Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Diffie-Hellman

Hi

I read this in a book, not sure how correct it is, just wondering if someone could advise.

~~~~~~~~~~~~~~~~~~~~~~~~

The DH is used to protect the IPSec tunnel setup process. The DH tunnel is used to encrypt the IPSec negotiations that are required before the tunnel can come up. Several strengths of the DH are available, but most cisco devices support only the two weakest types called group 1(768 bit enc) and group 2 (1024-bit enc). With the approval of the new AES encryption standard, the IETF is working on increasing DH to 8192 bits.

~~~~~~~~~~~~~~~~~~~~~~~~

With regards to the last line, does this mean that vpn setup is possibly compromisable or totally secure. Is cisco planning to support the AES encryption standard.

I also read this with regards to data IPSec encryption.

~~~~~~~~~~~~~~~~~~~~~~~~

Cisco has indicated support for AES and has started integrating it into some products.

~~~~~~~~~~~~~~~~~~~~~~~~

Again does this mean that 3DES can be compromised. Any ideas on when the new standard will be available. I am just trying to identify any possible weakness's.

Best regards

  • Other Security Subjects
4 REPLIES
Cisco Employee

Re: Diffie-Hellman

DH Group 5 (1536 bit) was introduced way back in 12.1 code for client connections.

AES was introduced in 12.2(13)T code, see this http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ft_aes.htm. You can use DH group 5 (1536 bit) with this also.

Even with DH 1 or 2 it's still nigh on impossible to decrypt a packet without a Cray supercomputer and a whole lot of spare time. Always choose 3DES over DES though.

New Member

Re: Diffie-Hellman

Thankyou for reply, what about the pix, any support for DH group 5 in the future?

I beleive AES 256k data encryption is available for the vpn 3000's and as u mention on the routers 12.2(13)T, any idea when this will be supported on the pix's. How secure is 3des? - is it breakable.?.

Best regards

New Member

Re: Diffie-Hellman

I don't know when the Pix will follow, but I'm sure it won't be too far behind the IOS versions.

As far as how secure 3DES is... well I wouldn't worry about that anytime in the next several years.

AES is also much faster in comparison to 3DES, Which is one of its reasons for the change.

New Member

Re: Diffie-Hellman

Thanks for that

248
Views
0
Helpful
4
Replies