3

I am using openssl 1.0.1e-fips. When I ran the following against my server, I get a line in the output that begins with Server Temp Key:

$ openssl s_client -cipher DHE-RSA-AES128-SHA -connect myserver.com:443 -state -tls1 -msg
...snipped...
Server Temp Key: DH, 2048 bits
...snipped...

$ openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect myserver.com:443 -state -tls1 -msg
...snipped...
Server Temp Key: ECDH, prime256v1, 256 bits
...snipped...

Can I conclude that ECDHE-RSA-AES128-SHA is "weaker" than DHE-RSA-AES128-SHA given that its length is smaller than 2014 bits ? Is the Server TEMP key the negotiated protocol key i.e. the session key.

Z.T.
  • 7,963
  • 1
  • 22
  • 36
Bon Ami
  • 133
  • 1
  • 7
  • 1
    See http://crypto.stackexchange.com/questions/25577/ecc-vs-rsa-how-to-compare-key-sizes and canonically http://www.keylength.com . The DHE _result_ (not the server key) is used as the premaster secret, which is used to _derive_ the session key values (always at least 2, and for the ciphersuites you named either 4 or 6) see http://security.stackexchange.com/a/138559/39571 – dave_thompson_085 Nov 10 '16 at 05:22

1 Answers1

3

The ephemeral (= temporary) key used for Diffie Hellman key exchange.

You should configure it to be as strong as the key for the certificate.

DHE with 2048 bits provides 112 "bits of security". ECDHE with 256 bits provides 128 "bits of security". So ECDHE over P-256 is more secure than 2048 bit DHE. There are also fewer bad implementations of ECDHE and TLS allows to negotiate its strength (the curve), which is why Google Chrome removed support for DHE so you should switch to ECDHE (i.e. make the server support and prefer ECDHE).

Z.T.
  • 7,963
  • 1
  • 22
  • 36