VPN Crytography:  Understanding It and Why It Matters

I frequently perform firewall upgrades from legacy Cisco devices. Oftentimes as we go through this process my customers need to upgrade their site-to-site VPNs from aging ciphers like DES and 3DES, or deprecated Diffie-Helman groups.

Background

Site-to-site VPNs are encrypted tunnels typically terminated between two network infrastructure devices (firewalls, routers) to extend connectivity between two specific remote networks. 

IPsec (IP Security) is a suite of protocols used to create secure tunnels. One of the most common Security Association (SA) protocols within the IPsec suite is IKE (Internet Key Exchange), a key and encryption negotiating protocol that securely establishes the IPsec tunnel over 2 phases.

While there are two versions of IKE (IKEv1 and IKEv2), security best practices are to prefer IKEv2, as IKEv1 does not support all modern cryptographic tools that we will need (discussed later in this article).

 IKEv2

IKEv2 was published in RFC5996 in 2010. IKEv2 provides the same function as IKEv1, however, it is more streamlined and much more secure. IKEv2 phase 1, known as the IKE_SA, creates a secure line of communication to exchange ESP (Encapsulating Security Payload) or AH (Authentication Header) Packets. IKE_SA configures several attributes that must match on both ends of the VPN for the Phase 1 Security Association (SA) to form. Those Attributes include the following: 

1. Encryption Algorithm (AES-GCM-256)
2. Hashing (SHA-384 and SHA-512)
3. Diffie-Helman (DH Groups 19, 20, 21)
4. Psuedo-Random Function (SHA-384)
5. Authentication Method (Shared Secret)
6. Vendor-Specific Attributes (Optional)

Once Phase 1 is complete, Phase 2, also known as the CHILD_SA, begins to establish. Phase 2 sets up the IPSec Tunnel using either ESP within the Phase 1 tunnel. Phase 2 Attributes define the ESP configuration. In the instance of a Cisco Secure Firewall (formerly Cisco Firepower) they are the following:

1. ESP Hash (SHA-256 or higher)
2. ESP Encryption (AES-GCM-256)
3. Perfect Forward Secrecy (Modulus Group 21)

Perfect Forward Secrecy (PFS) is an optional feature that utilizes Diffie-Helman to create temporary private key exchanges for each session, adding a layer of protection in the instance that session keys are compromised. Only the compromised session is affected.

You may have configured a VPN previously and seen cipher suites have cryptic names (e.g., AES-GCM-NULL-SHA). Let's investigate further.

 Cryptography

Currently, best practices include what is known as the Commercial National Security Algorithm (CNSA), a suite of cryptographic ciphers that the NSA evolved out of their own NSA Suite B cryptology suite. 

CMSA includes the following ciphers:

1. Encryption: AES-GCM-256
2. Hashing: NULL if using GCM encryption, otherwise, SHA-384 or SHA-512
3. Key Exchange: Elliptic Curve Diffie-Helman using P-256 and P-384 curves (DH Groups 19, 20, and 21)

 If a termination point in your VPN setup doesn’t support one or all of these attributes, it is recommended to go with the next best attributes such as:

1. Encryption: AES-256
2. Hashing: SHA-256
3. Key Exchange: Diffie-Helman Group 14 or Higher, choosing the highest option available

 Configuration Example:

Finally, as an example, are some screenshots of how you would create a Site-to-Site VPN on a Cisco Secure Firewall using the Commercial National Security Algorithm:

1. After configuring the VPN-protected networks and termination IPs, we will configure the IKEv2 Policy. If you aren't sure which default Cipher Suite (AES-GCM-NULL-SHA) works for your situation, you can always (at least in the case of Cisco Firepower) create your own.

iii. Set PRF to SHA384

iv. Set Diffie-Helman to 21

v. Set Perfect Forward Secrecy

2. Once you have a IKEv2 Policy that is configured, you then need to set authentication to Pre-Shared Manual Key. Ideally using a password generator to ensure the key is robust.

3. You will then repeat that process for the IPSec Proposal, setting ESP Hash to Null and ESP Encryption to AES-GCM-256

Conclusion

To bridge everything together: VPN cryptography has evolved significantly over the last 20 years and is often misunderstood. Luckily, CNSA has provided us with a simple way to standardize a strong cryptographic posture. If you have further questions or happen to need network security services please reach out to the Network Solutions, Inc. (nsi1.com) Security Team!