Topic: Diffie Hellman

Hello,
I want to set up key exchange between client and server using Diffie-Hellman. I have read the test.c example and everything that is written about Diffie-Hellman in the wolfSSL manual, but I couldn't work out how the server/client sends its public key to the other side.
Should the key be stored in a DER file first? Or is it sent as it is in byte format?

Re: Diffie Hellman

Hi,

Are you interested in using Diffie-Hellman standalone, or in the context of SSL/TLS?  If using DH in SSL/TLS, the TLS protocol takes care of transporting the DH parameters and public keys.

If using DH in a standalone use case, your application will need a way to transfer the DH parameters and public keys to the other party.  Using the dh_test() function in test.c as an example, both the client and server will load the DH parameters into a DhKey structure using one of the two functions:

wc_DhSetKey() - used with individual "p" and "g" parameters
wc_DhKeyDecode() - used with a DH "key" that contains the "p" and "g" parameters

Each side (client and server) will generate their own private and public keys using:

wc_DhGenerateKeyPair()

The public keys from the wc_DhGenerateKeyPair() operations will need to be transferred to the other peer.  The final shared secret will then be derived by each side using:

wc_DhAgree()

Best Regards,
Chris
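
The standalone flow described in the reply above, as an added Python sketch (not code from this thread or from wolfSSL): each side generates a key pair, sends its public value as length-prefixed big-endian bytes, and derives the same secret. The toy group, the 2-byte length framing, the range check on the peer's value and the SHA-256 step are assumptions of this example that go beyond what the reply states.

```python
import hashlib
import secrets
import struct

# Toy group for illustration only (assumption): p = 2**127 - 1 is prime but far
# too small for real use; a deployment loads a 2048-bit or larger group instead.
P = 2**127 - 1
G = 3
P_LEN = (P.bit_length() + 7) // 8   # fixed width of an encoded public value


def generate_key_pair():
    """Counterpart of wc_DhGenerateKeyPair(): private x, public y = g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2           # 2 <= x <= p-2
    return priv, pow(G, priv, P)


def encode_public(pub):
    """Frame the public value for the wire: 2-byte length + big-endian bytes."""
    raw = pub.to_bytes(P_LEN, "big")
    return struct.pack(">H", len(raw)) + raw


def decode_public(frame):
    """Parse a received frame; reject malformed or degenerate public values."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    (length,) = struct.unpack(">H", frame[:2])
    if length != P_LEN or len(frame) != 2 + length:
        raise ValueError("bad length")
    pub = int.from_bytes(frame[2:], "big")
    if not 2 <= pub <= P - 2:     # 0, 1 and p-1 would force a predictable secret
        raise ValueError("public value out of range")
    return pub


def agree(priv, peer_frame):
    """Counterpart of wc_DhAgree(), then hash the raw secret into a 32-byte key."""
    shared = pow(decode_public(peer_frame), priv, P)
    return hashlib.sha256(shared.to_bytes(P_LEN, "big")).digest()


def demo():
    """Run both sides in one process; the two frames are what crosses the socket."""
    c_priv, c_pub = generate_key_pair()
    s_priv, s_pub = generate_key_pair()
    c_msg, s_msg = encode_public(c_pub), encode_public(s_pub)
    return agree(c_priv, s_msg), agree(s_priv, c_msg)
```

An exchange like this is unauthenticated: nothing in it tells either side who sent the public value, which is the gap that certificates close in TLS.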

3 (edited by eng_fatma88 2016-06-29 02:14:44)

Re: Diffie Hellman

Excuse me if the questions seem trivial, I am new to TLS.
I am interested in using Diffie-Hellman in the TLS protocol, so I suppose there is no need to go through these key exchange functions. I want to use wolfSSL on an embedded device that connects to a server to receive firmware updates. The device should use TLS,
Diffie-Hellman for key exchange, RSA and SHA256 for digital signature and AES for encryption. I have gone through the wolfSSL manual, and my question is: if this is taken care of by the TLS protocol, do I only need to set dhkey.der on my embedded device?
I want the server to verify the device too, so should every device have its own certificate? Should it send it with wolfSSL_CTX_use_certificate_chain_file() or wait for a request?
Does wolfSSL support other means of server/client verification other than certificates?

Re: Diffie Hellman

Hi,

In order to use DH with TLS, you will need to load your DH parameter file into the server.  If using wolfSSL, that is done with the wolfSSL_SetTmpDH() function.  You can see an example of this in the wolfSSL example server (./examples/server/server.c).

Unless you have disabled DH support when compiling wolfSSL, DH cipher suites will be available.  If you want to set a specific cipher list, you can do this with the wolfSSL_CTX_set_cipher_list() function.

To have the server authenticate the client, you will want to enable peer verification on the server side by calling wolfSSL_CTX_set_verify.  For example:

SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);

Best Regards,
Chris