# Question 468 of 530 from exam 400-251: CCIE Security written exam

### Question

Which statement about the DH group is true?

### Answers

A. It does not provide data authentication.

B. It provides data confidentiality.

C. It establishes a shared key over a secured medium.

D. It is negotiated in IPsec phase 2.

### Explanations

A.

The Diffie-Hellman (DH) key exchange protocol is a method of securely exchanging cryptographic keys over a public channel. The DH algorithm allows two parties to generate a shared secret key that can be used for subsequent symmetric encryption of data. The shared secret key is never actually transmitted over the public channel.
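The exchange described above, worked through over a real named DH group, as an added example that is not part of the exam page. It uses Oakley group 2 from RFC 2409 (the 1024-bit MODP prime behind IKE "DH group 2"), derives the shared secret on both sides from public values only, and shows the receiver-side check on a peer's public value that a practitioner would want before using it.

```python
import secrets

# Oakley group 2 (RFC 2409), the 1024-bit MODP prime behind IKE "DH group 2".
# It is a safe prime: q = (p - 1) / 2 is prime and g = 2 generates the order-q subgroup.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2

def is_probable_prime(n, rounds=16):
    # Miller-Rabin, enough to confirm the group parameters offline.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keypair():
    # Private exponent x in [1, q-1]; only g^x mod p is sent over the channel.
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def valid_public_value(y):
    # Reject 0, 1, p-1 and anything outside the order-q subgroup before using it.
    return 1 < y < P - 1 and pow(y, Q, P) == 1

def shared_secret(x, peer_pub):
    # Each side raises the peer's public value to its own private exponent.
    if not valid_public_value(peer_pub):
        raise ValueError("peer public value failed validation")
    return pow(peer_pub, x, P)

def exchange():
    # Both parties derive the same secret without it ever crossing the wire.
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return shared_secret(a_priv, b_pub) == shared_secret(b_priv, a_pub)
```

Nothing here authenticates the public values; in IKE that is the job of the signatures or pre-shared-key MACs negotiated alongside the DH group.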

Now let's look at each option to determine which statement is true:

A. It does not provide data authentication. This statement is not entirely true. The DH algorithm itself does not provide data authentication, but it is often used in combination with digital signatures or message authentication codes (MACs) to ensure the authenticity and integrity of the data being exchanged.

B. It provides data confidentiality. This statement is not true. The DH algorithm does not provide data confidentiality. Instead, it provides a means for two parties to establish a shared secret key that can be used for subsequent symmetric encryption of data.

C. It establishes a shared key over a secured medium. This statement is true. The DH algorithm is used to establish a shared secret key between two parties over a public channel, without actually transmitting the key over that channel. The shared secret key can then be used for symmetric encryption of data, providing confidentiality.

D. It is negotiated in IPsec phase 2. This statement is partially true. The DH algorithm can be used in IPsec VPNs for key exchange during phase 2 of the negotiation process. However, it is not the only key exchange algorithm that can be used in IPsec VPNs. Other algorithms such as RSA and Elliptic Curve Cryptography (ECC) can also be used.

Therefore, the correct answer is C. The DH algorithm is used to establish a shared secret key between two parties over a public channel, without actually transmitting the key over that channel.