Enhanced Cryptographic Algorithms

Cryptographic algorithms supported in the VPN selection for Key Exchange Policy and Data policy security association attributes.

Key Exchange Policy:
  • Encryption
    • 3DES-CBC
    • AES-CBC (128, 192, and 256 bit)
    • AES-CTR (128, 192, and 256 bit)
  • Hash/PRF
    • SHA
    • HMAC-SHA-256
    • HMAC-SHA-384
    • HMAC-SHA-512
    • AES-XCBC-MAC (HASH 96 bits; PRF 128 bits)
  • Diffie-Hellman
    • Group 1
    • Group 2
    • Group 14
    • Group 19 (256 ECP)
    • Group 20 (384 ECP)
    • Group 24
Data Policy:
  • Authentication
    • SHA
    • HMAC-SHA-256
    • HMAC-SHA-384
    • HMAC-SHA-512
    • AES-XCBC-MAC
  • Diffie-Hellman for PFS
    • Group 1
    • Group 2
    • Group 14
    • Group 19 (256 bit ECP)
    • Group 20 (384 bit ECP)
    • Group 24
  • Encryption
    • 3DES-CBC
    • AES-CBC (128, 192, and 256 bit)
    • AES-CTR (128, 192, and 256 bit)
    • AES-CCM (128, 192, and 256 bit)
    • AES-GCM (128, 192, and 256 bit)
In addition to the enhanced cryptographic algorithms being supported, the following algorithms are de-emphasized. They are still supported, but the direction is to use them less.
  • Hash
    • MD5
  • Encryption
    • DES
    • RC4
    • RC5

The Internet Engineering Task Force (IETF) formally defines the algorithms in the following Request for Comments (RFC):

  • AES-CBC in RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec
  • AES-XCBC-MAC in RFC 3566, The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
  • HMAC-SHA_256, HMAC-SHA-384, and HMAC-SHA-512 in RFC 4868, Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
  • HMAC-MD5 in RFC 2085, HMAC-MD5 IP Authentication with Replay Prevention
  • DES in Request for Comment (RFC) 1829, The ESP DES-CBC Transform
  • DH groups 19 and 20 in RFC 4754, IKE and IKEV2 Authentication Using the Elliptical Curve Digital Signature Algorithm (ECDSA)
  • AES-CTR in RFC 3686, Using Advanced Encryption (AES) Counter Mode with IPSec Encapsulating Security Payload (ESP)
  • AES-CCM in RFC 4309, Using Advanced Encryption Standard (AES) CCM mode with IPSec Encapsulating Security Payload (ESP)
  • AES-GCM in RFC 4106, The Use of Galios/Counter Mode (GCM) in IPSec Encapsulating Security Payload (ESP)

You can view these RFCs on the Internet at the following Web address: http://www.rfc-editor.org.