[openssl-users] [openssl-dev] A question DH parameter generation and usage

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Dec 6 14:07:04 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Salz, Rich via openssl-users
> Sent: Wednesday, December 06, 2017 08:50

> You can re-use the keys, but then you get no forward secrecy, and sessions generated with one connection are
> vulnerable to another.

If you reuse keys, yes; but you still get PFS if you only reuse the same group and generate ephemeral keys (assuming sufficient group strength, where "sufficient" depends on the size of the group and its value to well-resourced attackers). I thought that was what the original poster was asking about.

> Why are you using DH?  Unless you have compelling reasons (interop with legacy), you really should use ECDHE.

Interop would be the usual reason. And since supporting DHE properly is a small fixed cost (generate a group or pick one from RFC 7919, hard-code it, and set it in each SSL_CTX), you might as well do it, no?

But I agree that the ECDHE suites are generally preferable when the client supports them. I know there's some NSA FUD around ECC since they pulled it from the Suite B recommendations in 2015.[1] I still think the published evidence supports using ECC, though. On the other hand, and per today's other thread on the subject, there may be legal concerns around the use of ECC.

[1] Matt Green has a nice discussion of this, including a link to the great paper Koblitz and Menezes wrote about it, here: https://blog.cryptographyengineering.com/2015/10/22/a-riddle-wrapped-in-curve/

Michael Wojcik
Distinguished Engineer, Micro Focus