Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
RS_Daniel
Advisor
Jump to solution

Diffie-Hellman groups

Hello CheckMates,

Just wanted to check if someone has any information about plans to support Diffie-Hellman group 21 for s2s vpn's? a quick search on support center showed sk27054, but it talks about other groups and not 21, and it also says they are not recommended. Cisco and Juniper have this group, just wondered why checkpoit does not. Thanks in advance.

Regards

0 Kudos
1 Solution

Accepted Solutions
matangi
Employee
Employee

Hi @RS_Daniel 

Diffie-Hellman group 20 with curve P-384 is good enough alternative to Diffie-Hellman group 21.

Currently there are no plans to add Diffie-Hellman group 21 support.

 

According to NSA, Diffie-Hellman group 20 is secured enough:

https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite

 

See also the following Q & A from NSA | Quantum Computing and Post-Quantum Cryptography FAQs

 

Q: For RSA and Diffie-Hellman based solutions, the CNSA Suite includes only a minimum size. Can I

use the NIST P-521 curve for ECDH or ECDSA on NSS?

A: Cryptographic libraries implementing RSA and DH have long supported multiple key sizes, and there is a

diverse range of sizes already in use. To save costs, the existing use of larger key sizes is allowed to continue

in CNSA. For elliptic curve cryptography, specific parameters must be programmed, and P-384 was the

common parameter set established in Suite B when this technology was first deployed. To enhance system

interoperability, NSA retained the requirement to use only NIST P-384 in the CNSA definition. NSS operators

who wish to use an algorithm outside of the officially specified CNSA Suite should always consult with NSA.

However, if interoperability is not a concern, P-521 would likely be considered acceptable.

 

Thanks,

Matan

View solution in original post

0 Kudos
(1)
4 Replies
the_rock
Legend
Legend

Thats excellent question actually...I noticed that Fortinet also had it while back, but never seen it on CP. This is whats available on Fortigate fw by default:

Screenshot_1.png

0 Kudos
PhoneBoy
Admin
Admin

Not aware of any specific plans.
If this is something you need, I’d open an RFE with your Check Point SE.

0 Kudos
Bob_Zimmerman
Authority
Authority

I'd recommend against any MODP group at this point if you can avoid them.

p521 (actually, all of the P curves, including IKE group IDs 19 and 20) came from NIST in the US, with no explanation for some of the constants used in it. There is some suspicion that the NSA chose these constants in a way which gives them an advantage in attacking the negotiation. The strong evidence of NSA tampering in the Dual_EC_DRBG pseudorandom number generator was seen as confirmation of the suspicions about the P curves. As a result, many serious cryptographers recommend against using them.

Curve25519 (IKE group 31, 128-bit-class) and Curve448 (IKE group 32, 224-bit-class) were designed specifically with constants chosen for clear, mathematical reasons. They're the options I use whenever available.

0 Kudos
matangi
Employee
Employee

Hi @RS_Daniel 

Diffie-Hellman group 20 with curve P-384 is good enough alternative to Diffie-Hellman group 21.

Currently there are no plans to add Diffie-Hellman group 21 support.

 

According to NSA, Diffie-Hellman group 20 is secured enough:

https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite

 

See also the following Q & A from NSA | Quantum Computing and Post-Quantum Cryptography FAQs

 

Q: For RSA and Diffie-Hellman based solutions, the CNSA Suite includes only a minimum size. Can I

use the NIST P-521 curve for ECDH or ECDSA on NSS?

A: Cryptographic libraries implementing RSA and DH have long supported multiple key sizes, and there is a

diverse range of sizes already in use. To save costs, the existing use of larger key sizes is allowed to continue

in CNSA. For elliptic curve cryptography, specific parameters must be programmed, and P-384 was the

common parameter set established in Suite B when this technology was first deployed. To enhance system

interoperability, NSA retained the requirement to use only NIST P-384 in the CNSA definition. NSS operators

who wish to use an algorithm outside of the officially specified CNSA Suite should always consult with NSA.

However, if interoperability is not a concern, P-521 would likely be considered acceptable.

 

Thanks,

Matan

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events