2

When setting up a web server with TLS support I've generated my dhparams with openssl dhparam -C 2048 some.pem. I understand that the output in some.pem are the parameters by which DH key exchange will be done and that they are by nature public values. With empirical testing it seems that I can rotate the dh parameters without clients programs complaining, but a few questions arise that I can't find answers to.

  • If I rotate the parameters with some cadence is there any benefit to doing so?
  • Is there any downside to rotation? ie could an attacker more easily masquerade as my web server?

Naively it seems that rotation of parameters would marginally increase security in the event that one particular set of parameters is compromised, but this seems unlikely. Does anyone have input on this?

mehov
  • 421
  • 4
  • 9
Darakian
  • 135
  • 5
  • If you use very popular parameters you run the risk of some massive organization precomputing results for it. Recomputing different parameters can take lots of CPU power and time on weaker hardware. – user Oct 09 '19 at 17:32
  • @user, that sounds like it could be made into a good answer (where it can be voted on and earn you reputation). – Toby Speight Oct 09 '19 at 18:13
  • @user that's a good point. In this case I am generating my own parameters, but I hadn't considered that popular parameters might be a target. – Darakian Oct 09 '19 at 19:00
  • Mostly dupe https://security.stackexchange.com/questions/38206/can-someone-explain-what-exactly-is-accomplished-by-generation-of-dh-parameters and https://security.stackexchange.com/questions/43355/what-are-the-implications-of-using-the-same-dh-parameters-in-a-tls-server also note TLS1.3 no longer supports user-generated groups/parameters at all; if you still use DHE you must use the standardized rfc7917 groups, see rfc8446. PS Diffie with two 'i' – dave_thompson_085 Oct 10 '19 at 04:11

1 Answers1

1

Naively it seems that rotation of parameters would marginally increase security in the event that one particular set of parameters is compromised, but this seems unlikely. Does anyone have input on this?

This is correct. Rotating parameters protects from precomputation attacks against Diffie-Hellman. Any individual DH group can be subject to an extremely intensive precomputation after which each individual key agreement step can be broken very rapidly (sometimes even in real time).

The biggest danger is in using small, popular groups which various government agencies have very likely managed to attack, judging by analysis of the Snowden leaks. Generating your own group, even if you do it just once, is sufficient to protect against all but the most serious cryptanalysis efforts.

Of course, the best solution is to just use a large group (at least 3072 bits) and call it a day.

forest
  • 64,616
  • 20
  • 206
  • 257