You can also use RSA for actual encryption (like PGP) or for signing/verifying. ECDHE is better for key exchange, and ECDSA is better for signing/verifying. Check out goodroot's link!
What encryption are you talking about? IIRC, RSA has only been used for key exchange or authentication (sign/verify) in SSL/TLS. Even in the old days up to SSL 3.0, RC4 or (3)DES was used for actual (symmetrical) encryption.
SSL and TLS before 1.3 had a key exchange mode that used RSA encryption, without any DH, DHE, ECDHE, etc. [1]. The client would generate a secret, encrypt it to the server's public key (from the certificate) and send that to the server. The server would decrypt it, compute the shared secret key and continue.
Being able to decrypt was used to prove the server has the private key for the certificate, instead of a signature.
RSA was thus used for both key agreement and authentication.
This of course has the problem that all recorded traffic can be decrypted after you get your hands on the certificate's private key, maybe after the certificate has expired and admins think the key is worthless.
This was known to be a bad idea and was removed from TLS 1.3. Some banks complained; they were told to escrow using ECDHE instead if they had to make the traffic decryptable by someone with a key for some reason.
"RSA key exchange" = "let me think about a secret and I'll encrypt it with your public key". In other words, the RSA cryptosystem does not have a key exchange operation.
tptacek: I think this sub-thread has been mainly to explain what RSA could be used for, not that it would be a good idea. On a side note, I have been positively surprised to see how many devices support ECDHE key exchange.
Also, do you have a good resource that explains the drawbacks of RSA key exchange in more detail?
Very good point! I was thinking about other potential drawbacks, but this must be the biggest! We're talking about PFS in the next article - https://fly.io/articles/how-ciphersuites-work/
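The drawback raised in this thread, that traffic recorded under RSA key exchange becomes readable once the certificate's private key leaks while an ephemeral exchange does not, shown as an added example (not code from any commenter or from the linked article). It assumes constructed toy parameters: unpadded textbook RSA over two small Mersenne primes, a tiny finite-field DH group standing in for ECDHE, and a hash-based XOR in place of a real record cipher; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters: textbook RSA without padding and a tiny DH group.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537          # server's long-term RSA key
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))    # D is the certificate's private key
DH_P, DH_G = 2**127 - 1, 3                     # toy Diffie-Hellman group

def kdf(secret: int) -> bytes:
    """Derive a session key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def seal(key: bytes, data: bytes) -> bytes:
    """Toy record protection: XOR with a hash-derived stream (max 32 bytes)."""
    stream = hashlib.sha256(key + b"record").digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def rsa_session(plaintext: bytes) -> dict:
    """RSA key transport; returns only what a passive recorder sees."""
    premaster = secrets.randbelow(N - 2) + 2
    return {"enc_premaster": pow(premaster, E, N),   # encrypted to the cert key
            "record": seal(kdf(premaster), plaintext)}

def dhe_session(plaintext: bytes) -> dict:
    """Ephemeral DH; the RSA key only signs the handshake shares."""
    a = secrets.randbelow(DH_P - 3) + 2              # client ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2              # server ephemeral secret
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(f"{A}|{B}".encode()).digest(), "big")
    # a and b never appear on the wire and are discarded when this returns.
    return {"client_share": A, "server_share": B,
            "signature": pow(digest % N, D, N),      # authentication only
            "record": seal(kdf(pow(A, b, DH_P)), plaintext)}

def exposed_by_leaked_key(capture: dict, d: int) -> list:
    """Apply a leaked private exponent to every recorded handshake value and
    return each plaintext candidate this yields for the recorded record."""
    values = [v for k, v in capture.items() if k != "record"]
    return [seal(kdf(pow(v, d, N)), capture["record"]) for v in values]

if __name__ == "__main__":
    msg = b"GET /account HTTP/1.1"                   # constructed sample record
    print("RSA transport exposed:", msg in exposed_by_leaked_key(rsa_session(msg), D))
    print("DHE exposed:          ", msg in exposed_by_leaked_key(dhe_session(msg), D))
```

In the ephemeral case the leaked exponent only lets its holder produce or check signatures; the session key depended on secrets that were never sent and no longer exist.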