Diffie-Hellman Group Use in IKE

Diffie-Hellman (DH) is a key exchange algorithm that allows two devices to establish a shared secret over an unsecured network without having shared anything beforehand. Diffie-Hellman is used in IKE, TLS, SSH, SMIME, and likely other protocols. When used in VPNs, it is used in the in IKE or Phase1 part of setting up the VPN tunnel.

In modern implementations of IKEv1, the following DH groups are available for use, Group 1, 2, 5 & 7. In modern implementations of IKEv2, the following DH Groups are available for use, Group 1, 2, 5, 14, 19, 20, 21, & 24.

Note: IKEv1 should be avoided unless absolutely necessary. DH Group 7 should also not be used. 

There are multiple Diffie-Hellman Groups that can be configured in an IKE policy on a Cisco IOS & ASA.

Diffie Hellman Groups
DH
Group #
Group DescriptionRFCRecommendation
1768 bit modulusRFC 2049AVOID
Available for use in IKEv1 & IKEv2
21024 bit modulusRFC 2049AVOID
Available for use in IKEv1 & IKEv2
51536 bit modulusRFC 3526AVOID
Available for use in IKEv1 & IKEv2
7EC2N group over GF[2^163]IETF DraftAVOID
Available for use in IKEv1
142048-bit modulusRFC 3526MINIMUM ACCEPTABLE
Available for use in IKEv2
19256-bit random elliptic curveRFC 5903Available for use in IKEv2
20384-bit random elliptic curveRFC 5903Available for use in IKEv2
21521-bit random elliptic curveRFC 5903Available for use in IKEv2
242048-bit modulus with 256-bit prime order subgroupRFC 5114AVOID
Available for use in IKEv2

 

A full list of ALL Diffie-Hellman Groups is here.

Algorithms marked as AVOID do not provide an adequate security against modern threats and should not be used.

AES needs stronger Diffie-Hellman Groups than DES or 3DES. If we were using a modular based key to protect 128-bit AES we would need a key about 3200-bits long and if we were using a modular based key to protect 256-bit AES we would need a key 15400-bits long.  That’s not practical, so instead, we are now using elliptic curve Diffie-Hellman Groups. If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 19, 20.    If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21. RFC 5114 Sec 4 states DH Group 24 strength is about equal to a modular key that is 2048-bits long, that is not strong enough to protect 128 or 256-bit AES, so I also mark that as AVOID.

 

References

Brief comparison of RSA and diffie-hellman (public key) algorithm

Cisco – Next-Generation Encryption

How Diffie-Hellman Fails in Practice

IANA – Internet Key Exchange (IKE) Attributes

RFC 2409 – The Internet Key Exchange (IKE)

RFC 3526 – More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)

RFC – 3766 –  Determining Strengths For Public Keys Used For Exchanging Symmetric Keys

RFC 5114 – Additional Diffie-Hellman Groups for Use with IETF Standards

 

2 thoughts on “Diffie-Hellman Group Use in IKE”

Leave a Reply to TimmayG Cancel reply

Your email address will not be published. Required fields are marked *