Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
429
Views
0
Helpful
4
Replies

Diffie-Hellman

karl.jones
Level 1
Level 1

‎01-20-2003 02:20 PM - edited ‎03-09-2019 01:45 AM

Hi

I read this in a book, not sure how correct it is, just wondering if someone could advise.

~~~~~~~~~~~~~~~~~~~~~~~~

The DH is used to protect the IPSec tunnel setup process. The DH tunnel is used to encrypt the IPSec negotiations that are required before the tunnel can come up. Several strengths of the DH are available, but most cisco devices support only the two weakest types called group 1(768 bit enc) and group 2 (1024-bit enc). With the approval of the new AES encryption standard, the IETF is working on increasing DH to 8192 bits.

~~~~~~~~~~~~~~~~~~~~~~~~

With regards to the last line, does this mean that vpn setup is possibly compromisable or totally secure. Is cisco planning to support the AES encryption standard.

I also read this with regards to data IPSec encryption.

~~~~~~~~~~~~~~~~~~~~~~~~

Cisco has indicated support for AES and has started integrating it into some products.

~~~~~~~~~~~~~~~~~~~~~~~~

Again does this mean that 3DES can be compromised. Any ideas on when the new standard will be available. I am just trying to identify any possible weakness's.

Best regards

Labels:
0 Helpful
4 Replies 4

gfullage
Cisco Employee
Cisco Employee

‎01-21-2003 08:39 PM

DH Group 5 (1536 bit) was introduced way back in 12.1 code for client connections.

AES was introduced in 12.2(13)T code, see this http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ft_aes.htm. You can use DH group 5 (1536 bit) with this also.

Even with DH 1 or 2 it's still nigh on impossible to decrypt a packet without a Cray supercomputer and a whole lot of spare time. Always choose 3DES over DES though.

0 Helpful

karl.jones
Level 1
Level 1
In response to gfullage

‎01-22-2003 01:01 AM

Thankyou for reply, what about the pix, any support for DH group 5 in the future?

I beleive AES 256k data encryption is available for the vpn 3000's and as u mention on the routers 12.2(13)T, any idea when this will be supported on the pix's. How secure is 3des? - is it breakable.?.

Best regards

0 Helpful

pdentico
Level 1
Level 1
In response to karl.jones

‎01-22-2003 08:45 AM

I don't know when the Pix will follow, but I'm sure it won't be too far behind the IOS versions.

As far as how secure 3DES is... well I wouldn't worry about that anytime in the next several years.

AES is also much faster in comparison to 3DES, Which is one of its reasons for the change.

0 Helpful

karl.jones
Level 1
Level 1
In response to pdentico

‎01-22-2003 08:49 AM

Thanks for that

0 Helpful
Customers Also Viewed These Support Documents