Skip to main content

4.4. Modular Exponential vs. Elliptic Curve DH Cipher Suites

Not all TLS implementations support both modular exponential (MODP) and elliptic curve (EC) Diffie-Hellman groups, as required by Section 4.2. Some implementations are severely limited in the length of DH values. When such implementations need to be accommodated, the following are RECOMMENDED (in priority order):

  1. Elliptic Curve DHE with appropriately negotiated parameters (e.g., the curve to be used) and a Message Authentication Code (MAC) algorithm stronger than HMAC-SHA1 [RFC5289]

  2. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [RFC5288], with 2048-bit Diffie-Hellman parameters

  3. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, with 1024-bit parameters

Rationale: Although Elliptic Curve Cryptography is widely deployed, there are some communities where its adoption has been limited for several reasons, including its complexity compared to modular arithmetic and longstanding perceptions of IPR concerns (which, for the most part, have now been resolved [RFC6090]). Note that ECDHE cipher suites exist for both RSA and ECDSA certificates, so moving to ECDHE cipher suites does not require moving away from RSA-based certificates. On the other hand, there are two related issues hindering effective use of MODP Diffie-Hellman cipher suites in TLS:

  • There are no standardized, widely implemented protocol mechanisms to negotiate the DH groups or parameter lengths supported by client and server.

  • Many servers choose DH parameters of 1024 bits or fewer.

  • There are widely deployed client implementations that reject received DH parameters if they are longer than 1024 bits. In addition, several implementations do not perform appropriate validation of group parameters and are vulnerable to attacks referenced in Section 2.9 of [RFC7457].

Note that with DHE and ECDHE cipher suites, the TLS master key only depends on the Diffie-Hellman parameters and not on the strength of the RSA certificate; moreover, 1024 bit MODP DH parameters are generally considered insufficient at this time.

With MODP ephemeral DH, deployers ought to carefully evaluate interoperability vs. security considerations when configuring their TLS endpoints.

Last updated on