Site-to-Site VPNs with Diffie-Hellman Group 14

When talking about VPNs it is almost always clear that they are encrypted. However, it is not so clear on which security level a VPN is established. Since the Perfect Forward Secrecy (PFS) values of “DH group 5” etc. do not clearly specify the “bits of security”, it is a misleadingly assumption that the security is 256 bits due to the symmetric AES-256 cipher. It is not! Diffie-Hellman group 5 has only about 89 bits of security…

Therefore, common firewalls implement DH group 14 which has a least a security level of approximately 103 bits. I tested such a site-to-site VPN tunnel between a Palo Alto and a Juniper ScreenOS firewall which worked without any problems.

Bits of Security

The traffic over a VPN is encrypted with a symmetric cipher such as AES, but the encryption key is generated with an asymmetric cipher such as Diffie-Hellman. An attacker who captures the complete traffic of a VPN might be able to brute-force the used keys of this Diffie-Hellman key exchange OR he could do a brute-force attack of the encrypted traffic with AES. Of course he would do that attack on the weaker cipher, i.e., on DH and not on AES.

On this Crypto++ wiki, a table that lists the bits of security for different symmetric and asymmetric functions can be found, taken from this PDF file from NIST on p. 64. Another resource is the ECRYPT2 Yearly Report on Algorithms and Keysizes (2010) which has the following (lower) values on p. 30:

  • DH with 1024 bits (group 2) has 73 bits of security
  • DH with 1536 bits (group 5) has 89 bits of security
  • DH with 2048 bits (group 14) has 103 bits of security

That is: If a really secure VPN connection is needed, the phase 1 and phase 2 parameters should use at least Diffie-Hellman group 14 to gain 103 bits of security. Furthermore, at least AES-128 can be used, which has a security of almost 128 bits. However, since AES-256 can be used without any troubles, I don’t know why AES-128 should be used instead (except high CPU load issues).

Test VPN Palo <-> Juniper

While I expect that such VPN settings between firewalls of the same vendor work without any problems, I configured DH group 14 with AES-256 and SHA-256 (also new, instead of SHA-1) for both IKE and IPsec (ESP) on my test VPN between a Palo Alto PA-200 (6.0.1) and a Juniper SSG 5 (6.3.0r16a.0) firewall. It worked. 😉

Here is an appropriate listing from the Palo Alto firewall that shows these correct values for the VPN (DH14/…):

 

And similarly, two Juniper listings (grp14/…):

 

I also tried to configure group 14 values on my VPNs to a Cisco ASA 5505 (9.1(4)) firewall, but an error message said that DH14 is only supported on IKEv2. Hm. Maybe the two other vendors implemented it on their own, or Cisco did not want to implement it for IKEv1. I don’t know.

Further Reading

Leave a Reply

Your email address will not be published. Required fields are marked *