Diffie Hellman Group Matching to IPSec Encryption Algorithm

Update 21 Oct 2017. I found some useful info in RFC 5114 under Section 4 "Security Considerations". Based on this recommendation, we can consider DH Groups 14 and 24 as too weak to protect AES 128 Symmetric Keys - this leaves DH Groups 19 through 21 ECP as the minimum acceptable Diffie Hellman groups for generating AES symmetric keys (128 bit and higher).

When secret keys of an appropriate size are used, an approximation of the strength of each of the Diffie-Hellman groups is provided in the table below. For each group, the table contains an RSA key size and symmetric key size that provide roughly equivalent levels of security. This data is based on the recommendations in [NIST80057].

GROUP                                      |  SYMMETRIC |   RSA
-------------------------------------------+------------+-------
1024-bit MODP with 160-bit Prime Subgroup  |        80  |   1024
2048-bit MODP with 224-bit Prime Subgroup  |       112  |   2048
2048-bit MODP with 256-bit Prime Subgroup  |       112  |   2048
192-bit Random ECP Group                   |        80  |   1024
224-bit Random ECP Group                   |       112  |   2048
256-bit Random ECP Group                   |       128  |   3072
384-bit Random ECP Group                   |       192  |   7680
521-bit Random ECP Group                   |       256  |  15360

Group Numbers mapped to DH algorithm names from RFC 5114 "IKE" Section.

NAME                                                    | NUMBER
--------------------------------------------------------+---------
1024-bit MODP Group with 160-bit Prime Order Subgroup   |   22
2048-bit MODP Group with 224-bit Prime Order Subgroup   |   23
2048-bit MODP Group with 256-bit Prime Order Subgroup   |   24
192-bit Random ECP Group                                |   25
224-bit Random ECP Group                                |   26
256-bit Random ECP Group                                |   19
384-bit Random ECP Group                                |   20
521-bit Random ECP Group                                |   21

I was able to find some pairing suggestions in the strongSwan Security Recommendations document under the "Cipher Selection" heading.

  • "aes128-sha256-modp3072 (AES-CBC-128, SHA-256 as HMAC and DH key exchange with 3072 bit key length)" DH-Group-15 (not available on my device)
  • "aes128gcm16-prfsha256-ecp256 (AES-GCM-128 AEAD, SHA-256 as PRF and ECDH key exchange with 256 bit key length)" DH-Group-19
  • "aes256gcm16-prfsha384-ecp384 (AES-GCM-256 AEAD, SHA-384 as PRF and ECDH key exchange with 384 bit key length)" DH-Group-20

It seems that the pairing recommendations may be loosely based on algorithm strength analysis listed on the Belgian BlueKrypt keylength.com site.

This is the closest I could get to a diffie-hellman algorithm pairing recommendation. Please post if you find other reputable sources for selecting well-matched diffie-hellman groups for use with IPSec encryption.