Hi,

Not too late to change. According to NIST, the 2048-bit MODP Group and the 224-bit
Random ECP Group must not be used if the information you are protecting has a
lifetime longer than 8 years (2031 - today). 1024-bit MODP is two security
levels below that. I think the IETF is generally way too slow in deprecating stuff.
I would love to see the following deprecated as well:

1024-bit MODP Group with 160-bit Prime Order Subgroup

1536-bit MODP Group
192-bit Random ECP Group

AUTH_HMAC_SHA1_96
PRF_HMAC_SHA1

Cheers,
John

From: IPsec <[email protected]> on behalf of Tero Kivinen <[email protected]>
Date: Wednesday, 23 November 2022 at 13:11
To: Paul Wouters <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo-to-historic-08.txt
Paul Wouters writes:
> ps. Re-reading this draft, does anyone remember why we deprecated DH22
> (1024-bit MODP Group with 160-bit Prime Order Subgroup) but not DH2
> (also 1024 bit MODP)

From 8247:
...
   Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in
   RFC 4307 to SHOULD NOT.  It is known to be weak against sufficiently
   funded attackers using commercially available mass-computing
   resources, so its security margin is considered too narrow.  It is
   expected in the near future to be downgraded to MUST NOT.

...
   Groups 22, 23, and 24 are MODP groups with Prime Order Subgroups that
   are not safe primes.  The seeds for these groups have not been
   publicly released, resulting in reduced trust in these groups.  These
   groups were proposed as alternatives for groups 2 and 14 but never
   saw wide deployment.  It has been shown that group 22 with 1024-bit
   MODP is too weak and academia have the resources to generate
   malicious values at this size.  This has resulted in group 22 to be
   demoted to MUST NOT.  Groups 23 and 24 have been demoted to SHOULD
   NOT and are expected to be further downgraded in the near future to
   MUST NOT.  Since groups 23 and 24 have small subgroups, the checks
   specified in the first bullet point of Section 2.2 of "Additional
   Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2
   (IKEv2)" [RFC6989] MUST be done when these groups are used.
...

I.e., the main reason being that group 2 was the only MUST algorithm
before, and moving it from MUST to MUST NOT while we do not have any
other algorithms as MUST was considered bad. Also the group is formed
in a deterministic way, which should not make it possible that the
group is created to be weak from the beginning.

There were no such concerns for group 22, and also, as there is no
way of knowing whether that group is generated as a weak group, that is
even more reason to make it MUST NOT.
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
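The RFC 8247 text quoted above requires the RFC 6989 Section 2.2 checks whenever groups 23 and 24 are used, because their prime-order subgroup is much smaller than p-1. Below is an added example of those checks (not code from this thread, from the RFCs, or from any IKE implementation): the range check 1 < r < p-1 that applies to every MODP group, plus the r^q mod p == 1 membership check for groups with a prime-order subgroup. The group parameters P, Q and G are constructed toy values chosen so the arithmetic is easy to follow; they are not the real RFC 5114 group 22/23/24 parameters. The function names and the (ok, reason) return shape are this example's own choices.

```python
"""RFC 6989-style validation of a received Diffie-Hellman public value.

Toy parameters constructed for illustration only; they are NOT the real
IKEv2 group 22/23/24 parameters from RFC 5114 (1024-2048 bits).
"""

# Constructed toy group: p = 67 is prime and p - 1 = 66 = 2 * 3 * 11, so the
# multiplicative group mod p has subgroups of order 2, 3, 6, 11, 22, 33, 66.
# g = 64 generates the prime-order subgroup of order q = 11, mirroring the
# "MODP group with prime order subgroup" shape of IKEv2 groups 22-24.
P = 67
Q = 11
G = 64


def is_prime(n):
    """Trial division; sufficient only for the tiny toy parameters above."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_ke_value(r, p, q=None):
    """Validate a peer's public value r in the spirit of RFC 6989 Section 2.2.

    The range check 1 < r < p-1 applies to every MODP group: it rejects the
    values 0, 1 and p-1, each of which forces a trivial shared secret.  For a
    group whose prime-order subgroup is much smaller than p-1 (groups 22-24),
    additionally require r^q mod p == 1, i.e. r really lies in that subgroup.
    Returns a tuple (ok, reason).
    """
    if not (1 < r < p - 1):
        return False, "value outside 1 < r < p-1"
    if q is not None and pow(r, q, p) != 1:
        return False, "value not in the prime-order subgroup"
    return True, "ok"


def shared_secret_candidates(r, p):
    """Distinct values of r^b mod p over every possible private exponent b.

    For an r of small order this set is tiny, so the sender of r learns the
    victim's exponent modulo that small order (small-subgroup confinement).
    This is what the r^q check prevents.
    """
    return {pow(r, b, p) for b in range(1, p)}


def exchange(a, b, p=P, g=G, q=Q):
    """Honest exchange in which both sides validate the value they receive.

    Returns (secret_computed_by_a, secret_computed_by_b); raises ValueError
    if either public value fails validation.
    """
    pub_a = pow(g, a, p)
    pub_b = pow(g, b, p)
    for pub in (pub_a, pub_b):
        ok, reason = check_ke_value(pub, p, q)
        if not ok:
            raise ValueError(reason)
    return pow(pub_b, a, p), pow(pub_a, b, p)


if __name__ == "__main__":
    # 37 has order 3 mod 67: it passes the range check but not the subgroup check.
    print(check_ke_value(37, P))        # range check only
    print(check_ke_value(37, P, Q))     # with subgroup check
    print(sorted(shared_secret_candidates(37, P)))
    print(exchange(3, 7))
```

With the range check alone, the order-3 value 37 is accepted and the victim's shared secret can take only three distinct values; with the subgroup check it is rejected. For safe-prime groups such as group 2 and group 14, p-1 = 2q, so the range check already excludes everything outside the large subgroup except the order-2 element p-1, which is why RFC 6989 does not demand the exponentiation there.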