Question

4. (10’) Describe four key exchange methods used in TLS. Which methods do not need to send server- key-exchange message? Why not needed?

Answer 1

1. Rivest–Shamir–Adleman (RSA)
The server sends a certificate containing an RSA (public)key; the client validates the cert and uses the publickey to RSA encrypt the random premaster secret. The server proves correct decryption (and is implicitly authenticated) with the Finished message. The server can optionally request client authentication; if so the client sends its own cert and uses its matching privatekey to sign a partial transcript, which the server validates and verifies, but this is rarely used. Except possibly the client auth, this is 'pure' RSA.

2. Ephemeral Diffie-Hellman (DHE)
DHE (DH in ephemeral mode) is used in conjunction with a signing certificate, which can be either RSA or DSA. The server sends its cert which client validates, and also its DH group and ephemeral publickey signed under its cert; client generates its ephemeral key in the same group and sends that, plus its cert and signature if client authentication is used.

3. Elliptic Curve Diffie-Hellman (ECDH)
There is also a method to use DH keyagreement without certificates and authentication, which is in effect ephemeral, but SSL/TLS doesn't call it that, it calls it DH-anon instead. This is usually a bad idea; many people imagine only passive eavesdroppers and think they only need encryption, but in today's internet active attacks of many kinds are widespread and if you don't use authentication you probably aren't secure. You could view this as 'pure' DHE even though it isn't called that.

4. Ephemeral Elliptic Curve Diffie-Hellman (ECDHE)
There are elliptic-curve variants ECDHE (ephemeral, RSA or ECDSA signing} and ECDH-anon. The handshake sequence, and security properties, are the same, only the actual crypto computations are different. These are technically optional but in fact nowadays widely implemented and becoming more popular to use.

Methods which does not need to send Server Key Exchange Message:
If RSA is used for key exchange, then the client can retrieve the public key from the server certificate and encrypt the premaster secret with this key. Similarly, if a fixed Diffie-Hellman key exchange is used, then the client can retrieve the server's Diffie-Hellman parameters from the server certificate, employ these parameters to perform a Diffie-Hellman key exchange, and use the result as the premaster secret. In all of these cases, the server's certificate message is sufficient and no additional information is required for the client to securely communicate a premaster secret to the server. In particular, no Server Key Exchange message is needed.