How to generate a Diffie-Hellman 4096-bit Key in less time
Quote from HeelpBook on February 5, 2021, 6:51 pm

While configuring a web server on Linux I would like to generate a Diffie-Hellman 4096-bit Key for my TLS configuration, but when I try generating it using openssl it takes a very long time. Is there a way to generate it in less time?
Quote from HeelpBook on February 5, 2021, 6:57 pm

Diffie-Hellman keys can take a long time to generate because dhparam requires something known as a strong prime. Strong primes provide little to no security benefit but take a lot of effort to produce.

Instead, we could use the -dsaparam option to decrease generation time by avoiding the strong prime effort. Here's an example of that:

openssl dhparam -dsaparam -out dhparam2.pem 4096

In the OpenSSL manpage we can find the definition of -dsaparam:

If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, "strong" primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.

For a better understanding, the following are two examples about strong prime numbers:

Input: N = 11
Strong Prime Number?: Yes
Reason: 11 is the 5th prime number; the arithmetic mean of the 4th and 6th prime numbers, i.e. 7 and 13, is 10. 11 is greater than 10, so 11 is a strong prime.

Input: N = 13
Strong Prime Number?: No
Reason: 13 is the 6th prime number; the arithmetic mean of the 5th (11) and 7th (17) is (11 + 17) / 2 = 14. 13 is smaller than 14, so 13 is not a strong prime.
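As an added example (not code from the original post), a short Python check of what the quoted manpage calls a "strong" prime, i.e. p with (p-1)/2 also prime, and of the public-value validation that counters the small-subgroup attacks the answer warns about for DSA-style parameters; all numbers are constructed toy parameters, and Miller-Rabin is used as the primality test.

```python
import random

def is_probable_prime(n, rounds=25):
    """Miller-Rabin probabilistic primality test (trial division first)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True

def is_safe_prime(p):
    """The 'strong' prime of the dhparam manpage: p and (p-1)/2 both prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def element_order(p, y):
    """Multiplicative order of y mod p by brute force (small p only)."""
    if y % p == 0:
        return None
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k

def validate_public_value(p, q, y):
    """Accept a peer's public value y only if it lies in the order-q subgroup.

    For a safe prime (q = (p-1)/2) the only small subgroup is {1, p-1}, so the
    range check alone rejects it. DSA-style p = h*q + 1 with a large cofactor h
    has many small subgroups, so the y**q == 1 check (or a fresh key for every
    exchange, as the post says) is what blocks small-subgroup attacks."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

# Toy parameters (constructed, not real dhparam output): safe prime p=23, q=11;
# DSA-style p=43, q=7 (cofactor 6), where y=36 has order 3 but is in range.
TOY_PARAMS = {"safe": (23, 11), "dsa_style": (43, 7)}
```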