Vyatta Network OS Documentation


Diffie-Hellman groups

Diffie-Hellman key exchange is a cryptographic protocol for securely exchanging encryption keys over an insecure communications channel, such as the Internet. Diffie-Hellman key exchange was developed in 1976 by Whitfield Diffie and Martin Hellman. It is based on two facts.

  • Asymmetric encryption algorithms are much more secure than symmetric algorithms, because symmetric algorithms require the two parties to exchange secret keys in advance.
  • However, asymmetric algorithms are much slower and far more computationally expensive than symmetric algorithms.

In a Diffie-Hellman key exchange, asymmetric cryptography is used at the outset of the communication (IKE Phase 1) to establish a shared key. Once the key has been exchanged, it is used as a symmetric key to encrypt the subsequent communications (IKE Phase 2).

Diffie-Hellman key exchange uses standardized, globally unique sets of prime moduli and generators to provide a secure asymmetric key exchange. The original specification of IKE defined four of these sets, called Diffie-Hellman groups or Oakley groups. Since then, additional groups have been added.

The vRouter supports the following Diffie-Hellman groups. Groups 19 and 20, introduced with IKEv2, are based on elliptic curve cryptography and provide higher security than the modular exponentiation (MODP) groups.

Table 1. Supported Diffie-Hellman groups

  Diffie-Hellman group   Description
  2                      MODP with a 1024-bit modulus.
  5                      MODP with a 1536-bit modulus.
  14                     MODP with a 2048-bit modulus.
  15                     MODP with a 3072-bit modulus.
  16                     MODP with a 4096-bit modulus.
  17                     MODP with a 6144-bit modulus.
  18                     MODP with an 8192-bit modulus.
  19                     256-bit elliptic curve group.
  20                     384-bit elliptic curve group.
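As an added illustration of what a Diffie-Hellman group supplies (this is example code written for this page, not vRouter code), the Python below runs an exchange over group 14 from the table, checks that the group's modulus is a safe prime, and validates the peer's public value before using it. The prime is the RFC 3526 group 14 value with generator 2; the function names are this example's own.

```python
import secrets
# Group 14 from the table: the 2048-bit MODP prime of RFC 3526 with g = 2. p is a
# safe prime (q = (p-1)/2 is also prime), so any 1 < g < p-1 has order q or 2q.
GROUP14_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
GROUP14_G = 2

def is_probable_prime(n, rounds=8):
    """Miller-Rabin test, enough to sanity-check a group modulus."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime_group(p, g):
    """True when p and (p-1)/2 are prime and g is neither 1 nor p-1."""
    return 1 < g < p - 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def peer_value_is_valid(y, p):
    """Public values 0, 1 and p-1 force a trivial shared secret; refuse them."""
    return 1 < y < p - 1

def dh_keypair(p=GROUP14_P, g=GROUP14_G):
    """Random 256-bit private exponent x and the public value g^x mod p to send."""
    x = 2 + secrets.randbelow((1 << 256) - 2)
    return x, pow(g, x, p)

def dh_shared_secret(own_private, peer_public, p=GROUP14_P):
    """Both sides obtain g^(xy) mod p; IKE then feeds this into its PRF."""
    if not peer_value_is_valid(peer_public, p):
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, own_private, p)
```

The raw shared secret is never used as a key directly; IKE derives the symmetric keys from it with a PRF, which this example leaves out.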