FREAK/Logjam, and SSL protocols to use

Jacques Distler distler at golem.ph.utexas.edu
Wed May 27 16:29:18 UTC 2015


> It is not at this point emphasized anywhere, including on weakdh.org, that it is actually of high importance to regenerate your DH parameters frequently.

That's not really correct.

If you're using a prime of length at least 2048 bits, then the corresponding discrete-log problem is well beyond the pre-computation ability of the NSA (or anyone else).

It is computationally intensive to generate such large primes, p (and corresponding base parameter, g). You need to ensure that p is actually prime (the costly step [1]) and that g is primitive.

Which is why most implementations have used shorter (<= 1024 bit) primes.

Using shorter primes, and regenerating DH parameters at regular intervals, is only a linear-time improvement. By contrast, generating longer DH parameters (without bothering to regenerate) is an EXPONENTIAL improvement in security.

So the best setting is to set ssl_dh_parameters_length as large as feasible ([2] recommends 2048 bits), and NOT to regenerate.


[1] http://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test
[2] https://weakdh.org/sysadmin.html