[gnutls-help] too few bits from gnutls_dh_params_generate2() ?
Pierre Ossman
ossman at cendio.se
Tue Nov 11 13:35:56 CET 2014
On Tue, 11 Nov 2014 13:32:01 +0100,
Manuel Pégourié-Gonnard wrote:
> On 11/11/2014 12:50, Pierre Ossman wrote:
> > TBH, I've never gotten a good grasp on what a good security policy is with
> > regard to DH params. Some have pregenerated values, but I also see
> > references that they should be regenerated every few hours/days/etc.
> >
> > Got any insight to share?
> >
> The DH params (i.e. prime and generator) can totally be static. There are even
> RFCs defining standardising values for them (3526, 5114, maybe more).
>
> The thing that should be regenerated regularly (ideally every key exchange,
> for truly ephemeral DH) is your private-public DH key pair.
>
Is that done by GnuTLS implicitly? I don't see anything in our use of
GnuTLS that generates such things even once.
Rgds
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600 https://plus.google.com/+CendioThinLinc
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?