Here's my shot. I'm not completely happy with it. I'd appreciate criticism.
At least pubkey/privkey. Sometimes params.
I don't think this is nicely defined. But I have NO sources to back this up. (If someone can show me a standards document I'd be pleased to be shown wrong. Anything is better than uncertainty there for me.)
The TLS1.2 RFC says that the server gets to pick these three:
struct {
opaque dh_p<1..2^16-1>;
opaque dh_g<1..2^16-1>;
opaque dh_Ys<1..2^16-1>;
} ServerDHParams; /* Ephemeral DH parameters */
So the server COULD change ANY of the three.
But I think that actually only the server's pubkey (dh_Ys
) will change. And this should be enough to give forward secrecy.
But only if your
opaque dh_p<1..2^16-1>;
opaque dh_g<1..2^16-1>;
are unlikely to be broken anytime soon. (Like if they are 2048 bits.)
(And Thomas Pornin said on a different question: To get bad DH parameters, you have to do it on purpose.)
F5's "Single DH use"
Now I've looked at F5's website to find out how their load balancers implement EDH.
And they have an option called Single DH use
which I think regenerates the dh_p/dh_g pair.
Here's the quote. I don't understand why I would want that. Confuses me.
Single DH use
This option creates a new key when using temporary/ephemeral DH parameters. You must use this option if you want to prevent small subgroup attacks, when the DH parameters were not generated using strong primes (for example, when using DSA-parameters). If strong primes were used, it is not strictly necessary to generate a new DH key during each handshake, but we do recommend this. You should enable the Single DH use option whenever temporary/ephemeral DH parameters are used.
F5 Keys generated hourly
F5 has an article that says Beginning in BIG-IP 11.4.0, the generation of new ephemeral keys occurs hourly.
I suspect they are using "keys" and "parameters" interchangably.
CryptoPP calls the "regenerated keypair" method ephemeral.
When CryptoPP talks about EDH they mean: group stays the same. Keypair changes.
Citrix NetScaler I'm not sure.
Again, I'm not sure if they completely differentiate between dhparams and dh-keypair.
dhFile
Name for and, optionally, path to the PEM-format DH parameter file to be installed. /nsconfig/ssl/ is the default path.
This parameter is not applicable when configuring a backend profile.
dhCount
Number of interactions, between the client and the NetScaler appliance, after which the DH private-public pair is regenerated. A value of zero (0) specifies infinite use (no refresh).
This parameter is not applicable when configuring a backend profile.
Minimum value: 0
Maximum value: 65534
dhKeyExpSizeLimit
This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.
Possible values: ENABLED, DISABLED
Default value: DISABLED
Here dhKeyExpSizeLimit
confuses me. I don't understand why you would allow that part to be user-definable.