The anonymous key exchange offers encryption without any indication of the peer's identity. It protects only against passive eavesdropping: because neither side proves who it is, an active attacker can sit between the two peers and negotiate a separate key with each, so it is vulnerable to a man in the middle attack. It can, however, be used where there has been no prior communication with the peer and no trusted third party is shared with it, and it is useful when complete anonymity is required.
Outside that case, anonymous authentication is not recommended. An alternative with better properties is trust on first use (see Verifying a certificate using trust on first use authentication).
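The man-in-the-middle weakness described above, shown on a finite-field Diffie-Hellman exchange of the kind ANON_DH performs. This is an added example, not code from the GnuTLS manual or library; the client, server and attacker roles, the choice of the RFC 2409 1024-bit MODP group (used only because it is short enough to embed) and the SHA-256 key derivation are assumptions made for the demonstration. The same substitution applies unchanged to ANON_ECDH, since the point values there carry no identity either.

```python
"""Added example (not GnuTLS code): why an anonymous Diffie-Hellman key
exchange resists only passive eavesdropping.  The client/server/attacker
roles and the message flow are assumptions made for this demonstration."""
import hashlib
import secrets

# Finite-field group: the 1024-bit MODP group of RFC 2409 (group 2), chosen
# only because its value is short enough to embed here.  It is below current
# minimum sizes and must not be used for real traffic.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair(p=P, g=G):
    """Fresh ephemeral key pair: private exponent x, public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2          # x in [2, p-2]
    return x, pow(g, x, p)


def dh_shared_key(priv, peer_pub, p=P):
    """Derive a session key from the peer's public value.  Rejects the
    degenerate values 0, 1 and p-1, which would force a known secret."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    secret = pow(peer_pub, priv, p).to_bytes(KEY_BYTES, "big")
    return hashlib.sha256(secret).digest()


def honest_exchange():
    """Client and server exchange values directly.  A passive observer sees
    only (client_pub, server_pub) and would need a discrete logarithm to
    recover the key, so confidentiality holds against eavesdropping."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client_key = dh_shared_key(c_priv, s_pub)
    server_key = dh_shared_key(s_priv, c_pub)
    return client_key == server_key


def mitm_exchange():
    """An active attacker replaces each public value in transit.  Neither
    endpoint has any identity to check, so the substitution is invisible."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()              # attacker's own ephemeral pair
    # What the client actually receives is m_pub, not s_pub; same for server.
    client_key = dh_shared_key(c_priv, m_pub)
    server_key = dh_shared_key(s_priv, m_pub)
    # The attacker completes both halves and can decrypt and re-encrypt
    # every record flowing in either direction.
    key_towards_client = dh_shared_key(m_priv, c_pub)
    key_towards_server = dh_shared_key(m_priv, s_pub)
    return {
        "attacker_has_client_key": key_towards_client == client_key,
        "attacker_has_server_key": key_towards_server == server_key,
        "endpoints_share_a_key": client_key == server_key,
    }


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("man in the middle:", mitm_exchange())
```

Nothing in the exchange lets either endpoint notice that the value it received came from the attacker rather than its intended peer; that is exactly the gap that certificate, PSK or trust-on-first-use authentication closes by binding the key exchange to an identity.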
The key exchange algorithms available for anonymous authentication are listed below. Note that few public servers support them, and they are not part of the default priorities in GnuTLS: both peers have to enable them explicitly (for example with the ANON-DH or ANON-ECDH keywords in a priority string) and provide anonymous credentials.
ANON_DH:
This algorithm exchanges ephemeral finite-field Diffie-Hellman parameters.
ANON_ECDH:
This algorithm exchanges ephemeral elliptic curve Diffie-Hellman parameters. It is more efficient than ANON_DH at an equivalent security level.