Today’s post is an excerpt from my CCIE Security notes, and it has a useful table of Diffie-Hellman groups, which you can use as a job aid in IPsec VPN designs. I hope you find it useful.
About Diffie Hellman
The key bit of magic that makes IKE (Internet Key Exchange) possible is Diffie-Hellman. Diffie-Hellman allows anonymous entities to calculate a shared secret that can’t be discovered by a third party listening to the exchange. What’s amazing about it is the peers are able to do this using two different passwords that they keep private and never exchange. DH is one of the earliest examples of Public Key Cryptography.
- Diffie-Hellman does not provide authentication. It’s used to assist in creating a secure channel for authentication.
- Diffie-Hellman does not provide encryption. It provides the keying material for encryption.
- Diffie-Hellman is used for control plane functions only.
At a high level it works like this:
If side A and side B use the same generator and modulus, the resulting values from steps 5 and 6 should be the same. This shared key is used as an input to the negotiated encryption algorithm.
In the case of Diffie-Hellman, the generator and prime (g, p) are predefined values (defined in a number of different RFCs), which are referenced as Diffie-Hellman groups. The larger the generator and prime are, the more difficult it is to break. As computational power has increased substantially since the first DH groups were defined, the old groups are no longer safe to use.
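The exchange described above, as an added example that is not part of the original notes: both sides derive the same secret from group 14's (g, p), with the prime rebuilt from its RFC 3526 formula and the peer's public value range-checked before use. The function names are hypothetical, and because DH does not authenticate, IKE still has to authenticate the peers separately.

```python
"""Finite-field DH between two peers using IKE group 14 (2048-bit MODP)."""
import secrets

def _arctan_inv(x, one):
    """Integer arctan(1/x) scaled by `one` (Gregory series)."""
    total = term = one // x
    n, sign = 3, -1
    while term:
        term //= x * x
        total += sign * (term // n)
        n, sign = n + 2, -sign
    return total

def modp_2048():
    """Build the group 14 prime from its RFC 3526 formula:
    p = 2^2048 - 2^1984 - 1 + 2^64 * (floor(2^1918 * pi) + 124476)."""
    guard = 64                                   # extra bits absorb rounding
    one = 1 << (1918 + guard)
    pi = 4 * (4 * _arctan_inv(5, one) - _arctan_inv(239, one))  # Machin
    return 2**2048 - 2**1984 - 1 + 2**64 * ((pi >> guard) + 124476)

P, G = modp_2048(), 2                            # (g, p) for group 14

def keypair():
    """Private exponent stays local; only the public value goes on the wire."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)

def shared_secret(own_priv, peer_pub):
    """Validate the peer's public value, then derive the shared secret."""
    if not 1 < peer_pub < P - 1:                 # 0, 1, p-1 give a predictable secret
        raise ValueError("invalid DH public value")
    return pow(peer_pub, own_priv, P)

def exchange():
    a_priv, a_pub = keypair()                    # side A
    b_priv, b_pub = keypair()                    # side B
    k_a = shared_secret(a_priv, b_pub)           # A: B's public ^ A's private
    k_b = shared_secret(b_priv, a_pub)           # B: A's public ^ B's private
    return a_pub, b_pub, k_a, k_b

if __name__ == "__main__":
    a_pub, b_pub, k_a, k_b = exchange()
    print("on the wire:", hex(a_pub)[:18], hex(b_pub)[:18])
    print("keys match:", k_a == k_b, "| secret bits:", k_a.bit_length())
```

In IKE the resulting value is not used directly as a cipher key; it is fed into the key derivation that produces the session keys.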
The following table lists the Diffie-Hellman groups:
*NGE refers to Cisco Next Generation Encryption, which is the vendor’s set of recommended ciphersuites.
*NSA Suite B refers to the United States National Security Agency’s published list of interoperable modern cryptographic standards.