Vyatta documentation

Diffie-Hellman groups

Diffie-Hellman key exchange is a cryptographic protocol for securely exchanging encryption keys over an insecure communications channel, such as the Internet. Diffie-Hellman key exchange was developed in 1976 by Whitfield Diffie and Martin Hellman. It is based on two facts.

  • Asymmetric encryption algorithms are much more secure than symmetric algorithms, which require that two parties exchange secret keys in advance.
  • However, asymmetric algorithms are much slower and much more computationally expensive than symmetric algorithms.

In a Diffie-Hellman key exchange, asymmetric cryptography is used at the outset of the communication (IKE Phase 1) to establish a shared key. After the key has been exchanged, it can then be used symmetrically to encrypt subsequent communications (IKE Phase 2).

Diffie-Hellman key exchange uses a group of standardized, globally unique prime numbers and generators to provide secure asymmetric key exchange. The original specification of IKE defined four of these groups, called Diffie-Hellman groups or Oakley groups. Since then, additional groups have been added.

The vRouter supports the following Diffie-Hellman groups. Groups 19 and 20, introduced with IKEv2, are based on elliptic curve cryptography and provide higher security than the other groups, which are modular exponentiation (MODP) groups.

Table 1. Supported Diffie-Hellman groups

| Diffie-Hellman Group | Description |
|---|---|
| 2 | MODP with a 1024-bit modulus. |
| 5 | MODP with a 1536-bit modulus. |
| 14 | MODP with a 2048-bit modulus. |
| 15 | MODP with a 3072-bit modulus. |
| 16 | MODP with a 4096-bit modulus. |
| 17 | MODP with a 6144-bit modulus. |
| 18 | MODP with an 8192-bit modulus. |
| 19 | 256-bit elliptic curve group. |
| 20 | 384-bit elliptic curve group. |
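
The following Python example is an addition to this page, not Vyatta code or the vRouter's implementation. It rebuilds the standardized group 14 prime and runs the exchange described above, with each side validating the peer's public value before deriving the shared key. The prime formula, the constant 124476 and the generator 2 are taken from RFC 3526 rather than from this page, and all function names are illustrative.

```python
import secrets

# Assumption: 2048-bit MODP group (group 14) as published in RFC 3526:
# p = 2^2048 - 2^1984 - 1 + 2^64 * (floor(2^1918 * pi) + 124476), generator 2.
G = 2
GUARD = 64  # extra fixed-point bits so truncation error never reaches the floor


def arctan_inv(x, scale):
    """Fixed-point arctan(1/x) * scale via the alternating Taylor series."""
    total = term = scale // x
    k, sign = 1, -1
    while term:
        term //= x * x
        total += sign * (term // (2 * k + 1))
        k, sign = k + 1, -sign
    return total


def group14_prime():
    scale = 1 << (1918 + GUARD)
    # Machin's formula: pi = 16*arctan(1/5) - 4*arctan(1/239)
    pi_fixed = 16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)
    return 2**2048 - 2**1984 - 1 + 2**64 * ((pi_fixed >> GUARD) + 124476)


P = group14_prime()
Q = (P - 1) // 2  # P is a safe prime, so the usable subgroup has prime order Q


def keypair():
    priv = secrets.randbelow(Q - 2) + 2   # private exponent in [2, Q-1]
    return priv, pow(G, priv, P)


def shared_secret(own_priv, peer_pub):
    # Reject values outside (1, P-1) and values not in the order-Q subgroup;
    # 0, 1 and P-1 would force the secret into a trivially guessable set.
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, own_priv, P)


def demo():
    a_priv, a_pub = keypair()             # initiator
    b_priv, b_pub = keypair()             # responder
    return shared_secret(a_priv, b_pub) == shared_secret(b_priv, a_pub)


if __name__ == "__main__":
    print("prime starts:", hex(P)[:34], "| secrets match:", demo())
```

Only the public values cross the network; in IKE the resulting shared secret is then fed into key derivation rather than used directly as a symmetric key.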