Vincent Levesque wrote:
>
> Hello,
>
> I've looked around and I'm still a little bit confused about a few
> details of Diffie-Hellman. (This is not specific to openssl so feel free
> to ignore me :-). First of all, my "experimentations" seem to show that
> only the server side needs Diffie-Hellman parameters: why is that? Also
> I'd like to know if the Diffie-Hellman parameters can be safely stored
> as cleartext in a file. (I'm pretty sure they can but I'd like to be
> 100% sure.) Finally is hardcoding the Diffie-Hellman parameters into an
> application safe?
>
The two keys that are used to produce the DH shared secret have to have
the same parameters. The standard states that the server provides them.
The client then uses these parameters and generates/uses a DH key with
the same parameters.
DH parameters can be safely stored in a world readable file. This stuff
is sent out unencrypted during the SSL/TLS handshake anyway.
As for hard coding parameters... hmm thats is debatable. Probably better
to allow them to be overridden. When parameters are hard coded there is
always the suspicion that there is some sinister motive, such as a back
door of some sort.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
