https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162267#M28829 <P>Hello CheckMates,</P> <P>Just wanted to check if someone has any information about plans to support&nbsp;<SPAN>Diffie-Hellman group 21 for s2s vpn's? a quick search on support center showed&nbsp;sk27054, but it talks about other groups and not 21, and it also says they are not recommended. Cisco and Juniper have this group, just wondered why checkpoit does not. Thanks in advance.</SPAN></P> <P><SPAN>Regards</SPAN></P> Wed, 16 Nov 2022 19:33:21 GMT RS_Daniel 2022-11-16T19:33:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162267#M28829 <P>Hello CheckMates,</P> <P>Just wanted to check if someone has any information about plans to support&nbsp;<SPAN>Diffie-Hellman group 21 for s2s vpn's? a quick search on support center showed&nbsp;sk27054, but it talks about other groups and not 21, and it also says they are not recommended. Cisco and Juniper have this group, just wondered why checkpoit does not. Thanks in advance.</SPAN></P> <P><SPAN>Regards</SPAN></P> Wed, 16 Nov 2022 19:33:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162267#M28829 RS_Daniel 2022-11-16T19:33:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162268#M28830 <P>Thats excellent question actually...I noticed that Fortinet also had it while back, but never seen it on CP. This is whats available on Fortigate fw by default:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18435iA8CFB5D56B2C78E0/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Wed, 16 Nov 2022 19:51:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162268#M28830 the_rock 2022-11-16T19:51:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162278#M28834 <P>Not aware of any specific plans.<BR />If this is something you need, I’d open an RFE with your Check Point SE.</P> Wed, 16 Nov 2022 20:52:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162278#M28834 PhoneBoy 2022-11-16T20:52:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162291#M28836 <P>I'd recommend against any MODP group at this point if you can avoid them.</P> <P>p521 (actually, all of the P curves, including IKE group IDs 19 and 20) came from NIST in the US, with no explanation for some of the constants used in it. There is some suspicion that the NSA chose these constants in a way which gives them an advantage in attacking the negotiation. The strong evidence of NSA tampering in the Dual_EC_DRBG pseudorandom number generator was seen as confirmation of the suspicions about the P curves. As a result, many serious cryptographers recommend against using them.</P> <P>Curve25519 (IKE group 31, 128-bit-class) and Curve448 (IKE group 32, 224-bit-class) were designed specifically with constants chosen for clear, mathematical reasons. They're the options I use whenever available.</P> Wed, 16 Nov 2022 21:52:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162291#M28836 Bob_Zimmerman 2022-11-16T21:52:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162584#M28924 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1920">@RS_Daniel</a>&nbsp;</P> <P>Diffie-Hellman group 20 with curve P-384 is good enough alternative to Diffie-Hellman&nbsp;group 21.</P> <P>Currently there are no plans to add&nbsp;Diffie-Hellman group 21 support.</P> <P>&nbsp;</P> <P>According to&nbsp;NSA,&nbsp;Diffie-Hellman group 20 is secured enough:</P> <P><A href="https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite" target="_blank">https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite</A></P> <P>&nbsp;</P> <P>See also the following Q &amp; A from&nbsp;<A href="https://media.defense.gov/2021/Aug/04/2002821837/-1/-1/1/Quantum_FAQs_20210804.PDF" target="_blank">NSA | Quantum Computing and Post-Quantum Cryptography FAQs</A></P> <P>&nbsp;</P> <P><STRONG>Q</STRONG>: For RSA and Diffie-Hellman based solutions, the CNSA Suite includes only a minimum size. Can I</P> <P>use the NIST P-521 curve for ECDH or ECDSA on NSS?</P> <P><STRONG>A</STRONG>: Cryptographic libraries implementing RSA and DH have long supported multiple key sizes, and there is a</P> <P>diverse range of sizes already in use. To save costs, the existing use of larger key sizes is allowed to continue</P> <P>in CNSA. For elliptic curve cryptography, specific parameters must be programmed, and P-384 was the</P> <P>common parameter set established in Suite B when this technology was first deployed. To enhance system</P> <P>interoperability, <STRONG>NSA retained the requirement to use only NIST P-384 in the CNSA definition</STRONG>. NSS operators</P> <P>who wish to use an algorithm outside of the officially specified CNSA Suite should always consult with NSA.</P> <P>However, if interoperability is not a concern, P-521 would likely be considered acceptable.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Matan</P> Sun, 20 Nov 2022 19:22:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Diffie-Hellman-groups/m-p/162584#M28924 matangi 2022-11-20T19:22:57Z