Chris Posted November 17, 2022 Share Posted November 17, 2022 Dear IPSec technical pros, I recently had a discussion about the "best" default configuration for IPSec VPN (we are using FortiGates, but my question is vendor-independent). As we looked deeper into the RFC (https://www.rfc-editor.org/rfc/rfc5114#section-4), we couldn't wrap our heads around the relation between used Diffie Hellmann group and cryptographic keys. For both phases of IPSec, you need to define a DH group and a symmetric cryptographic key algorithm (e.g. AES-256 and SHA-512). In my understanding, the DH exchange is just the basis for a secure channel which then "discusses" about the final symmetric keys. From reading the RFC, it feels like I need to pick a certain DH group to enable a certain symmetric key length at all. Is there a direct dependency between the DH group and the selected key algorithm or are these - as the configuration mask implies - completely unrelated things? What is your understanding here? Extract: Quote Security Considerations The strength of a key derived from a Diffie-Hellman exchange using any of the groups defined here depends on the inherent strength of the group, the size of the exponent used, and the entropy provided by the random number generator used. The groups defined in this document were chosen to make the work factor for solving the discrete logarithm problem roughly comparable to an attack on the subgroup. Using secret keys of an appropriate size is crucial to the security of a Diffie-Hellman exchange. For modular exponentiation groups, the size of the secret key should be equal to the size of q (the size of the prime order subgroup). For elliptic curve groups, the size of the secret key must be equal to the size of n (the order of the group generated by the point g). Using larger secret keys provides absolutely no additional security, and using smaller secret keys is likely to result in dramatically less security. (See [NIST80056A] for more information on selecting secret keys.) When secret keys of an appropriate size are used, an approximation of the strength of each of the Diffie-Hellman groups is provided in the table below. For each group, the table contains an RSA key size and symmetric key size that provide roughly equivalent levels of security. This data is based on the recommendations in [NIST80057]. GROUP | SYMMETRIC | RSA -------------------------------------------+------------+------- 1024-bit MODP with 160-bit Prime Subgroup | 80 | 1024 2048-bit MODP with 224-bit Prime Subgroup | 112 | 2048 2048-bit MODP with 256-bit Prime Subgroup | 112 | 2048 192-bit Random ECP Group | 80 | 1024 224-bit Random ECP Group | 112 | 2048 256-bit Random ECP Group | 128 | 3072 384-bit Random ECP Group | 192 | 7680 521-bit Random ECP Group | 256 | 15360 Best, Chris Link to comment Share on other sites More sharing options...
karlyeurl Posted November 17, 2022 Share Posted November 17, 2022 (edited) Hi Chris, The RFC describes a DH key derivation, which is a means for both parties to derive a shared secret only by knowing the other party's public key. Each party basically¹ computes the following: symmetric_key = their_public_key^my_private_key mod p Both get the same symmetric_key. The choice of the symmetric algorithm which will use that secret key to encrypt the data is yours, but the symmetric key size is "fixed" by the computation. Using a larger key size will be the same as if you padded the secret key, and using a smaller key size truncates it, reducing the strength of the encryption. ¹ The derivation is quite different when using elliptic curves, but modular exponentiation was the "original" example. Edited November 17, 2022 by karlyeurl 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now