Achieving Perfect Forward Secrecy With DHE

Jun 24, 2015

Generating the DH key is a CPU-intensive operation. In earlier releases, key generation on a VPX appliance took a long time because it was done in software. Key generation is now optimized (as defined by NIST in http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf) by setting the dhKeyExpSizeLimit parameter. You can set this parameter on an SSL virtual server, or on an SSL profile that you then bind to a virtual server.

Additionally, to maintain perfect forward secrecy, the DH count should ideally be zero. With this enhancement, you can generate a new DH key for each transaction (the minimum dhCount is now 0) without a significant drop in performance, because the operation is optimized. Earlier, the minimum DH count allowed was 500; that is, the same key was reused for up to 500 transactions before being regenerated.
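The two settings above are easier to reason about with a small model. The following is an added illustration, not NetScaler code: it simulates DHE handshakes where the server reuses its DH key pair for `dh_count` transactions (0 means a fresh pair every time, as with dhCount 0), and where the private exponent is either modulus-sized or bounded to 256 bits (a stand-in for dhKeyExpSizeLimit, in the spirit of SP 800-56A). It then counts how many past session secrets an attacker who later obtains one server private exponent can recover from recorded handshakes. The group (the Mersenne prime 2^521 - 1 with generator 3) is a constructed toy group, not a NIST parameter set and not the group in an appliance's dhFile.

```python
"""Toy model of DHE key reuse (dhCount) and bounded private exponents
(dhKeyExpSizeLimit). Added example; not part of the product documentation."""
import secrets

# Constructed demo group: 2^521 - 1 is a known (Mersenne) prime. A real
# deployment takes its modulus and generator from the dhFile parameters.
P = (1 << 521) - 1
G = 3                       # assumption: demo generator
MODULUS_BITS = P.bit_length()
SHORT_EXP_BITS = 256        # bounded exponent size used when the limit is on


def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply returning (result, multiplications).
    The count makes the cost of full-size vs bounded exponents visible."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops += 1
        if bit == "1":
            result = result * base % mod
            ops += 1
    return result, ops


def private_exponent(exp_size_limit):
    """Draw a DH private exponent. With the limit enabled it is SHORT_EXP_BITS
    long; otherwise it is nearly modulus-sized. The top bit is forced so the
    exponent has exactly the chosen length."""
    bits = SHORT_EXP_BITS if exp_size_limit else MODULUS_BITS - 1
    return secrets.randbits(bits) | (1 << (bits - 1))


def server_keygen(exp_size_limit):
    """Generate the server's DH key pair; returns (private, public, cost)."""
    x = private_exponent(exp_size_limit)
    pub, ops = modexp_counted(G, x, P)
    return x, pub, ops


def run_sessions(n, dh_count, exp_size_limit=True):
    """Simulate n handshakes. dh_count models the appliance setting: the
    server key pair is regenerated after dh_count uses; 0 = fresh every time.
    Each session records what is visible on the wire plus the derived secret."""
    sessions = []
    server_x = server_pub = None
    uses = 0
    for _ in range(n):
        if server_x is None or dh_count == 0 or uses >= dh_count:
            server_x, server_pub, _ = server_keygen(exp_size_limit)
            uses = 0
        uses += 1
        client_y = private_exponent(exp_size_limit)   # clients always use fresh keys
        client_pub = pow(G, client_y, P)
        secret = pow(server_pub, client_y, P)          # client-side derivation
        assert secret == pow(client_pub, server_x, P)  # server side agrees
        sessions.append({"server_pub": server_pub, "client_pub": client_pub,
                         "server_x": server_x, "secret": secret})
    return sessions


def sessions_exposed_by_leak(sessions, leaked_index):
    """Attacker model: the server private exponent used in session
    leaked_index is compromised later. Count the recorded sessions whose
    secret that single exponent reproduces."""
    x = sessions[leaked_index]["server_x"]
    return sum(1 for s in sessions if pow(s["client_pub"], x, P) == s["secret"])


if __name__ == "__main__":
    reused = run_sessions(10, dh_count=500)   # old minimum: one key for 500 handshakes
    fresh = run_sessions(10, dh_count=0)      # new minimum: key per transaction
    print("sessions exposed with dhCount 500:", sessions_exposed_by_leak(reused, 3))
    print("sessions exposed with dhCount 0:  ", sessions_exposed_by_leak(fresh, 3))
    _, _, ops_full = server_keygen(exp_size_limit=False)
    _, _, ops_short = server_keygen(exp_size_limit=True)
    print("modular multiplications, full-size exponent:", ops_full)
    print("modular multiplications, bounded exponent:  ", ops_short)
```

With dhCount 500 one leaked server exponent unlocks every recorded session that used it, which is exactly the forward-secrecy loss the text describes; with dhCount 0 the damage is confined to the one session. The multiplication counts show why the bounded exponent makes per-transaction key generation affordable: the cost of the exponentiation scales with the exponent length, not the modulus length. Note that a short exponent is only safe in a group with a large prime-order subgroup, which is why the limit follows the NIST parameter-set rules rather than an arbitrary cut-off.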

To optimize DH key generation on a VPX appliance by using the command line

At the command prompt, type commands 1 and 2 (to configure the settings on an SSL profile and bind it to the virtual server), or type command 3 (to configure the settings directly on the virtual server):

  1. add ssl profile <name> [-sslProfileType ( BackEnd | FrontEnd )] [-dhCount <positive_integer>] [-dh ( ENABLED | DISABLED) -dhFile <string>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED)]
  2. set ssl vserver <vServerName> [-sslProfile <string>]
  3. set ssl vserver <vServerName> [-dh ( ENABLED | DISABLED) -dhFile <string>] [-dhCount <positive_integer>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED )]

To optimize DH key generation on a VPX appliance by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual server.
  2. In the SSL Parameters section, select Enable DH Key Expire Size Limit.