RFC 3526 (rfc3526) - Page 2 of 10
More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
Alternative Format: Original Text Document
RFC 3526 MODP Diffie-Hellman groups for IKE May 2003
1. Introduction
One of the important protocol parameters negotiated by Internet Key
Exchange (IKE) [RFC-2409] is the Diffie-Hellman "group" that will be
used for certain cryptographic operations. IKE currently defines 4
groups. These groups are approximately as strong as a symmetric key
of 70-80 bits.
The new Advanced Encryption Standard (AES) cipher [AES], which has
more strength, needs stronger groups. For the 128-bit AES we need
about a 3200-bit group [Orman01]. The 192 and 256-bit keys would
need groups that are about 8000 and 15400 bits respectively. Another
source [RSA13] [Rousseau00] estimates that the security equivalent
key size for the 192-bit symmetric cipher is 2500 bits instead of
8000 bits, and the equivalent key size 256-bit symmetric cipher is
4200 bits instead of 15400 bits.
Because of this disagreement, we just specify different groups
without specifying which group should be used with 128, 192 or 256-
bit AES. With current hardware groups bigger than 8192-bits being
too slow for practical use, this document does not provide any groups
bigger than 8192-bits.
The exponent size used in the Diffie-Hellman must be selected so that
it matches other parts of the system. It should not be the weakest
link in the security system. It should have double the entropy of
the strength of the entire system, i.e., if you use a group whose
strength is 128 bits, you must use more than 256 bits of randomness
in the exponent used in the Diffie-Hellman calculation.
Kivinen & Kojo Standards Track