2

I'm trying to understand and evaluate the security impact of DH in TLS.

As far as I can tell, there are four major different implementations of DH in TLS.

  • DH
  • DHE
  • ECDH
  • ECDHE

With the ephemeral DH's, forward secrecy is possible, which I consider a huge bonus to security.

What I'm not too sure about is the elliptic curve part. With elliptic curves, the public certificate (?), used for DH, can be smaller than without elliptic curves and still be considered secure.

I have something in my mind like, non-elliptic-curve DH should have at least 2048 bit, to be considered secure.

Is my information correct?

How can I determine the key length (or public certificate size, I'm not sure what exactly I'm looking for here), of my server?

Can I use the information from the .pem file, used for DH (see comment below)?

openssl dhparam -inform PEM -in ./file.pem -check -text
DH Parameters: (4096 bit)
        prime:
             [...]
        generator: 2 (0x2)
DH parameters appear to be ok.
-----BEGIN DH PARAMETERS-----
[...]
-----END DH PARAMETERS-----

So in this case the DH key length/public certificate size would be 4096, correct?

SaAtomic
  • 289
  • 3
  • 10

1 Answers1

2

With elliptic curves, the public certificate (?), used for DH, can be smaller than without elliptic curves and still be considered secure.

Yes, you can achieve the same level of security with shorter keys and thus shorter certificates with EC-based crypto and as an additional bonus: we tend to encode the full field (ie order, prime, generator) for standard DH but only a name (an OID to be precise) for elliptic curves.

I have something in my mind like, non-elliptic-curve DH should have at least 2048 bit, to be considered secure.

Is my information correct?

Yes, standard key size considerations (based on the GNFS) apply to finite-field DH.

So in this case the DH key length/public certificate size would be 4096, correct?

Yes, the size of the public key / the field prime is 4096 bit, the size of an actual DH certificate would be quite a bit larger though, due to the additional encoding of owner information, issuing CA information, field information, ...

Chances are that you are actually looking at your server's DH parameters that are used for the ephemeral key exchange.

SEJPM
  • 46,697
  • 9
  • 103
  • 214