[openssl-users] Need help understanding tradeoffs of "-dsaparam" in dhparam

[Ethan Rahn]

Hello,

Pinging again to try and get a response.

Thanks for your time,

Ethan

On Tue, Oct 27, 2015 at 3:35 PM, Ethan Rahn <ethan.rahn at gmail.com> wrote:

> Hello,
>
> I'm trying to understand the tradeoffs of using "-dsaparam" in the openssl
> "dhparam" command. I know that it won't create a strong prime
> <https://en.wikipedia.org/wiki/Strong_prime>, but I'm not understanding
> the tradeoffs with that very well. The wikipedia page says that primes with
> the strong property are not considered necessary by some cryptography
> experts, but I don't know what the tradeoffs of using "-dsaparam" are.
> Please note this is being used for a ( nginx-based ) SSL server if that
> helps provide context.
>
> I know that it is much faster. For generating a 2048-bit diffie-hellman
> parameter using "-dsaparam" takes ~10 seconds vs. ~30 minutes for the
> strong prime defaults on the server I'm testing it on.
>
> The downside is not very clear to me however. I know the man pages say "DH
> parameter generation with the -dsaparam option is much faster, and the
> recommended exponent length is shorter, which makes DH key exchange more
> efficient. Beware that with such DSA-style DH parameters, a fresh DH key
> should be created for each use to avoid small-subgroup attacks that may be
> possible otherwise." This isn't clear to me if each connection the SSL
> server makes should use a different dsaparam based dhparam? Is there
> another meaning here?
>
> Any clarifications on what I should beware of when using -dsaparam and
> what a "new use" is when knowing when to make fresh dh keys would be very
> appreciated.
>
> Thanks,
>
> Ethan
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151103/cd94129c/attachment.html>