DH Group: Understanding Its Importance in Network Security

DH Group in CCIE Security Exam


Question

Which two statements about the DH group are true? (Choose two.)

Answers

Explanations


BD.

DH (Diffie-Hellman) is a cryptographic algorithm used to establish a shared secret key between two parties over an insecure communication channel. The shared key can then be used for data confidentiality, data authentication, and/or data integrity.

Regarding the statements about DH group:

A. The DH group is used to provide data authentication. This statement is incorrect. DH is a key exchange algorithm that lets two parties establish a shared secret key; on its own it neither authenticates data nor authenticates the peer. In IKE, peer authentication is a separate step, performed with pre-shared keys or digital signatures (certificates), and data authentication comes from the integrity algorithm (an HMAC) keyed from the exchange.

B. The DH group is negotiated in IPsec phase-1. This statement is correct. In IPsec VPNs, the DH group is one of the policy attributes negotiated during phase-1 (the IKE SA negotiation), together with the encryption, hash, and authentication settings. Phase-1 sets up the protected control channel between the two endpoints, and the negotiated DH group is used to compute the shared key that protects that channel.

C. The DH group is used to provide data confidentiality. This statement is partially correct. The DH group is not used directly to provide data confidentiality, but it is used to establish a shared key that can be used for data confidentiality. Once the shared key is established using DH, it can be used in combination with a symmetric encryption algorithm like AES to provide data confidentiality.

D. The DH group is used to establish a shared key over an unsecured medium. This statement is correct. DH is used specifically for key exchange over an unsecured communication channel, such as the internet. It provides a way for two parties to establish a shared secret key without ever exchanging the key itself over the insecure channel.

E. The DH group is negotiated in IPsec phase-2. This statement is incorrect. The DH group is negotiated during IPsec phase-1, not phase-2. Phase-2 negotiates the security parameters for the actual data transmission (the IPsec SA), such as the encryption and authentication algorithms, using keying material that was derived from the phase-1 exchange. (A DH group can optionally appear in phase-2 as well, for Perfect Forward Secrecy, but that is an option, not the negotiation the question refers to.)

In summary, the correct statements about the DH group are:

  • The DH group is used to establish a shared key over an unsecured medium.
  • The DH group is negotiated in IPsec phase-1.
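To make points B, C and D concrete, here is an added example (not part of the exam or the original page) of a finite-field Diffie-Hellman exchange in plain Python using RFC 3526 group 14, the 2048-bit MODP group that IKE phase-1 policies commonly negotiate. The class and function names (`DhParty`, `run_exchange`, `derive_key`) are this example's own, and the key derivation is a simplified SHA-256 hash standing in for IKE's PRF-based derivation, not the IKE formula. The example also verifies at runtime that the transcribed modulus really is a safe prime, and rejects degenerate peer values, which is the check a receiving endpoint should make.

```python
"""Finite-field Diffie-Hellman (RFC 3526 group 14) as used in IKE phase-1.

Constructed teaching example: shows that both endpoints compute the same
shared secret although only the group and the public values cross the wire.
"""
import hashlib
import secrets

# RFC 3526 "group 14": 2048-bit MODP prime, generator 2.
# Transcribed from the RFC; is_safe_prime(P) below verifies the transcription.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2


def is_probable_prime(n: int, rounds: int = 5) -> bool:
    """Miller-Rabin test; enough to catch a mistyped digit in a group prime."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """RFC 3526 groups use safe primes p = 2q + 1 with q also prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


class DhParty:
    """One endpoint: keeps a private exponent, publishes g^x mod p."""

    def __init__(self, p: int = P, g: int = G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 3) + 2   # never leaves this host
        self.public = pow(g, self.private, p)         # sent over the medium

    def shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1, p-1 and out-of-range values: they would force a
        # trivial secret. A real IKE implementation performs the same check.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, self.p)


def derive_key(shared: int, label: bytes = b"example-ipsec-key") -> bytes:
    """Hash the DH result into a 256-bit symmetric key (simplified stand-in
    for IKE's PRF-based SKEYSEED derivation, constructed for this example)."""
    secret_bytes = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + secret_bytes).digest()


def run_exchange(p: int = P, g: int = G) -> dict:
    """Run one exchange and report what an observer of the wire could see."""
    alice, bob = DhParty(p, g), DhParty(p, g)
    wire = {"g": g, "p": p, "A": alice.public, "B": bob.public}  # public data
    k_alice = alice.shared_secret(wire["B"])
    k_bob = bob.shared_secret(wire["A"])
    return {
        "wire": wire,
        "alice_key": derive_key(k_alice),   # usable with AES for confidentiality
        "bob_key": derive_key(k_bob),
        "secret_on_wire": k_alice in wire.values(),  # the secret itself never travels
    }


if __name__ == "__main__":
    result = run_exchange()
    print("group modulus is a safe prime:", is_safe_prime(P))
    print("keys match:", result["alice_key"] == result["bob_key"])
    print("shared secret appeared on the wire:", result["secret_on_wire"])
```

Both endpoints end up with the same 256-bit key although nothing secret crossed the wire, which is point D; that key is what a symmetric cipher such as AES then uses, which is point C. Nothing in the exchange tells either side who the other party is, which is why IKE adds its own authentication step, as discussed under option A.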