7

I saw a cipher suite EXP-EDH-RSA-DES-CBC-SHA, EXP stands for export, How do I explain the "export"? What is the different between "EXP-EDH-RSA-DES-CBC-SHA" and "EDH-RSA-DES-CBC-SHA"?

Wayne
  • 71
  • 1
  • 1
  • 4

1 Answers1

15

"Export" means ciphersuites that were designed to be sufficiently weak they could legally be exported from the US back in the 1990s when there were much stricter legal limits on exporting encryption from the US (and some other countries, but Netscape was in the US). See Which SSL/TLS ciphers can be considered secure? for a summary, various sections of TLSv1 for the gory details, and TLSv1.1 for a vestige. TLSv1.2 deleted it altogether except for a reserved alert code.

The difference between EXP-EDH-RSA-DES-CBC-SHA and EDH-RSA-DES-CBC-SHA is that the first uses export-limited ephemeral Diffie-Hellman key exchange with RSA authentication (EDH-RSA) and 40-bit DES in CBC mode symmetric encryption with HMAC-SHA1 integrity (DES-CBC-SHA); the second uses export-limited RSA key exchange and authentication (RSA) (which possibly/usually uses a temporary RSA key for key exchange) and the same symmetric encryption and integrity.

The similarities are that both use a special variant key-derivation function, and both should not be or have been used for any security purpose after about 2002.

Community
  • 1
dave_thompson_085
  • 10,064
  • 1
  • 26
  • 29
  • 1
    Worth mentioning these are not the actual 56-bit export DES cipher suites. The actual EXPORT1024 56-bit ciphersuites was disabled by default in OpenSSL in 2006. It can be reenabled by changing a #define in the source code. – Yuhong Bao Jun 26 '19 at 10:09
  • @YuhongBao: I'm not sure what you mean by 'actual'. The 'EXP' suites in OpenSSL, with 512-bit kx and 40-bit symmetric, were defined by SSL3 and TLS1.0 (officially spelled EXPORT), universally implemented, and widely used in the 1990s. The 'EXPORT1024' suites were a draft that was not adopted, I've never heard of any other implementation, and I've never heard of any actual usage; in fact I don't _think_ there was ever a time using them would have made sense under the regulations. In any case they are completely removed (not enable-able) as of OpenSSL 1.1.0 in 2016. – dave_thompson_085 Jun 27 '19 at 04:01
  • EXPORT1024 was supported by Netscape (NSS) and IE (SChannel) at the time (year 1999). They are less common than the 40-bit ones, but they are important because they used 1024-bit RSA instead of 512-bit. – Yuhong Bao Jun 27 '19 at 08:24