Regenerating DHparams

Regenerating DHparams

Postfix User-2
Is there any recommended schedule for regenerating DHparams for Postfix? I
could not find anything specific about it.

--
Jerry

Re: Regenerating DHparams

Viktor Dukhovni
> On Nov 7, 2018, at 1:39 PM, Postfix User <[hidden email]> wrote:
>
> Is there any recommended schedule for regenerating DHparams for Postfix? I
> could not find anything specific about it.

Since the parameters are not secret (in fact sent to the client with every
full handshake), there's no risk of compromise through disclosure.  So the
only risk is a successful "index method" pre-computation that makes subsequent
discrete logarithms easier to compute.

I am not aware of any research that suggests such attacks are feasible for
2048-bit DH parameters, so there's no specific guidance on rotation frequency.
Most users probably just run with the default compiled-in parameters, but you
can rotate yours periodically.  Just generating parameters once that are not
the same as those of most other users is probably good enough, but it is also
cheap to rotate them.  It is easy to set up a cron job that runs every 30 days,
so that might be reasonable.

--
        Viktor.


Re: Regenerating DHparams

A. Schulze

Viktor Dukhovni:

> It is easy to set up a cron job that runs every 30 days,

Hello,

That's the first time I personally note a specific time window.
Thanks for sharing your position.

I also regenerate DH parameters on a monthly basis,
not every month but approximately every half year...

   if [ "$( hexdump -n 1 -e '/2 "%u"' /dev/urandom )" -gt 42 ]; then
     echo 'skip dh generation this month'
   else
     ... new dh parameter
   fi

Andreas

Re: Regenerating DHparams

dln
I picked this up from documentation somewhere:-

/etc/cron.daily/postfix_pfs_edh_regenerate
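#!/bin/bash
# Regenerate the EDH parameter files kept in /etc/postfix.
cd /etc/postfix || exit 1
umask 022
for length in 512 1024 2048
do
    # Write to a temp file first so a failed run never replaces the live file.
    openssl dhparam -out "dh_$length.tmp" "$length" &&
        mv "dh_$length.tmp" "dh_$length.pem" &&
        chmod 644 "dh_$length.pem"
done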


--
Regards =dn
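
An added example, not code from this thread or from Postfix: a cron-friendly variant of the rotation discussed above that regenerates only once the file is past the 30-day age suggested in the thread, checks that the new file parses, and renames it into place so a failed run leaves the old parameters intact. The function names, the argument order and the path in the comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example: age-gated, validated, atomic DH parameter rotation.
# Intended to be run often (e.g. daily from cron); it does nothing until
# the existing file is more than max_days days old.
# Usage (path is an assumption): rotate.sh /etc/postfix/dh_2048.pem 2048 30

# Return 0 (rotation due) if the file is missing or older than max_days.
dh_rotation_due() {
    file=$1 max_days=$2
    [ -f "$file" ] || return 0
    [ -n "$(find "$file" -mtime +"$max_days" -print)" ]
}

# Generate into a temp file in the same directory, confirm openssl can
# parse and check it, then rename it over the live file. On any failure
# the temp file is removed and the existing parameters stay untouched.
rotate_dh() {
    dest=$1 bits=${2:-2048} max_days=${3:-30}
    dh_rotation_due "$dest" "$max_days" || return 0   # still fresh
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if openssl dhparam -out "$tmp" "$bits" 2>/dev/null &&
       openssl dhparam -in "$tmp" -check -noout 2>/dev/null
    then
        # Parameters are public, so world-readable is fine (as in the
        # script posted above); mv within one directory is atomic.
        chmod 644 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Only act when called with arguments, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
    rotate_dh "$@"
fi
```

Because the age check makes the script idempotent, a missed or failed cron run is simply retried on the next invocation.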