11-04-2012 06:42 PM
There are some folks saying that SHA1 (160 bit) should not be used any longer on IPSEC implementations since it is broken.
Can anybody comment on this? For phase 2 there is sha1 + hmac(cannot be broken yet), what about Phase1?
Whole world is still running IKE v1 VPN IPSEC using SHA1 hash.
11-04-2012 07:13 PM
Hi Ruterford,
Indeed IKEv1 security has been improved by IKEv2.
In order to have some more secure algorithms, then you will need to consider IKEv2, an ASA running 8.4 or later should give the following integrity algorithms:
ciscoasa(config)# crypto ikev2 policy 10
ciscoasa(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
IKEv1 does not only support SHA1.
Thanks.
Portu.
Please rate any helpful posts
11-05-2012 06:05 AM
Portu, it is all clear that IKEv2 provides improvements on IKE v1.
But your reply does not answer my question.
Can SHA1 be cracked on IPSEC implementation on Phase 1 and Phase 2 currently?
11-05-2012 08:46 AM
to answer that question you need to know what hashing is doing in IPsec.
It's not that algorithm cannot be broken (altough I still need to see a real-time attack).
Have a look at IPsec (ESP, most commony used) header structure.
You can even find it out on wikipedia:
http://en.wikipedia.org/wiki/IPsec
EVEN if you're able to break the integrity check, you are still going to face problem encrypting spoofing the actual payload.
M.
11-05-2012 10:37 AM
Thanks Marcin.
Is SHA 256, as well as groups higher than DH-group 5 (like 14, 16)supported on ASA only with IKEv2?
I know that IOS supports SHA256 and Group 14, 16 on IKEv1, but it looks like ASA only supports them with IKEv2.
11-05-2012 11:55 AM
In practice suite-B etc. has been only added for IKEv2.
Check.
http://tools.ietf.org/html/rfc6379
and
http://www.nsa.gov/ia/programs/suiteb_cryptography/
You will notice that while in theory there is no reason for IKEv1 not to implement those "new" algorithms it's with IKEv2 they are required to be accredited.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide