
What’s the purpose of DH Parameters?

Solutions:


What exactly is the purpose of these DH Parameters?

These parameters define how OpenSSL performs the Diffie-Hellman (DH) key exchange. As you stated correctly, they include a field prime p and a generator g. The purpose of being able to customize these parameters is to allow everyone to use his / her own parameters for this. This can be used to prevent being affected by the Logjam attack (which doesn’t really apply to 4096 bit field primes).
So what do they define?
A Diffie-Hellman key exchange operates as follows (for TLS 1.2 and before [1]):

The server Bob uses these parameters to calculate B=g^b mod p. He sends (B,g,p) to the client Alice who computes A=g^a mod p on her own along with K=B^a mod p. She sends A to Bob and he computes K=A^b mod p. As A^b=g^(a*b)=g^(b*a)=B^a mod p holds both parties will agree on a shared key. The parameters p and g define the security of this key-exchange. A larger p will make finding the shared secret K a lot harder, defending against passive attackers.

And why do you have to pre-compute them?
Finding the prime p means finding a value for p for which p = 2q + 1 holds, with q being a prime. p is then called a safe prime.
Finding such primes is really computationally intensive and can’t be afforded on each connection, so they’re pre-computed.

Can they be public?

Yes, there is no risk in publishing them. In fact they’re sent out for every key exchange that involves some Diffie-Hellman (DH) key exchange. There are even a few such parameters standardized, for example in RFC 5114. The only possible problem with publishing may be that a powerful attacker may be interested in performing some computations on them, enabling him to perform the Logjam attack. However, as your parameters use a 4096 bit field prime p, this isn’t a risk.
To explain why publishing them isn’t a risk you may want to take a look at the above key-exchange description and note that the parameters are only used as a base for the computations but all the secrets (a,b) are completely independent of g,p.


[1]: For TLS 1.3, the client first guesses the server’s parameters from a standardized set. Then it sends As for all of these parameters to the server, which then either responds with a B of its own along with the choice of parameter set, or responds with a list of parameters actually supported – which may include the custom-generated ones this Q&A is all about.
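The exchange and the safe-prime search described in the answer above, as an added worked example (this is not code from the answer or from OpenSSL). It generates a toy-sized safe prime p = 2q + 1, derives a generator of the order-q subgroup, runs the (B, g, p) / A exchange for Bob and Alice, and validates each received public value before using it, which is the check a practitioner wants on top of the bare math. The 256-bit size in the usage block is an assumption chosen so the search finishes quickly; real deployments use 2048 bits or more, which is exactly why OpenSSL pre-computes the parameters.

```python
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin: False for composites, True for primes (error <= 4**-rounds)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p is a safe prime when both p and q = (p-1)/2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generate_safe_prime(bits):
    """Search for p = 2q + 1 with q prime. Returns (p, candidates_tested).
    The candidate count is what makes this too slow to do per connection."""
    tested = 0
    while True:
        tested += 1
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits
        if is_probable_prime(q):
            p = 2 * q + 1
            if is_probable_prime(p):
                return p, tested


def subgroup_generator(p):
    """For a safe prime p every element other than +-1 has order q or 2q; the square of a
    random h has order exactly q, so a public value g^a leaks nothing via the Legendre symbol."""
    while True:
        h = 2 + secrets.randbelow(p - 3)
        g = pow(h, 2, p)
        if g != 1:
            return g


def validate_public_value(p, pub):
    """Reject out-of-range values and elements outside the order-q subgroup (small-subgroup check)."""
    q = (p - 1) // 2
    return 1 < pub < p - 1 and pow(pub, q, p) == 1


def dh_keypair(p, g):
    """Private exponent in [1, q-1] and the matching public value g^priv mod p."""
    q = (p - 1) // 2
    priv = 1 + secrets.randbelow(q - 1)
    return priv, pow(g, priv, p)


def dh_shared_secret(p, priv, peer_pub):
    if not validate_public_value(p, peer_pub):
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_pub, priv, p)


def run_exchange(p, g):
    """Bob (server) publishes (B, g, p); Alice answers with A; both derive K. Returns (K_alice, K_bob)."""
    b, B = dh_keypair(p, g)            # server side, done with the pre-computed (p, g)
    a, A = dh_keypair(p, g)            # client side, after receiving (B, g, p)
    return dh_shared_secret(p, a, B), dh_shared_secret(p, b, A)


if __name__ == "__main__":
    p, tested = generate_safe_prime(256)   # assumption: toy size; use >= 2048 bits in practice
    g = subgroup_generator(p)
    k_alice, k_bob = run_exchange(p, g)
    print(f"tested {tested} candidates for a {p.bit_length()}-bit safe prime; "
          f"shared secrets agree: {k_alice == k_bob}")
```

The secrets a and b never leave their owner; only p, g, A and B cross the wire, which is the concrete reason the parameters can be public. Note that the search loop, not the exchange itself, dominates the run time, and the cost grows steeply with the bit size.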

From the openssl wiki page for the Diffie Hellman Key Exchange:

If Alice and Bob wish to communicate with each other, they first agree between them a large prime number p, and a generator (or base) g (where 0 < g < p).

Alice chooses a secret integer a (her private key) and then calculates g^a mod p (which is her public key). Bob chooses his private key b, and calculates his public key in the same way.

So Alice will always have the same private key, but for each set of DH parameters g and p, she will get a different corresponding public key.


Further down that page it says:

Since parameter generation can be an expensive process this is normally done once in advance and then the same set of parameters are used over many key exchanges.

And on the openssl wiki page for Diffie Hellman Parameters it says:

To use perfect forward secrecy cipher suites, you must set up Diffie-Hellman parameters (on the server side)

When static Diffie Hellman (DH) is used (as opposed to Ephemeral Diffie Hellman (EDH)) the DH parameters are set for the server and can actually be embedded in a certificate, so they are public (see this answer). The secrecy comes from Alice and Bob’s private keys.
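To make the "set up once, then reuse and publish" point concrete, here is an added example (not from the OpenSSL wiki or the answer above) of the container those parameters live in: the PEM "DH PARAMETERS" block that `openssl dhparam` writes is a PKCS#3 DHParameter, a DER SEQUENCE of the prime p and the base g (an optional privateValueLength may follow). The code encodes and parses that form with a minimal DER codec and then runs the sanity checks one would want before trusting a parameter file received from someone else: size, primality of p and of q = (p-1)/2, and that g sits in the order-q subgroup. The primality test here is a quick Fermat check, labelled as such, not a proof; the `min_bits` default of 2048 is an assumption reflecting current practice.

```python
import base64
import secrets


def _der_length(n):
    """DER length octets: short form below 0x80, otherwise 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    # Non-negative INTEGER; the extra bit forces a leading 0x00 whenever the top bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + _der_length(len(body)) + body


def encode_dh_params(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, wrapped in PEM."""
    b64 = base64.b64encode(der_sequence(der_integer(p), der_integer(g))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN DH PARAMETERS-----", *lines, "-----END DH PARAMETERS-----"]) + "\n"


def _read_tlv(buf, pos):
    """Read one tag-length-value element at pos; returns (tag, value_bytes, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln


def decode_dh_params(pem):
    """Parse a PEM DH PARAMETERS block back into (p, g)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a DH PARAMETERS block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, pos = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    # A third INTEGER (privateValueLength) is optional and simply ignored here.
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def _fermat_probable_prime(n, rounds=16):
    # Cheap sanity check only: Carmichael numbers pass it. Use Miller-Rabin for real assurance.
    if n < 4:
        return n in (2, 3)
    return n % 2 == 1 and all(pow(2 + secrets.randbelow(n - 3), n - 1, n) == 1 for _ in range(rounds))


def check_dh_params(p, g, min_bits=2048):
    """Return a list of findings; an empty list means (p, g) passed every check here."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"p is only {p.bit_length()} bits (want >= {min_bits})")
    if not _fermat_probable_prime(p):
        findings.append("p is not prime")
    elif not _fermat_probable_prime((p - 1) // 2):
        findings.append("p is prime but not a safe prime: q = (p-1)/2 is composite")
    if not 1 < g < p - 1:
        findings.append("g is outside the range (1, p-1)")
    elif pow(g, (p - 1) // 2, p) != 1:
        findings.append("g has order 2q, not q: public values reveal the parity of the private exponent")
    return findings


if __name__ == "__main__":
    pem = encode_dh_params(23, 4)          # constructed toy parameters: p = 23 = 2*11 + 1, g = 4
    print(pem)
    print("decoded:", decode_dh_params(pem))
    print("findings:", check_dh_params(*decode_dh_params(pem), min_bits=5))
```

Nothing in the file is secret, so shipping it in a config bundle or embedding it in a certificate is fine; the checks matter because an attacker who can swap in a weak or non-safe p gets a cheaper discrete-log problem without ever touching the private exponents.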

The purpose of the DH parameters is to exchange a secret (a large prime integer belonging to a prime order group) that will be used to encrypt a transcript of messages within a session.

Ephemeral DH offers forward security, meaning that the session key (exchanged at the beginning of the session) is deleted upon session termination. Thus an attacker could not retrieve the messages exchanged between two parties for more than the last session (as each session has a different secret key which is always deleted upon termination).
