| From: Giles Orr via talk <[email protected]>

| And it's considered a bad idea to use a
| widely known DH parameter (like the one that ships with the software,
| or that sits on a Mozilla server).

I'm not sure that's correct. The counter-argument is that some are weak and some are strong and it would be better to use ones attested to in a process you consider trustable. That seems to be what is recommended by the Mozilla link I included and by RFC 7919 that it links to (I haven't read it or the updates and errata).

| This is a semi-useful read:
| https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters.

I don't trust Stack Exchange but I do find it useful. That isn't actually a contradiction.

| I say "semi-useful" because honestly some of it was over my head. And
| that leads to reading about Logjam ( https://weakdh.org/ ).

The DH (Diffie-Hellman) exchange is the magic that makes privacy on the internet work. It's really cute and simple. Weakness: it cannot defend against an active man-in-the-middle attack.

It's actually simple. The SE first answer, second paragraph, explains how it works. Let me fill in some missing bits:

The integers, modulo p [a prime], form a mathematical group.
g, p are the DH parameters and are publicly known.
a is Alice's secret, never to go on the wire.
b is Bob's secret, never to go on the wire.
"^" denotes exponentiation (think repeated multiplication).
All arithmetic is modulo p.

Alice sends Bob: g^a
Bob sends Alice: g^b
Alice can compute (g^b) ^ a
Bob can compute (g^a) ^ b
And those are both the same!

Now Alice and Bob share a secret that nobody else has. That's all that's needed for bootstrapping privacy.

Avoiding an active man-in-the-middle attack is much harder logistically. For that you need some kind of authentication (what one chooses to mean by authentication is a very interesting decision). That's part of why we have the horror show of certificates. They are not necessary but they are sufficient (as long as the certificate system isn't broken).

| With Ansible I've automated the generation of a new DH parameter file
| on each new server:
|
| openssl dhparam -out <filename> <size>
|
| Generating this file takes a significant amount of time (minutes) if
| "size" is reasonably large (2096, although I would recommend 4192)
| even on a modern machine.

You consider the numbers you gave as a typo (according to later mail). Actually, there is an argument to be made that if you are rolling your own, don't use popular powers of two. A bad guy might have hardware optimized for powers of two (they are used in the vast majority of cases). Or precomputed tables. If you don't use a power of two, you throw him off his book.

The core of this is that we think that g^a is much much much cheaper to compute than the corresponding discrete log (i.e. compute a, given g and g^a).
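The exchange walked through above, as an added worked example that is not part of the original post: Alice and Bob derive the same value from (g^b)^a and (g^a)^b, and a brute-force discrete log shows the asymmetry the security rests on. The parameters p = 1019 (a safe prime, 2*509+1) and g = 2 are constructed toy values for illustration only, far too small for any real use; RFC 7919's groups are the ones to use in practice.

```python
import secrets

# Constructed toy parameters (NOT for real use): p is a safe prime 2q+1
# with q = 509, and g = 2 generates the whole multiplicative group mod p.
P = 1019
G = 2

def is_generator(g, p):
    """For a safe prime p = 2q+1, g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1

def public_value(secret, g=G, p=P):
    """What goes on the wire: g^secret mod p. The secret itself never leaves the host."""
    return pow(g, secret, p)

def shared_secret(their_public, my_secret, p=P):
    """(g^b)^a == (g^a)^b mod p, so both sides derive the same value."""
    return pow(their_public, my_secret, p)

def dh_exchange(a=None, b=None, g=G, p=P):
    """Run the whole exchange; random secrets unless fixed ones are passed in."""
    a = secrets.randbelow(p - 2) + 1 if a is None else a
    b = secrets.randbelow(p - 2) + 1 if b is None else b
    A = public_value(a, g, p)   # Alice -> Bob (public)
    B = public_value(b, g, p)   # Bob -> Alice (public)
    return shared_secret(B, a, p), shared_secret(A, b, p)

def discrete_log(target, g=G, p=P):
    """Brute-force recovery of x from g^x mod p: trivial at this toy size,
    infeasible at 2048+ bits, which is the whole security assumption."""
    x, value = 0, 1
    while value != target:
        x += 1
        value = value * g % p
        if x >= p:
            return None
    return x

if __name__ == "__main__":
    assert is_generator(G, P)
    k_alice, k_bob = dh_exchange()
    print("shared secret on both sides:", k_alice, k_bob, k_alice == k_bob)
    # An eavesdropper sees only g^a; at toy size it can still recover a.
    print("discrete log of g^6 is", discrete_log(public_value(6)))
```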
