This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Recommend the use of FFDHE over DHE #1

Open
Razerwire opened this issue Jan 6, 2021 · 4 comments

Comments

@Razerwire

Dear Sir/Madam,

Regarding the use of Diffie-Hellman ephemeral key exchanges, I think there might be room for improvement to these guidelines.

I'm a bit surprised that the guidance does not recommend the use of 'Finite Field Diffie-Hellman Ephemeral Parameters' (FFDHE).

FFDHE parameters should be preferred to randomly generated or pre-configured groups; these groups have been audited and may be more resistant to attacks than randomly generated or pre-configured groups. [1]

Furthermore, the use of FFDHE is recommended by the IETF in RFC7919 [2] and (for what it's worth) is mandated by the Dutch NCSC. [3]

Should one wish to implement the use of FFDHE, copies of the aforementioned groups can be obtained from the Dutch Internet Standards Platform or from Mozilla.

To check if the use of FFDHE is properly implemented, one might find testssl.sh useful.

With kind regards,
Ruben Hummel

@iadgovuser1
Contributor

@Razerwire Hi. Thanks for the feedback! One of our crypto folks is likely going to be tweaking cipher configurations. We already made one change. We will take your comment into account and I'll let you know what is decided.

@Razerwire
Author

@iadgovuser1
Dear Sir/Madam,

You're welcome, I'll await the decision.

With kind regards,
Ruben Hummel

@Razerwire
Author

Please note, regarding the guidelines of the Dutch NCSC (NCSC-NL) requiring the use of FFDHE if DHE key-exchange is used, that the guidelines were updated to v.2.1 today.

This, however, does not change the requirement to implement FFDHE if DHE is configured.
(The biggest change in the guidelines is downgrading TLS 1.2 from "Good" to "Sufficient", as NCSC-NL recommends moving to TLS 1.3.)

The most recent version can be found here:
IT Security Guidelines for Transport Layer Security (TLS) version 2.1 | NCSC-NL

@ajlaing

ajlaing commented Jan 21, 2021

Use of FFDHE-3072 and FFDHE-4096 is recommended for NSS for use in the recommended DHE ciphersuites.
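The check discussed in this thread (is a server's DH prime one of the RFC 7919 groups?) can be done offline. The following is an added example, not code from any participant or from the repository: it rebuilds the ffdhe2048/3072/4096 primes from the formula in RFC 7919 Appendix A and matches a prime against them. The function names are hypothetical, and the prime is assumed to be already extracted as an integer from the server's DH parameters.

```python
"""Added example: decide whether a DH prime is an RFC 7919 FFDHE group."""
# RFC 7919 Appendix A defines each prime by formula:
#   p = 2^b - 2^(b-64) + (floor(2^(b-130) * e) + X) * 2^64 - 1
# X values as given in RFC 7919 for ffdhe2048, ffdhe3072 and ffdhe4096.
FFDHE_X = {2048: 560316, 3072: 2625351, 4096: 5736041}

def e_scaled(bits, guard=64):
    """floor(e * 2**bits) from the series e = sum(1/k!), integers only."""
    term = 1 << (bits + guard)      # 1/0!, scaled
    total, k = 0, 0
    while term:
        total += term
        k += 1
        term //= k                  # next term: 1/k!, scaled
    return total >> guard           # guard bits absorb truncation error

def ffdhe_prime(b):
    """Rebuild the b-bit RFC 7919 prime from its defining formula."""
    return (1 << b) - (1 << (b - 64)) + ((e_scaled(b - 130) + FFDHE_X[b]) << 64) - 1

KNOWN = {ffdhe_prime(b): f"ffdhe{b}" for b in FFDHE_X}

def classify_dh_prime(p):
    """Return the RFC 7919 group name for prime p, or None if non-standard."""
    return KNOWN.get(p)

def is_probable_prime(n, bases=(2, 3, 5, 7)):
    """Miller-Rabin with fixed bases; used to sanity-check the rebuilt primes."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

if __name__ == "__main__":
    std = ffdhe_prime(3072)
    custom = std - (1 << 100)       # constructed non-standard value, illustration only
    for p in (std, custom):
        print(p.bit_length(), classify_dh_prime(p) or "not an RFC 7919 group")
```
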
