Deep dive into IPSec VPN

[Chris]

Dear IPSec technical pros,

I recently had a discussion about the "best" default configuration for IPSec VPN (we are using FortiGates, but my question is vendor-independent).
As we looked deeper into the RFC (https://www.rfc-editor.org/rfc/rfc5114#section-4), we couldn't wrap our heads around the relation between used Diffie Hellmann group and cryptographic keys.

For both phases of IPSec, you need to define a DH group and a symmetric cryptographic key algorithm (e.g. AES-256 and SHA-512). In my understanding, the DH exchange is just the basis for a secure channel which then "discusses" about the final symmetric keys. From reading the RFC, it feels like I need to pick a certain DH group to enable a certain symmetric key length at all. Is there a direct dependency between the DH group and the selected key algorithm or are these - as the configuration mask implies - completely unrelated things?

What is your understanding here?

 

Extract:

Quote

Security Considerations

   The strength of a key derived from a Diffie-Hellman exchange using

   any of the groups defined here depends on the inherent strength of

   the group, the size of the exponent used, and the entropy provided by

   the random number generator used.  The groups defined in this

   document were chosen to make the work factor for solving the discrete

   logarithm problem roughly comparable to an attack on the subgroup.

 

   Using secret keys of an appropriate size is crucial to the security

   of a Diffie-Hellman exchange.  For modular exponentiation groups, the

   size of the secret key should be equal to the size of q (the size of

   the prime order subgroup).  For elliptic curve groups, the size of

   the secret key must be equal to the size of n (the order of the group

   generated by the point g).  Using larger secret keys provides

   absolutely no additional security, and using smaller secret keys is

   likely to result in dramatically less security.  (See [NIST80056A]

   for more information on selecting secret keys.)

 

   When secret keys of an appropriate size are used, an approximation of

   the strength of each of the Diffie-Hellman groups is provided in the

   table below.  For each group, the table contains an RSA key size and

   symmetric key size that provide roughly equivalent levels of

   security.  This data is based on the recommendations in [NIST80057].

 

   GROUP                                      |  SYMMETRIC |   RSA

   -------------------------------------------+------------+-------

   1024-bit MODP with 160-bit Prime Subgroup  |        80  |   1024

   2048-bit MODP with 224-bit Prime Subgroup  |       112  |   2048

   2048-bit MODP with 256-bit Prime Subgroup  |       112  |   2048

   192-bit Random ECP Group                   |        80  |   1024

   224-bit Random ECP Group                   |       112  |   2048

   256-bit Random ECP Group                   |       128  |   3072

   384-bit Random ECP Group                   |       192  |   7680

   521-bit Random ECP Group                   |       256  |  15360

 

Best,
Chris

[karlyeurl]

Hi Chris,

The RFC describes a DH key derivation, which is a means for both parties to derive a shared secret only by knowing the other party's public key. Each party basically¹ computes the following:

symmetric_key = their_public_key^my_private_key mod p

Both get the same symmetric_key.

The choice of the symmetric algorithm which will use that secret key to encrypt the data is yours, but the symmetric key size is "fixed" by the computation. Using a larger key size will be the same as if you padded the secret key, and using a smaller key size truncates it, reducing the strength of the encryption.

 

¹ The derivation is quite different when using elliptic curves, but modular exponentiation was the "original" example.

Edited November 17, 2022 by karlyeurl