
[openssl-users] Need help understanding tradeoffs of "-dsaparam" in dhparam


Ethan Rahn

Oct 27, 2015, 6:36:48 PM
Hello,

I'm trying to understand the tradeoffs of using "-dsaparam" in the openssl "dhparam" command. I know that it won't create a strong prime, but I'm not understanding the tradeoffs with that very well. The Wikipedia page says that primes with the strong property are not considered necessary by some cryptography experts, but I don't know what the tradeoffs of using "-dsaparam" are. Please note this is being used for an (nginx-based) SSL server, if that helps provide context.

I know that it is much faster. Generating a 2048-bit Diffie-Hellman parameter using "-dsaparam" takes ~10 seconds vs. ~30 minutes for the strong prime defaults on the server I'm testing it on.

The downside is not very clear to me, however. I know the man pages say "DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise." This isn't clear to me: should each connection the SSL server makes use a different dsaparam-based dhparam? Is there another meaning here?

Any clarification on what I should beware of when using -dsaparam, and on what a "new use" is when deciding when to make fresh DH keys, would be very appreciated.

Thanks,

Ethan
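Added illustration, not code from the thread, from OpenSSL, or from the poster: a toy Python script showing the structural difference the man page's warning is about. With a safe prime (the dhparam default) p = 2q + 1 with q prime, so the only subgroups apart from the large one have order 1 or 2; with DSA-style parameters (-dsaparam) g still generates a prime-order-q subgroup, but p - 1 = q * cofactor with a large cofactor that has small factors, so small-order elements exist. The script classifies a (p, g) pair, lists the small subgroup orders a peer could pick from, and applies the standard membership check pow(y, q, p) == 1 on a peer's public value, which is the check that needs q to be known. All parameter values, the trial-division factoring helper and the function names are constructed for this example (tiny toy sizes, not usable DH parameters).

```python
# Added, stand-alone illustration (not code from the thread or from OpenSSL):
# compares "safe prime" DH parameters (the openssl dhparam default, p = 2q + 1)
# with DSA-style parameters (-dsaparam, p = q * cofactor + 1, small cofactor
# factors) and shows the subgroup-membership check on a peer's public value.
# All parameter values below are tiny, constructed for illustration only.

import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; fine for the toy sizes used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prime_factors(n):
    """Distinct prime factors by trial division (toy sizes only)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors


def subgroup_order(p, g):
    """Multiplicative order of g modulo the prime p (needs p-1 factored)."""
    order = p - 1
    for f in prime_factors(p - 1):
        while order % f == 0 and pow(g, order // f, p) == 1:
            order //= f
    return order


def describe_params(p, g):
    """Return (q, cofactor, is_safe_prime) for generator g modulo p."""
    q = subgroup_order(p, g)
    cofactor = (p - 1) // q
    return q, cofactor, cofactor == 2 and is_probable_prime(q)


def validate_peer_public(p, q, y):
    """Accept y only if 1 < y < p-1 and y lies in the order-q subgroup.

    With DSA-style parameters this check (which requires knowing q) is what
    keeps a small-order y from revealing anything about a reused private
    exponent; when q is not available, the remaining defence is the one the
    man page names: a fresh private key for every exchange.
    """
    return 1 < y < p - 1 and pow(y, q, p) == 1


def element_of_order(p, n):
    """Find an element of exact order n modulo p (n must divide p-1); toy only.

    Used here solely to build test vectors for validate_peer_public().
    """
    if (p - 1) % n:
        raise ValueError("n must divide p-1")
    for h in range(2, p - 1):
        y = pow(h, (p - 1) // n, p)
        if y != 1 and subgroup_order(p, y) == n:
            return y
    raise ValueError("no element of that order found")


# Constructed toy parameter sets (NOT usable DH parameters):
SAFE_P, SAFE_G = 2039, 2     # 2039 = 2*1019 + 1, both prime: a safe prime
DSA_P, DSA_G = 67, 64        # 67 = 6*11 + 1: DSA-style, q = 11, cofactor 6

if __name__ == "__main__":
    for label, p, g in (("safe-prime", SAFE_P, SAFE_G), ("dsa-style", DSA_P, DSA_G)):
        q, cofactor, safe = describe_params(p, g)
        print(f"{label}: p={p} g={g} q={q} cofactor={cofactor} safe_prime={safe}")
        print("  small subgroup orders a peer could choose from:",
              sorted(d for d in range(2, cofactor + 1) if cofactor % d == 0))
    # A peer value of order 3 modulo DSA_P must be rejected; a genuine value passes.
    bad = element_of_order(DSA_P, 3)
    good = pow(DSA_G, 5, DSA_P)
    print("reject order-3 value:", not validate_peer_public(DSA_P, 11, bad))
    print("accept subgroup value:", validate_peer_public(DSA_P, 11, good))
```

Run it with python3 and compare the two parameter sets: the safe prime offers only the order-2 subgroup, which the range check 1 < y < p-1 already excludes, while the DSA-style set has order-2, -3 and -6 elements that only the pow(y, q, p) check catches. For real parameter files the openssl tool's own validation (openssl dhparam -check) is the thing to run, not this toy code.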

Ethan Rahn

Nov 3, 2015, 3:10:12 PM
Hello,

Pinging again to try and get a response.

Thanks for your time,

Ethan