1. Home
  2. Knowledge Base
  3. Misc
  4. Why Diffie-Hellman keys generation is important?

Why Diffie-Hellman keys generation is important?


Diffie-Hellman key exchange (D-H) is a method to generate a private key between two machines connected through an insecure channel.

When a client begins a connection to a secured web service the SSL negotiation occurs by exchanging the public keys and then, the two parties come into an agreement in regards to the keys and ciphers to be used during the communication.

In this illustration is perfectly explained how the negotiation behaves with colors. Just imagine how it works with large random numbers computed by both communication nodes.


How it’s used in a load balancer

The load balancer creates SSL services when it performs SSL Offload operations, in the form:

SSL Offload Scenario Diagram

SKUDONET Open source Load Balancer uses the OpenSSL tools with dhparam options to generate the Diffie-Hellman keys. Read more about the full options here.

To create a SSL Offload farm (HTTP profile with HTTPS listener in SKUDONET Open SOurce Load Balancer) it’s required to generate a Diffie-Hellman key with the following good practices to ensure a robust key generation.

1. A minimum key length of 2048 bits. More length will mean more difficult to decrypt in a reasonable amount of time.
2. One DH key per SSL farm to make it more difficult to break the communication of several SSL services and isolate the security of every farm.
3. Less predictable in the random generation means more difficult to break communication.

Note that the generation of the Diffie-Hellman keys is usually a computationally costly process due to the random number generation could take too much time, but this ensures a security assurance for our SSL services.

All this procedure is done automatically by the SKUDONET library, it doesn’t require any action by the system administration, the aim of this document is only to inform about the process.




Was this article helpful?

Related Articles

Need Support?

Can't find the answer you're looking for?
Contact Support

Download Skudonet ADC Load Balancer
Community Edition

Source Code

A versatile and installable ADC system designed for diverse vendor hardware.


Installable ISO 

Load Balancing as a Service alongside an ADC orchestration toolkit.

Download Community Edition

Download Community Edition

“We manage the information you provide with the sole aim of assisting with your requests or queries in regards to our products or services; applying the computer and security procedures to ensure its protection. Your data can be rectified or removed upon request but won’t be offered to any third parties, unless we are legally required to do so.” Responsible: SKUDONET SL - info@skudonet.com