Diffie-Hellman groups
Diffie-Hellman key exchange is a cryptographic protocol for securely exchanging encryption keys over an insecure communications channel, such as the Internet. Diffie-Hellman key exchange was developed in 1976 by Whitfield Diffie and Martin Hellman. It is based on two facts.
- Asymmetric encryption algorithms are much more secure than symmetric algorithms, which require that two parties exchange secret keys in advance.
- However, asymmetric algorithms are much slower and much more computationally expensive than symmetric algorithms.
In a Diffie-Hellman key exchange, asymmetric cryptography is used at the outset of the communication (IKE Phase 1) to establish a shared key. After the key has been exchanged, it can then be used symmetrically to encrypt subsequent communications (IKE Phase 2).
Diffie-Hellman key exchange uses groups of standardized, globally unique prime moduli and generators to provide a secure asymmetric key exchange. The original IKE specification defined four of these groups, called Diffie-Hellman groups or Oakley groups; additional groups have been added since.
The vRouter supports the following Diffie-Hellman groups. Groups 19 and 20, introduced with IKEv2, are based on elliptic curve cryptography and provide higher security than the other modular exponentiation (MODP) groups.
| Diffie-Hellman Group | Description |
|---|---|
| 2 | MODP with a 1024-bit modulus. |
| 5 | MODP with a 1536-bit modulus. |
| 14 | MODP with a 2048-bit modulus. |
| 15 | MODP with a 3072-bit modulus. |
| 16 | MODP with a 4096-bit modulus. |
| 17 | MODP with a 6144-bit modulus. |
| 18 | MODP with an 8192-bit modulus. |
| 19 | 256-bit elliptic curve group. |
| 20 | 384-bit elliptic curve group. |
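As an added example (not part of the vRouter documentation), the following Python rebuilds the MODP primes listed in the table from their published definitions, checks that a rebuilt modulus is prime, and runs an exchange over group 14 with the peer-value range check a receiver should apply. Only the modulus sizes and offsets are RFC 2409/3526 constants; the function and variable names (`MODP_GROUPS`, `pi_fixed_point`, `dh_shared_secret`, and so on) are this example's own.

```python
import secrets
# group -> (modulus bits n, offset) from RFC 2409 (group 2) and RFC 3526 (5, 14-18);
# each prime is p = 2^n - 2^(n-64) - 1 + 2^64*(floor(2^(n-130)*pi) + offset), g = 2
MODP_GROUPS = {2: (1024, 129093), 5: (1536, 741804), 14: (2048, 124476), 15: (3072, 1690314),
               16: (4096, 240904), 17: (6144, 929484), 18: (8192, 4743158)}

def pi_fixed_point(bits, guard=64):
    """floor(pi * 2**bits), computed with Machin's formula in integer arithmetic."""
    one = 1 << (bits + guard)
    def arctan_inv(x):  # arctan(1/x) scaled by `one`, alternating series
        total, term, k, sign, x2 = 0, one // x, 1, 1, x * x
        while term:
            total += sign * (term // k)
            term, k, sign = term // x2, k + 2, -sign
        return total
    return (4 * (4 * arctan_inv(5) - arctan_inv(239))) >> guard

def modp_prime(group):
    """Prime modulus p of the given MODP group, rebuilt from its RFC definition."""
    n, offset = MODP_GROUPS[group]
    return (1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (pi_fixed_point(n - 130) + offset)

def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; a sanity check that a rebuilt modulus is prime."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(p, g=2):
    x = secrets.randbelow(p - 3) + 2  # private exponent in [2, p-2]
    return x, pow(g, x, p)            # (private, public value g^x mod p)

def dh_shared_secret(p, private, peer_public):
    """g^(xy) mod p; refuse degenerate peer values (0, 1, p-1 or out of range)."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value outside [2, p-2]")
    return pow(peer_public, private, p)
```

Groups 17 and 18 rebuild the same way but their Miller-Rabin rounds take noticeably longer in pure Python; the range check in `dh_shared_secret` is what stops a peer from forcing the shared secret to a known value such as 1.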