How to a unique Diffie-Hellman moduli of 2048 bits or greater.


Hi team,

A recent vulnerability scan has detected the below vulnerabilities in our Stealthwatch device (Lancope):

"The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits"

And they have provided the solution as "Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater."

I have been working with TAC for a week but have received no positive suggestion yet. Can someone help me get this VA closed? Any suggestion would be much appreciated.

Stealthwatch version is 6.10.3 (SMC and FC).


Re: How to a unique Diffie-Hellman moduli of 2048 bits or greater.

Hi @Mohammed Saleem,


I found this in this link:


Diffie-Hellman—A public-key cryptography protocol that allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys. It supports 768-bit (the default), 1024-bit, 1536-bit, 2048-bit, 3072-bit, and 4096-bit DH groups. It also supports a 2048-bit DH group with a 256-bit subgroup, and 256-bit and 384-bit elliptic curve DH (ECDH). Cisco recommends using 2048-bit or larger DH key exchange, or ECDH key exchange.


Step 7

group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}

Router(config-isakmp)# group 14

Specifies the Diffie-Hellman (DH) group identifier.

  • By default, DH group 1 is used.
    • 1—768-bit DH (No longer recommended.)
    • 2—1024-bit DH (No longer recommended)
    • 5—1536-bit DH (No longer recommended)
    • 14—Specifies the 2048-bit DH group.
    • 15—Specifies the 3072-bit DH group.
    • 16—Specifies the 4096-bit DH group.
    • 19—Specifies the 256-bit elliptic curve DH (ECDH) group.
    • 20—Specifies the 384-bit ECDH group.
    • 24—Specifies the 2048-bit DH/DSA group.

The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Group 14 or higher (where possible) can be selected to meet this guideline. Even if a longer-lived security method is needed, the use of Elliptic Curve Cryptography is recommended, but group 15 and group 16 can also be considered.


I hope this can help you.


