0

Ok first off I'm very familiar with the TLS handshake, the purpose of PKI and key exchange methods.

My question is why use a complicated key exchange method like Diffie Hellman when the client could just create a random symmetric key and encrypt it using the servers asymmetric public key? Since the server is the only one who can decrypt it (using its private key) then there is no concern of a Man In The Middle attack and you've securely exchanged the symmetric key.

I'm sure there is a reason for complex key exchange methods I just can't see it.

Stuart Sloan
  • 101
  • 4
  • Also https://security.stackexchange.com/questions/35471/is-there-any-particular-reason-to-use-diffie-hellman-over-rsa-for-key-exchange and crossdupe https://crypto.stackexchange.com/questions/37076/why-is-diffie-hellman-used-instead-of-just-rsa-in-key-exchange and https://crypto.stackexchange.com/questions/31291/why-use-diffie-hellman-key-exchange-over-rsa – dave_thompson_085 Jul 21 '18 at 17:01
  • I find it somewhat misleading to call Diffie–Hellman complicated. Diffie–Hellman is actually much simpler than RSA. – kasperd Jul 24 '18 at 04:33

1 Answers1

3

... when the client could just create a random symmetric key and encrypt it using the servers asymmetric public key?

What you are describing is essentially RSA key exchange which is also available, at least until TLS 1.2. The problem is that this kind of key exchange provides no forward secrecy, i.e. if the attacker manages to get the private key of the server he can extract the symmetric key from the key exchange to this server and can thus decrypt any previously sniffed traffic to this server. Contrary to this DH results in a key which is not associated with the servers key or any other static secrets and thus provides forward secrecy.

Even if the attacker has access to the private key and only wants to sniff the current connection DH makes it harder. With DH key exchange the attacker needs to be in the middle, i.e. must create a TLS connection between client and attacker and another one between attacker and server, both using the same certificate and private key so that the victim does not notice. Depending on the position of the attacker in the network this active attack can be easy or not. Also, active MITM is not possible if the client is also using a certificate (mutual authentication) unless the attacker also has access to this certificate. With RSA instead the attacker only needs to passively listen to the direct connection between client and server in order to decrypt it and can do this also when client certificates are involved.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 1
    Note: The importat part here is that the private key is leaked AFTER the transmission was sniffed. EDH, as used in TLS; protects against this. If the key is known before sniffing, of course all is lost. – deviantfan Jul 20 '18 at 18:41
  • Are you saying all is lost even with EDH or just with the method I used above? – Stuart Sloan Jul 20 '18 at 18:56
  • 1
    Not all is lost. If the attacker manages to get the private key he can mount an active man in the middle attack to sniff current connection. Active MITM requires to be somehow in the path between client and server (might be easy or not, depending where the attacker is). RSA key exchange instead allows passive attacks, i.e. the attacker only needs to be able to sniff traffic but does not need actively manipulate the traffic. – Steffen Ullrich Jul 20 '18 at 19:04
  • If the attacker has the private key of the server, he or she can mount full blown MitM attack always because all the public parts can be found from Certificate Transparency logs and active MitM attacker can pretend to be the true server to any client. However, with Perfect Forward Secrecy (e.g. DH key exchange) the attacker must do an active attack instead of simply collecting all traffic silently and decoding it later. – Mikko Rantalainen Apr 14 '22 at 15:10