Paul Hoffman wrote:
>
> In Diffie-Hellman key establishment with static keys, even if the PRNG
> of one side is bad, the resulting pre-master secret is still sound.

TLS needs _more_ than the secrecy of the pre-master secret to be secure.

Snippets from rfc-5246 (TLS v1.2):

http://tools.ietf.org/html/rfc5246#section-6.2.3.2

6.2.3.2. CBC Block Cipher
[...]
The Initialization Vector (IV) SHOULD be chosen at random, and MUST be unpredictable.

http://tools.ietf.org/html/rfc5246#appendix-F.1.1.3

F.1.1.3. Diffie-Hellman Key Exchange with Authentication
[...]
If the client has a certificate containing fixed Diffie-Hellman parameters, its certificate contains the information required to complete the key exchange. Note that in this case the client and server will generate the same Diffie-Hellman result (i.e., pre_master_secret) every time they communicate.
[...]
If the same DH keypair is to be used for multiple handshakes, either because the client or server has a certificate containing a fixed DH keypair or because the server is reusing DH keys, care must be taken to prevent small subgroup attacks. Implementations SHOULD follow the guidelines found in [SUBGROUP].

-Martin

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
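The two RFC points quoted above (a fixed DH keypair yields the same pre_master_secret on every handshake, and a reused keypair must be protected against small subgroup attacks) can be made concrete with a short piece of code. The following is an added example written for this page; it is not from the mailing-list post, the RFC, or any TLS implementation. It assumes a prime-order subgroup of Z_p^* with p = 2q + 1, and uses a constructed toy group (p = 23, q = 11, g = 4) that is far too small for real use; the private keys 6 and 9 are likewise constructed. The public-value check is the standard one the [SUBGROUP] guidance points at: reject 0, 1 and p-1, and require y^q mod p == 1 so that y lies in the order-q subgroup.

```python
# Added example (not from the post or the RFC): validating a peer's DH
# public value before combining it with a static private key, plus a
# demonstration that a fixed keypair on both sides gives the same
# pre_master_secret on every handshake.

P = 23   # constructed toy safe prime, p = 2q + 1 (assumption: not a real-world group)
Q = 11   # prime order of the subgroup generated by G
G = 4    # 4 has order 11 modulo 23, i.e. pow(4, 11, 23) == 1


def validate_dh_public(y: int, p: int = P, q: int = Q) -> bool:
    """Return True iff y is a valid public value in the order-q subgroup.

    Rejects 0, 1 and p-1 (which confine the shared value to one or two
    possibilities) and any element whose order is not q. With a static
    private key, accepting such values is what enables a small subgroup
    attack, so the check must run on every handshake.
    """
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def shared_secret(peer_public: int, my_private: int, p: int = P, q: int = Q) -> int:
    """Compute the DH shared value only after the peer's value is validated."""
    if not validate_dh_public(peer_public, p, q):
        raise ValueError("peer DH public value rejected: not in the order-q subgroup")
    return pow(peer_public, my_private, p)


def static_dh_demo(handshakes: int, my_static_private: int = 6) -> list:
    """Run several handshakes with fixed keypairs on both sides.

    Every handshake returns the same shared value, which is exactly the
    behaviour appendix F.1.1.3 describes: the pre_master_secret does not
    change, so whatever freshness TLS gets per session must come from the
    randoms mixed in later, not from the key exchange itself.
    """
    peer_static_public = pow(G, 9, P)  # constructed: peer's static private key is 9
    return [shared_secret(peer_static_public, my_static_private) for _ in range(handshakes)]


if __name__ == "__main__":
    print("valid peer values:", [y for y in range(P) if validate_dh_public(y)])
    print("three handshakes with static keys:", static_dh_demo(3))
```

Running the block lists the ten elements of the order-11 subgroup (excluding 1) as the only acceptable public values and prints the same shared value three times. Dropping the validation in `shared_secret` would silently accept p-1 = 22, and the resulting value would reveal one bit of the static private key per such handshake; the check turns that into an immediate handshake failure instead.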