Disable ECDH public server param reuse in Windows Server IIS

ECDH public server param reuse is when a server uses the same DH (Diffie-Hellman) key value for multiple handshakes, instead of generating a new one for every handshake. They should be "ephemeral" though which is why it is called "DHE" or "ECDHE", and this means the key is single-use and should never be reused. Windows Server IIS is known for reusing DH key values, but there is a way to disable ECDH public server param reuse in Windows Server IIS.

Generating a new NIST P-256 ECDH or X25519 key is cheap, so there is no need to reuse it for performance reasons, but IIS does this for some reason. Disabling ECDH public server param reuse makes sure a key is not cached a new key is generated for every handshake. Reusing keys might get exploited.

Disable ECDH public server param reuse in the Windows registry

A less documented registry key EphemKeyReuseTime can be set to 0 which forces a new key to be generated for every connection.

Follow these steps:

1. open the Registry Editor (regedit)
2. navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms\ECDH
   • if the registry key ECDH doesn't exist you can create it.
3. in ECDH click New > DWORD (32-bit) value
   • Value name: EphemKeyReuseTime
   • Value data: 0

Using PowerShell:

if(!(Test-Path "hklm:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH")) {  New-Item "hklm:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms" -name "ECDH"}New-ItemProperty "hklm:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH" -Name EphemKeyReuseTime -Value 0 -PropertyType DWord

You can add your own checks and validation in the PowerShell code to make it more robust.

Sources:

• https://learn.microsoft.com/en-us/answers/questions/781315/ecdh-public-server-param-reuse-in-kestrel
• https://serverfault.com/a/1155857

Thank you very much! <3 ❤️