Which certificate for TLS (EC)DH handshake

+1 vote

Hello,

In lecture 3 on TLS (slide 54), there is a Pingo question: 

"Which certificate do we need for TLS-ECDH-ECDSA cipher suites?"

a) RSA
b) ECDSA
c) DSA.

The correct answer was ECDSA. 

According to RFC 5246 (page 49), the Certificate Key Type for ECDH_ECDSA and ECDH_RSA handshakes is an ECDH-capable public key. As I understand it, for a TLS_ECDH_ECDSA handshake, the certificate must contain a static ECDH public key, and the ECDSA public key of the issuer (CA) is used to verify the signature on the certificate. If the question above required a free-text answer instead of multiple-choice, would this explanation be correct?

in Lecture by
edit history

1 Answer

0 votes
Hi,

excellent question, unfortunately, your answer is not correct.

Consider the following two cipher suites A `ECDH_ECDSA` and B `ECDHE_ECDSA`

CS A requires only a DH key in the server's certificate as the DH key is verified through its presence in the certificate and the CA's DSA signature thereof. The server does not need its own DSA key for any signature here. Note that for DH key exchanges the ServerKexExchange message is omitted completely as all necessary information is contained in the server's certificate.

CS B requires only a DSA key. The server generates an ephemeral DHE key and must sign it with its own static DSA key contained in the server's certificate.

In no case does the server need both keys in its certificate.

I hope this helps!

Cheers,
Niklas
by (2.2k points)
edit history
0
Thank you for the explanation. Does this mean that all of the answers for the Pingo quiz were incorrect?
by
0
I would say the question is asked ambiguously.

"Which certificate do we need for TLS-ECDH-ECDSA cipher suites?"

The certificate has to contain a DH key: in this case the answers are wrong

The certificate has to be signed with a DSA key: in this case the answer is correct
by (2.2k points)