Jump to content

Deep dive into IPSec VPN


Recommended Posts

Dear IPSec technical pros,

I recently had a discussion about the "best" default configuration for IPSec VPN (we are using FortiGates, but my question is vendor-independent).
As we looked deeper into the RFC (https://www.rfc-editor.org/rfc/rfc5114#section-4), we couldn't wrap our heads around the relation between used Diffie Hellmann group and cryptographic keys.

For both phases of IPSec, you need to define a DH group and a symmetric cryptographic key algorithm (e.g. AES-256 and SHA-512). In my understanding, the DH exchange is just the basis for a secure channel which then "discusses" about the final symmetric keys. From reading the RFC, it feels like I need to pick a certain DH group to enable a certain symmetric key length at all. Is there a direct dependency between the DH group and the selected key algorithm or are these - as the configuration mask implies - completely unrelated things?

What is your understanding here?



Security Considerations
   The strength of a key derived from a Diffie-Hellman exchange using
   any of the groups defined here depends on the inherent strength of
   the group, the size of the exponent used, and the entropy provided by
   the random number generator used.  The groups defined in this
   document were chosen to make the work factor for solving the discrete
   logarithm problem roughly comparable to an attack on the subgroup.
   Using secret keys of an appropriate size is crucial to the security
   of a Diffie-Hellman exchange.  For modular exponentiation groups, the
   size of the secret key should be equal to the size of q (the size of
   the prime order subgroup).  For elliptic curve groups, the size of
   the secret key must be equal to the size of n (the order of the group
   generated by the point g).  Using larger secret keys provides
   absolutely no additional security, and using smaller secret keys is
   likely to result in dramatically less security.  (See [NIST80056A]
   for more information on selecting secret keys.)
   When secret keys of an appropriate size are used, an approximation of
   the strength of each of the Diffie-Hellman groups is provided in the
   table below.  For each group, the table contains an RSA key size and
   symmetric key size that provide roughly equivalent levels of
   security.  This data is based on the recommendations in [NIST80057].
   GROUP                                      |  SYMMETRIC |   RSA
   1024-bit MODP with 160-bit Prime Subgroup  |        80  |   1024
   2048-bit MODP with 224-bit Prime Subgroup  |       112  |   2048
   2048-bit MODP with 256-bit Prime Subgroup  |       112  |   2048
   192-bit Random ECP Group                   |        80  |   1024
   224-bit Random ECP Group                   |       112  |   2048
   256-bit Random ECP Group                   |       128  |   3072
   384-bit Random ECP Group                   |       192  |   7680
   521-bit Random ECP Group                   |       256  |  15360



Link to comment
Share on other sites

Hi Chris,

The RFC describes a DH key derivation, which is a means for both parties to derive a shared secret only by knowing the other party's public key. Each party basically¹ computes the following:

symmetric_key = their_public_key^my_private_key mod p

Both get the same symmetric_key.

The choice of the symmetric algorithm which will use that secret key to encrypt the data is yours, but the symmetric key size is "fixed" by the computation. Using a larger key size will be the same as if you padded the secret key, and using a smaller key size truncates it, reducing the strength of the encryption.


¹ The derivation is quite different when using elliptic curves, but modular exponentiation was the "original" example.

Edited by karlyeurl
  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...