CTX213335

How do I set up a Diffie-Hellman key on NetScaler?

Applicable Products

  • NetScaler

Objective

Diffie-Hellman, also known as D-H, is named after Whitfield Diffie and Martin Hellman, who proposed this public key exchange scheme in 1976. Diffie-Hellman key exchange is a method for establishing a shared secret between two entities that have no prior knowledge of each other; the secret can then be used to encrypt sensitive information exchanged over a public channel. Key generation in D-H is relatively fast, so it is used for Perfect Forward Secrecy, where a unique key is generated for every session a user initiates or whenever an existing session is renegotiated. Even if the key for a particular session is compromised, past and future sessions remain protected.

Use Case
Ramesh wants to communicate with Suresh securely using the DH key exchange mechanism. For Ramesh and Suresh to use the D-H key exchange algorithm:
  • They both must agree on a Prime Modulus and a Generator (say PM = 13, G = 6). These values can be disclosed publicly by Ramesh or Suresh.
  • They both must have a Private Key (say Ramesh chooses 3 and Suresh chooses 10).

Now, how can Ramesh and Suresh agree on a common shared secret?
The secret is shared between the entities using a one-way function (modular exponentiation).
1) Ramesh calculates 6^3 mod 13, which is 8, and sends it publicly to Suresh. Suresh does the same procedure using his private key: he calculates 6^10 mod 13, which is 4, and sends it publicly to Ramesh.
2) Ramesh takes Suresh's value and computes 4^3 mod 13, which is 12. Suresh does the same procedure using his private key, calculating 8^10 mod 13, which is also 12.
Thus Ramesh and Suresh have the same secret, which can be used for encrypting further communication between them.
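The walk-through above in Python, as an added illustration that is not part of the Citrix article: toy_exchange reproduces the 8, 4 and 12 from the Ramesh/Suresh example, and DHEndpoint generalizes it with random private exponents and a refresh count modelled on the NetScaler Refresh Count setting described in the instructions. PM = 13 and G = 6 are the article's toy values and are far too small for real use; a real DH parameter file uses the sizes discussed under Instructions.

```python
import secrets


def dh_public_value(p: int, g: int, priv: int) -> int:
    """Value sent over the public channel: g^priv mod p."""
    return pow(g, priv, p)


def dh_shared_secret(p: int, peer_pub: int, priv: int) -> int:
    """Secret derived from the peer's public value: peer_pub^priv mod p."""
    return pow(peer_pub, priv, p)


def toy_exchange(p: int = 13, g: int = 6, priv_a: int = 3, priv_b: int = 10) -> tuple:
    """The article's numbers (PM = 13, G = 6, Ramesh 3, Suresh 10); only pub_a and pub_b travel."""
    pub_a = dh_public_value(p, g, priv_a)          # Ramesh -> Suresh
    pub_b = dh_public_value(p, g, priv_b)          # Suresh -> Ramesh
    secret_a = dh_shared_secret(p, pub_b, priv_a)  # Ramesh's result
    secret_b = dh_shared_secret(p, pub_a, priv_b)  # Suresh's result
    return pub_a, pub_b, secret_a, secret_b


class DHEndpoint:
    """One side of the exchange: keeps a DH key pair and regenerates it after every
    refresh_count handshakes, like NetScaler's Refresh Count (0 = never regenerate)."""

    def __init__(self, p: int, g: int, refresh_count: int = 0):
        self.p, self.g, self.refresh_count = p, g, refresh_count
        self.handshakes = self.regenerations = 0
        self._new_key_pair()

    def _new_key_pair(self) -> None:
        self.priv = secrets.randbelow(self.p - 2) + 1   # fresh exponent, 1 <= priv <= p - 2
        self.pub = dh_public_value(self.p, self.g, self.priv)

    def handshake(self, peer_pub: int) -> int:
        secret = dh_shared_secret(self.p, peer_pub, self.priv)
        self.handshakes += 1
        if self.refresh_count and self.handshakes % self.refresh_count == 0:
            self._new_key_pair()
            self.regenerations += 1
        return secret


def session(a: DHEndpoint, b: DHEndpoint) -> bool:
    """One handshake; both sides read the peer's current public value before either
    side rotates, so the secrets agree even across a refresh boundary."""
    pub_a, pub_b = a.pub, b.pub
    return a.handshake(pub_b) == b.handshake(pub_a)
```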

Instructions

How to configure a D-H Key on NetScaler
The D-H key is disabled by default. For ciphers that use D-H as the key exchange algorithm, it has to be configured explicitly.
Step 1: Navigate to Configuration tab -> Traffic Management -> SSL

Under Tools, click “Create Diffie-Hellman (DH) key”.
Step 2: Configure SSL DH Param
  • DH Filename indicates the name of the file that holds the DH parameters. The file (in this case “DH_Key”) is created under /nsconfig/ssl/ by default.
  • DH Parameter Size ranges from a minimum of 512 bits to a maximum of 2048 bits.
  • DH Generator indicates the generator value used for generating the D-H key, as discussed in the use case.
To generate the D-H key using the CLI, the command “create ssl dhparam [] [-gen (2 | 5)]” can be used.
The created D-H file contains the parameters between -----BEGIN DH PARAMETERS----- and -----END DH PARAMETERS-----.
To check the list of ciphers for which D-H parameters should be set, use the “show cipher DH” command at the command prompt.

After generating the key, it has to be enabled on the SSL vserver. The DH key is enabled in an SSL profile, which is in turn enabled on the SSL vserver.
Navigate to Traffic Management -> Load Balancing -> Virtual Servers -> select the SSL vserver -> click Edit
Select the SSL Profile and enable DH Parameters.
Refresh count indicates the number of interactions, between the client and the NetScaler appliance, after which the D-H private-public pair is regenerated. A value of zero (0) specifies infinite use (no refresh). This parameter is not applicable when configuring a backend profile.

To apply the D-H key directly to the vserver using the CLI, use the following command:
>set ssl vserver -dh ENABLED -dhFile /DHkeyfile

Thus, by applying the D-H key to the vserver using either the configuration utility or the CLI, D-H parameters are enabled for key exchange.