Diffie Hellman for Email?

Just as with OTR for XMPP, would it be possible, or feasible, to implement something like that for email, as a server-side addition?

  • User [email protected] types and sends email for [email protected]
  • Mailserver from example.com contacts mailserver at server.com
  • They do a Diffie Hellman key exchange and MTA at example.com uses that key to encrypt this specific email message
  • It passes as encrypted plaintext over the internet
  • The MTA at server.com receives the encrypted message, decrypts it, and discards the key.

It would have a few of the drawbacks of MTA SSL, because both ends have to support it, but it does provide better protection against private key leakage. With MTA SSL, if the private key leaks, all recorded traffic can be decrypted; with a DHKE, nothing can be decrypted.

What are your thoughts and opinions on this?

Comments

  • xset Member

    When can I use it?

  • perennate Member, Host Rep

    http://www.postfix.org/TLS_README.html

    If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH) key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead of using the built-in DH parameters for both 1024-bit (non-export ciphers) and 512-bit (export ciphers), it is better to generate your own parameters, since otherwise it would "pay" for a possible attacker to start a brute force attack against parameters that are used by everybody. Postfix defaults to compiled-in parameters that are shared by all Postfix users who don't generate their own settings.
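
To see which SMTP sessions actually negotiated the ephemeral Diffie-Hellman key exchange discussed in this thread, the following added example (not code from the thread or from Postfix) audits Postfix TLS log lines and lists peers that fell back to a static key exchange. The sample lines are constructed; it assumes TLS logging is enabled (`smtpd_tls_loglevel = 1`) and treats every TLSv1.3 session as forward secret.

```python
import re
from collections import Counter

# Postfix writes one such line per TLS session at TLS log level 1 or higher.
TLS_LINE = re.compile(
    r"TLS connection established (?:from|to) (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# OpenSSL cipher-name prefixes whose key exchange uses ephemeral (EC)DH keys.
EPHEMERAL_PREFIXES = ("DHE-", "EDH-", "ECDHE-", "ADH-", "AECDH-")


def forward_secret(proto: str, cipher: str) -> bool:
    """True if the negotiated key exchange is ephemeral Diffie-Hellman."""
    if proto == "TLSv1.3":
        # Assumption: full TLS 1.3 handshake, which always uses (EC)DHE.
        return True
    return cipher.startswith(EPHEMERAL_PREFIXES)


def audit(log_lines):
    """Return (counts, peers_without_fs) for the TLS sessions in log_lines."""
    counts = Counter()
    weak_peers = []
    for line in log_lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS session line (e.g. plaintext connect)
        if forward_secret(m["proto"], m["cipher"]):
            counts["forward_secret"] += 1
        else:
            counts["static_key_exchange"] += 1
            weak_peers.append((m["peer"], m["cipher"]))
    return counts, weak_peers


# Constructed sample lines in the Postfix log format (not real traffic).
SAMPLE_LOG = [
    "Jan 10 09:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established "
    "from mail.example.com[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jan 10 09:00:07 mx postfix/smtpd[2102]: Anonymous TLS connection established "
    "from old.example.com[192.0.2.11]: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Jan 10 09:00:09 mx postfix/smtp[2103]: Untrusted TLS connection established "
    "to mx.server.com[198.51.100.7]:25: TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)",
    "Jan 10 09:00:12 mx postfix/smtpd[2104]: connect from plain.example.com[192.0.2.12]",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Sessions reported under `static_key_exchange` are the ones whose recorded traffic becomes decryptable if the server's private key later leaks.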
