```
```

## April 2012## Last updated: April 2014## Contents
Introduction ## IntroductionOver the years, numerous cryptographic algorithms have been developed and used in many different protocols and functions. Cryptography is by no means static. Steady advances in computing and in the science of cryptanalysis have made it necessary to adopt newer, stronger algorithms and larger key sizes. Older algorithms are supported in current products to ensure backward compatibility and interoperability. However, some older algorithms and key sizes no longer provide adequate protection from modern threats and should be replaced. This paper summarizes the security of cryptographic algorithms and parameters, gives concrete recommendations regarding which cryptography should be used and which cryptography should be replaced, and describes alternatives and mitigations. ## Recommendations for Cryptographic AlgorithmsThe following table can help customers migrate from legacy ciphers to current or more secure ciphers. The table explains each available cryptographic algorithm, the operations it supports, and whether it is Cisco's best recommendation. Customers should pay particular attention to algorithms designated as
Algorithms marked as ## Introduction to CryptographyCryptography can provide confidentiality, integrity, authentication, and nonrepudiation for communications in public networks, storage, and more. Some real-world applications include protocols and technologies such as VPN networks, HTTPS web transactions, and management through SSH. Over the years, some cryptographic algorithms have been deprecated, "broken," attacked, or proven to be insecure. There have been research publications that compromise or affect the perceived security of almost all algorithms by using reduced step attacks or others (known plaintext, bit flip, and more). Additionally, every year advances in computing reduce the cost of information processing and data storage to retain effective security. Because of Moore's law and a similar empirical law for storage costs, symmetric cryptographic keys must grow by 1 bit every 18 months. For an encryption system to have a useful shelf life and securely interoperate with other devices throughout its life span, the system should provide security for 10 or more years into the future. The use of good cryptography is more important now than ever before because of the very real threat of well-funded and knowledgeable attackers. Cryptographic algorithms, in general, are divided into the following: **Symmetric key algorithms:**These algorithms share the same key for encryption and decryption. Examples include Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES).**Public key algorithms:**These algorithms use different keys for encryption and decryption that are mathematically related. Examples include Digital Signature Algorithm (DSA) and the Rivest-Shamir-Adleman (RSA) algorithm.**Elliptic curve algorithms:**These algorithms function over points that belong to elliptic curves. Examples include Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA).**Hash:**These algorithms provide a constant-sized output for any input, and their most important property is irreversibility.
The following section presents the corresponding recommended algorithms and key sizes for each category. ## Next Generation EncryptionNext generation encryption technologies satisfy the security requirements described in the preceding sections while using cryptographic algorithms that scale better. This document presents algorithms that are considered secure at present, the status of algorithms that are no longer considered secure, the key sizes that provide adequate security levels, and next generation cryptographic algorithms. ## NGE Background InformationNGE offers the best technologies for future-proof cryptography, and it is setting the industry trend. These are the best standards that one can implement today to meet the security and scalability requirements 10 years hence or to interoperate with the cryptography that will be deployed in that time frame. The algorithms that comprise NGE are the result of more than 30 years of global advancement and evolution in cryptography. Each constituent component of NGE has its own history, depicting the diverse history of the NGE algorithms as well as their long-standing academic and community review. For instance, AES was named by the U.S. National Institute of Standards and Technology (NIST), but AES was not created by NIST. AES was originally called The following sections discuss the NGE algorithms in more detail. ## Categories of Cryptographic AlgorithmsThere are four groups of cryptographic algorithms: ## Symmetric KeySymmetric key algorithms use the same key for encryption and decryption. Examples include 3DES and AES. 3DES, which consists of three sequential Data Encryption Standard (DES) encryption-decryptions, is a legacy algorithm. This designation means 3DES provides a marginal but acceptable security level, but its keys should be renewed relatively often. Because of its small key size, DES is no longer secure and should be avoided. RC4 should be avoided as well. AES with 128-bit keys provides adequate protection for sensitive information. AES with 256-bit keys is required to protect classified information of higher importance. ## Public KeyPublic key algorithms use different keys for encryption and decryption. These keys are usually called the private key, which is secret, and the public key, which is publicly available. The private and public keys are cryptographically related. The private key cannot be derived from the public key. The private key can be used only by its owner, and the public key can be used by third parties to perform operations with the key owner. The RSA algorithms for encryption and digital signatures are less efficient at higher security levels, as is the integer-based Diffie-Hellman (DH) algorithm. There are subexponential attacks that can be used against these algorithms. To compensate, their key sizes must be substantially increased. In practice, this means that RSA and DH are becoming less efficient every year. DH, DSA, and RSA can be used with a 2048-bit modulus to protect sensitive information. Smaller DH, DSA, and RSA key sizes, such as 768 or 1024, should be avoided. ## Elliptic CurveElliptic Curve Cryptography (ECC) is a newer alternative to public key cryptography. ECC operates on elliptic curves over finite fields. The main advantage of elliptic curves is their efficiency. They can offer the same level of security for modular arithmetic operations over much smaller prime fields. Thus, the relative performance of ECC algorithms is significantly better than traditional public key cryptography. ECDH is a method for key exchange, and ECDSA is used for digital signatures. ECDH and ECDSA using 256-bit prime modulus secure elliptic curves provide adequate protection for sensitive information. ECDH and ECDSA over 384-bit prime modulus elliptic curves are required to protect classified information of higher importance. ## HashHash algorithms are also called digital fingerprinting algorithms. They are irreversible functions that provide a fixed-size hash based on various inputs. Irreversibility and collision resistance are necessary attributes for successful hash functions. Examples of hash functions are Secure Hash Algorithm 1 (SHA-1) and SHA-256. Message Digest 5 (MD5) is a hash function that is insecure and should be avoided. SHA-1 is a legacy algorithm and thus is adequately secure. SHA-256 provides adequate protection for sensitive information. On the other hand, SHA-384 is required to protect classified information of higher importance. Hashed Message Authentication Code (HMAC) is a construction that uses a secret key and a hash function to provide a message authentication code (MAC) for a message. HMAC is used for integrity verification. HMAC-MD5, which uses MD5 as its hash function, is a legacy algorithm (note that MD5 as a hash function itself is ## Security LevelsThe following table shows the relative security level provided by the recommended and NGE algorithms. Security level is the relative strength of an algorithm. An algorithm with a security level of x bits is stronger than one of y bits if x > y. If an algorithm has a security level of x bits, the relative effort it would take to "beat" the algorithm is of the same magnitude of breaking a secure x-bit symmetric key algorithm (without reduction or other attacks). The 128-bit security level is for sensitive information, and the 192-bit level is for information of higher importance.
## Cryptographic Algorithm Configuration GuidelinesAfter the review of NGE and recommendations on choosing cryptographic algorithms, it is worthwhile to review specific guidelines for security technology configuration. The guidelines in this section are by no means all inclusive. Cryptography is widely deployed in almost every technology; thus, it is impossible to provide exhaustive guidelines for every technology that employs cryptography. ## IPsec VPN with Encapsulating Security PayloadUse the following guidelines when configuring IPsec VPN encryption with Encapsulating Security Payload (ESP): - Do not use NULL encryption (esp-null).
- Use both an authentication algorithm (esp-sha-hmac is recommended) and an encryption algorithm (esp-aes is recommended).
The following example shows a Cisco IOS Software or Cisco Adaptive Security Appliance (ASA) transform set configuration that uses 128-bit AES encryption and HMAC-SHA-1 authentication for ESP IPsec in tunnel mode:
## Internet Key Exchange in VPN TechnologiesUse the following guidelines when configuring Internet Key Exchange (IKE) in VPN technologies: - Avoid IKE Groups 1, 2, and 5.
- Use IKE Group 14 or 24, both of which employ 2048-bit DH. Alternatively, Groups 15 and 16 employ 3072-bit and 4096-bit DH.
- When possible, use IKE Group 19 or 20. They are the 256-bit and 384-bit ECDH groups, respectively.
- AES should be used for encryption.
For Cisco ASA 5500 Series models, administrators are strongly advised to enable hardware processing instead of software processing for large modulus operations, such as 2048-bit certificates. Initially enabling hardware processing by using the command The following example shows a Cisco IOS Software IKE configuration that uses 128-bit AES for encryption, pre-shared key authentication, and 256-bit ECDH (Group 19):
The following example shows a Cisco IOS Software IKEv2 proposal configuration that uses 256-bit CBC-mode AES for encryption, SHA-256 for the hash, and 2048-bit DH (Group 14):
Not all product versions support SHA-256 or IKE Group 14, 19, 20, or 24. Recent releases of Cisco IOS Software and some other product version releases have incorporated support for some of these features. ## Transport Layer Security and Cipher SuitesMany products are managed through a web interface using HTTPS. HTTPS uses SSL/Transport Layer Security (TLS) to encrypt communications. TLS is the successor of SSL and provides encryption, authentication, and integrity for web communications. TLS 1.2 is the current version. Where possible, TLS 1.2 is preferred over SSL 3.0, TLS 1.0, and TLS 1.1. TLS is also used in various Cisco products to provide VPN services. Cipher suites are combinations of security algorithms that are used in TLS. When configuring products that support TLS, when possible, administrators are advised to use secure algorithms in the cipher suites of the TLS negotiation. Some recommendations follow: - Use 2048-bit certificates with cipher suites that include
- TLS_RSA_
- Use 2048-bit DH or 256-bit or 384-bit ECDH and ECDSA with cipher suites that include
- TLS_DH_
- TLS_ECDH_
- TLS_ECDH_ECDSA or TLS_RSA_ECDSA
- Configure the negotiated TLS cipher suites to include AES-128 or AES-256 GCM as the encryption algorithms and SHA-256 or SHA-384 for the hashes. The negotiated cipher suites should include the following:
- WITH_AES_128_GCM_SHA256 or WITH_AES_256_GCM_SHA384
- WITH_AES_256_GCM_SHA256 or WITH_AES_256_GCM_SHA384
Alternatives are - WITH_AES_128_CBC_SHA256
- WITH_AES_256_CBC_SHA256
Browsers should support the preceding cipher suites, as should the HTTP server or SSL VPN concentrator. However, not all product versions support the preceding cipher suites. Support is progressively added. ## AcknowledgmentsPanos Kampanakis (pkampana[at]cisco[dot]com) David McGrew (mcgrew[at]cisco[dot]com) Jay Young-Taylor (jyoungta[at]cisco[dot]com) Wen Zhang (wzhang[at]cisco[dot]com) Lonnie Harris (lonnieh[at]cisco[dot]com) ## ReferencesNIST SP 800-131A, B, and C NIST Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (SP800-131A) IANA Transport Layer Security (TLS) Parameters IANA Internet Key Exchange (IKE) Attributes ## Appendix A: Minimum Cryptography RecommendationsThe following table explains recommended cryptographic algorithms that satisfy minimum security requirements for technology as of mid-2012.
This document is part of Cisco Security Intelligence Operations. This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time. |