Enhanced Cryptographic Algorithms
Cryptographic algorithms supported in the VPN selection for Key Exchange Policy and Data policy security association attributes.
Key Exchange Policy:
- Encryption
- 3DES-CBC
- AES-CBC (128, 192, and 256 bit)
- AES-CTR (128, 192, and 256 bit)
- Hash/PRF
- SHA
- HMAC-SHA-256
- HMAC-SHA-384
- HMAC-SHA-512
- AES-XCBC-MAC (HASH 96 bits; PRF 128 bits)
- Diffie-Hellman
- Group 1
- Group 2
- Group 14
- Group 19 (256 ECP)
- Group 20 (384 ECP)
- Group 24
Data Policy:
- Authentication
- SHA
- HMAC-SHA-256
- HMAC-SHA-384
- HMAC-SHA-512
- AES-XCBC-MAC
- Diffie-Hellman for PFS
- Group 1
- Group 2
- Group 14
- Group 19 (256 bit ECP)
- Group 20 (384 bit ECP)
- Group 24
- Encryption
- 3DES-CBC
- AES-CBC (128, 192, and 256 bit)
- AES-CTR (128, 192, and 256 bit)
- AES-CCM (128, 192, and 256 bit)
- AES-GCM (128, 192, and 256 bit)
In addition to the enhanced cryptographic algorithms being supported,
the following algorithms are de-emphasized. They are still supported,
but the direction is to use them less.
- Hash
- MD5
- Encryption
- DES
- RC4
- RC5
The Internet Engineering Task Force (IETF) formally defines the algorithms in the following Request for Comments (RFC):
- AES-CBC in RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec
- AES-XCBC-MAC in RFC 3566, The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
- HMAC-SHA_256, HMAC-SHA-384, and HMAC-SHA-512 in RFC 4868, Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
- HMAC-MD5 in RFC 2085, HMAC-MD5 IP Authentication with Replay Prevention
- DES in Request for Comment (RFC) 1829, The ESP DES-CBC Transform
- DH groups 19 and 20 in RFC 4754, IKE and IKEV2 Authentication Using the Elliptical Curve Digital Signature Algorithm (ECDSA)
- AES-CTR in RFC 3686, Using Advanced Encryption (AES) Counter Mode with IPSec Encapsulating Security Payload (ESP)
- AES-CCM in RFC 4309, Using Advanced Encryption Standard (AES) CCM mode with IPSec Encapsulating Security Payload (ESP)
- AES-GCM in RFC 4106, The Use of Galios/Counter Mode (GCM) in IPSec Encapsulating Security Payload (ESP)
You can view these RFCs on the Internet at the following Web address: http://www.rfc-editor.org.