I'm setting up my OpenVPN server and I was wondering: what's the purpose of the Diffie-Hellman parameters? I understand it's used to exchange cryptographic keys secretly but why is it needed since OpenVPN already uses asymmetric encryption (RSA)?
While writing this post, I ultimately found this thread from the mailing lists: http://openvpn.net/archive/openvpn-user ... 00532.html
It says that RSA is only used for authentication and that D-H is then used to make the keys with which data is encrypted/decrypted. For two reasons:
- D-H is subject to MITM attacks, so it can't be used for authentication
- D-H is much faster than RSA to generate cryptographic keys, so it's better to use D-H to generate session keys