Archived Forum Post

Index of archived forum posts


ECDHE Support

May 29 '17 at 18:18


I am looking to deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE). Elliptic-Curve Diffie-Hellman (ECDH) key exchange avoids all known feasible cryptanalytic attacks, and modern web browsers now prefer ECDHE over the original, finite field, Diffie-Hellman. The discrete log algorithms we used to attack standard Diffie-Hellman groups do not gain as strong of an advantage from precomputation, and individual servers do not need to generate unique elliptic curves.

I plan to use a Strong, Diffie Hellman Group. A few 1024-bit groups are used by millions of servers, which makes them an optimal target for precomputation, and potential eavesdropping. Administrators should use 2048-bit or stronger Diffie-Hellman groups with "safe" primes.

However, I do not see that ChilKat supports ECDHE, yet.

Surely you have this on your roadmap. Can you give me an indication of when you will be officially supporting ECDHE?




I don't fully understand..

Chilkat support ECDHE within the TLS protocol. However, it is the server that chooses the cipher suite. The client-side presents to the server a list of cipher suites it is capable of handling, and then the server chooses the one to be used in the TLS handshake. The Chilkat API has ways to limit which TLS cipher suites can be used, and you could potentially limit it to only ECDHE suites.

Outside of TLS, Chilkat provides classes for both ECC and Diffie-Hellman (in all of the supported programming languages). For example, in C#

Using the combination of the two, you could build your own ECDHE (right?)