How is the Diffie-Hellman key exchange referred to when it is used in IKE Phase 2?
A Diffie-Hellman exchange allows the participants to produce a shared secret value. The strength of the technique is that it allows the participants to create the secret value over an unsecured medium without ever sending the secret value itself across the wire; an eavesdropper sees only the public values, and the shared secret can only be computed by someone who holds one of the private exponents. There are five Diffie-Hellman (DH) groups (NetScreen supports groups 1, 2, and 5). The size of the prime modulus used in each group's calculation differs as follows:
DH Group 1: 768-bit modulus
DH Group 2: 1024-bit modulus
DH Group 5: 1536-bit modulus
The larger the modulus, the more secure the generated key is considered to be; however, the longer the key-generation process takes. Because the modulus for each DH group is a different size, the participants must agree to use the same group. Note that by today's standards the 768-bit and 1024-bit groups (groups 1 and 2) are no longer considered adequate; current practice is to use group 14 (a 2048-bit modulus) or larger wherever both peers support it.
After the participants have established a secure and authenticated channel, they proceed through Phase 2, in which they negotiate the SAs that will secure the data transmitted through the IPSec tunnel.
Like the process for Phase 1, the participants exchange proposals to determine which security parameters to employ in the SA. A Phase 2 proposal also includes a security protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH), and the selected encryption and authentication algorithms. The proposal can also specify a Diffie-Hellman group, if Perfect Forward Secrecy (PFS) is desired.
Perfect Forward Secrecy (PFS) is a method for deriving Phase 2 keys that are independent from and unrelated to the preceding keys. Without PFS, the Phase 1 exchange produces a key (the SKEYID_d key) from which all Phase 2 keys are derived. Deriving Phase 2 keys from SKEYID_d requires a minimum of CPU processing, because no further exponentiation is needed.
Unfortunately, if an unauthorized party gains access to the SKEYID_d key, every Phase 2 encryption and authentication key derived from it is compromised, including keys for SAs negotiated later. PFS addresses this risk by forcing a new Diffie-Hellman key exchange to occur for each Phase 2 tunnel, so that each set of Phase 2 keys also depends on a fresh DH secret that never appears on the wire. This Phase 2 Diffie-Hellman exchange is therefore referred to as PFS. Using PFS is thus more secure, although the rekeying procedure in Phase 2 might take slightly longer with PFS enabled, and both peers must be configured with the same PFS group or the Phase 2 negotiation will fail.
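The following Python program is an added worked example, not code from the original page or from NetScreen, covering both the Diffie-Hellman exchange described above and the two Phase 2 key derivations (with and without PFS). It uses the real 1024-bit modulus of DH group 2 from RFC 2409 and the KEYMAT construction from RFC 2409 section 5.5; HMAC-SHA256 stands in for the negotiated prf, and the SPI, nonces and protocol number (3 = ESP in the IPsec DOI) are constructed sample values. The point it makes concrete is the compromise scenario in the text: an attacker who obtains SKEYID_d plus the data visible on the wire can recompute the non-PFS KEYMAT, but not the PFS KEYMAT, which also needs the quick-mode DH secret g(qm)^xy.

```python
"""Added example: IKE-style Diffie-Hellman (DH group 2, RFC 2409) and Phase 2
KEYMAT derivation with and without PFS (RFC 2409 s5.5).  HMAC-SHA256 is used
as the prf for illustration; SPI and nonces below are constructed values."""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used to sanity-check the hard-coded modulus."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=DH_GROUP2_P, g=DH_GROUP2_G):
    """Private exponent x (kept secret) and public value g^x mod p (sent)."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared_secret(peer_public, x, p=DH_GROUP2_P):
    """g^xy mod p.  Rejects degenerate peer values (0, 1, p-1, >= p), which
    would force the shared secret into a tiny set regardless of x."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("invalid DH public value")
    return pow(peer_public, x, p)


def _int_bytes(n, p=DH_GROUP2_P):
    return n.to_bytes((p.bit_length() + 7) // 8, "big")


def phase2_keymat(skeyid_d, protocol, spi, ni_b, nr_b, g_xy=None):
    """RFC 2409 s5.5 (one prf block shown):
         no PFS:   KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
         with PFS: KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    msg = b"" if g_xy is None else _int_bytes(g_xy)
    msg += bytes([protocol]) + spi + ni_b + nr_b
    return hmac.new(skeyid_d, msg, hashlib.sha256).digest()


def demo():
    # Phase 1 style exchange: each side keeps x secret and sends only g^x.
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    assert dh_shared_secret(yb, xa) == dh_shared_secret(ya, xb)
    skeyid_d = hashlib.sha256(_int_bytes(dh_shared_secret(yb, xa))).digest()

    # Constructed Phase 2 (quick mode) parameters; all of these are on the wire.
    proto_esp, spi = 3, bytes.fromhex("0a1b2c3d")
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    no_pfs = phase2_keymat(skeyid_d, proto_esp, spi, ni_b, nr_b)

    # With PFS: a fresh DH exchange inside quick mode.
    qa, qya = dh_keypair()
    qb, qyb = dh_keypair()
    g_qm_xy = dh_shared_secret(qyb, qa)
    with_pfs = phase2_keymat(skeyid_d, proto_esp, spi, ni_b, nr_b, g_qm_xy)

    # Attacker holding SKEYID_d plus wire data recovers the non-PFS keys ...
    attacker_no_pfs = phase2_keymat(skeyid_d, proto_esp, spi, ni_b, nr_b)
    # ... but the PFS keys also need g(qm)^xy, which never appears on the wire.
    return {"no_pfs_recovered": attacker_no_pfs == no_pfs,
            "pfs_differs": with_pfs != no_pfs,
            "modulus_is_prime": is_probable_prime(DH_GROUP2_P),
            "safe_prime": is_probable_prime((DH_GROUP2_P - 1) // 2)}


if __name__ == "__main__":
    print(demo())
```

The public-value range check in dh_shared_secret is the kind of check a real IKE implementation must perform: a peer that sends 1 or p-1 as its public value drives the shared secret to 1 or p-1 no matter what private exponent the other side chose. The safe-prime check is only a self-test that the hard-coded modulus was transcribed correctly.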