Diffie-Hellman (DH Group) protocol and Azure

The Diffie-Hellman protocol is a key-agreement protocol for establishing encryption keys over a public communication channel. For IPsec, the currently recommended DH group is 24. The earlier group 5, which is the default in the case of Azure, is not recommended for security reasons.

The Azure portal does not let us define the preferred DH group; it has to be done from PowerShell, as below:

# Fetch the existing connection object (connection and resource group names are placeholders)
$connection = Get-AzureRmVirtualNetworkGatewayConnection -Name "MojePolaczenie" -ResourceGroupName "ResoureGroupa"
# Build a custom IPsec/IKE policy: DH group 24 for IKE phase 1, PFS group 24 for the IPsec SAs
$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS24 -SALifeTimeSeconds 3600 -SADataSizeKilobytes 204800
# Apply the policy to the connection
Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy

DH group specification:

  • Diffie-Hellman group 1 – 768-bit modulus – AVOID
  • Diffie-Hellman group 2 – 1024-bit modulus – AVOID
  • Diffie-Hellman group 5 – 1536-bit modulus – AVOID
  • Diffie-Hellman group 14 – 2048-bit modulus – MINIMUM ACCEPTABLE
  • Diffie-Hellman group 19 – 256-bit elliptic curve – ACCEPTABLE
  • Diffie-Hellman group 20 – 384-bit elliptic curve – Next Generation Encryption
  • Diffie-Hellman group 21 – 521-bit elliptic curve – Next Generation Encryption
  • Diffie-Hellman group 24 – modular exponentiation group with a 2048-bit modulus and a 256-bit prime-order subgroup – Next Generation Encryption
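An added audit script, not from the original post, that lists every VPN connection in a resource group and rates the DH group of its custom IPsec policy against the list above; it assumes the AzureRM module is loaded and a session is logged in, and "ResourceGroupa" is a placeholder name.

```powershell
# Audit the DH group configured on each VPN gateway connection in a resource group.
# Assumes: AzureRM module loaded, Login-AzureRmAccount already run.
$resourceGroup = "ResourceGroupa"   # placeholder

# Ratings follow the group list in the post. Azure's enum names differ from the
# IANA group numbers: ECP256 is group 19, ECP384 is group 20, and DHGroup2048
# is Azure's name for a 2048-bit MODP group, so it is rated like group 14 here.
$rating = @{
    "DHGroup1"    = "AVOID (768-bit modulus)"
    "DHGroup2"    = "AVOID (1024-bit modulus)"
    "DHGroup14"   = "MINIMUM ACCEPTABLE (2048-bit modulus)"
    "DHGroup2048" = "MINIMUM ACCEPTABLE (2048-bit modulus)"
    "ECP256"      = "ACCEPTABLE (group 19)"
    "ECP384"      = "Next Generation Encryption (group 20)"
    "DHGroup24"   = "Next Generation Encryption (group 24)"
}

# Without -Name the cmdlet returns every connection in the resource group
$connections = Get-AzureRmVirtualNetworkGatewayConnection -ResourceGroupName $resourceGroup

foreach ($c in $connections) {
    if (-not $c.IpsecPolicies -or $c.IpsecPolicies.Count -eq 0) {
        # No custom policy set: the gateway default DH group is negotiated,
        # which the post says is not the recommended group.
        [PSCustomObject]@{
            Connection = $c.Name
            DhGroup    = "(gateway default)"
            PfsGroup   = "(gateway default)"
            Verdict    = "REVIEW - no custom IPsec policy"
        }
        continue
    }
    foreach ($p in $c.IpsecPolicies) {
        $dh = [string]$p.DhGroup
        $verdict = if ($rating.ContainsKey($dh)) { $rating[$dh] } else { "UNKNOWN - review manually" }
        [PSCustomObject]@{
            Connection = $c.Name
            DhGroup    = $dh
            PfsGroup   = [string]$p.PfsGroup
            Verdict    = $verdict
        }
    }
}
```

The script emits objects, so the result can be piped to Format-Table or Export-Csv to produce a report of connections still negotiating an AVOID-rated group.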