I've been asked to enable DHE in our SMTP product. I'm stuck on this question:

How often should the product regenerate its DHE p and g parameters?

I've seen some implementations that use a cron job to regenerate p and g once per day; others (e.g., Postfix) set p and g as source code constants. The most common approach seems to be once at install time.

If I understand it correctly, even if p and g are known to an attacker, recovering the encryption key means solving the discrete logarithm problem. From that I would infer that generating p and g at install time is more than adequate. But I also saw media reports about a year ago suggesting that the discrete logarithm problem might be solved by the end of the decade; that would suggest regenerating p and g regularly might be prudent.

1 Answer

So p is the modulus, and g is the generator. You are absolutely right. p and g are publicly known values, and the discrete log problem needs to be solved to break the Diffie-Hellman exchange.

Ephemeral Diffie-Hellman

The whole point of Ephemeral Diffie-Hellman is to provide for Perfect Forward Secrecy (PFS). Here's an answer I already wrote up on DHE and PFS for more information.

  • Generators: These are generally fairly small. A protocol like SSH will allow you to exchange the group (RFC4419), but there are two standard values used for SSH: 2 and 5. If you like math stuff, here's an explanation on generators in DH.
  • Moduli: A modulus for DH is a large prime.

These parameters need to be generated only once by the server for each size that you're looking to support. I would use OpenSSL's functionality as it's described in their wiki.

Here's OpenSSL's Wiki on DH Parameters.

This article linked to in that wiki gives good information on PFS, and configuring your SSL/TLS enabled server to use it. You need to make sure your server has a version that supports it, and put the PFS cipher suites (DHE and ECDHE) at the top of your list.

RoraΖ
  • Ah ha, thank you for the detailed answer and for clearing up my mental block. I realize now I got myself wrapped around the axle thinking of *p* and *g* as if they needed to be kept secret, like a private key. But of course that would defeat the whole purpose of DHE. – Carl S. Gutekunst Sep 18 '14 at 16:22
  • @Carl Do use p at least 1024 bits and preferably 2048; dlog attacks seem to fairly closely follow factoring/RSA which has reached nearly 800. Also I advise against putting params in source (as the wiki examples do); even though we don't expect to need to replace them, making it unnecessarily difficult to do so is tempting fate. – dave_thompson_085 Sep 19 '14 at 13:12
  • Thanks, all. The implementation was easier than I expected; I just call dhparam from the same startup script that generates the product's SSH keys. PCI requires at least 1024 bits. There is a lively discussion in IETF TLS WG regarding minimum DHE parameter group size; I'll be following their recommendations. – Carl S. Gutekunst Nov 15 '14 at 20:47