Product Documentation

Diffie-Hellman (DH) key generation and achieving PFS with DHE

The Diffie-Hellman (DH) key exchange lets the two parties in an SSL/TLS transaction, which have no prior knowledge of each other, agree on a shared secret over an insecure channel. That secret is then used to derive the keying material, mainly the keys for the symmetric ciphers that protect the session, for cipher suites that use DH as their key exchange.

This feature is disabled by default and must be configured explicitly before cipher suites that use DH as the key exchange algorithm can be negotiated.

Note:

Generating a 2048-bit DH key may take a long time (up to 30 minutes).

Generate a DH key by using the CLI

At the command prompt, type the following command:

create ssl dhparam <dhFile> [<bits>] [-gen (2 | 5)]

Example:

create ssl dhparam Key-DH-1 2048 -gen 2

Note:

Do not generate a group smaller than 2048 bits. A 512-bit group is trivially breakable, 1024-bit groups are considered weak (see the Logjam attack), and many TLS clients now refuse to complete a handshake with such groups.

Generate a DH key by using the GUI

Navigate to Traffic Management > SSL and, in the Tools group, select Create Diffie-Hellman (DH) key, and generate a DH key.

Note:

For information about DH parameters, see Diffie-Hellman (DH) parameters.
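The checker below is an added example for this page, not NetScaler code. It validates a DH parameter file before it is uploaded or bound: modulus size against a 2048-bit policy, generator 2 or 5 (the only values -gen accepts), and that p is a safe prime (p = 2q + 1 with q prime), which is what OpenSSL-style generation produces and what rules out small-subgroup problems. It assumes the dhFile written by create ssl dhparam is an OpenSSL-style PEM "DH PARAMETERS" file whose DER body is SEQUENCE { INTEGER p, INTEGER g }; the MIN_BITS policy, the helper names and the constructed 128-bit sample group are the editor's assumptions.

```python
"""Check a PEM DH parameter file before uploading it to the appliance.

Added example for this page, not NetScaler code. Assumes the dhFile from
`create ssl dhparam` is an OpenSSL-style "DH PARAMETERS" PEM file whose
DER body is SEQUENCE { INTEGER p, INTEGER g }.
"""
import base64
import random

MIN_BITS = 2048               # policy: 512- and 1024-bit groups are weak
ALLOWED_GENERATORS = {2, 5}   # the only values `-gen` accepts

# Small odd primes for fast trial division ahead of Miller-Rabin.
SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=32):
    """Trial division, then Miller-Rabin with a fixed-seed RNG (deterministic)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    # One extra leading byte when the top bit is set keeps the INTEGER positive.
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(b)) + b


def _der_read(buf, pos):
    """Return (tag, contents, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_dh_params(p, g):
    """Build a PEM DH PARAMETERS block (used here to construct test data)."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def parse_dh_params(pem):
    """Return (p, g) from a PEM DH PARAMETERS block."""
    b64 = "".join(l.strip() for l in pem.splitlines()
                  if l.strip() and not l.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    tag_p, p_bytes, pos = _der_read(seq, 0)
    tag_g, g_bytes, _ = _der_read(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (p, g)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dh_params(pem, min_bits=MIN_BITS):
    """Return a list of findings; an empty list means the group is acceptable."""
    p, g = parse_dh_params(pem)
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"group is {p.bit_length()} bits, below {min_bits}")
    if g not in ALLOWED_GENERATORS:
        findings.append(f"generator {g} is not 2 or 5")
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime, so the order of g may be small or have small factors")
    return findings


def find_safe_prime(bits, seed=1):
    """Construct a small safe prime p = 2q + 1 for sample data (far too slow for 2048 bits)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


if __name__ == "__main__":
    # Constructed sample: a 128-bit safe prime, well below the 2048-bit policy.
    pem = encode_dh_params(find_safe_prime(128), 2)
    print(check_dh_params(pem))                 # rejected: group too small
    print(check_dh_params(pem, min_bits=128))   # passes only under a relaxed policy
```

Running check_dh_params on a real 2048-bit file takes well under a second, since Miller-Rabin on a 2048-bit modulus is a handful of modular exponentiations. The same three properties can be cross-checked with openssl dhparam -in Key-DH-1 -check -text on a host that has OpenSSL.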

Achieve perfect forward secrecy with DHE

Generating the DH key is a CPU-intensive operation. In earlier releases, key generation on a VPX appliance took a long time because it was done entirely in software. Key generation is now optimized by setting the dhKeyExpSizeLimit parameter, which uses the shorter private exponent size recommended in NIST SP 800-56A instead of a full-length exponent; the modulus size, and therefore the strength of the group, is unchanged. You can set this parameter for an SSL virtual server, or set it for an SSL profile and then bind the profile to a virtual server.

Additionally, to achieve perfect forward secrecy (PFS), the DH count should be zero, so that a fresh DH key is generated for every transaction. With this enhancement, you can set a DH count of 0 (the minimum) without a significant drop in performance, because the operation is optimized. Earlier, the minimum DH count allowed was 500. That is, the same DH private value was reused for up to 500 transactions, and compromise of that value would have exposed all of those sessions, which is exactly what PFS is meant to prevent.

Important:

PFS is not supported on a VPX appliance.

Optimize DH key generation by using the CLI

At the command prompt, type commands 1 and 2 (set the parameters in an SSL profile, then bind the profile to the virtual server), or type command 3 (set the parameters directly on the virtual server). For PFS, set -dhCount 0:

1.  add ssl profile <name> [-sslProfileType ( BackEnd | FrontEnd )] [-dhCount <positive_integer>] [-dh ( ENABLED | DISABLED) -dhFile <string>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED)]
2.  set ssl vserver <vServerName> [-sslProfile <string>]
3.  set ssl vserver <vServerName> [-dh ( ENABLED | DISABLED) -dhFile <string>] [-dhCount <positive_integer>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED )]

Optimize DH key generation by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual server.
  2. In the SSL Parameters section, select Enable DH Key Expire Size Limit.
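Once DH is enabled and the optimized key generation is configured, the result should be confirmed from the client side rather than trusted. The script below is an added example for this page, not NetScaler code: it offers only DHE suites to the virtual server through openssl s_client and parses the "Server Temp Key:" line that OpenSSL 1.0.2 and later print, failing if no DHE suite was negotiated, if the server fell back to another key exchange, or if the DH group is smaller than 2048 bits. The appliance-side commands quoted in the docstring follow the syntax on this page; the names Key-DH-1, fe-pfs and lb-vs1, the 2048-bit threshold, and the three constructed s_client transcripts are the editor's assumptions.

```python
"""Verify from a client that a virtual server negotiates DHE with an
adequate group, by parsing `openssl s_client` output.

Added example for this page, not NetScaler code. The appliance-side
configuration it checks (NetScaler CLI syntax from this page; Key-DH-1,
fe-pfs and lb-vs1 are placeholder names):

    create ssl dhparam Key-DH-1 2048 -gen 2
    add ssl profile fe-pfs -sslProfileType FrontEnd -dh ENABLED -dhFile Key-DH-1 -dhCount 0 -dhKeyExpSizeLimit ENABLED
    set ssl vserver lb-vs1 -sslProfile fe-pfs

Relies on the "Server Temp Key:" line printed by OpenSSL 1.0.2 and later.
"""
import re
import subprocess

MIN_DH_BITS = 2048
# "Server Temp Key: DH, 2048 bits" / "ECDH, P-256, 256 bits" / "X25519, 253 bits"
TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*(\w+)(?:,\s*[\w-]+)?,\s*(\d+) bits", re.M)
# "    Cipher    : DHE-RSA-AES256-GCM-SHA384" inside the SSL-Session block
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def parse_handshake(output):
    """Pull the negotiated cipher and the server's ephemeral key type and size."""
    cipher = CIPHER_RE.search(output)
    tk = TEMP_KEY_RE.search(output)
    return {
        "cipher": cipher.group(1) if cipher else None,
        "kex": tk.group(1) if tk else None,
        "bits": int(tk.group(2)) if tk else None,
    }


def assess(info, min_dh_bits=MIN_DH_BITS):
    """Return findings; an empty list means DHE with an adequate group was negotiated."""
    if info["cipher"] in (None, "0000", "(NONE)"):
        return ["no DHE cipher negotiated (DH disabled, no DH file bound, or no DHE suites enabled)"]
    if info["kex"] is None:
        return ["s_client did not report a temp key (OpenSSL older than 1.0.2?)"]
    if info["kex"] != "DH":
        return [f"key exchange is {info['kex']}, not finite-field DHE"]
    if info["bits"] < min_dh_bits:
        return [f"DH group is {info['bits']} bits, below {min_dh_bits}"]
    return []


def probe(host, port=443):
    """Handshake with the virtual server, offering only DHE suites over TLS 1.2."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-tls1_2", "-cipher", "DHE"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=15).stdout
    return assess(parse_handshake(out.decode(errors="replace")))


# Constructed, abridged s_client transcripts so the checks can run offline.
SAMPLE_OK = """\
Server Temp Key: DH, 2048 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_WEAK = """\
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA
SSL-Session:
    Cipher    : DHE-RSA-AES128-SHA
"""
SAMPLE_NONE = """\
New, (NONE), Cipher is (NONE)
SSL-Session:
    Cipher    : 0000
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK), ("none", SAMPLE_NONE)):
        print(name, assess(parse_handshake(sample)) or "PASS")
    # probe("lb-vs1.example.net")   # live check against the configured virtual server
```

A single handshake shows the negotiated suite and group size, which is what the DH file and dhKeyExpSizeLimit settings affect; it cannot show whether dhCount is 0, since key reuse is only visible by comparing the server's DH public value across consecutive handshakes.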
