cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
390934
Views
64
Helpful
17
Comments
Tim Glen
Cisco Employee
Cisco Employee

Diffie-Hellman (DH) allows two devices to establish a shared secret over an unsecure network. In terms of VPN it is used in the in IKE or Phase1 part of setting up the VPN tunnel.  

There are multiple Diffie-Hellman Groups that can be configured in an IKEv2 policy on a Cisco ASA running 9.1(3). In Nov 2016 ASA 9.6(x) is available and there are no new changes to the DH Groups.

 

Diffie-Hellman group 1  -  768 bit modulus  - AVOID
Diffie-Hellman group 2  - 1024 bit modulus  - AVOID
Diffie-Hellman group 5  - 1536 bit modulus  - AVOID
Diffie-Hellman group 14 - 2048 bit modulus – MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256 bit elliptic curve – ACCEPTABLE
Diffie-Hellman group 20 - 384 bit elliptic curve – Next Generation Encryption
Diffie-Hellman group 21 - 521 bit elliptic curve – Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup – Next Generation Encryption

 

Algorithms marked as AVOID do not provide an adequate security level against modern threats and should not be used to protect sensitive information. It is recommended that these algorithms be replaced with stronger algorithms.

Next Generation Encryption (NGE) is expected to meet the security and scalability requirements of the next two decades.

If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 5, 14, 19, 20 or 24.    If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21 or 24.

 

 

This information has been compiled from:

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

 

 

Comments
ROBERTO TACCON
Level 4
Level 4
Please also note/check the security concerns vs the HADWARE supported/performance on the ASAs: Hardware and or Software only supported on single or multi-core platforms (check with the TAC)
 
http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/qa_c67-712934.html
Q. Is next generation encryption available on all ASA platforms?
A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.
 
asteffek4
Community Member

the statement about using DH5 as "ok" if the enc is using 128bit key is not accurate. the enc doesnt matter, the issue is in DH5, it's too weak to protect keys regardless of key size, period. there are some Cisco documents out there suggesting that aes256 keys were too big for DH1/2/5 to protect properly, but that too is false. bottom line is, DH1/2/5 is the issue, not the enc algorithm.

abjohnson
Level 1
Level 1

Since DH5 is considered to weak. How would increase to a higher DH group with an IPsec tunnel that is already in production? Is there a newer IOS version that allows for higher DH?

Tim Glen
Cisco Employee
Cisco Employee

What version of IOS are you using and on what platform ? 


Typically DH Keys are configured in the IKE proposal, see below.

 

!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha512
group 24
!
abjohnson
Level 1
Level 1

Tim Glen,

This for a Cisco 5525 ASA: Software version 9.6(1).

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2

Tim Glen
Cisco Employee
Cisco Employee


This IKE change would need to take place on this ASA and the other end(s) of the tunnel.  Changing this would be disruptive so make these changes during a maintenance window. 

Changing integrity to sha512 strengthens the ESP integrity.

Right now with group 5 you have a 1536 bit DH key, this is considered weak.
Changing group to 24 will configure the ASA to use the strongest ECDH key possible.

!
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 24
!


After the tunnel comes back up you can verify that you are using a strong DH Key by running sho crypto isakmp sa and looking for 'Hash: SHA512, DH Grp:24'.

Hope this helps. Pleae rate helpful responses.

iai-admins
Level 1
Level 1

I appreciate the info on newer DH groups for ASA. I also find the following IBM document helpful:

IBM z/OS IPSec Documentation - quote from article follows

"Guideline: If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 5,14,19,20, or 24. If you are using encryption or authentication algorithms with a key length of 256 bits or greater, use Diffie-Hellman group 21."

This seems to match the ordering of DH groups when specified together in the same IKEv2 policy in an ASA config: group 21 20 19 24 14 5

Notice that it appears the ASA prefers DH Groups 21 through 19 over 24 - perhaps because they are more standard elliptic curve groups while group 24 is an exotic extension to older style "Modular exponentiation group?"

Based on this group ordering within ASA ikev2 policy it looks like the ASA may "do the right thing" and choose group 21 over 24 if they appear in the same policy "group" line? This also makes it appear that network engineers should consider eliminating group 24 from the device config completely if it is not a preferred Diffie Hellman group?

abjohnson
Level 1
Level 1

Yes Tim, this was very helpful. Thanks.

john.pan.s
Level 1
Level 1

I have a question. what is the default DH group on site to site VPN ? As I checked on my ASDM it was 2 but I want to be sure.

Tim Glen
Cisco Employee
Cisco Employee

According to the ASA documentation the default DH group is 2.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/gh.html

Please rate helpful posts.

mthomas
Community Member

What is meant by "partial support" on the ASA 5510? On a 5510 with OS version 9.1(6) it appears that groups 1, 2, and 5 are still the only diffie hellman groups available when looking at the IKEv2 policies through the ASDM. Or am I missing something?

cmedra
Level 1
Level 1

ASDM only displays groups 1, 2, and 5 but you can use the newer DH groups by configuring the IKEv2 policies through the CLI.  Tim Glen posted the appropriate commands above, and they do work on ASA5510 running 9.1.7.  Not sure about previous versions of 9.1.

Hello,

We have an ASA5506X running 9.6.1.

We are currently running a VPN tunnel using: Ikev1 with AES-256, SHA1, and DH 2, and it runs very well.

We are considering changing the config, at the request of the company at the other end of the VPN tunnel, to use: ikev2 with AES-256, SHA256, and DH20.

 

Can anyone tell me if the CPU has enough performance to support this?

 

Your help is appreciated.

 

 

matty-boy
Level 1
Level 1

Just stumbled on this, it's an interesting read: https://tools.ietf.org/html/rfc8247#section-2.4

Seems to suggest using group 14 for standard DH or group 19 for ECDH. Everything else should be avoided if possible.

Hi Matty, thanks for this, it is an excellent document, however it does not specifically address DH20, which is what our partner wants to deploy, however everything I’ve read considers DH20 to be safe, just hoping the CPU on a ASA5506X can handle it.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: