RFC 3526 (rfc3526) - Page 2 of 10


More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)



Alternative Format: Original Text Document



RFC 3526           MODP Diffie-Hellman groups for IKE           May 2003


1.  Introduction

   One of the important protocol parameters negotiated by Internet Key
   Exchange (IKE) [RFC-2409] is the Diffie-Hellman "group" that will be
   used for certain cryptographic operations.  IKE currently defines 4
   groups.  These groups are approximately as strong as a symmetric key
   of 70-80 bits.

   The new Advanced Encryption Standard (AES) cipher [AES], which has
   more strength, needs stronger groups.  For the 128-bit AES we need
   about a 3200-bit group [Orman01].  The 192 and 256-bit keys would
   need groups that are about 8000 and 15400 bits respectively.  Another
   source [RSA13] [Rousseau00] estimates that the security equivalent
   key size for the 192-bit symmetric cipher is 2500 bits instead of
   8000 bits, and the equivalent key size 256-bit symmetric cipher is
   4200 bits instead of 15400 bits.

   Because of this disagreement, we just specify different groups
   without specifying which group should be used with 128, 192 or 256-
   bit AES.  With current hardware groups bigger than 8192-bits being
   too slow for practical use, this document does not provide any groups
   bigger than 8192-bits.

   The exponent size used in the Diffie-Hellman must be selected so that
   it matches other parts of the system.  It should not be the weakest
   link in the security system.  It should have double the entropy of
   the strength of the entire system, i.e., if you use a group whose
   strength is 128 bits, you must use more than 256 bits of randomness
   in the exponent used in the Diffie-Hellman calculation.






















Kivinen & Kojo              Standards Track