Is there any particular reason to use Diffie-Hellman over RSA for key exchange? posted December 2014
I was wondering why RSA was used in the SSL handshake, and why Diffie-Hellman was used instead in a Perfect Forward Secrecy scheme.
There is, however, an advantage of DH over RSA for generating ephemeral keys: producing a new DH key pair is extremely fast (provided that some "DH parameters", i.e. the group into which DH is computed, are reused, which does not entail extra risks, as far as we know). This is not a really strong issue for big servers, because a very busy SSL server could generate a new "ephemeral" RSA key pair every ten seconds for a very small fraction of his computing power, and keep it in RAM only, and for only ten seconds, which would be PFSish enough.