- **December 16, 2022:** TXT files containing safe and unsafe primes.
- **November 2, 2022:** Updated recommendation in the “How is a Diffie-Hellman prime graded?” section.
- **February 15, 2017:** Published.

Millions of HTTPS, SSH, and VPN servers use the Diffie-Hellman key exchange protocol in a poorly configured way when a client attempts to create a secure connection. Depending on the server configuration and key strength, such servers may be susceptible to passive eavesdropping, as demonstrated by the Logjam attack.

We assess a server’s Diffie-Hellman configuration, where one exists, to help evaluate configurations and conditions that fall below current security standards, including a server’s vulnerability to the Logjam attack.

## Frequently Asked Questions

### What is a Diffie-Hellman key exchange?

It is a specific method of publicly exchanging cryptographic keys that allows two parties to create a shared secret over an insecure channel and establish encrypted communication. The shared secret is mathematically easy for the two parties to generate, but quite difficult for third parties to reverse.

A significant component of the key exchange is a static prime number, called a “Diffie-Hellman prime,” that is stored on the server and used to generate the public keys during key exchanges.

### Why are Diffie-Hellman primes evaluated?

The most efficient mathematical algorithm for breaking a Diffie-Hellman connection has an expensive first step that depends only on this prime. After this first step, an attacker can quickly break individual connections for any server using this prime.

An attacker needs to spend a significant amount of time and effort to calculate all the values required to break a set of session keys, but those values only need to be calculated **once per prime**. This means there are advantages to going after common primes (see below), as the return on investment (ROI) is much bigger.

### How are Diffie-Hellman primes assessed?

We evaluate Diffie-Hellman primes based on whether servers in a company’s infrastructure use the Diffie-Hellman key exchange protocol, the size of the primes, and whether those primes are commonly used by other servers.

### How is information on Diffie-Hellman primes collected?

Primes (prime groups) are sent publicly to clients by servers as part of the Diffie-Hellman key exchange process. We check the prime being sent against lists of known common primes.

### What is a common Diffie-Hellman prime?

A common Diffie-Hellman prime is a published value, sourced from software libraries or other publications, used during key exchange.

Common Diffie-Hellman primes are considered a security hazard because of the ROI on the time adversaries spend breaking a common prime: once the prime is broken, it is easier for the adversary to passively eavesdrop on encrypted communications from every other server that uses the same common prime.

### What is a common Diffie-Hellman key?

A common Diffie-Hellman key is a public key seen on more than one server; it is created using the configured Diffie-Hellman prime. Multiple servers that use the same public key (a commonly-seen key) for calculating the “master secret” that encrypts an upcoming session indicate a poorly configured server.

### Why are Diffie-Hellman primes less than or equal to 512 bits considered bad?

Primes less than 1024 bits are estimated to be breakable by groups with resources ranging from consumer-level hardware to those of an academic institution.

### How is a Diffie-Hellman prime graded?

**Strength:** We currently grade primes less than or equal to 512 bits as BAD, and less than 2048 bits as WARN. If a server uses a Diffie-Hellman prime greater than or equal to 2048 bits, it is graded as GOOD.

**Commonality:** Any prime less than or equal to 512 bits that appears on more than 1,000 IP addresses is considered broken, so these findings are graded as BAD. The subgroups of common 2048-bit primes can be vulnerable to small subgroup key recovery attacks. We recommend not using a common subgroup form and instead generating your own DH/ECDH keys^{[4]}.
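As an added illustration (not the rating service's own code), the following Python applies the strength and commonality rules stated above to a prime, and adds the defender-side check that matters for small subgroup attacks: whether the prime is a safe prime and whether the generator lies in the order-q subgroup. The toy safe prime 1019 = 2·509 + 1, the bit-length placeholders, the IP counts, and the WARN/OK mapping for common primes above 512 bits are constructed assumptions, not values from this page.

```python
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic for n < 3.3e24, probabilistic above."""
    if n < 2: return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def grade_strength(p):
    """Page's size rule: <=512 bits BAD, <2048 WARN, >=2048 GOOD."""
    bits = p.bit_length()
    return "BAD" if bits <= 512 else "WARN" if bits < 2048 else "GOOD"

def grade_commonality(p, common_primes):
    """common_primes maps a published prime to the number of IPs seen using it (constructed)."""
    hosts = common_primes.get(p)
    if hosts is None: return "OK"  # not a published prime; the page defines no grade (assumed)
    if p.bit_length() <= 512 and hosts > 1000:
        return "BAD"               # page: treated as already broken
    return "WARN"                  # page advises against any common group (assumed mapping)

def subgroup_check(p, g):
    """p should be a safe prime (q=(p-1)/2 prime) and g should generate the order-q subgroup."""
    q = (p - 1) // 2
    safe = is_probable_prime(p) and is_probable_prime(q)
    order_q = safe and g not in (1, p - 1) and pow(g, q, p) == 1
    return {"safe_prime": safe, "g_has_order_q": order_q}

if __name__ == "__main__":
    # Constructed inputs: toy safe prime 1019 and non-prime bit-length placeholders for the size rule.
    common = {1019: 5000, (1 << 2047) + 1: 200000}
    for p, g in ((1019, 4), (1019, 2), (1013, 2)):
        print(p, g, subgroup_check(p, g))
    for p in (1019, (1 << 1023) + 1, (1 << 2047) + 1):
        print(p.bit_length(), grade_strength(p), grade_commonality(p, common))
```

With p = 1019, g = 4 sits in the order-509 subgroup while g = 2 has order 1018, and 1013 is prime but not a safe prime, so the check reports each case differently.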

##### Resources:

- Weak Diffie-Hellman and the Logjam Attack
- Vulnerability Summary for CVE-2015-4000, National Vulnerability Database
- Cryptanalysis of SHA-1, Schneier.com
- Measuring small subgroup attacks against Diffie-Hellman

##### Additional resources:

- RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
- RFC-4306: Internet Key Exchange (IKEv2) Protocol
- RFC-2409: The Internet Key Exchange
- RFC-5114: Additional Diffie-Hellman Groups for Use with IETF Standards
- NIST Special Publication 800-131A, Revision 1 (DRAFT) -- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (Jul 2015)