[Help-gnutls] Diffie-Hellman: Regeneration of prime and primitive root

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Oct 30 19:10:26 CET 2008


Martin Knappe wrote:
> Hi
> 
> I have seen source code examples of servers implementing Diffie Hellman and
> noticed that these often regenerate the prime and primitive root used to
> generate the shared secret. My questions:
> 1) Under what conditions is this necessary?

There are pros and cons with both approaches of generating random
parameters and using the included ones.

The included parameters have no known weakness. However if a weakness is
found it applies to all servers using them.

By generating random parameters (that pass some tests) you are positive
that there are no known weaknesses yet, but because the prime is random,
the group might have properties that will allow an attacker to mount a
group specific attack. To avoid having an attacker trying to break the
specific group you selected randomly you change the random prime often
(once per month/season etc.).

> 2) Why is this necessary?
It is not necessary. For many people the included are ok.

> 3) How to find out the correct interval at which regeneration becomes
> necessary?
The suit answer would be to calculate the probability p(n) of one
breaking your specific prime in n months and multiply with the losses
you might have if he breaks it. This gives you a number you are expected
to lose in that time. If it is acceptable regenerate them every n
months. Otherwise increase the n.

The normal answer would be not to bother. Probabilities such as these
are nice to show in presentations but hardly offer anything in that case.

regards,
Nikos
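The "random parameters (that pass some tests)" part of the reply above, as an added Python example that is not from the thread or from GnuTLS: the reply does not name the tests, so this assumes the usual ones (p is a safe prime, p = 2q + 1 with q prime, and g is a primitive root mod p) and shows a generator a server could re-run on whatever regeneration interval it settles on.

```python
import secrets
from typing import Tuple

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test (trial division first)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite witness found
    return True

def check_dh_params(p: int, g: int) -> Tuple[bool, str]:
    """Assumed acceptance tests: p is a safe prime and g is a primitive root mod p."""
    if not is_probable_prime(p):
        return False, "p is not prime"
    q, rem = divmod(p - 1, 2)
    if rem or not is_probable_prime(q):
        return False, "p is not a safe prime ((p-1)/2 is not prime)"
    if not 1 < g < p - 1:
        return False, "g out of range"
    # The group order is 2q, so g is a primitive root iff its order is not 1, 2 or q.
    if pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        return False, "g is not a primitive root (generates a proper subgroup)"
    return True, "ok"

def generate_dh_params(bits: int) -> Tuple[int, int]:
    """Pick a fresh random safe prime p of the given size and a primitive root g."""
    while True:
        # q is an odd (bits-1)-bit number with its top bit set, so p = 2q + 1 has exactly `bits` bits.
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:
        g = secrets.randbelow(p - 3) + 2
        if check_dh_params(p, g)[0]:
            return p, g
```

Use a key size of 2048 bits or more for a real server; the small sizes in the test below exist only to keep the run short.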