What is the purpose of Diffie-Hellman parameters?

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
GuiTeK
OpenVpn Newbie
Posts: 1
Joined: Thu Sep 04, 2014 7:43 pm

What is the purpose of Diffie-Hellman parameters?

Post by GuiTeK » Thu Sep 04, 2014 8:35 pm

Hello,

I'm setting up my OpenVPN server and I was wondering: what's the purpose of the Diffie-Hellman parameters? I understand it's used to exchange cryptographic keys secretly but why is it needed since OpenVPN already uses asymmetric encryption (RSA)?

While writing this post, I ultimately found this thread from the mailing lists: http://openvpn.net/archive/openvpn-user ... 00532.html
It says that RSA is only used for authentication and that D-H is then used to make the keys with which data is encrypted/decrypted. For two reasons:
  • D-H is subject to MITM attacks, so it can't be used for authentication
  • D-H is much faster than RSA to generate cryptographic keys, so it's better to use D-H to generate session keys
So the server and clients certificates are indeed only used for authentication?

glorsh66
OpenVpn Newbie
Posts: 18
Joined: Tue Mar 10, 2020 11:17 am

Re: What is the purpose of Diffie-Hellman parameters?

Post by glorsh66 » Wed Mar 09, 2022 3:51 pm

Sorry for necroposting, but I am wat to ask the same questions!

Goodman74
OpenVpn Newbie
Posts: 2
Joined: Tue Jun 07, 2022 8:12 am

Re: What is the purpose of Diffie-Hellman parameters?

Post by Goodman74 » Thu Jun 09, 2022 3:50 am

If I right remember that i was reached before about VPN:
- PKI and asymmetric keys (private & public) are used for authentication which very safe but not very fast.
- after authentication process is finished and was created a tunnel (VPN) for transportation data will used one symmetric key which very fast, but not very safe. Therefore it will used the unique parameters (a secret value) for every session, which generated for both point after authentication process.
Updated link to some post about it https://security.stackexchange.com/a/65877

Post Reply