DH group and encryption key

MrBeginner
Enthusiast

Hi,

I found a document and a website that said: "If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 14, 19, 20. If you are using encryption or authentication algorithms with a 256-bit key or higher."

So please let me know, is it correct? Why?

I also want to know: if IKE phase 1 uses a 128-bit key length (AES-128, SHA-128) and phase 2 uses 256 (AES-256, SHA-256), what will happen? Can I do that?

1 Reply

Rob Ingram
VIP Master

@MrBeginner, are you referring to this guide: https://community.cisco.com/t5/security-knowledge-base/diffie-hellman-groups/ta-p/3147010, which states: "If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 5, 14, 19, 20 or 24. If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21 or 24"?

I'd go along with that advice, as they are Next Generation Encryption (NGE) algorithms.

Generally you would not configure weaker algorithms for Phase 1 and stronger for Phase 2; keep them the same. Use NGE algorithms: AES-GCM, DH group 21 and, if required, PFS.

Refer to the Cisco live presentation - BRKSEC-3005.
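As an added illustration of the advice in the reply above (this is an example written for this thread, not Rob's configuration and not taken from the Cisco guide or the BRKSEC-3005 deck), here is an IOS XE IKEv2/IPsec configuration that keeps Phase 1 and Phase 2 at matching NGE strength, placed beside the 128-bit Phase 1 / 256-bit Phase 2 split the question asks about. All object names (MISMATCH-PROPOSAL, NGE-PROPOSAL, NGE-TS, NGE-IKEV2-PROFILE and so on) are placeholders chosen here; the keyring, peer addresses, IKEv2 profile body and tunnel interface a complete deployment needs are left out.

```cisco
! --- Mismatched: the split the question describes. IOS accepts it
! without complaint (the IKEv2 proposal and the transform set are not
! cross-checked), but the 256-bit ESP keys are derived from IKE SA key
! material that is only 128-bit strength (AES-128 with group 14), so
! the tunnel is bounded by Phase 1; Phase 2 does not raise it.
crypto ikev2 proposal MISMATCH-PROPOSAL
 encryption aes-cbc-128
 integrity sha256
 group 14
!
crypto ikev2 policy MISMATCH-POLICY
 proposal MISMATCH-PROPOSAL
!
crypto ipsec transform-set MISMATCH-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

! --- Matched NGE: Phase 1 and Phase 2 at the same 256-bit strength.
! AES-GCM is an AEAD cipher, so the proposal carries no separate
! integrity algorithm; the PRF is set instead. Group 21 (P-521 ECP)
! gives roughly 256-bit DH strength, matching AES-256.
crypto ikev2 proposal NGE-PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 21
!
crypto ikev2 policy NGE-POLICY
 proposal NGE-PROPOSAL
!
crypto ipsec transform-set NGE-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile NGE-IPSEC-PROFILE
 set transform-set NGE-TS
 ! PFS: Phase 2 runs its own DH exchange at the same strength as Phase 1
 set pfs group21
 ! NGE-IKEV2-PROFILE (placeholder) must be defined separately
 set ikev2-profile NGE-IKEV2-PROFILE
```

Two caveats on the numbers. Group 14 is 2048-bit MODP, which NIST SP 800-57 rates at about 112 bits, so strictly it sits a little below an AES-128 key; group 19 (P-256) is the group that matches 128-bit keys exactly, and group 21 (P-521) is what matches 256-bit keys, which is why the guide and the reply point at it. And `set pfs` is what makes Phase 2 do a fresh DH rather than derive its keys only from the Phase 1 SK_d, so if you do enable PFS, give it the same group as the IKEv2 proposal rather than a weaker one.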
