Cisco Blogs

Cisco Blog > Security

Next Generation Encryption Algorithms

Over the years, numerous cryptographic algorithms have been developed and used in many different protocols and functions. Cryptography is by no means static. Steady advances in computing and in the science of cryptanalysis have made it necessary to continually adopt newer, stronger algorithms, and larger key sizes. Older algorithms are supported in current products to ensure backward compatibility and interoperability. However, some older algorithms and key sizes no longer provide adequate protection from modern threats and should be replaced.

Over the years, some cryptographic algorithms have been deprecated, “broken,” attacked, or proven to be insecure. There have been research publications that compromise or affect the perceived security of almost all algorithms by using reduced step attacks or others (known plaintext, bit flip, and more). Additionally, every year advances in computing reduce the cost of information processing and data storage to retain effective security. Because of Moore’s law, and a similar empirical law for storage costs, symmetric cryptographic keys must grow by 1 bit every 18 months. For an encryption system to have a useful shelf life and securely interoperate with other devices throughout its life span, the system should provide security for 10 or more years into the future. The use of good cryptography is more important now than ever before because of the very real threat of well-funded and knowledgeable attackers.

Next Generation Encryption (NGE) technologies satisfy the security requirements described above while using cryptographic algorithms that scale better. For more information on Legacy, Acceptable, Recommended and NGE algorithms that should be avoided or used in your networks, you can refer to our latest Whitepaper.

Tags: , , ,

Cisco Unified IP Phones earn FIPS Certification!

The Global Certification Team is proud to announce the FIPS 140-2 Crypto certification of the 6900 and 7900 Series IP Phones.

The phones received FIPS certificate #1647 for Models 6901 and 6911 and Certificate #1650 for 6921, 6941, 6945, and 6961.  Finally the 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G were awarded FIPS certificate #1689.

Take full advantage of converged voice and data networks while retaining the convenience and user-friendliness you expect from a business phone. Cisco Unified IP Phones can help improve productivity by meeting the needs of users throughout your organization. Advanced media endpoints in this innovative suite of Cisco Unified IP Phones enhance the end-user experience.

6900 Series on

7900 Series Phones on

FIPS-140 is a US and Canadian government standard that specifies security requirements for cryptographic modules. A cryptographic module is defined as “the set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.” The cryptographic module is what is being validated.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Next Generation Encryption

A transition in cryptographic technologies is underway. New algorithms for encryption, authentication, digital signatures, and key exchange are needed to meet escalating security and performance requirements. Many of the algorithms that are in extensive use today cannot scale well to meet these needs. RSA signatures and DH key exchange are increasingly inefficient as security levels rise, and CBC encryption performs poorly at high data rates. An encryption system such as an IPsec Virtual Private Network uses many different component algorithms, and the level of security that it provides is limited by the lowest security level of each of those components. What we need is a complete algorithm suite in which each component provides a consistently high level of security and can scale well to high throughput and high numbers of connections. The next generation of encryption technologies meets this need by using Elliptic Curve Cryptography (ECC) to replace RSA and DH, and using Galois/Counter Mode (GCM) of the Advanced Encryption Standard (AES) block cipher for high-speed authenticated encryption. More on these algorithms below, but first, some good news: the new ISR Integrated Services Module brings these next-generation encryption (NGE) technologies to IPsec Virtual Private Networks, providing a security level of 128 bits or more. These technologies are future proof: the use of NGE enables a system to meet the security requirements of the next decade, and to interoperate with future products that leverage NGE to meet scalability requirements. NGE is based on IETF standards, and meets the government requirements for cryptography stipulated in FIPS-140.

NGE uses new crypto algorithms because they will scale better going forward. This is analogous to the way that jets replaced propeller planes; incremental improvements in propeller-driven aircraft are always possible, but it was necessary to adopt turbojets to achieve significant advances in speed and efficiency.

Read More »

Tags: , , , ,

Great Cipher, But Where Did You Get That Key?

Today, there are many strong cryptographic algorithms and protocols, standards for their use at every layer of the network, and interoperable implementations in many products and in open source. When used appropriately, they provide strong safeguards against attacks that target our networks. Unfortunately, none of this good cryptography will protect anybody if it is used with secrets that are guessable.

Humorist Gene Weingarten claims he knows the secrets that protect the U.S. nuclear launch codes: 070494, which happens to be the date of Obama’s daughter’s birthday. No doubt the secrets are actually better chosen than that, but the joke conveys an important truth: you can’t expect everyone to choose passwords well. You should regard passwords that are human-generated or human-memorable as being guessable. A cryptographic system is only as strong as its weakest element. When human-generated keys are used in cryptography, the system should not be expected to resist a knowledgeable attacker.

The most secure key management technology is digital certificates; you should use them when you can. If for some reason you can’t, and you need to use shared secret keys, then you should make sure that those keys are generated by a uniform random process, and not by an administrator in a hurry. I will get to advice on certificates and key generation later, but first, I would like to explain why passwords and cryptography don’t mix well.

Read More »

Tags: , , ,

New White Paper on Cisco “Suite B” Cryptography

There is a new Whitepaper out on the Next-Generation Cryptography called “Suite B” for Government that will enable a new level of  secure communications and collaboration.

The Suite B set of cryptographic algorithms has become the preferred global standard for ensuring the security and integrity of information shared over non-trusted networks. This white paper, intended for public sector IT professionals, explains that:

  • Suite B combines four well established public domain cryptographic algorithms
  • The Internet Engineering TaskForce (IETF) has established open standards for commercial products using Suite B, helping organizations adopt it with confidence
  • Cisco has introduced an IPsec-based implementation of Suite B cryptography in its VPN products

There is a nice quote from David McGrew – Cisco Fellow

“Open and freely implementable cryptography standards are indispensable to global information security.  By not asserting patent rights with the Galois/Counter Mode of operation, Cisco has taken an active role in helping Suite B standards remain open.”

For an understanding of Suite B, you may download the Whitepaper here.

Tags: , , ,