Cisco Blogs

Next Generation Encryption

- October 25, 2011 - 6 Comments

A transition in cryptographic technologies is underway. New algorithms for encryption, authentication, digital signatures, and key exchange are needed to meet escalating security and performance requirements. Many of the algorithms that are in extensive use today cannot scale well to meet these needs. RSA signatures and DH key exchange are increasingly inefficient as security levels rise, and CBC encryption performs poorly at high data rates. An encryption system such as an IPsec Virtual Private Network uses many different component algorithms, and the level of security that it provides is limited by the lowest security level of each of those components. What we need is a complete algorithm suite in which each component provides a consistently high level of security and can scale well to high throughput and high numbers of connections. The next generation of encryption technologies meets this need by using Elliptic Curve Cryptography (ECC) to replace RSA and DH, and using Galois/Counter Mode (GCM) of the Advanced Encryption Standard (AES) block cipher for high-speed authenticated encryption. More on these algorithms below, but first, some good news: the new ISR Integrated Services Module brings these next-generation encryption (NGE) technologies to IPsec Virtual Private Networks, providing a security level of 128 bits or more. These technologies are future proof: the use of NGE enables a system to meet the security requirements of the next decade, and to interoperate with future products that leverage NGE to meet scalability requirements. NGE is based on IETF standards, and meets the government requirements for cryptography stipulated in FIPS-140.

NGE uses new crypto algorithms because they will scale better going forward. This is analogous to the way that jets replaced propeller planes; incremental improvements in propeller-driven aircraft are always possible, but it was necessary to adopt turbojets to achieve significant advances in speed and efficiency.

Suite B Cryptography

The community that needs a new technology most leads its adoption. For instance, the transition from propellers to jet engines happened for military applications before jets were adopted for commercial use. Similarly, governments are leading the transition to next generation encryption. The U.S. government selected and recommended a set of cryptographic standards, called Suite B because it provides a complete suite of algorithms that are designed to meet future security needs. Suite B has been approved for protecting classified information at both the SECRET and TOP SECRET levels. Suite B sets a good direction for the future of network security, and the Suite B algorithms have been incorporated into many standards. (Cisco supported the development of some of these standards, including GCM authenticated encryption and implementation methods for ECC.) NGE uses the Suite B algorithms for two different reasons. First, it enables government customers to conform to the Suite B requirements. Second, Suite B offers the best technologies for future-proof cryptography, and is setting the trend for the industry. These are the best standards that one can implement today if the goal is to meet the security and scalability requirements ten years hence, or to interoperate with the crypto that will be deployed in that timescale.

Scaling to Higher Security

A network encryption system must meet the network’s requirements for high throughput, high numbers of connections, and low latency, while providing protection against sophisticated attacks. Cryptographic algorithms and key sizes are designed to make it economically infeasible for an attacker to break a cryptosystem. In principle, all algorithms are vulnerable to an exhaustive key search. In practice, this vulnerability holds only if an attacker can afford enough computing power to try every possible key. Encryption systems are designed to make exhaustive search too costly for an attacker, while also keeping down the cost of encryption. The same is true for all of the cryptographic components that are used to secure communications – digital signatures, key establishment, and cryptographic hashing are all engineered so that attackers can’t afford the computing resources that would be needed to break the system.

Every year, advances in computing lower the cost of processing and storage. These advances in computing accrue over the years and make it imperative to periodically move to larger key sizes. Because of Moore’s law, and a similar empirical law for storage costs, symmetric cryptographic keys need to grow by a bit every 18 months. In order for an encryption system to have a useful shelf life, and be able to securely interoperate with other devices throughout its operational lifespan, it should provide security ten or more years into the future. The use of good cryptography is more important now than ever before, due to the threat of well-funded and knowledgeable attackers.

A complete crypto suite includes algorithms for authenticated encryption, digital signatures, key establishment, cryptographic hashing. I touch on each of these below, to explain the need for technology changes. The Rivest-Shamir-Adleman (RSA) algorithms for encryption and digital signatures are less efficient at higher security levels, as is the integer-based Diffie-Hellman (DH). In technical terms, there are sub-exponential attacks that can be used against these algorithms, and thus their key sizes must be substantially increased to compensate for this fact. In practice, this means that RSA and DH are becoming less efficient every year.

Elliptic Curve Cryptography (ECC) replaces RSA signatures with the ECDSA algorithm, and replaces the DH key exchange with ECDH. ECDSA is an elliptic curve variant of the DSA algorithm, which has been a standard since 1994. ECDH is an elliptic curve variant of the classic Diffie-Hellman key exchange. DH and DSA are both based on the mathematical group of integers modulo a large prime number. The ECC variants replace that group with a different mathematical group that is defined by an elliptic curve. The advantage of ECC is that there are no sub-exponential attacks that work against ECC, which means that ECC can provide higher security at lower computational cost. The efficiency gain is especially pronounced as one turns the security knob up.

The AES block cipher is widely used today; it is efficient and provides a good security level. However, the Cipher Block Chaining (CBC) mode of operation for AES, which is commonly used for encryption, contains serialized operations that make it impossible to pipeline. Additionally, it does not provide authentication, and thus the data encrypted by CBC must also be authenticated using a message authentication code like HMAC. NGE improves on the combination of CBC and HMAC by using AES in the Galois/Counter Mode (GCM) of operation.

Wire Rate Encryption and Authentication

Fifteen years ago, it was considered a truism that encryption could not keep up with the fastest networks. Ten years ago, it was realized that the counter mode of operation (CTR) could keep up, but that did not resolve the need for data authentication. GCM solves this problem by incorporating an efficient authentication method, based on arithmetic over finite fields. GCM is an authenticated encryption algorithm; it provides both confidentiality and authenticity. Combing both these security services into a single algorithm improves both security and performance. (For instance, it prevents subtle attacks that exploit unauthenticated encryption, such as the recent BEAST attack against the TLS/SSL protocol and similar attacks.) AES-GCM is efficient even at very high data rates, because its design enables the use of full data pipelines and parallelism. Its efficiency is showcased by its use in the IEEE MACsec protocol, where it has kept up with 802.1 data rates of 10, 40, and even 100 gigabits per second without adding significant latency.

NGE follows Suite B and uses the SHA-2 family of hash functions. These functions replace the ubiquitous SHA-1 hash with SHA-256, SHA-384, and SHA-512. SHA-1 only targets an 80-bit security level, and has been shown to not meet that goal. If you are still using SHA-1, you should transition to SHA-256, which provides a 128-bit security level.

For more information about Cisco’s offering for faster next-generation encryption, see the Cisco VPN Internal Service Module for the ISR G2 page.

Leave a comment

We'd love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.

All comments in this blog are held for moderation. Your comment will not display until it has been approved

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. "and meets the government requirements" Which government?

    • Hi Lukanikos, good question! The short answer is: Canada and the U.S. (the FIPS-140 countries) plus Japan (via the CRYPTREC program), plus NATO (at least for some defense-specific uses). Here of course I am referring to government regulations on how those governments use cryptography. Many governments do not have formally published regulations of that sort. Some other governments regulate all uses of cryptography within their borders. This is a complex topic (perhaps deserving its own post). Because government crypto requirements around the globe are sometimes conflicting, it is impossible to meet them all at the same time with a single product. By using open international standards, we have the best chance of meeting the global crypto requirements. Let's hope that the industry is able to converge onto common crypto standards going forward, so that we can have secure global communication with strong cryptography!

  2. Another fantastic post! Thanks for explaining a complex topic in plain English. After reading this I instantly requested prices for these, only to find out that they are not shipping until next year :-( BTW - The link to "new ISR Integrated Services Module " in the top paragraph is broken. cheers

    • Hi Graham, thanks for your interest and for pointing out the bad link; it's fixed now. The new VPN ISM is available now, so perhaps it would be good to check with the reseller again. David

      • Hi David Seems that there was a problem with the supplier I contacted. Thanks for the heads up - I've now tracked some down :-)

  3. Looks like we've come a long way since deciphering the German Enigma machine in WWII....