Encryption

This setting specifies which encryption algorithm to use to provide data confidentiality:

  • Select AES CBC 128-bit to use the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) mode with a key length of 128 bits.
  • Select AES CBC 256-bit to use the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) mode with a key length of 256 bits.
  • Select Triple DES to run the DES encryption algorithm three times with a 192-bit key, of which 24 bits are parity bits.
  • Select DES (Data Encryption Standard) to use a 56-bit key and a 64-bit initialization vector. DES is the default. Do not use DES when the stack is configured for FIPS 140 mode.
  • Select AES GCM 128-bit key to use the Advanced Encryption Standard (AES) Galois Counter Mode (GCM) with a 16-byte Integrity Check Value (ICV) and 128-bit keys to simultaneously encrypt and authenticate the data. Do not use AES GCM when the stack is configured for FIPS 140 mode.
  • Select AES GCM 256-bit key to use the Advanced Encryption Standard (AES) Galois Counter Mode (GCM) with a 16-byte Integrity Check Value (ICV) and 256-bit keys to simultaneously encrypt and authenticate the data. Do not use AES GCM when the stack is configured for FIPS 140 mode.
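The practical difference between the CBC and GCM options is that AES GCM authenticates as well as encrypts, while AES CBC, DES and Triple DES provide confidentiality only and rely on a separate authentication algorithm to detect altered data. The following Go program is an added illustration of that difference using only the standard library; it is not IBM code and does not model the stack's IPsec implementation. The keys, nonce, IV and payload are constructed sample values (a real security association gets its keys from IKE).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample keys, nonce, IV and payload for this demonstration only.
// In an IPsec deployment these are derived by IKE for each security
// association and are never fixed constants like these.
var (
	key128   = []byte("0123456789abcdef")                 // 16 bytes: AES 128-bit key
	key256   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES 256-bit key
	gcmNonce = []byte("unique-nonce")                     // 12 bytes: GCM's standard nonce size
	cbcIV    = []byte("16-byte-cbc-iv!!")                 // 16 bytes: one AES block
	payload  = []byte("constructed ESP payload")
)

// newGCM builds an AES-GCM AEAD for a 16-byte (128-bit) or 32-byte (256-bit) key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GCMICVLength returns the size of the Integrity Check Value (Go calls it the
// tag) that AES-GCM appends to each message: 16 bytes for either key size.
func GCMICVLength(key []byte) int {
	gcm, err := newGCM(key)
	if err != nil {
		return 0
	}
	return gcm.Overhead()
}

// flipBit returns a copy of b with the low bit of its first byte inverted,
// standing in for corruption or modification of the message in transit.
func flipBit(b []byte) []byte {
	c := append([]byte{}, b...)
	c[0] ^= 0x01
	return c
}

// GCMDetectsTampering seals the payload with AES-GCM, alters one bit of the
// result and reports whether Open rejects it. Because GCM authenticates the
// data, the ICV check fails and no plaintext is released.
func GCMDetectsTampering(key []byte) bool {
	gcm, err := newGCM(key)
	if err != nil {
		return false
	}
	sealed := gcm.Seal(nil, gcmNonce, payload, nil) // ciphertext || 16-byte ICV
	_, err = gcm.Open(nil, gcmNonce, flipBit(sealed), nil)
	return err != nil
}

// pkcs7Pad extends b to a whole number of blocks (PKCS#7 padding).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// CBCTamperOutcome encrypts the payload with AES-CBC, alters one bit of the
// ciphertext and decrypts it. It returns whether decryption rejected the
// message (it never does: CBC has no integrity check) and whether the
// recovered plaintext silently differs from the original (it always does).
func CBCTamperOutcome(key []byte) (rejected bool, plaintextChanged bool) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return true, false
	}
	padded := pkcs7Pad(payload, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, cbcIV).CryptBlocks(ct, padded)

	tampered := flipBit(ct)
	pt := make([]byte, len(tampered))
	cipher.NewCBCDecrypter(block, cbcIV).CryptBlocks(pt, tampered)
	// CryptBlocks cannot fail on aligned input; the caller only ever sees
	// garbled bytes, which is why CBC is paired with a separate authentication
	// algorithm in IPsec while GCM needs none.
	return false, !bytes.Equal(pt, padded)
}

func main() {
	for _, key := range [][]byte{key128, key256} {
		bits := len(key) * 8
		fmt.Printf("AES GCM %d-bit: ICV %d bytes, tampering rejected: %v\n",
			bits, GCMICVLength(key), GCMDetectsTampering(key))
		rejected, changed := CBCTamperOutcome(key)
		fmt.Printf("AES CBC %d-bit: tampering rejected: %v, plaintext silently changed: %v\n",
			bits, rejected, changed)
	}
}
```

Run it with `go run .`; for both key sizes it reports a 16-byte ICV and a rejected message under GCM, and an accepted but corrupted plaintext under CBC. The same single-bit change is what a receiver sees after a transmission error or an active modification, so the CBC, DES and Triple DES choices are only as trustworthy as the authentication algorithm configured alongside them.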
Tips:
  • The IETF does not recommend the use of DES; this is documented in RFC 4835.
  • The use of Triple DES must be evaluated and, where possible, avoided in favor of a more secure cipher specification.

See the following quotation from RFC 4835 written by Vishwas Manral:

"The IETF deprecated the use of single DES years ago and has not included it in any new standard for some time (see IESG note on the first page of [RFC2407]). But this document represents the first standards-track recognition of that deprecation by specifying that implementations SHOULD NOT provide single DES. The US Government National Institute of Standards and Technology (NIST) has formally recognized the weakness of single DES by a notice published in the 26 July 2004 US Government Federal Register (Docket No. 040602169-4169-01) proposing to withdraw it as a US Government Standard. Triple DES remains approved by both the IETF and NIST."

Rule: The DES, AES GCM 128-bit and AES GCM 256-bit algorithms are not available for selection if the stack is configured for FIPS 140.
