16.10 - DHKeyP and DHKeyG - Teradata Database

Teradata Database Security Administration

Teradata Database
June 2017

The Diffie-Hellman encryption key (DH Key) is made up of two values, P and G, which allow two hosts to create and share a secret key to ensure the confidentiality of the encryption key exchange between initiator and acceptor.

The P and G parameters are both public to the system. P is a large prime number, and G is chosen to be a small primitive root of P. G is a primitive root of P if and only if G^((P-1)/q) mod P > 1 for all prime divisors q of P-1.

The basic calculation is: G^X mod (P).

The variable X is a private number that each user keeps to themselves. Each user uses their private key (x for User 1, y for User 2) to calculate their public key, such that:

PublicKeyUser1 = G^x mod (P)
PublicKeyUser2 = G^y mod (P)

Each user transmits their public key so that User 2 has PublicKeyUser1 and User 1 has PublicKeyUser2.

User1 computes: K1 = (PublicKeyUser2)^x mod (P)

User2 computes: K2 = (PublicKeyUser1)^y mod (P)

K1 and K2 are the same value, G^(xy) mod (P), which is the secret key the two users now share.

There are two sets of DH keys: DHKeyP/DHKeyG and DHKeyP2048/DHKeyG2048. The first pair is 640-bit and is supported only for compatibility with pre-TD 14.0 systems. In cases where the client and server are both TD 14.0 or higher, the 640-bit keys are never used.

Default Property Value for DHKeyP2048

This 2048-bit DHKeyP is supplied with Teradata Database (represented in hex code):


Default Property Value for DHKeyG2048

This 2048-bit DHKeyG is supplied with Teradata Database (represented in hex code):


Default Property Values for Legacy DHKeyG and DHKeyP

<!-- DHKeyP and DHKeyG are for legacy (pre-14.0) use only -->

Supporting Mechanisms for DHKeyP and DHKeyG

Mechanisms that are not listed in the table do not support this property. The Property Editable column indicates if the setting for a property may be edited.

Mechanism    Property Editable?
TD2          May Be Edited

Editing Guidelines

  • In high security environments, you can replace the preset key and/or rotate keys periodically to minimize the chance that the key can be compromised.
  • If you edit DHKeyP2048, you should also edit DHKeyG2048.
  • You can edit this property only on all nodes and on the Unity server. Also see Coordinating Mechanism Property Values.
  • You can use any DH Key with a supported key length. See KeyLength.
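
A pre-deployment check for a replacement P/G pair, as an added example (not Teradata code): it applies the primitive-root condition given earlier on this page and confirms that both sides of the exchange derive the same key. It assumes P is a safe prime (P = 2q + 1 with q prime) so that the prime divisors of P-1 are known to be 2 and q; the function names and the small sample values are constructed for illustration.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base proves n is composite
    return True

def check_dh_params(p, g, bits):
    """Return a list of problems; an empty list means the pair passed."""
    problems = []
    if p.bit_length() != bits:
        problems.append(f"P is {p.bit_length()} bits, expected {bits}")
    q = (p - 1) // 2
    if not is_probable_prime(p):
        problems.append("P is not prime")
    elif not is_probable_prime(q):
        problems.append("P is not a safe prime, so P-1 is not factored here")
    elif not 1 < g < p - 1:
        problems.append("G must satisfy 1 < G < P-1")
    # Page's condition: G^((P-1)/f) mod P > 1 for each prime divisor f of P-1.
    elif any(pow(g, (p - 1) // f, p) <= 1 for f in (2, q)):
        problems.append("G is not a primitive root of P")
    return problems

def exchange(p, g):
    """Run both sides of the exchange and return (K1, K2)."""
    x, y = (secrets.randbelow(p - 3) + 2 for _ in range(2))  # private keys
    pub1, pub2 = pow(g, x, p), pow(g, y, p)                  # public keys
    return pow(pub2, x, p), pow(pub1, y, p)

if __name__ == "__main__":  # constructed toy values, far below real key sizes
    print(check_dh_params(1019, 2, bits=10), exchange(1019, 2))
```

For a real replacement pair, pass the decoded hex values as integers and the configured key length as `bits`.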