On 05/27/2015 12:29 PM, Jacques Distler wrote:>> It is not at this point emphasized anywhere, including on weakdh.org,
that it is actually of high importance to regenerate your DH parameters
frequently.
> That's not really correct.
>
> If you're using a prime of length at least 2048 bits, then the
corresponding discrete-log problem is well-beyond the pre-computation ability of
the NSA (or anyone else).
>
> It is computationally intensive to generate such large primes, p (and
corresponding base parameter, g). You need to ensure that p is actually prime
(the costly step [1]) and that g is primitive.
>
> Which is why most implementations have used shorter (<= 1024 bit)
primes.
>
> Using shorter primes, and regenerating DH parameters at regular intervals,
is only a linear-time improvement. By contrast, generating longer DH parameters
(without bothering to regenerate) is an EXPONENTIAL improvement in security.
>
> So the best setting is to set ssl_dh_parameters_length as large as feasible
([2] recommends 2048 bits), and NOT to regenerate.
>
>
Well that's certainly what I meant to say. By referring to weakdh.org
(and placing my message in the context of this entire thread) I was at
the very least subtly alluding to the recommendation loudly stated there
to use at least 2048 bits, which has been the recommendation for a very
long time, anyway. The implementation in the various TLS libraries was
never a very good reference point, to put it mildly. Some bad choices
have been made presumably for "pragmatic" (= lazy) reasons and the
harm
is that these things are not transparent to most people.
But when you write NOT to regenerate, are you saying that using larger
primes makes regenerating unnecessary, or are you telling us that it's
somehow harmful?