Remove Diffie-Hellman key exchange

Created: 28 Oct 2012 | 2 comments

Hi,

I am using Universal Server 3.20, and we are using WDE (no mail services). I have had a security review recently, and they are asking me to look into removing Diffie-Hellman key exchanges. We are using RSA key type for WDE, so this shouldn't be a problem. How do I do this though, and can you foresee any problems if I do this, i.e. do any PGP services use Diffie-Hellman by default?

Thanks


NextChris's picture

Hello!

I am very interested in the reason the auditors have to generally declare DH as insecure!?

To my knowledge the discrete logarithm problem isn't solved - is it?

The only reason to declare it as insecure could be that the DH itself doesn't authenticate partners, but if other components guarantee authentication there is no reason for denying the usage of DH. (See IPSec, IKE --> DH in use).

So do you really want to investigate which cryptographic algorithms are used for every product you use?

Better ask those auditors for a concrete explanation about their concerns about DH.

-------------------------------

btw - if you think DH could be used to encrypt your disk - then the answer is NO. DH is a key exchange algorithm to secure an unsecure channel.

Regards Chris

JK_117's picture

Hi,

We use RSA for key generation, so I would like to remove the DH/DSS (Diffie-Hellman). Is this possible?

Could someone give me the command line or GUI screen to do this?

Thanks
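
An inventory check related to this thread, as an added example that is not part of the original posts and not Symantec tooling: PGP's "DH/DSS" key type corresponds to the Elgamal and DSA algorithm IDs in the OpenPGP format (RFC 4880), so reading the algorithm octet of each key packet in a binary key export shows which keys are RSA and which are DH/DSS. The binary (non-armored) export, the function names and the sample packets are assumptions constructed for the example.

```python
import struct

# Public-key algorithm IDs from RFC 4880 section 9.1 (ECDH/ECDSA from RFC 6637).
ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
         16: "Elgamal (PGP 'DH')", 17: "DSA (PGP 'DSS')", 18: "ECDH", 19: "ECDSA"}
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:                  # one-octet length
                length, i = first, i + 1
            elif first < 224:                # two-octet length
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:               # five-octet length
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def key_algorithms(data):
    """Return [(packet kind, algorithm name)] for every key packet found."""
    found = []
    for tag, body in packets(data):
        if tag in KEY_TAGS:
            # v4: version(1) + created(4) + algo(1); v2/v3 add 2 octets of validity.
            off = {2: 7, 3: 7, 4: 5}.get(body[0])
            algo = body[off] if off is not None else None
            found.append((KEY_TAGS[tag], ALGOS.get(algo, "unknown (%s)" % algo)))
    return found

def sample_packet(tag, algo):  # constructed sample: old-format v4 key packet, dummy key material
    body = bytes([4]) + struct.pack(">I", 1351382400) + bytes([algo]) + b"\x00" * 8
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed input: one DH/DSS key (DSA primary, Elgamal subkey), then one RSA key.
SAMPLE = sample_packet(6, 17) + sample_packet(14, 16) + sample_packet(6, 1) + sample_packet(14, 1)
```

Calling `key_algorithms` on the bytes of an exported keyring returns one entry per primary key and subkey, so any Elgamal or DSA entry marks a DH/DSS key still in use.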