Cisco Support Community

Encryption algorithms such as DES /3DES

In reading about Diffie Hellman Exchanges and Symmetric Encryption between Cisco Routers, and studying Cisco IOS architecture white papers, I noticed that the two large prime numbers used on Cisco Routers for the Diffie-Hellman Key Exchange(s) (which generates keying material for symmetric encryption algorithms such as DES and 3DES) are hard-coded on the devices. That got me a little excited. But I'm not sure if this is possible mathematically, as the modulus function truncates the original value prior to exchanging it over the wire.

Could somebody clarify if these large prime values differ from router to router?

Also, if it turns out that they are, in fact, hard-coded (and accessible), wouldn't that give you access to the same mechanism (DH) that generates the keying material for the encryption engine, and thereby decode transmissions between devices using your locally generated key?

Does the modulus function eliminate this type of attack? And with SA lifetimes being 86,400 seconds, that gives you 24 hours to crack sessions.

Maybe I'm thinking about this too much.

Thanks for your thoughts


Re: Encryption algorithms such as DES /3DES
The prime number at each site has to be the same since the actual DH key is generated using this formula:

g^(XbXa) mod (p) = K

where Xa is the private key of site A and Xb the private key of site B

Kind Regards,
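The exchange described in the reply, as an added example that is not part of the original thread: the fixed prime p and generator g are public by design, and what keeps K secret is that each site's exponent (Xa, Xb) is freshly random and never sent. The group below is a constructed toy (p = 2^64 - 59, g = 2); the functions take any (p, g), so a real IKE MODP group can be substituted unchanged.

```python
import secrets
from hashlib import sha256

# Toy group, constructed for this example: p = 2**64 - 59 (a prime) with
# generator 2. IKE groups use fixed 1024-bit or larger MODP primes; the
# arithmetic below is identical for any such (p, g).
P = 2**64 - 59
G = 2


def private_exponent(p: int) -> int:
    """Fresh random secret X in [2, p-2]; this, not p or g, is what stays private."""
    return 2 + secrets.randbelow(p - 3)


def public_value(x: int, p: int = P, g: int = G) -> int:
    """Y = g^X mod p, the only value that crosses the wire."""
    return pow(g, x, p)


def check_peer_value(y: int, p: int = P) -> None:
    """Reject degenerate peer values (0, 1, p-1, out of range) that would collapse K."""
    if not 1 < y < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")


def shared_secret(x: int, peer_y: int, p: int = P) -> int:
    """K = peer_y^X mod p, which equals g^(Xa*Xb) mod p on both sides."""
    check_peer_value(peer_y, p)
    return pow(peer_y, x, p)


def derive_key(k: int, p: int = P) -> bytes:
    """Illustrative keying material: a hash of K (IKE uses its own PRF chain; simplified here)."""
    return sha256(k.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def dh_exchange(p: int = P, g: int = G) -> bool:
    """Run one exchange between sites A and B; return True if both derive the same key."""
    xa, xb = private_exponent(p), private_exponent(p)
    ya, yb = public_value(xa, p, g), public_value(xb, p, g)  # all an observer sees, besides p and g
    ka = shared_secret(xa, yb, p)   # site A: Yb^Xa mod p
    kb = shared_secret(xb, ya, p)   # site B: Ya^Xb mod p
    formula_ok = ka == pow(g, xa * xb, p)  # the g^(XbXa) mod p form from the reply
    return formula_ok and derive_key(ka, p) == derive_key(kb, p)
```

Knowing p and g alone does not let an observer compute K; recovering it would require solving the discrete logarithm of Ya or Yb in the group, which is why the group size, not the secrecy of p, sets the security level.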