4

Static Diffie-Hellman (cipher suites with DH in their name but neither DHE nor DH_anon) requires that the server owns a certificate with a DH public key in it.

When static DH key exchange is used, the server provides a certificate containing fixed Diffie-Hellman parameters signed by the certificate authority (CA) - (ServerKeyExchange message is not used in this case).

Examples of static DH cipher suites:

TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA     
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA      
TLS_DH_RSA_WITH_AES_128_CBC_SHA  
TLS_DH_DSS_WITH_AES_256_CBC_SHA256   
TLS_DH_RSA_WITH_AES_256_CBC_SHA256

From Diffie–Hellman key exchange: Alice and Bob publicly agree to use a modulus p = 23 and base g = 5 (which is a primitive root modulo 23) where p is prime, and g is a primitive root modulo p. My question is:

Are the fixed Diffie-Hellman parameters provided in the certificate p and g?

Maarten Bodewes
blabla_trace

1 Answer

6

This has been (re-)defined in RFC 3279: "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile". For DH section 2.3.3: "Diffie-Hellman Key Exchange Keys" applies:

Here is the ASN.1 module (which was copied from X9.42, so this is at least a copy of a copy):

  DomainParameters ::= SEQUENCE {
        p       INTEGER, -- odd prime, p=jq +1
        g       INTEGER, -- generator, g
        q       INTEGER, -- factor of p-1
        j       INTEGER OPTIONAL, -- subgroup factor
        validationParms  ValidationParms OPTIONAL }
  ValidationParms ::= SEQUENCE {
        seed             BIT STRING,
        pgenCounter      INTEGER }

So it is at least $p$, $g$ and $q$, but the co-factor $q$ is usually set to 1. This set has been defined for OID 1.2.840.10046.2.1 ("dhpublicnumber").


However, when trying this for myself using openssl command line, I only got two parameters, $p$ and $g$. Turns out openssl is using PKCS#3 instead:

  DHParameter ::= SEQUENCE {
        prime    INTEGER, -- p
        base     INTEGER, -- g
        privateValueLength INTEGER OPTIONAL }

which has been defined for OID 1.2.840.113549.1.3.1 ("dhKeyAgreement").


So yeah, $p$ and $g$ are certainly in there; which set of parameters is in there depends on the OID that defines the key type of the public key and the choices of the organization implementing it. That's a lot of options for something that is barely used.

Maarten Bodewes
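The OID-dependent layout described in the answer above, as an added example that is not part of the original post: a minimal DER reader that takes a key's AlgorithmIdentifier and names the DH parameters according to the two ASN.1 definitions quoted there. The sample encodings are constructed with toy values ($p = 23$) and the function names are illustrative.

```python
# Added example: tell the two DH parameter encodings apart by key-type OID.
X942 = "1.2.840.10046.2.1"       # dhpublicnumber -> DomainParameters (RFC 3279)
PKCS3 = "1.2.840.113549.1.3.1"   # dhKeyAgreement -> DHParameter (PKCS#3)
FIELDS = {X942: ("p", "g", "q", "j"),
          PKCS3: ("prime", "base", "privateValueLength")}
REQUIRED = {X942: 3, PKCS3: 2}   # number of non-OPTIONAL leading INTEGERs

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0   # valid for first arc 0 or 1
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def dh_params(alg_id):
    """Parse a DER AlgorithmIdentifier; return (oid, {field: value})."""
    tag, body, _ = read_tlv(alg_id, 0)
    otag, oid_raw, pos = read_tlv(body, 0)
    ptag, params, _ = read_tlv(body, pos)
    if (tag, otag, ptag) != (0x30, 0x06, 0x30):
        raise ValueError("not SEQUENCE { OID, SEQUENCE }")
    oid = decode_oid(oid_raw)
    if oid not in FIELDS:
        raise ValueError("not a DH key type: " + oid)
    ints, pos = [], 0
    while pos < len(params):
        t, val, pos = read_tlv(params, pos)
        if t != 0x02:                        # e.g. validationParms SEQUENCE
            break
        ints.append(int.from_bytes(val, "big"))
    if len(ints) < REQUIRED[oid]:
        raise ValueError("missing required parameters for " + oid)
    return oid, dict(zip(FIELDS[oid], ints))

# Constructed samples with toy values (p = 23), not taken from a real certificate.
X942_SAMPLE = bytes.fromhex("3017 0607 2a8648ce3e0201 300c 020117 020102 02010b 020102")
PKCS3_SAMPLE = bytes.fromhex("3013 0609 2a864886f70d010301 3006 020117 020105")
```

Calling `dh_params` on each sample returns the OID together with the named integers, so the same $p$ shows up as `p` under dhpublicnumber and as `prime` under dhKeyAgreement.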