DH Group in CCIE Security Written Exam
Question
Which statement about DH group is true?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.A.
The Diffie-Hellman (DH) algorithm is a public key cryptographic algorithm that allows two parties to establish a shared secret key over an unsecured communication channel. The DH algorithm is commonly used in key exchange protocols such as Internet Protocol Security (IPsec), Secure Sockets Layer (SSL), and Transport Layer Security (TLS).
Regarding the statements in the question, option C is true, and the rest are false. The following explanations support this statement:
A. The DH group provides confidentiality and integrity, but it does not provide data authentication. Data authentication is achieved through digital signatures or message authentication codes (MACs). However, the DH key exchange can be combined with digital signatures or MACs to provide data authentication.
B. The DH group does not provide data confidentiality by itself. It only provides a shared secret key that can be used to encrypt data with symmetric encryption algorithms such as Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES). The confidentiality of data depends on the encryption algorithm and key size used.
C. The DH group is used to establish a shared key over an unsecured communication channel. The two parties generate their public and private keys and exchange their public keys. Using the DH algorithm, they derive a shared secret key that is known only to them. This key can be used for symmetric encryption, message authentication, or any other purpose that requires a shared secret key.
D. The DH group is not negotiated in IPsec phase-2. The DH key exchange is one of the four methods that can be used to generate a shared secret key in IPsec. The other methods are pre-shared keys, digital certificates, and Kerberos. The DH group is negotiated in the IKE phase-1, which establishes a secure communication channel between the two IPsec peers.
In conclusion, the DH group is used to establish a shared secret key over an unsecured communication channel. It does not provide data authentication or confidentiality by itself, but it can be combined with other cryptographic algorithms to achieve these goals. The DH group is negotiated in the IKE phase-1, not in IPsec phase-2.
