I have a standard implementation of OpenSSL, with Diffie-Hellman prime in the SSL certificate. The DH cipher suite is enabled. Is it safe to keep one prime there forever, or should I rather periodically regenerate it? Why? If yes, what's some sane period to do so: day, week, month? If the adversary has a log of a passively intercepted DHE-RSA-AES256-SHA secured SSL communication, presuming the ephemeral key was correctly generated and disposed of after the transaction, will the eventual physical retrieval of the DH prime (and the rest of the certificate) allow him to decode the captured log? I am rather inexperienced in this area, don't want to make a mistake, and generation of 2048-bit primes is CPU-hungry enough to not decide to just throw it in without a good reason.
Hi, in Diffie-Hellman key exchange we choose a large prime in Fp. The prime is publicly known, so is g, preferably a generator in Fp*. The reason that you might need to change the prime frequently is only if you do not choose g (an element of Fp) to be a generator in Fp or the prime field is too small. If the attacker knows the prime factorization of p-1, where p-1 = q_1*q_2*...*q_n, he can compute which of g^((p-1)/q_i) == 1 mod p and determine the order of g. If it has a lower order, the attack is easier. If you choose g of maximum order in Fp, then you will have maximum security.
physical retrieval of the DH prime (and the rest of the certificate) allow him to decode the captured log?
The Diffie-Hellman key exchange works under the assumption that knowing only g^a and g^b, it is computationally infeasible for the attacker to calculate g^(ab), and breaking it is conjectured to be as hard as the discrete log problem. Sarath.
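The order check Sarath describes, worked through on a toy prime as an added example (this is not code from the thread). It uses p = 23, a safe prime (p = 2*11 + 1), so the only possible orders in Fp* are 1, 2, 11 and 22; the factorisation of p-1 is done by trial division, which is fine only at toy sizes. Real DH groups use 2048-bit primes, and the arithmetic is the same.

```python
# Added example (not from the thread): computing the order of a DH generator
# from the prime factorisation of p-1, the test g^((p-1)/q_i) mod p that Sarath
# mentions. Toy sizes only: the factoring is trial division.

def prime_factors(n):
    """Distinct prime factors of n in ascending order (trial division)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors

def is_prime(n):
    return n > 1 and prime_factors(n) == [n]

def is_safe_prime(p):
    """p is a safe prime when p and (p-1)/2 are both prime, so p-1 = 2q."""
    return is_prime(p) and p % 2 == 1 and is_prime((p - 1) // 2)

def order_of(g, p):
    """Multiplicative order of g modulo the prime p.
    Start from p-1 and, for each prime q dividing p-1, keep dividing the
    candidate order by q as long as g^(order/q) == 1 (mod p)."""
    if g % p == 0:
        raise ValueError("g must be non-zero mod p")
    order = p - 1
    for q in prime_factors(p - 1):
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order

def is_generator(g, p):
    """True when g has the maximum order p-1, i.e. it generates all of Fp*."""
    return order_of(g, p) == p - 1

def generators(p):
    """All generators of Fp* for a toy prime (there are phi(p-1) of them)."""
    return [g for g in range(1, p) if is_generator(g, p)]

if __name__ == "__main__":
    p = 23
    print("safe prime:", is_safe_prime(p))
    # g = 2 only has order 11 mod 23: a DH exchange over (23, 2) can produce
    # just 11 distinct shared values, the "lower order" case Sarath warns about.
    for g in (2, 3, 5, 22):
        print(f"g={g:2d} order={order_of(g, p):2d} generator={is_generator(g, p)}")
    print("generators of F23*:", generators(p))
```

For a safe prime the check collapses to two exponentiations (g^2 and g^q must both differ from 1), which is why safe primes are the usual choice for DH parameters.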
Thomas Shaddack wrote:
I have a standard implementation of OpenSSL, with Diffie-Hellman prime in the SSL certificate. The DH cipher suite is enabled.
Is it safe to keep one prime there forever, or should I rather periodically regenerate it? Why? If yes, what's some sane period to do so: day, week, month?
No need. Kinda. The best known discrete logarithm attacks are such that if they succeed in the attack then they can easily apply their solution to anything encrypted with the same prime. A shared prime attracts attacks. Widely used primes can become a big target. These attacks are generally supposed to be beyond capability for the next X zillion years though. Or perhaps for ten years. This might seem garubonsendese in the naive 'it's safe' or 'it's not safe' crypto paradigm. However, that isn't how crypto works. Cryptanalysis (the revealing of plaintext against the wishes of the encryptor) is an economic activity. No-one will bother putting in enough resources to break your 2k-bit modexp-based crypto unless they think it worthwhile. But if your prime is shared with several other people who are sending nuclear secrets, then your prime might become subject to attack.
If the adversary has a log of a passively intercepted DHE-RSA-AES256-SHA secured SSL communication, presuming the ephemeral key was correctly generated and disposed of after the transaction, will the eventual physical retrieval of the DH prime (and the rest of the certificate) allow him to decode the captured log?
The prime is public - anyone can know it - so its retrieval won't affect anything. The question I think you are asking is "if the secret key is retrieved, will I lose forward security", to which the answer is "yes". For long-term forward secrecy you need to change the public key every day or so. Use a long-term key to sign the daily keys. PGP does this. Once you have deleted the day's public key, you are OK (but see below!). The ephemeral keys cannot (or should not) be retrieved (or retrievable). (below!) Or perhaps the question you were asking was "if finding DL's mod _this prime_ becomes possible, will I lose forward security?", in which case the answer is "yer fukked" - as are we all - if one prime gets broken, they all will, sooner or later. -- Peter Fairbrother (Who is right now composing a talk about the uses of modexp in crypto, for those far more knowledgeable than I)
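A toy model of the forward-secrecy point above, added here as an example and not part of the thread: a passive eavesdropper logs the handshakes, the server is compromised later, and we count how many recorded session keys the attacker can recompute under three server-side policies (one static exponent forever, a fresh exponent per day with the old one deleted, and a fresh exponent per handshake as in DHE). It assumes a toy safe prime p = 1019 with generator 2 (a real group is 2048 bits or more) and does not model the RSA signature of DHE-RSA, which authenticates the exchange and plays no part in deriving the session key.

```python
import secrets

# Added example (not from the thread). Toy group: p = 1019 = 2*509 + 1 is a
# safe prime and 2 generates Fp*. Real DHE groups are 2048+ bits; the structure
# of the argument does not change with size.
P = 1019
G = 2

def rand_exponent():
    """Fresh secret exponent in [1, p-2]."""
    return 1 + secrets.randbelow(P - 2)

def dh_public(secret):
    return pow(G, secret, P)

def dh_shared(their_public, my_secret):
    return pow(their_public, my_secret, P)

def run_session(server_secret):
    """One handshake. Returns what an eavesdropper sees on the wire (p and g,
    which are public anyway, plus both public values) and the key both sides
    derived. The client side is ephemeral in every mode."""
    a = rand_exponent()
    transcript = {"p": P, "g": G, "A": dh_public(a), "B": dh_public(server_secret)}
    return transcript, dh_shared(transcript["B"], a)

def record_traffic(days, sessions_per_day, mode):
    """Simulate `days` days of traffic under one of three server policies:
      'static'    - one server exponent kept for all time
      'daily'     - new server exponent each day, the previous one deleted
                    (the "change the key every day" regime Peter describes)
      'ephemeral' - new exponent per handshake, discarded after use (DHE)
    Returns (log, server_state): the eavesdropper's log, and what is still
    stored on the server at the end, i.e. what a later compromise yields."""
    log = []
    secret = rand_exponent() if mode == "static" else None
    for day in range(days):
        if mode == "daily":
            secret = rand_exponent()        # yesterday's exponent is gone
        for _ in range(sessions_per_day):
            s = rand_exponent() if mode == "ephemeral" else secret
            transcript, key = run_session(s)
            log.append({"day": day, "transcript": transcript, "true_key": key})
            # in 'ephemeral' mode s is dropped here and never stored anywhere
    return log, {"server_secret": secret}  # None for 'ephemeral'

def keys_recoverable_after_compromise(log, server_state):
    """Adversary model: kept `log`, then obtained everything on the server
    plus the certificate, prime and generator. p and g were public all along
    and add nothing; only a server exponent that still exists and was used in
    a recorded handshake helps. Solving the discrete log is assumed infeasible
    (true at real sizes; with p = 1019 it plainly is not)."""
    s = server_state["server_secret"]
    if s is None:
        return 0
    recovered = 0
    for entry in log:
        t = entry["transcript"]
        if pow(t["g"], s, t["p"]) == t["B"]:      # this exponent produced that B
            if dh_shared(t["A"], s) == entry["true_key"]:
                recovered += 1
    return recovered

def compare_policies(days=3, sessions_per_day=4):
    """Number of logged sessions whose key becomes recoverable, per policy."""
    result = {}
    for mode in ("static", "daily", "ephemeral"):
        log, state = record_traffic(days, sessions_per_day, mode)
        result[mode] = keys_recoverable_after_compromise(log, state)
    return result

if __name__ == "__main__":
    print(compare_policies())
```

With three days of four sessions each, the static policy exposes all twelve recorded sessions, the daily policy exposes only the last day's four (earlier exponents no longer exist to be seized), and the ephemeral policy exposes none: the attacker holds the prime, the generator and both public values for every session, exactly what was on the wire, and is no better off than before the compromise.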
Participants (3): Peter Fairbrother, Sarad AV, Thomas Shaddack