[cryptography] Diffie-Hellman Params Best Practice on Web Server?

Jeffrey Walton noloader at gmail.com
Sun Dec 8 20:23:19 EST 2013

Hi All,

Is there a best practice for Diffie-Hellman parameters (p, g, and q)
used on a web server?

The server is using ephemeral keys, but should the parameters be
rotated on a regular basis ? Is it OK for the server to keep them
fixed for years (in the source code)? Or should they be generated
uniquely for each site?

This server does not appear to be under NIST and FIPS, so I don't
believe they need to be fixed for compliance.


More information about the cryptography mailing list