[gnutls-help] too few bits from gnutls_dh_params_generate2() ?

Manuel Pégourié-Gonnard mpg at elzevir.fr
Tue Nov 11 13:32:01 CET 2014


On 11/11/2014 12:50, Pierre Ossman wrote:
> TBH, I've never gotten a good grasp on what a good security policy is with
> regard to DH params. Some have pregenerated values, but I also see 
> references that they should be regenerated every few hours/days/etc.
> 
> Got any insight to share?
> 
The DH params (i.e. prime and generator) can totally be static. There are even
RFCs defining standardised values for them (3526, 5114, maybe more).

The thing that should be regenerated regularly (ideally every key exchange,
for truly ephemeral DH) is your private-public DH key pair.

Manuel.
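To make the distinction in this reply concrete, here is an added example (written for this page, not code from the thread or from GnuTLS): a pure-Python ephemeral DH exchange over a fixed, public group. The group is the 2048-bit MODP group from RFC 3526 (group 14, generator 2), transcribed here and verified as a safe prime before use; everything else (function names, the SHA-256 key derivation, the subgroup check) is this example's own choice. The parameters never change; a new private/public pair is drawn from the CSPRNG for every exchange.

```python
"""Ephemeral DH over a static, standardised group (added example, stdlib only)."""
import hashlib
import secrets

# RFC 3526 2048-bit MODP group (group 14): safe prime p = 2q + 1, generator 2.
# Transcribed for this example; is_safe_prime() below checks it before use.
P_RFC3526_GROUP14 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; enough to sanity-check a group constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p and (p-1)/2 both prime: the property RFC 3526 groups are built on."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generate_keypair(p: int = P_RFC3526_GROUP14, g: int = G) -> tuple[int, int]:
    """Fresh private exponent from the CSPRNG; this is what must be new per exchange."""
    priv = secrets.randbelow(p - 3) + 2          # uniform in [2, p-2]
    return priv, pow(g, priv, p)


def validate_public(pub: int, p: int = P_RFC3526_GROUP14) -> bool:
    """Reject out-of-range values and anything outside the order-q subgroup."""
    if not 2 <= pub <= p - 2:                     # excludes 0, 1 and p-1
        return False
    q = (p - 1) // 2
    return pow(pub, q, p) == 1                    # small-subgroup check for a safe prime


def derive_key(priv: int, peer_pub: int, p: int = P_RFC3526_GROUP14) -> bytes:
    """Shared secret g^(ab) mod p, hashed to a fixed-length session key."""
    if not validate_public(peer_pub, p):
        raise ValueError("invalid peer public value")
    secret = pow(peer_pub, priv, p)
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def run_exchange(p: int = P_RFC3526_GROUP14, g: int = G) -> dict:
    """One complete exchange between two parties using the same static (p, g)."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    return {
        "a_pub": a_pub,
        "b_pub": b_pub,
        "key_a": derive_key(a_priv, b_pub, p),
        "key_b": derive_key(b_priv, a_pub, p),
    }


def ephemeral_keys_differ() -> bool:
    """Two exchanges over the identical group agree internally but share no key."""
    first, second = run_exchange(), run_exchange()
    return (
        first["key_a"] == first["key_b"]
        and second["key_a"] == second["key_b"]
        and first["key_a"] != second["key_a"]
    )


if __name__ == "__main__":
    print("group is a safe prime:", is_safe_prime(P_RFC3526_GROUP14))
    print("fresh keys each exchange:", ephemeral_keys_differ())
```

The subgroup check in `validate_public` is the part a static group makes cheap: because p is a safe prime, a single exponentiation by q confirms the peer's value cannot drag the secret into a tiny subgroup, regardless of how long the group itself has been in use.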


