DSA Advanced

Diffie-Hellman Key Exchange — Logjam and DH Group Pitfalls

Q: Does DH authenticate the parties?

No — basic DH is vulnerable to man-in-the-middle attacks. An attacker can intercept both parties' public keys, replace them with their own, and establish separate shared secrets with each party. TLS solves this by authenticating the server's DH public key with a certificate signed by a trusted CA.

Q: What is the difference between DHE and ECDHE?

DHE uses classic modular exponentiation over a finite field (prime p). ECDHE uses elliptic curve cryptography. ECDHE is faster, uses smaller keys (256-bit vs 2048-bit), and is the default in TLS 1.3. DHE is slower but offers better compatibility with older systems that lack ECC support. Both provide forward secrecy when ephemeral keys are used.

Q: Why can't we just use RSA for key exchange?

RSA key exchange doesn't provide forward secrecy. The session key is encrypted with the server's RSA public key. If an attacker records traffic and later obtains the server's RSA private key (e.g., via Heartbleed), they can decrypt all past sessions. DH/ECDH with ephemeral keys avoids this because the private key used for each session is temporary and discarded. TLS 1.3 removed RSA key exchange entirely.

Q: Is DH still secure against quantum computers?

No. Shor's algorithm solves the discrete logarithm problem in polynomial time. Both classic DH and ECDH are completely broken by a sufficiently large quantum computer. Post-quantum alternatives like CRYSTALS-Kyber (key encapsulation mechanism) are being standardized. In 2026, hybrid deployments using ECDHE + Kyber are recommended for long-term security. NIST selected Kyber in 2024 as the primary KEM.

Q: How do I check my server's DH group size?

Use OpenSSL: `openssl s_client -connect yourserver.com:443 -cipher 'DHE' -tls1_2 2>/dev/null | grep 'Server Temp Key'` — this shows the DH group size in bits. For a broader scan, use `nmap --script ssl-dh-params -p 443 yourserver.com`. If the size is below 2048, regenerate your dhparams.pem file with `openssl dhparam 2048` and update your web server config.

📅 March 24, 2026 ⏱ 3 min read 🎯 Advanced

Where developers are forged. · Structured learning · Free forever.

📍 Part of: Cryptography → Topic 4 of 10

512-bit DH groups let attackers decrypt TLS sessions in real time via Logjam.

🔥 Advanced — solid DSA foundation required

In this tutorial, you'll learn

512-bit DH groups let attackers decrypt TLS sessions in real time via Logjam.

DH protocol: share p,g publicly. Each party raises g to their private exponent mod p. Shared secret = g^(ab) mod p — same from both sides.
Security = discrete logarithm hardness: easy to compute g^x mod p, hard to recover x.
Forward secrecy: ephemeral DH generates fresh key pairs per session — past sessions secure even if long-term key is later compromised.

✦ Plain-English analogy ✦ Real code with output ✦ Interview questions

⚡Quick Answer

Diffie-Hellman lets two parties agree on a shared secret over an insecure channel
Uses modular exponentiation: both compute g^(a*b) mod p without exposing a or b
Security = discrete log problem: recovering a from g^a mod p is infeasible for 2048+ bit primes
Ephemeral DH (DHE/ECDHE) provides forward secrecy — past sessions safe even if long-term key leaks
TLS 1.3 mandates ECDHE; classic DH is obsolete due to performance and attack surface
Biggest mistake: using static DH key pairs or insufficient prime size (e.g. 512 bits)

🚨 START HERE

DH / ECDH Troubleshooting Cheat Sheet

Commands to diagnose DH group issues in TLS handshakes and verify forward secrecy.

🟡

Server uses export-grade DH (512 bits)

Immediate ActionBlock all EXPORT cipher suites in the server config immediately.

Commands

nmap --script ssl-dh-params -p 443 <target>

openssl s_client -connect <target>:443 -cipher 'EXPORT' -tls1

Fix NowEdit webserver config: set SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DH:!DHE; restart service.

🟡

TLS handshake fails with 'no shared cipher'

Immediate ActionCheck which cipher suites the server offers and what the client supports.

Commands

openssl s_client -connect <target>:443 -tls1_2 -cipher 'ECDHE' 2>&1 | grep -i 'Cipher is'

nmaps --script ssl-enum-ciphers -p 443 <target>

Fix NowEnable ECDHE cipher suites and ensure the server has proper elliptic curve support (e.g. X25519).

🟡

Performance impact from large DH groups on high-traffic servers

Immediate ActionSwitch from classic DHE to ECDH (X25519) for faster key exchange.

Commands

openssl speed ecdh

openssl speed dh2048

Fix NowConfigure ECDHE curves: ssl_ecdh_curve X25519:prime256v1 in nginx; restart service.

Production Incident

Logjam Attack: When DH Export-Grade Primes Broke TLS

In 2015, researchers showed that a man-in-the-middle could downgrade TLS connections to use 512-bit export-grade DH parameters, which they could break in minutes using precomputed discrete log tables.

SymptomTLS connections that negotiate DHE_EXPORT cipher suites accept 512-bit DH groups. Attackers can decrypt the session in real time after a one-time precomputation of the discrete log for a given prime.

AssumptionMost administrators believed that disabling export ciphers was sufficient. They didn't realise that many servers still accepted DHE_EXPORT even when not explicitly configured.

Root causeThe TLS protocol allows a server to downgrade to export-grade DH (512-bit) if the client advertises it. Many servers had export cipher suites enabled by default for backward compatibility.

FixDisable all export-grade cipher suites. Enforce minimum DH group size of 2048 bits. Use ECDHE which doesn't suffer from the same precomputation attacks.

Key Lesson

Export-grade cryptography should never be trusted — it was deliberately weakened to allow government decryption.Always test with tools like nmap's ssl-dh-params script to verify DH group sizes in production.Prefer ECDHE (X25519) over classic DHE to avoid group size debates entirely.

Production Debug Guide

Symptom → Action grid for detecting and fixing DH-related TLS failures

TLS handshake fails with 'dh key too small' error in server logs→Check the DH group size the server is offering. Run: openssl s_client -connect host:443 -cipher 'DHE' -tls1_2 | grep 'Server Temp Key'

Client reports 'unsupported protocol' or handshake timeout→Verify that the server advertises any DH ciphers. Use nmap: nmap --script ssl-enum-ciphers -p 443 host

Audit flags DH group smaller than 2048 bits→Check server configuration files (nginx/apache) for ssl_dhparam directive. Generate a new 2048-bit group: openssl dhparam -out dhparams.pem 2048

ECDHE handshake fails on old clients (e.g. Java 6, IE 8)→Fall back to DHE with a 2048-bit group for legacy compatibility. Set ssl_ecdh_curve X25519:prime256v1 in web server config.

Whitfield Diffie and Martin Hellman published 'New Directions in Cryptography' in 1976 — the paper that invented public key cryptography. The Diffie-Hellman key exchange protocol solves the fundamental key distribution problem: how do two parties who have never met establish a shared secret over a public channel?

The protocol is used in every TLS handshake (HTTPS), every SSH connection, every Signal message. Its security rests on the discrete logarithm problem: given g^x mod p, computing x is computationally infeasible for large p. Ephemeral Diffie-Hellman (DHE/ECDHE) in TLS provides forward secrecy — past sessions remain secure even if the server's long-term key is later compromised.

The Protocol

Public parameters: large prime p, generator g. Alice chooses private a, sends A = g^a mod p. Bob chooses private b, sends B = g^b mod p. Shared secret = A^b = B^a = g^(ab) mod p. An eavesdropper sees p, g, A, B but cannot compute g^(ab) without solving the discrete log problem.

diffie_hellman.py · PYTHON

12345678910111213141516171819202122232425

import random

# Using small numbers for demonstration — real DH uses 2048+ bit primes
P = 23   # prime modulus (real: 2048+ bits)
G = 5    # generator

# Alice
alice_private = random.randint(2, P-2)
alice_public  = pow(G, alice_private, P)

# Bob
bob_private = random.randint(2, P-2)
bob_public  = pow(G, bob_private, P)

# Exchange public keys over insecure channel
# Alice computes shared secret
alice_secret = pow(bob_public, alice_private, P)
# Bob computes shared secret
bob_secret   = pow(alice_public, bob_private, P)

print(f'Alice public: {alice_public}')
print(f'Bob public:   {bob_public}')
print(f'Alice secret: {alice_secret}')
print(f'Bob secret:   {bob_secret}')
print(f'Match: {alice_secret == bob_secret}')

▶ Output

Alice public: 8
Bob public: 19
Alice secret: 2
Bob secret: 2
Match: True

Mental Model

Think of DH as a lock that only works with two keys

Each party has a private key (their exponent) and a public lock (g^exponent mod p). Combining both locks yields the same secret key — but no one can reverse the lock to find the private key.

Both parties agree on a shared paint color (p,g) — that's public.
Each adds their own secret color (a or b) and gets a mixed color (g^a or g^b).
They exchange mixed colors, then each adds their secret again — final color matches (g^(ab)).
Eavesdropper sees all mixed paints but can't separate them — that's discrete log.

📊 Production Insight

Classic DH uses modular exponentiation which is CPU-intensive.

A 2048-bit DH key exchange adds ~2ms to TLS handshake on modern hardware.

ECDH (Curve25519) is 10x faster — switch if latency matters.

🎯 Key Takeaway

DH outputs the same shared secret from both sides via modular exponentiation.

Security requires that discrete log stays hard — use 2048+ bits.

For performance-critical services, ECDH (X25519) is the right default.

Choose between DH and ECDH based on performance and compatibility

IfNeed maximum speed and modern clients

→

UseUse ECDHE with X25519 curve — fastest, small keys, most secure

IfMust support legacy systems (Java 6, Windows XP)

→

UseUse DHE with 2048-bit group — slower but compatible

IfCompliance demands parameter validation (e.g. FIPS)

→

UseUse classic DH with FIPS-approved groups (2048+ bit) — avoid static DH

The Discrete Logarithm Problem

DH security rests on: given g, p, and g^x mod p, find x. This is the discrete logarithm problem. The best classical algorithms (Index Calculus, Number Field Sieve) run in sub-exponential time — which is why 2048-bit DH parameters are needed even though AES-128 is considered equivalent security.

Note: Shor's quantum algorithm solves discrete log in polynomial time. Elliptic curve Diffie-Hellman (ECDH) suffers the same quantum vulnerability. Post-quantum key encapsulation (CRYSTALS-Kyber) is the replacement being deployed in TLS 1.3 and Signal.

⚠ Use ECDH, not classic DH

Classic DH requires 2048-bit parameters for security equivalent to 112-bit symmetric encryption. Elliptic curve DH (ECDH with Curve25519) achieves equivalent security with 256-bit keys — 8x smaller keys, dramatically faster. TLS 1.3 mandates ECDHE and removed static DH entirely.

📊 Production Insight

Discrete log sub-exponential algorithms make 2048-bit DH the minimum safe size.

QA performance: 512-bit DH can be broken in minutes with precomputation and cloud instances.

Never rely on DH for long-term security — forward secrecy is the real win.

🎯 Key Takeaway

Discrete log is one-way: easy to compute forward, hard to invert.

Quantum computing breaks both DH and ECDH — plan migration to PQC.

For now, 2048-bit DH or X25519 ECDH are the production standards.

Key size selection for DH parameters

IfClassic DH, 2026 standard security

→

UseUse 2048-bit modulus — meets most compliance reqs (NIST SP 800-131A)

IfClassic DH, highest security (classified)

→

UseUse 3072-bit or 4096-bit — performance penalty ~30% over 2048-bit

IfPost-quantum safety required

→

UseUse hybrid key exchange: ECDHE + Kyber-768. DH alone is quantum-vulnerable

Forward Secrecy

DH enables forward secrecy — a property that makes past sessions immune to future key compromise. In classic RSA key exchange, the server's RSA private key encrypts the session key. If an attacker records encrypted traffic and later obtains the RSA key, they can decrypt all past sessions.

DHE (ephemeral DH): each TLS session generates a fresh DH key pair. Even if the server's certificate key is compromised, past session keys cannot be derived — they were never stored and the ephemeral DH keys are discarded after use. TLS 1.3 mandates ephemeral key exchange (ECDHE) and removed all non-forward-secret cipher suites.

🔥Forward secrecy is not optional in 2026

Every modern TLS library defaults to ECDHE. If your server still supports RSA key exchange (TLS_RSA_WITH_*), you're leaking past sessions. Remove those cipher suites today.

📊 Production Insight

Forward secrecy means an attacker can't retroactively decrypt recorded traffic.

Without it, a single server compromise exposes years of encrypted data.

Audit your TLS config: run 'openssl s_client -cipher 'ADH' -tls1_2' — if it connects, you have no forward secrecy.

🎯 Key Takeaway

Forward secrecy makes past sessions safe from future key compromise.

Ephemeral keys are discarded after each session — an attacker gets nothing.

TLS 1.3 enforces this. If you're on TLS 1.2, verify your cipher suites include ECDHE.

Key exchange selection based on forward secrecy requirements

IfService handles sensitive user data (banking, healthcare)

→

UseMandate ECDHE-only cipher suites. Disable all RSA key exchange.

IfNeed to support very old clients (pre-2006)

→

UseAllow DHE + RSA as fallback but configure 2048-bit DH groups — still forward secret.

IfInternal microservices with TLS termination inside cluster

→

UseUse mTLS with ECDHE — forward secrecy protects intra-cluster traffic from side-channel attacks.

Vulnerabilities and Attacks

Basic DH is vulnerable to man-in-the-middle attacks — an attacker can intercept both parties' public keys, replace them with their own, and establish separate shared secrets with each party. This is why TLS authenticates the DH public key using a certificate signed by a trusted CA.

Other attacks on DH implementations

Logjam: Downgrade to export-grade 512-bit DH (CVE-2015-4000).
Weak primes: Using a composite modulus instead of prime, or a generator that doesn't generate a large subgroup.
Static DH: Reusing the same DH key pair across sessions destroys forward secrecy and enables replay attacks.
Parameter injection: If the server doesn't validate the received public key is not 0, 1, or p-1, the shared secret can be forced to a known value (small subgroup attack).

⚠ Validate received public keys

Always check that the peer's public key is in the range [2, p-2] and that g^x mod p != 1. The OpenSSL function DH_check_pub_key() does this. Missing validation allows an attacker to force the shared secret to 1.

📊 Production Insight

MITM is the #1 threat to raw DH — always use authenticated channels (TLS).

Logjam taught us that server default configurations are often insecure.

Static DH is still found in legacy financial systems — migrate to ECDHE.

🎯 Key Takeaway

Raw DH has no authentication — MITM is trivial.

Always validate DH parameters and public keys on both sides.

Forward secrecy and authenticated key exchange are non-negotiable.

Attack type → primary mitigation

IfMan-in-the-middle on raw DH

→

UseUse TLS with certificate authentication binding the DH public key

IfDowngrade to export-grade DH (Logjam)

→

UseDisable all EXPORT ciphers. Enforce DH group size >= 2048 bits

IfSmall subgroup attack (forced shared secret = 1)

→

UseValidate received public key: DH_check_pub_key(). Use a safe prime (p=2q+1)

Implementation Best Practices

When implementing or deploying DH:

Parameter generation: Use well-known groups (RFC 3526) instead of generating your own prime — DH parameter generation is slow and error-prone. For ECDH, use X25519 (RFC 7748) which has built-in guard against twist attacks.
Key validation: Always verify received public keys are not in the trivial subgroup. For classic DH, check that 1 < pub_key < p-1 and that pub_key^q mod p != 1 (where q is the subgroup order).
Ephemeral keys: Generate fresh DH key pairs for each session. Never reuse a static DH key pair across sessions.
TLS configuration: Prefer ECDHE cipher suites with X25519. If classic DHE is required for legacy clients, use at least 2048-bit groups (RFC 7919).
Fallback safety: If DHE key exchange fails (e.g., no compatible parameters), fail closed — do not fall back to RSA key exchange which breaks forward secrecy.

io/thecodeforge/check_dh_params.py · PYTHON

1234567891011121314151617181920212223

import math

def validate_dh_public_key(pub_key, p, q):
    """Validate received DH public key against small subgroup attack."""
    if pub_key <= 1 or pub_key >= p - 1:
        return False
    # Check that pub_key is in the prime-order subgroup
    if pow(pub_key, q, p) != 1:
        return False
    return True

# Example using a safe prime (p = 2*q + 1)
P = 0x00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff  # RFC 3526 2048-bit MODP group
G = 2
# q = (p-1)//2  (since p is a safe prime)
Q = (P - 1) // 2

# Assume bob_public is received from peer
bob_public = pow(G, 123456, P)
if validate_dh_public_key(bob_public, P, Q):
    print("Valid public key")
else:
    print("INVALID — possible small subgroup attack! Do not proceed.")

▶ Output

Valid public key

💡Prefer X25519 over classic DH for new systems

X25519 (Curve25519) is faster, uses constant-time operations, has smaller keys, and is immune to many implementation pitfalls. It's the default in OpenSSL 1.1.1+ and required by TLS 1.3.

📊 Production Insight

DH parameter generation is slow — use RFC 3526 groups, never generate your own.

X25519 reduces code complexity and eliminates subgroup attacks entirely.

Failing to validate public keys is a CVE waiting to happen.

🎯 Key Takeaway

Stop generating DH parameters — use standard groups.

Validate public keys or switch to X25519 which does it for you.

Ephemeral keys are cheap — never reuse them.

Key exchange algorithm selection decision

IfNeed maximum speed and security for modern clients

→

UseUse ECDHE with X25519 — no parameter generation, constant-time, fast

IfMust support legacy hardware that lacks ECC

→

UseUse DHE with 2048-bit MODP group from RFC 3526 (group 14)

IfPost-quantum preparation required

→

UseUse hybrid: ECDHE (X25519) + Kyber-768; tune performance with session resumption

🗂 DH Variants Comparison

Classic DH vs ECDH vs Post-Quantum KEM

Feature	Classic DH (DHE)	ECDHE (X25519)	Post-Quantum (Kyber-768)
Key size (public)	256 bytes (2048-bit)	32 bytes	1,184 bytes
Key generation speed	~2ms	~0.05ms	~0.08ms
Forward secrecy	Yes (if ephemeral)	Yes	Yes
Quantum-resistant	No	No	Yes
Implementation pitfalls	Parameter generation, subgroup attacks	Twist security (handled by X25519)	Large keys, network overhead
Recommended usage	Legacy compatibility only	Default for TLS 1.3	Future-proof hybrid deployments

🎯 Key Takeaways

DH protocol: share p,g publicly. Each party raises g to their private exponent mod p. Shared secret = g^(ab) mod p — same from both sides.
Security = discrete logarithm hardness: easy to compute g^x mod p, hard to recover x.
Forward secrecy: ephemeral DH generates fresh key pairs per session — past sessions secure even if long-term key is later compromised.
Use ECDH (Curve25519) not classic DH — equivalent security with 8x smaller keys.
TLS 1.3 mandates ECDHE and removed all cipher suites without forward secrecy.
Always validate received DH public keys to prevent small subgroup attacks.
Logjam: never allow export-grade DH in production; enforce 2048+ bit groups.
Post-quantum: DH and ECDH are both broken by Shor's algorithm — plan migration to hybrid KEM (ECDHE + Kyber).

⚠ Common Mistakes to Avoid

✕Using static DH key pairs across sessions

Symptom

No forward secrecy — if the static private key is ever compromised, all past sessions can be decrypted.

Fix

Always generate ephemeral key pairs per session. In TLS, ensure cipher suites use DHE or ECDHE, not DH (static) or ECDH (static). Check server config: no DH or ECDH without 'E' in cipher name.

✕Not validating received public key (small subgroup attack)

Symptom

Shared secret can be forced to 1 by sending y=1, y=p-1, or y in small subgroup. Attacker then knows the secret.

Fix

Validate public key: check 1 < y < p-1 and y^q mod p != 1 (where q is subgroup order). Use DH_check_pub_key() in OpenSSL, or switch to X25519 which enforces validation.

✕Using small primes (< 2048 bits) for production

Symptom

TLS handshake succeeds but discrete log can be computed in minutes using cloud instances and precomputation tables.

Fix

Enforce minimum DH group size of 2048 bits in server configuration. In Nginx: ssl_dhparam /path/to/dhparams.pem (generate with 'openssl dhparam 2048'). In Apache: SSLOpenSSLConfCmd DHParameters.

✕Generating DH parameters on every server restart

Symptom

Startup time increases by several seconds to minutes. Random parameters may be weak if not enough entropy available.

Fix

Use well-known groups from RFC 3526 (MODP groups) or RFC 7919 (FFDHE). Generate once and reuse. Better yet, use ECDHE which doesn't need parameter generation at all.

Interview Questions on This Topic

QExplain the Diffie-Hellman key exchange from scratch — what do the parties share, what do they keep private?JuniorReveal
Alice and Bob publicly agree on a prime p and generator g (known to everyone, including the attacker). Alice picks a private random a, computes A = g^a mod p, and sends A to Bob. Bob picks private b, computes B = g^b mod p, sends B to Alice. Alice computes B^a mod p = (g^b)^a = g^(ab) mod p. Bob computes A^b mod p = (g^a)^b = g^(ab) mod p. Both get the same shared secret. The private a and b are never transmitted; only A and B are public. An attacker sees p, g, A, B but cannot compute g^(ab) without solving discrete log.
QWhat is forward secrecy and why does ephemeral DH provide it?SeniorReveal
Forward secrecy means that if an attacker records encrypted traffic today and later obtains the server's long-term private key (e.g., the TLS certificate private key), they cannot decrypt the recorded traffic. Ephemeral DH (DHE/ECDHE) provides this because each session uses a fresh DH key pair generated solely for that session. The ephemeral private key is discarded immediately after the handshake. Even if the long-term signing key is compromised, the attacker never gets the ephemeral keys. In contrast, RSA key exchange uses the server's RSA private key to encrypt the session key — compromise of that key allows decryption of all past sessions.
QWhat is the discrete logarithm problem and why is it hard?Mid-levelReveal
Given a prime p, a generator g, and a value A = g^x mod p, the discrete log problem asks to find x. It's considered hard because no classical algorithm can solve it in polynomial time. The best known algorithms (Index Calculus, Number Field Sieve) run in sub-exponential time ~exp(c (ln p)^(1/3) (ln ln p)^(2/3)). That's why DH requires 2048-bit primes to reach 112-bit security level. Quantum computers (Shor's algorithm) can solve it in polynomial time, which is why post-quantum cryptography is being standardized.
QWhy is ECDH preferred over classic Diffie-Hellman?SeniorReveal
ECDH (using elliptic curves, especially Curve25519) offers equivalent security with much smaller keys: 256-bit ECC provides ~128-bit security, whereas classic DH needs 3072-bit keys for the same level. This makes ECDH faster (less CPU, less bandwidth), better for mobile/low-latency, and easier to implement securely (no parameter generation, built-in twist security on X25519). Additionally, ECDHE is mandatory in TLS 1.3, while classic DH was deprecated. The only downside is that ECC is not quantum-resistant either, but that's a shared vulnerability. For legacy compatibility, classic DH may still be required, but ECDH is the modern default.
QHow does the Logjam attack work and what could have prevented it?SeniorReveal
Logjam (CVE-2015-4000) exploits the fact that many TLS servers still accepted DHE_EXPORT cipher suites using 512-bit DH parameters. An attacker in the middle downgrades the connection from a strong DH group to export-grade 512-bit DH by modifying the ClientHello to advertise only export ciphers. The attacker then computes the discrete log of the 512-bit public key — with precomputation (using the Number Field Sieve) they can break a 512-bit DH key in minutes. Prevention: disable all EXPORT cipher suites, enforce a minimum DH group size of 2048 bits, and prefer ECDHE which doesn't use large-group DH params.

Frequently Asked Questions

Does DH authenticate the parties?

No — basic DH is vulnerable to man-in-the-middle attacks. An attacker can intercept both parties' public keys, replace them with their own, and establish separate shared secrets with each party. TLS solves this by authenticating the server's DH public key with a certificate signed by a trusted CA.

What is the difference between DHE and ECDHE?

DHE uses classic modular exponentiation over a finite field (prime p). ECDHE uses elliptic curve cryptography. ECDHE is faster, uses smaller keys (256-bit vs 2048-bit), and is the default in TLS 1.3. DHE is slower but offers better compatibility with older systems that lack ECC support. Both provide forward secrecy when ephemeral keys are used.

Why can't we just use RSA for key exchange?

RSA key exchange doesn't provide forward secrecy. The session key is encrypted with the server's RSA public key. If an attacker records traffic and later obtains the server's RSA private key (e.g., via Heartbleed), they can decrypt all past sessions. DH/ECDH with ephemeral keys avoids this because the private key used for each session is temporary and discarded. TLS 1.3 removed RSA key exchange entirely.

Is DH still secure against quantum computers?

No. Shor's algorithm solves the discrete logarithm problem in polynomial time. Both classic DH and ECDH are completely broken by a sufficiently large quantum computer. Post-quantum alternatives like CRYSTALS-Kyber (key encapsulation mechanism) are being standardized. In 2026, hybrid deployments using ECDHE + Kyber are recommended for long-term security. NIST selected Kyber in 2024 as the primary KEM.

How do I check my server's DH group size?

Use OpenSSL: openssl s_client -connect yourserver.com:443 -cipher 'DHE' -tls1_2 2>/dev/null | grep 'Server Temp Key' — this shows the DH group size in bits. For a broader scan, use nmap --script ssl-dh-params -p 443 yourserver.com. If the size is below 2048, regenerate your dhparams.pem file with openssl dhparam 2048 and update your web server config.

🔥

Naren Founder & Author

Developer and founder of TheCodeForge. I built this site because I was tired of tutorials that explain what to type without explaining why it works. Every article here is written to make concepts actually click.

About Naren Get in touch

Forged with 🔥 at TheCodeForge.io — Where Developers Are Forged