Enhanced Cryptographic Algorithms

Cryptographic algorithms Start of changesupported inEnd of change the VPN selection for Key Exchange Policy and Data policy security association attributes.

Key Exchange Policy:
  • Encryption
    • 3DES-CBC
    • Start of changeAES-CBC (128, 192, and 256 bit)End of change
    • Start of changeAES-CTR (128, 192, and 256 bit)End of change
  • Hash/PRF
    • SHA
    • HMAC-SHA-256
    • Start of changeHMAC-SHA-384End of change
    • Start of changeHMAC-SHA-512End of change
    • AES-XCBC-MAC (HASH 96 bits; PRF 128 bits)
  • Diffie-Hellman
    • Group 1
    • Group 2
    • Group 14
    • Start of changeGroup 19 (256 ECP)End of change
    • Start of changeGroup 20 (384 ECP)End of change
    • Group 24
Data Policy:
  • Authentication
    • SHA
    • HMAC-SHA-256
    • Start of changeHMAC-SHA-384End of change
    • Start of changeHMAC-SHA-512End of change
    • AES-XCBC-MAC
  • Diffie-Hellman for PFS
    • Group 1
    • Group 2
    • Group 14
    • Start of changeGroup 19 (256 bit ECP)End of change
    • Start of changeGroup 20 (384 bit ECP)End of change
    • Group 24
  • Start of changeEncryptionStart of change
    • 3DES-CBC
    • AES-CBC (128, 192, and 256 bit)
    • AES-CTR (128, 192, and 256 bit)
    • AES-CCM (128, 192, and 256 bit)
    • AES-GCM (128, 192, and 256 bit)
    • AES-GMAC (128, 192, and 256 bit)
    End of change End of change
In addition to the enhanced cryptographic algorithms being supported, the following algorithms are de-emphasized. They are still supported, but the direction is to use them less.
  • Hash
    • MD5
  • Encryption
    • DES
    • RC4
    • RC5

The Internet Engineering Task Force (IETF) formally defines the algorithms in the following Request for Comments (RFC):

  • AES-CBC in RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec
  • AES-XCBC-MAC in RFC 3566, The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
  • HMAC-SHA_256, Start of changeHMAC-SHA-384, and HMAC-SHA-512End of change in RFC 4868, Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
  • HMAC-MD5 in RFC 2085, HMAC-MD5 IP Authentication with Replay Prevention
  • DES in Request for Comment (RFC) 1829, The ESP DES-CBC Transform
  • Start of changeDH groups 19 and 20 in RFC 4754, IKE and IKEV2 Authentication Using the Elliptical Curve Digital Signature Algorithm (ECDSA)End of change
  • Start of changeAES-CTR in RFC 3686, Using Advanced Encryption (AES) Counter Mode with IPSec Encapsulating Security Payload (ESP)End of change
  • Start of changeAES-CCM in RFC 4309, Using Advanced Encryption Standard (AES) CCM mode with IPSec Encapsulating Security Payload (ESP)End of change
  • Start of changeAES-GCM in RFC 4106, The Use of Galios/Counter Mode (GCM) in IPSec Encapsulating Security Payload (ESP)End of change
  • Start of changeAES-GMAC in RFC 4543, The Use of Galios Message Authentication Mode (GMAC) in IPSec ESP and AHEnd of change

You can view these RFCs on the Internet at the following Web address: http://www.rfc-editor.org.