search

eustasy / Bubbly

BASH: Better SSL in Nginx in 10 minutes. Configuration files and setup scripts for Certbot.
MIT License
218 stars 21 forks source link

Speed up DH Parameter generation. #21

Closed lewisgoddard closed 6 years ago

lewisgoddard commented 6 years ago

Option 1: Use the dsaparam flag on generation.

The reasonable solution would be to add the -dsaparam option.

openssl dhparam -dsaparam -out /etc/ssl/private/dhparam.pem 4096

This option instructs OpenSSL to produce "DSA-like" DH parameters (p is such that p-1 is a multiple of a smaller prime q, and the generator has multiplicative order q). This is considerably faster because it does not need to nest the primality tests, and thus only thousands, not millions, of candidates will be generated and tested.

As far as academics know, DSA-like parameters for DH are equally secure; there is no actual advantage to using "strong primes" (the terminology is traditional and does not actually imply some extra strength).

Similarly, you may also use a 2048-bit modulus, which is already very far into the "cannot break it zone". The 4096-bit modulus will make DH computations slower (which is not a real problem for a VPN; these occur only at the start of the connection), but won't actually improve security.

To some extent, a 4096-bit modulus may woo auditors, but auditors are unlikely to be much impressed by a Raspberry-Pi, which is way too cheap anyway.

Source

Option 2. Use a service

curl https://2ton.com.au/dhparam/4096

Option 3. Install a randomness generator like rng-tools

See https://www.cyberciti.biz/open-source/debian-ubuntu-centos-linux-setup-additional-entropy-for-server-using-aveged-rng-tools-utils/

lewisgoddard commented 6 years ago

Are DSA-like parameters for DH equally secure? If so, that's one easy flag so significantly speed things up.

lewisgoddard commented 6 years ago

If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, "strong" primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.

Source: Linux Man Page

lewisgoddard commented 6 years ago

None of these options seem perfectly secure or guaranteed to work, so I'm going to leave it as is for now.