I'm setting up EAP-TLS on my wireless router, and am currently generating DH parameters for FreeRADIUS.
First, what do these parameters do? Also, what size should they be?
I've been generating the current parameters for some time:
openssl dhparam -check -text -5 4096 -out dh
The tutorial I was following recommended a 512-bit DH parameter size, but I'm a bit of a tin-foil-hatter. What are the security implications of the size and strength of these parameters?
Diffie-Hellman is not stronger than the Discrete Logarithm problem in the multiplicative subgroup of integers modulo a prime p. A larger prime p makes DL harder. Current record (in academic circles) is for a 530-bit prime modulus. Though it took quite some computational effort, the lesson is that 512-bit DH is breakable with existing technology. An attacker observing your traffic could thus (at a price) break through the key exchange mechanism, recover the session key, and decrypt your data. Also, DL-breaking algorithms tend to be cumulative, i.e. breaking ulterior sessions with the same modulus would be easier.
Current recommendations from various bodies (including NIST) call for a 2048-bit modulus for DH. Known DH-breaking algorithms would have a cost so ludicrously high that they could not be run to completion with known Earth-based technology. See this site for pointers on that subject.
You don't want to overdo the size because the computational usage cost rises relatively sharply with prime size (somewhere between quadratic and cubic, depending on some implementation details) but a 2048-bit DH ought to be fine (a basic low-end PC can do several hundreds of 2048-bit DH per second).
For a given bit length cracking a set of dh parameters is a bit harder than cracking a RSA key.
Once the set of dh parameters is cracked then cracking individual dh sessions is relatively easy. Therefore you are safer using locally generated dh parameters than using well-known ones.
So the rule of thumb I would use would be to use self-generated dh parameters of the same length as the RSA keys you use.
512 bit is now trivially cracked.
768 bit is probably within the reach of academic high performance computing to crack.
1024 bit is probably within the reach of nation states to crack. There is some evidence that the NSA may have cracked the most common set of 1024 bit dh parameters.
2048 bit is generally expected to be safe. However years ago people expected 1024 bit to be safe so if you are after long term resistance I would go up to 4096 bit (for both RSA keys and DH parameters).
