Is it common to negotiate which DH group is used during a Diffie-Hellman key exchange?

StackOverflow https://stackoverflow.com/questions/17982284

04-06-2022

Question

When I read descriptions about how DH key exchange works, there's no mention of how the key-exchangers came to an agreement on which "group" (the p and g parameters) should be used to compute the public and private values. Looking at RFC 5114, it seems like there are quite a few choices.

I'd like to know if this negotiation is typically done during the exchange itself, and if not, if there's a description somewhere regarding how the algorithm would be different if it included that step.

Thanks for reading.


Solution

The p and g values are safe to pass unencrypted. If client/server is on a network, either the client or server generates the p/g values and passes them via network sockets. As long as the secret number for each client/server is kept a secret (duh..), the Diffie-Hellman exchange can be said to be safe, as an attacker would have to compute g^(ab) mod p = g^(ba) mod p (which leads to an infinite amount of solutions that is infeasible to compute given that the p value is big enough).

Essentially the most basic D-H exchange goes as follows:

Party A generates p, g, a values. Where g is the base/generator, p is the prime modulo, a is the secret power.

Party B (concurrently) generates secret value b.

Party A computes g^a mod p (we call this value thereafter A)

Party A sends p, g and A across the transmission medium.

Party B receives p, g, A.

Party B computes g^b mod p (we call this value thereafter B).

Party B sends B across the transmission medium.

Party A receives B.

Party A computes B^a mod p and obtains the shared secret.

Party B (concurrently) computes A^b mod p and obtains the shared secret.

Note: if the p value is too small, it may be computationally cheaper to just iterate through 0 to p - 1, but this all depends on what you do after you generate the common secret.
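The exchange described in the answer, written out as an added Python example (not code from the original post). The group p = 23, g = 5 is a constructed toy value chosen so the steps are easy to follow; the size check, the public-value check and the last function are additions that illustrate the answer's closing note about a too-small p:

```python
import secrets

# Constructed toy group for illustration only: p = 23 is a safe prime
# (23 = 2*11 + 1) and g = 5 generates the whole group mod 23. A real
# deployment uses a standardized group (e.g. RFC 3526 or RFC 5114).
TOY_P, TOY_G = 23, 5

def group_is_acceptable(p, min_bits=2048):
    # Size check only (primality/safe-prime checks are out of scope here):
    # the answer's note about iterating 0..p-1 applies when p is small.
    return p.bit_length() >= min_bits

def valid_public(y, p):
    # Reject public values that collapse the shared secret (0, 1, p-1).
    return 2 <= y <= p - 2

def dh_keypair(p, g):
    # Secret exponent x in [1, p-2]; retry until the public value g^x mod p
    # passes the same check the receiver applies.
    while True:
        x = 1 + secrets.randbelow(p - 2)
        y = pow(g, x, p)
        if valid_public(y, p):
            return x, y

def dh_shared(peer_public, secret, p):
    # Each side raises the other party's public value to its own secret.
    return pow(peer_public, secret, p)

def dh_exchange(p, g):
    # Party A generates a and sends (p, g, A) in the clear.
    a, A = dh_keypair(p, g)
    if not valid_public(A, p):          # Party B checks what it received
        raise ValueError("bad public value A")
    b, B = dh_keypair(p, g)             # Party B replies with B
    if not valid_public(B, p):          # Party A checks what it received
        raise ValueError("bad public value B")
    return dh_shared(B, a, p), dh_shared(A, b, p)   # B^a mod p, A^b mod p

def recover_secret_small_p(p, g, A, B):
    # The answer's caveat, demonstrated: with only the public values
    # (p, g, A, B) and a tiny p, iterating exponents 0..p-1 finds a.
    for x in range(p):
        if pow(g, x, p) == A:
            return pow(B, x, p)
    return None

if __name__ == "__main__":
    s_a, s_b = dh_exchange(TOY_P, TOY_G)
    print("secrets agree:", s_a == s_b, "| group acceptable:", group_is_acceptable(TOY_P))
```

With a = 6 and b = 15 in the toy group, A = 8, B = 19 and both sides obtain 2; the recovery function returns the same value from the public values alone, which is why the group size check matters.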

Licensed under: CC-BY-SA with attribution