Diffie Hellman Groups

Tim Glen · ‎08-11-2014

Diffie-Hellman (DH) allows two devices to establish a shared secret over an unsecure network. In terms of VPN it is used in the in IKE or Phase1 part of setting up the VPN tunnel.

There are multiple Diffie-Hellman Groups that can be configured in an IKEv2 policy on a Cisco ASA running 9.1(3). In Nov 2016 ASA 9.6(x) is available and there are no new changes to the DH Groups.

Diffie-Hellman group 1 - 768 bit modulus - AVOID

Diffie-Hellman group 2 - 1024 bit modulus - AVOID

Diffie-Hellman group 5 - 1536 bit modulus - AVOID

Diffie-Hellman group 14 - 2048 bit modulus – MINIMUM ACCEPTABLE

Diffie-Hellman group 19 - 256 bit elliptic curve – ACCEPTABLE

Diffie-Hellman group 20 - 384 bit elliptic curve – Next Generation Encryption

Diffie-Hellman group 21 - 521 bit elliptic curve – Next Generation Encryption

Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup – Next Generation Encryption

Algorithms marked as AVOID do not provide an adequate security level against modern threats and should not be used to protect sensitive information. It is recommended that these algorithms be replaced with stronger algorithms.

Next Generation Encryption (NGE) is expected to meet the security and scalability requirements of the next two decades.

If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 5, 14, 19, 20 or 24. If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21 or 24.

This information has been compiled from:

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

ROBERTO TACCON · ‎08-15-2014

Please also note/check the security concerns vs the HADWARE supported/performance on the ASAs: Hardware and or Software only supported on single or multi-core platforms (check with the TAC)

http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/qa_c67-712934.html

Q. Is next generation encryption available on all ASA platforms?

A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.

asteffek4 · ‎10-02-2015

the statement about using DH5 as "ok" if the enc is using 128bit key is not accurate. the enc doesnt matter, the issue is in DH5, it's too weak to protect keys regardless of key size, period. there are some Cisco documents out there suggesting that aes256 keys were too big for DH1/2/5 to protect properly, but that too is false. bottom line is, DH1/2/5 is the issue, not the enc algorithm.

abjohnson · ‎10-20-2016

Since DH5 is considered to weak. How would increase to a higher DH group with an IPsec tunnel that is already in production? Is there a newer IOS version that allows for higher DH?

Tim Glen · ‎11-15-2016

What version of IOS are you using and on what platform ?

Typically DH Keys are configured in the IKE proposal, see below.

!
crypto ikev2 proposal IKEV2-PROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 24
!

abjohnson · ‎11-15-2016

Tim Glen,

This for a Cisco 5525 ASA: Software version 9.6(1).

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2

Tim Glen · ‎11-15-2016

This IKE change would need to take place on this ASA and the other end(s) of the tunnel. Changing this would be disruptive so make these changes during a maintenance window.

Changing integrity to sha512 strengthens the ESP integrity.

Right now with group 5 you have a 1536 bit DH key, this is considered weak.
Changing group to 24 will configure the ASA to use the strongest ECDH key possible.

!
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 24
!

After the tunnel comes back up you can verify that you are using a strong DH Key by running sho crypto isakmp sa and looking for 'Hash: SHA512, DH Grp:24'.

Hope this helps. Pleae rate helpful responses.

iai-admins · ‎12-15-2016

I appreciate the info on newer DH groups for ASA. I also find the following IBM document helpful:

IBM z/OS IPSec Documentation - quote from article follows

"Guideline: If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 5,14,19,20, or 24. If you are using encryption or authentication algorithms with a key length of 256 bits or greater, use Diffie-Hellman group 21."

This seems to match the ordering of DH groups when specified together in the same IKEv2 policy in an ASA config: group 21 20 19 24 14 5

Notice that it appears the ASA prefers DH Groups 21 through 19 over 24 - perhaps because they are more standard elliptic curve groups while group 24 is an exotic extension to older style "Modular exponentiation group?"

Based on this group ordering within ASA ikev2 policy it looks like the ASA may "do the right thing" and choose group 21 over 24 if they appear in the same policy "group" line? This also makes it appear that network engineers should consider eliminating group 24 from the device config completely if it is not a preferred Diffie Hellman group?

abjohnson · ‎12-16-2016

Yes Tim, this was very helpful. Thanks.

john.pan.s · ‎05-16-2017

I have a question. what is the default DH group on site to site VPN ? As I checked on my ASDM it was 2 but I want to be sure.

Tim Glen · ‎05-23-2017

According to the ASA documentation the default DH group is 2.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/gh.html

Please rate helpful posts.

mthomas · ‎06-08-2017

What is meant by "partial support" on the ASA 5510? On a 5510 with OS version 9.1(6) it appears that groups 1, 2, and 5 are still the only diffie hellman groups available when looking at the IKEv2 policies through the ASDM. Or am I missing something?

cmedra · ‎10-02-2017

ASDM only displays groups 1, 2, and 5 but you can use the newer DH groups by configuring the IKEv2 policies through the CLI. Tim Glen posted the appropriate commands above, and they do work on ASA5510 running 9.1.7. Not sure about previous versions of 9.1.

northtexasnetworks · ‎02-12-2019

Hello,

We have an ASA5506X running 9.6.1.

We are currently running a VPN tunnel using: Ikev1 with AES-256, SHA1, and DH 2, and it runs very well.

We are considering changing the config, at the request of the company at the other end of the VPN tunnel, to use: ikev2 with AES-256, SHA256, and DH20.

Can anyone tell me if the CPU has enough performance to support this?

Your help is appreciated.

matty-boy · ‎02-13-2019

Just stumbled on this, it's an interesting read: https://tools.ietf.org/html/rfc8247#section-2.4

Seems to suggest using group 14 for standard DH or group 19 for ECDH. Everything else should be avoided if possible.

northtexasnetworks · ‎02-13-2019

Hi Matty, thanks for this, it is an excellent document, however it does not specifically address DH20, which is what our partner wants to deploy, however everything I’ve read considers DH20 to be safe, just hoping the CPU on a ASA5506X can handle it.