2

In TLS, we use DHKE for establishing the session key & then encrypt the actual communication with session key using symmetric encryption. While reading about DHKE, I learnt that you could use the key as a AES Key & encrypt the session with AES. Or you could use something like Elgamal encryption.

So in practice, what is used more commonly? Is it something like AES or is it something like Elgamal?

AES seems to be quite complicated as compared to Elgamal - Elgamal is just multiplication with the key modulo. So how come it provides security comparable to AES with all it's s-boxes, p-boxes etc? Is it because for every message a new session key is used with Elgamal?

user93353
  • 2,191
  • 3
  • 23
  • 43

1 Answers1

3

I learnt that you could use the key as a AES Key & encrypt the session with AES. Or you could use something like Elgamal encryption.

Elgamal encryption could be used directly with a static private key. The key type would be identical to the one used for (static or ephemeral) Diffie-Hellman. However, it would not be efficient both when it comes to space nor CPU.

So in practice, what is used more commonly? Is it something like AES or is it something like Elgamal?

AES is used much more. Elgamal is not used much because it has drawbacks even compared to e.g. RSA encryption using PKCS#1 or ECIES. One main issue is mapping the message to the cyclic group G, another is the required ciphertext expansion.

AES seems to be quite complicated as compared to Elgamal - Elgamal is just multiplication with the key modulo.

No, that's an oversimplification, please check the Wikipedia page on Elgamal encryption. Beware that these calculations are using huge numbers. Exponentiation and multiplication over such inmense values are not very fast. And, unfortunately, unlike DH, it's not easy to use Elgamal with Elliptic Curves - ECIES is more useful for encryption with Elliptic Curves.

So how come it provides security comparable to AES with all it's s-boxes, p-boxes etc? Is it because for every message a new session key is used with Elgamal?

No, Elgamal is not used with session keys at all. Session keys are symmetric keys derived from a shared secret. Elgamal is for asymmetric encryption. As mentioned, AES is now commonly used within authenticated encryption, which provides semantic security, something that is really important in a transport protocol.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • Does above solve your question, user93353? Or have I missed something? – Maarten Bodewes Oct 27 '20 at 17:28
  • So if I use my browser to connect to a https site, it will most probably be RSA/PKI certificates for server authentication, then DHKE for session key creation & then AES for encryption of the sessions. I want to know what will commonly happen on most browsers unless the user changes some browser settings – user93353 Oct 30 '20 at 04:42
  • It depends mainly on the server settings what happens in the browser. Browsers need to support both RSA and ECDSA certs. Furthermore, any browser is likely to support most of the cipher suites to maintain compatibility (at least with TLS 1.2, 1.3 and likely TLS 1.1, with the rest disabled by default). Most servers will default to ECDHE rather than DHE for performance and higher (non-quantum) security. – Maarten Bodewes Oct 30 '20 at 11:24
  • For my current Google connections: The connection to this site is encrypted and authenticated using QUIC (UDP instead of TCP), ECDHE using X25519 instead of DHE, and - indeed - AES_128_GCM (I was expecting ChaCha20/Poly1305 instead of GCM to be honest). The server certificate is ECDSA with P256 domain parameters, but the other certificates are RSA signed. So yeah, better look up some reports on TLS / HTTPS instead. – Maarten Bodewes Oct 30 '20 at 11:28