Diffie-Hellman key exchange is a cryptographic protocol for securely exchanging encryption keys over an insecure communications channel, such as the Internet. Diffie-Hellman key exchange was developed in 1976 by Whitfield Diffie and Martin Hellman. It is based on two facts.
- Asymmetric encryption algorithms are much more secure than symmetric algorithms, which require that two parties exchange secret keys in advance.
- However, asymmetric algorithms are much slower and much more computationally expensive than symmetric algorithms.
In a Diffie-Hellman key exchange, asymmetric cryptography is used at the outset of the communication (IKE Phase 1) to establish a shared key. After the key has been agreed, it is used with a symmetric algorithm to encrypt subsequent communications (IKE Phase 2).
Diffie-Hellman key exchange uses a set of standardized, globally unique prime moduli and generators to provide secure asymmetric key exchange. The original IKE specification defined four of these groups, called Diffie-Hellman groups or Oakley groups. Since then, additional groups have been added.
The vRouter supports the following Diffie-Hellman groups. Groups 19 and 20, introduced with IKEv2, are based on elliptic curve cryptography and provide higher security than the modular exponentiation (MODP) groups.
| Group | Description |
|---|---|
| 2 | MODP with a 1024-bit modulus. |
| 5 | MODP with a 1536-bit modulus. |
| 14 | MODP with a 2048-bit modulus. |
| 15 | MODP with a 3072-bit modulus. |
| 16 | MODP with a 4096-bit modulus. |
| 17 | MODP with a 6144-bit modulus. |
| 18 | MODP with an 8192-bit modulus. |
| 19 | 256-bit elliptic curve group. |
| 20 | 384-bit elliptic curve group. |
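A worked example of the exchange itself using MODP group 14 from the table, added here as illustration and not taken from the vRouter or from IKE's implementation. The 2048-bit prime is transcribed from RFC 3526 (generator 2), and deriving the symmetric key as SHA-256 of the shared secret is a simplification of IKE's actual key derivation; the `valid_public_value` check is the range and subgroup test a careful implementation applies to a peer's value.

```python
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
# Transcribed from the RFC; a correct transcription has 2048 bits and
# 2 generates the prime-order subgroup (pow(2, Q, P) == 1).
P_HEX = """
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1
29024E088A67CC74020BBEA63B139B22514A08798E3404DD
EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245
E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D
C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F
83655D23DCA3AD961C62F356208552BB9ED529077096966D
670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9
DE2BCBF6955817183995497CEA956AE515D2261898FA0510
15728E5A8AACAA68FFFFFFFFFFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
Q = (P - 1) // 2   # p is a safe prime, so g = 2 generates a subgroup of prime order q

def keypair():
    """Private exponent x in [2, q-1] and public value g^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)

def valid_public_value(y):
    """Reject out-of-range and small-subgroup values before using a peer's public value."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1

def shared_key(x, peer_y):
    """Symmetric key from the DH shared secret (simplified KDF: SHA-256 of the fixed-width secret)."""
    if not valid_public_value(peer_y):
        raise ValueError("invalid Diffie-Hellman public value")
    z = pow(peer_y, x, P)
    return hashlib.sha256(z.to_bytes(P.bit_length() // 8, "big")).digest()

def demo():
    """Initiator and responder derive the same key from each other's public values."""
    xa, ya = keypair()          # initiator (Phase 1 exponent and public value)
    xb, yb = keypair()          # responder
    return shared_key(xa, yb) == shared_key(xb, ya)
```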