More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
RFC 3526

Document Type RFC - Proposed Standard (May 2003; No errata)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3526 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Jeffrey Schiller
IESG note Responsible: Jeff
Send notices to (None)
Network Working Group                                         T. Kivinen
Request for Comments: 3526                                       M. Kojo
Category: Standards Track                    SSH Communications Security
                                                                May 2003

         More Modular Exponential (MODP) Diffie-Hellman groups
                    for Internet Key Exchange (IKE)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document defines new Modular Exponential (MODP) Groups for the
   Internet Key Exchange (IKE) protocol.  It documents the well known
   and used 1536 bit group 5, and also defines new 2048, 3072, 4096,
   6144, and 8192 bit Diffie-Hellman groups numbered starting at 14.
   The selection of the primes for theses groups follows the criteria
   established by Richard Schroeppel.

Table of Contents

   1.   Introduction. . . . . . . . . . . . . . . . . . . . . . .  2
   2.   1536-bit MODP Group . . . . . . . . . . . . . . . . . . .  3
   3.   2048-bit MODP Group . . . . . . . . . . . . . . . . . . .  3
   4.   3072-bit MODP Group . . . . . . . . . . . . . . . . . . .  4
   5.   4096-bit MODP Group . . . . . . . . . . . . . . . . . . .  5
   6.   6144-bit MODP Group . . . . . . . . . . . . . . . . . . .  6
   7.   8192-bit MODP Group . . . . . . . . . . . . . . . . . . .  6
   8.   Security Considerations . . . . . . . . . . . . . . . . .  8
   9.   IANA Considerations . . . . . . . . . . . . . . . . . . .  8
   10.  Normative References. . . . . . . . . . . . . . . . . . .  8
   11.  Non-Normative References. . . . . . . . . . . . . . . . .  8
   12.  Authors' Addresses  . . . . . . . . . . . . . . . . . . .  9
   13.  Full Copyright Statement. . . . . . . . . . . . . . . . . 10

Kivinen & Kojo              Standards Track                     [Page 1]
RFC 3526           MODP Diffie-Hellman groups for IKE           May 2003

1.  Introduction

   One of the important protocol parameters negotiated by Internet Key
   Exchange (IKE) [RFC-2409] is the Diffie-Hellman "group" that will be
   used for certain cryptographic operations.  IKE currently defines 4
   groups.  These groups are approximately as strong as a symmetric key
   of 70-80 bits.

   The new Advanced Encryption Standard (AES) cipher [AES], which has
   more strength, needs stronger groups.  For the 128-bit AES we need
   about a 3200-bit group [Orman01].  The 192 and 256-bit keys would
   need groups that are about 8000 and 15400 bits respectively.  Another
   source [RSA13] [Rousseau00] estimates that the security equivalent
   key size for the 192-bit symmetric cipher is 2500 bits instead of
   8000 bits, and the equivalent key size 256-bit symmetric cipher is
   4200 bits instead of 15400 bits.

   Because of this disagreement, we just specify different groups
   without specifying which group should be used with 128, 192 or 256-
   bit AES.  With current hardware groups bigger than 8192-bits being
   too slow for practical use, this document does not provide any groups
   bigger than 8192-bits.

   The exponent size used in the Diffie-Hellman must be selected so that
   it matches other parts of the system.  It should not be the weakest
   link in the security system.  It should have double the entropy of
   the strength of the entire system, i.e., if you use a group whose
   strength is 128 bits, you must use more than 256 bits of randomness
   in the exponent used in the Diffie-Hellman calculation.

Kivinen & Kojo              Standards Track                     [Page 2]
RFC 3526           MODP Diffie-Hellman groups for IKE           May 2003

2.  1536-bit MODP Group

   The 1536 bit MODP group has been used for the implementations for
   quite a long time, but was not defined in RFC 2409 (IKE).
   Implementations have been using group 5 to designate this group, we
   standardize that practice here.

   The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }

   Its hexadecimal value is:

      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
      670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF

   The generator is: 2.

3.  2048-bit MODP Group

   This group is assigned id 14.
Show full document text