
The difference between DH and RSA

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

A friend asked, "dh is used for key negotiation and exchange. why is there a dh.pem file only on the server, but not in the client? I don't understand. Both the client and the server have rsa public and private keys and can transfer symmetric keys. Why do you need dh to calculate the symmetric keys?"

Let's start with what the OpenVPN man page says about the dh option.

--dh file

File containing Diffie Hellman parameters in .PEM format (required for --tls-server only).

Set file=none to disable Diffie Hellman key exchange (and use ECDH only). Note that this requires peers to be using an SSL library that supports ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+).

Use openssl dhparam -out dh3048.pem 2048 to generate 2048-bit DH parameters. Diffie Hellman parameters may be considered public.

1. They are used at different stages: DH is used during the TLS handshake and RSA is used in the data communication stage.

2. If this option is missing, starting the OpenVPN server fails with the error: Options error: You must define DH file (--dh)

So what is a Diffie-Hellman parameter file?

Diffie-Hellman key exchange (abbreviated "D-H") is a security protocol. It allows two parties to create a key over an insecure channel without any prior information about each other. This key can then be used as a symmetric key to encrypt the content of subsequent communications. The DH parameters are not security-sensitive, so a copy on the OpenVPN server is all that is needed, and it does not matter if a third party obtains them.

If you want to go a little deeper, you can understand it like this:

1. Both RSA and DH are based on asymmetric algorithms.

2. RSA: a common example is Alice sending a message to Bob. Alice encrypts the message with Bob's public key and sends it to Bob. Bob decrypts it with his private key and verifies the signature to make sure that it was Alice who sent it. The message then becomes a symmetric encryption key, which is what is used to protect the connection.

3. DH: the Diffie-Hellman exchange relies on two separate entities that each generate a secret value. Through some mathematical operations, both of them can produce a common key value. This is a symmetric key.

4. With RSA, a key pair can be used both to encrypt and to sign. With DH, only encryption is performed, and there is no signature mechanism.
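To make the friend's question concrete, here is a simplified model of the exchange, added as an example and not taken from OpenVPN or OpenSSL: the server owns the public parameters and sends them in the clear, so the client needs no dh.pem of its own. The names `P`, `G`, `keypair`, `shared_key` and `handshake` are hypothetical, and the modulus is a constructed stand-in, not a real `openssl dhparam` output.

```python
import hashlib
import secrets

# Constructed stand-in for the contents of dh.pem: a public prime modulus p
# and a generator g. 2**521 - 1 is a known Mersenne prime, used here only
# because it is short to write; real parameters come from `openssl dhparam`.
P = 2**521 - 1
G = 3


def keypair(p, g):
    """Pick a secret exponent x and compute the public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2          # secret, 2 <= x <= p - 2
    return x, pow(g, x, p)


def shared_key(peer_public, private, p):
    """Derive a 256-bit symmetric key from the DH shared secret."""
    if not 1 < peer_public < p - 1:           # reject 0, 1 and p - 1
        raise ValueError("invalid DH public value")
    secret = pow(peer_public, private, p)
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def handshake():
    """Run one exchange; return what crossed the wire and both derived keys."""
    # Server side: parameters come from its dh.pem, the secret is fresh.
    s_priv, s_pub = keypair(P, G)
    wire = {"p": P, "g": G, "server_pub": s_pub}   # all sent in the clear

    # Client side: no dh.pem, it uses the parameters it just received.
    c_priv, c_pub = keypair(wire["p"], wire["g"])
    wire["client_pub"] = c_pub

    client_key = shared_key(wire["server_pub"], c_priv, wire["p"])
    server_key = shared_key(wire["client_pub"], s_priv, P)
    return wire, client_key, server_key


if __name__ == "__main__":
    wire, ck, sk = handshake()
    print("keys match:", ck == sk)
    print("fields seen on the wire:", sorted(wire))
```

Nothing in `wire` is secret, which is why the parameters "may be considered public"; the two secret exponents never leave their owners.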
