Diffie-Hellman question

Anonymous cripto at ecn.org
Mon May 17 23:01:12 PDT 2004


Thomas Shaddack writes:

> I have a standard implementation of OpenSSL, with Diffie-Hellman prime in
> the SSL certificate. The DH cipher suite is enabled.
>
> Is it safe to keep one prime there forever, or should I rather
> periodically regenerate it? Why? If yes, what's some sane period to do so:
> day, week, month?
>
> If the adversary has a log of a passively intercepted DHE-RSA-AES256-SHA
> secured SSL communication, presuming the ephemeral key was correctly
> generated and disposed of after the transaction, will the eventual
> physical retrieval of the DH prime (and the rest of the certificate) allow
> him to decode the captured log?

The DH prime is not secret, and will not in general allow an adversary
to decode the message.  Only the private parts of the ephemeral DH keys
used by the two sides are secret, and they are destroyed after use.

The only theoretical concern is that if the DH prime were small enough,
an adversary at some time in the future might be able to break the DH
key exchange by calculating discrete logs mod the prime.  To within a
few orders of magnitude, this is thought to be equally as difficult as
breaking an RSA modulus of the same size.  If your prime is 2000 bits,
then that should be safe for the foreseeable future, unless quantum
computers turn out to be practical for breaking moduli of this size.

In the unlikely event that it becomes possible to break the DH exchange
by attacking the DH prime in this manner, then all key exchanges that
were done using that prime would be broken (assuming they were recorded
for later analysis and attack).  The main work of the break is directed
towards the prime itself.  Once that is done, there is little additional
work to break a key exchange which used that prime.

This is the only reason you might want to think about changing DH primes
occasionally, so that if some super technology of the future were able
to attack even your 2000 bit prime, at least they'd have to run their
program a few times rather than just once.  But really, that's not much
of a security gain, as you're only increasing the attacker's costs by
a relatively small factor.  And at this point the attack would have to
be viewed as extremely speculative anyway.  So there's not much reason
to change your prime.

This is unlike the case with RSA moduli, where you not only have this very
hypothetical risk of a future technology breakthrough to allow factoring,
but you also have to face the genuine threat that the private key will be
exposed or stolen.  Once that happens, all past messages encrypted with
the key will be revealed.  There are good reasons to change RSA moduli
regularly for this reason (of course, most people don't do it anyway,
because of our poor key management tools).  But with DH primes, that is
not a concern, as there is no long-term secret to be lost.  All you have
to worry about is a discrete log breakthrough, and that's not something
to lose any sleep over.





More information about the cypherpunks-legacy mailing list