb81a5a2d1fc52900ccc1c511256690

                                q : 0x00dac80ee885e74b0e56d9cac7d9a6e0efaaf5155bfb2e1426d99a0d4235d60359

                                g : 0x55234ba34d71468ff4c90a06c74ddebc0b882f0f77efadf45e1fc5ede292d31b19457746555616318755e5fdc5819041c16c6c2cbd8d9af9eca62046d533e232591596b9e74adb05662f66f72009e6f7742f81c35bdbf7c2ebb249a6aa9cf20a6c330b8dd214835d6aa2e330cb2b4a866a74ff438

                        Padding: 0

                        subjectPublicKey: 028201001fea1029b1edbbb83e8b92a56f4c34926a617fcd...

                algorithmIdentifier (joint-iso-itu-t.16.840.1.101.3.4.3.2)

                    Algorithm Id: 2.16.840.1.101.3.4.3.2 (joint-iso-itu-t.16.840.1.101.3.4.3.2)

                Padding: 0

                encrypted: 304402201d495bb07b7e000bd5c4b4f0a9b6a9183cbef0cf...

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 598

    Handshake Protocol: Server Key Exchange

        Handshake Type: Server Key Exchange (12)

        Length: 594

        Diffie-Hellman Server Params

            p Length: 256

            p: ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd1...

            g Length: 1

            g: 02

            Pubkey Length: 256

            Pubkey: da0d4624e78f6f72d08f973ff3482bc92c758b6cb86b1812...

            Signature Hash Algorithm: 0x0602

                Signature Hash Algorithm Hash: SHA512 (6)

                Signature Hash Algorithm Signature: DSA (2)

            Signature Length: 71

            Signature: 3045022057fc39446c326c9b3e5f3f0f08e161daa45823a1...

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 4

    Handshake Protocol: Server Hello Done

        Handshake Type: Server Hello Done (14)

        Length: 0

Internet Protocol Version 4, Src: 192.168.1.101 (192.168.1.101), Dst: 192.168.1.103 (192.168.1.103)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 262

    Handshake Protocol: Client Key Exchange

        Handshake Type: Client Key Exchange (16)

        Length: 258

        Diffie-Hellman Client Params

            Pubkey Length: 256

            Pubkey: 8060234a6b4dee8a815d648df47b020b5f24ab800b20bd4b...

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: TLS 1.2 (0x0303)

    Length: 1

    Change Cipher Spec Message

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 64

    Handshake Protocol: Encrypted Handshake Message

Internet Protocol Version 4, Src: 192.168.1.103 (192.168.1.103), Dst: 192.168.1.101 (192.168.1.101)

Secure Sockets Layer

TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 202

    Handshake Protocol: New Session Ticket

        Handshake Type: New Session Ticket (4)

        Length: 198

        TLS Session Ticket

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: TLS 1.2 (0x0303)

    Length: 1

    Change Cipher Spec Message

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: TLS 1.2 (0x0303)

    Length: 64

    Handshake Protocol: Encrypted Handshake Message
answered 22.03.2015 - 12:07
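The ServerKeyExchange messages in both dissections, as an added example that is not part of the original answer: a parser for the TLS 1.2 DHE ServerKeyExchange body that reports the DH group size and the SignatureAndHashAlgorithm (0x0601 vs 0x0602 above), reconstructs the bytes the certificate key signs, and applies checks in the spirit of the Qualys test the answer quotes. The sample messages are constructed (filler bytes, not real primes or signatures).

```python
import struct

# Added example, not from the original answer: parse the body of a TLS 1.2 DHE
# ServerKeyExchange (RFC 5246 section 7.4.3) as shown in the two dissections above
# and apply checks like the Qualys SSL Server Test's. Sample messages are constructed.

SIG_ALG = {1: "RSA", 2: "DSA", 3: "ECDSA"}                      # SignatureAlgorithm
HASH_ALG = {2: "SHA1", 4: "SHA256", 5: "SHA384", 6: "SHA512"}   # HashAlgorithm

def _take_vector(buf, pos):
    """Read an opaque <1..2^16-1> vector: 2-byte length, then that many bytes."""
    (n,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n

def parse_server_key_exchange(body):
    """Split dh_p, dh_g, dh_Ys, SignatureAndHashAlgorithm (0x0601 = SHA512/RSA,
    0x0602 = SHA512/DSA in the captures) and the signature; report sizes."""
    p, pos = _take_vector(body, 0)
    g, pos = _take_vector(body, pos)
    ys, pos = _take_vector(body, pos)
    params = body[:pos]                       # ServerDHParams, the part that is signed
    hash_id, sig_id = body[pos], body[pos + 1]
    sig, pos = _take_vector(body, pos + 2)
    if pos != len(body):
        raise ValueError("trailing bytes after signature")
    return {
        "p_bits": int.from_bytes(p, "big").bit_length(),
        "g": int.from_bytes(g, "big"),
        "ys_bits": int.from_bytes(ys, "big").bit_length(),
        "hash": HASH_ALG.get(hash_id, f"unknown({hash_id})"),
        "sig": SIG_ALG.get(sig_id, f"unknown({sig_id})"),
        "sig_len": len(sig),
        "signed_params": params,
    }

def signed_data(client_random, server_random, signed_params):
    """What the certificate's key signs (RFC 5246): client_random || server_random
    || ServerDHParams. This is how RSA/DSS authenticates the ephemeral DH values."""
    return client_random + server_random + signed_params

def assess(info):
    """Findings in the spirit of the Qualys test quoted in the answer."""
    findings = []
    if info["p_bits"] < 2048:
        findings.append(f"DH prime is only {info['p_bits']} bits")
    if info["sig"] == "DSA":
        findings.append("DSS-signed key exchange: not negotiable by mainstream browsers")
    if info["hash"] == "SHA1":
        findings.append("SHA-1 used for the ServerKeyExchange signature")
    return findings

def build_server_key_exchange(p, g, ys, hash_id, sig_id, sig):
    """Encode a ServerKeyExchange body (used here only to construct samples)."""
    def vec(b):
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys) + bytes([hash_id, sig_id]) + vec(sig)

# Constructed samples mirroring the captures: 256-byte p whose leading bytes match
# the RFC 3526 group-14 prime in the dissections (the rest is filler, not a prime).
P_2048 = bytes.fromhex("ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd1") + b"\x5a" * 232
YS = b"\x60" + b"\x11" * 255
SKE_RSA = build_server_key_exchange(P_2048, b"\x02", YS, 0x06, 0x01, b"\x48" * 256)
SKE_DSS = build_server_key_exchange(P_2048, b"\x02", YS, 0x06, 0x02, b"\x30\x45" + b"\x02" * 69)
```

The 71-byte DSS signature and 256-byte RSA signature in the samples match the Signature Length fields in the two captures; note that the signature covers both hello randoms as well as the DH parameters, which is what binds the ephemeral values to this handshake.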