cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1794
Views
10
Helpful
6
Replies

commonly used Diffie-Hellman primes risk

chengl031
Beginner
Beginner

Hi,

 

We have a FPR1010 device with FTD image and manage by FDM.

A risk was found in VPN service (outside interface and port 443) that it's using a commonly used Diffie-Hellman primes for SSL key exchange. How can I change that DH primes?

 

The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker can spend a significant amount of time to generate a lookup/rainbow table for a particular prime number. This lookup table can then be used to obtain the shared secret for the handshake and decrypt the session.

 

Thanks!

6 Replies 6

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@chengl031 

您需要升级到 FDM 7.0 版,该版本现在支持更改远程访问 VPN 的 SSL 密码设置。

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html

 

Which should translate to - "You will need to upgrade to FDM 7.0, which now supports changing SSL cipher settings for remote access VPN."

 

 

 

 

是的,我们使用的是7.0.0.1-15,ssl密码设置好像只是更改cipher和协议,dh素数不知道怎么搞

这会更改 DH(Diffie Hellman)设置

 

This changes the DH (Diffie Hellman) settings

 

111111.PNG

Yes, but this can not fix the risk of commonly DH primes. We already set to 15 and 21.

Hello,

Were you able to resolve this issue. We are using FMC to manage FTD and getting the same issue while doing network security scan from outside.

Thanks

 

Just disable insecure ssl cipher. We only use:ECDHE_RSA_AES256_GCM_SHA384

ECDHE will not use the dh primes, so we can avoid the risk
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers