cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco announces new innovations in SD-WAN, ISRs, SD-WAN Services, and Catalyst 9000 Series switches


125
Views
0
Helpful
1
Replies
Highlighted

How to a unique Diffie-Hellman moduli of 2048 bits or greater.

 

Hi team,

A recent Vulnerability scan has detected the below Vulnerabilities in our stealth watch device(Lancope)

"The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits"

And they have provided solution as "Reconfigure the service to use a unique Diffie-Hellman moduli of 2048
bits or greater."

Am working with TAC since a week but no +ve suggestion received yet. Can some help me to get this VA closed . or Any suggestion would be much appreciated.

Stealthwatch Version is 6.10.3 SMC and FC .



1 REPLY
Rising star

Re: How to a unique Diffie-Hellman moduli of 2048 bits or greater.

Hi @Mohammed Saleem,

 

I found this in this link:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-mt/sec-ike-for-ipsec-vpns-15-mt-book/sec-key-exch-ipsec.html

 

Diffie-Hellman—A public-key cryptography protocol that allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys. It supports 768-bit (the default), 1024-bit, 1536-bit, 2048-bit, 3072-bit, and 4096-bit DH groups. It also supports a 2048-bit DH group with a 256-bit subgroup, and 256-bit and 384-bit elliptic curve DH (ECDH). Cisco recommends using 2048-bit or larger DH key exchange, or ECDH key exchange.

 

Step 7group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24


Example:
Router(config-isakmp)# group 14
 

Specifies the Diffie-Hellman (DH) group identifier.

  • By default, DH group 1 is used.
    • 1—768-bit DH (No longer recommended.)
    • 2—1024-bit DH (No longer recommended)
    • 5—1536-bit DH (No longer recommended)
    • 14—Specifies the 2048-bit DH group.
    • 15—Specifies the 3072-bit DH group.
    • 16—Specifies the 4096-bit DH group.
    • 19—Specifies the 256-bit elliptic curve DH (ECDH) group.
    • 20—Specifies the 384-bit ECDH group.
    • 24—Specifies the 2048-bit DH/DSA group.

The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Group 14 or higher (where possible) can be selected to meet this guideline. Even if a longer-lived security method is needed, the use of Elliptic Curve Cryptography is recommended, but group 15 and group 16 can also be considered.

 

I hope this can help you.

 

Regards

CreatePlease to create content
Content for Community-Ad
Blog-Cisco Community Designated VIP Dinner CLEUR2019