Tag Archives: Bits of Security

Site-to-Site VPNs with Diffie-Hellman Groups 19 & 20 (Elliptic Curve)

Similar to my test with Diffie-Hellman group 14 shown here, I tested a VPN connection with the elliptic curve Diffie-Hellman groups 19 and 20. The considerations why to use these DH groups are listed in the post just mentioned, mainly the higher security level they offer: group 19 (256-bit ECP) provides 128 bits of security and group 20 (384-bit ECP) 192 bits, compared to roughly 103 to 112 bits for the 2048-bit MODP group 14. I tested the site-to-site IPsec connections with a Juniper ScreenOS firewall and a Fortinet FortiGate firewall. (At the time of writing, neither Palo Alto Networks nor Cisco ASA supported these groups.)


Site-to-Site VPNs with Diffie-Hellman Group 14

When talking about VPNs it is almost always clear that they are encrypted. However, it is much less clear at which security level a VPN is established. Since the names of the Diffie-Hellman groups used for the key exchange and for Perfect Forward Secrecy (PFS), such as “DH group 5”, do not state their “bits of security”, it is a common but misleading assumption that the tunnel offers 256 bits of security because the symmetric cipher is AES-256. It does not! The security level of a tunnel is bounded by its weakest component, and Diffie-Hellman group 5 (1536-bit MODP) has only about 89 bits of security…

Therefore, common firewalls implement DH group 14 (2048-bit MODP), which has a security level of at least approximately 103 bits (NIST SP 800-57 rates a 2048-bit modulus at 112 bits). I tested such a site-to-site VPN tunnel between a Palo Alto and a Juniper ScreenOS firewall, which worked without any problems.
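The "weakest component" rule from the two posts above (AES-256 with DH group 5 is not a 256-bit tunnel; groups 19 and 20 raise the bar) can be checked mechanically. The following script is an added example, not code from the original posts: it rates strongSwan-style proposal strings such as `aes256-sha256-modp2048` by looking up the cipher key length and the DH group in the NIST SP 800-57 Part 1 security-strength table and reporting the minimum together with the component that limits it. Assumptions: modulus sizes that have no NIST row (1536, 4096, 6144, 8192 bits) are floored to the next smaller row, which is stricter than the ~89-bit figure the post quotes for group 5; integrity and PRF tokens (`sha256`, `prfsha384`, ...) are parsed past and not scored; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# NIST SP 800-57 Part 1 Rev. 5, Table 2: key/modulus size -> security strength in bits.
FFC_ROWS = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]  # MODP groups
ECC_ROWS = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]        # ECP groups

# IKE group number -> strongSwan proposal token (RFC 3526 MODP groups, RFC 5903 ECP groups).
IKE_GROUPS = {
    2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072", 16: "modp4096",
    17: "modp6144", 18: "modp8192", 19: "ecp256", 20: "ecp384", 21: "ecp521",
}

# Non-AES cipher tokens and their NIST strength (3-key Triple DES is rated at 112 bits).
OTHER_CIPHERS = {"3des": 112, "chacha20poly1305": 256}


def _floor_strength(rows, bits):
    """Strength of the largest table row not exceeding `bits` (assumption: floor, never round up)."""
    if bits < rows[0][0]:
        raise ValueError(f"{bits}-bit key is below every NIST row; treat as broken")
    return max(strength for size, strength in rows if bits >= size)


def ffc_strength(modulus_bits):
    """Security strength of a finite-field (MODP) Diffie-Hellman group."""
    return _floor_strength(FFC_ROWS, modulus_bits)


def ecc_strength(field_bits):
    """Security strength of an elliptic-curve (ECP) Diffie-Hellman group."""
    return _floor_strength(ECC_ROWS, field_bits)


def dh_token_strength(token):
    """Rate a DH token such as 'modp2048' or 'ecp384'; None if the token is not a DH group."""
    m = re.fullmatch(r"(modp|ecp)(\d+)", token)
    if not m:
        return None
    bits = int(m.group(2))
    return ffc_strength(bits) if m.group(1) == "modp" else ecc_strength(bits)


def cipher_token_strength(token):
    """Rate a cipher token such as 'aes256' or 'aes128gcm16'; None if it is not a cipher."""
    m = re.fullmatch(r"aes(128|192|256)(?:gcm|ccm)?(?:8|12|16|64|96|128)?", token)
    if m:
        return int(m.group(1))          # AES strength equals its key length
    return OTHER_CIPHERS.get(token)


@dataclass
class Rating:
    proposal: str
    cipher: str
    dh_group: str
    bits: int        # effective security level = min(cipher, DH group)
    weakest: str     # the component that sets that level


def rate_proposal(proposal):
    """Compute the effective security level of a strongSwan-style IKE/ESP proposal string."""
    cipher = dh = None
    for tok in proposal.lower().split("-"):
        c = cipher_token_strength(tok)
        if c is not None:
            cipher = (tok, c)
            continue
        d = dh_token_strength(tok)
        if d is not None:
            dh = (tok, d)
        # anything else (sha256, prfsha384, ...) is an integrity/PRF token and is not scored here
    if cipher is None or dh is None:
        raise ValueError(f"proposal {proposal!r} needs both a cipher and a DH group")
    weakest = min((cipher, dh), key=lambda pair: pair[1])
    return Rating(proposal, cipher[0], dh[0], weakest[1], weakest[0])


def rate_group(number):
    """Security strength of an IKE DH group given by its number (e.g. 5, 14, 19, 20)."""
    return dh_token_strength(IKE_GROUPS[number])


if __name__ == "__main__":
    # Constructed sample proposals: the post's point in numbers.
    for p in ("aes256-sha256-modp1536", "aes256-sha256-modp2048",
              "aes256gcm16-prfsha256-ecp256", "aes128-sha256-ecp384", "aes256-sha384-ecp384"):
        r = rate_proposal(p)
        print(f"{p:32} -> {r.bits:3} bits, limited by {r.weakest}")
```

Note how the limiting factor moves: with group 5 or 14 the DH group caps the tunnel well below the AES-256 key length, with group 19 the DH group and AES-128 are on par, and with group 20 an AES-128 cipher becomes the weakest link, so a 192-bit tunnel needs AES-192 or AES-256 alongside it.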
