The next generation of encryption technologies meets this need by using Elliptic Curve Cryptography (ECC) to replace RSA and DH, and by using the Galois/Counter Mode (GCM) of the Advanced Encryption Standard (AES) block cipher for high-speed authenticated encryption. ECC is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985. According to Cisco, "New algorithms for encryption, authentication, digital signatures, and key exchange are needed to meet escalating security and performance requirements".
A 244-bit ECC key has security strength equivalent to that of a 2048-bit RSA key; a 384-bit ECC key matches a 7680-bit RSA key. Greater strength for any given key length enables the use of shorter keys, resulting in significantly lower computational loads and memory requirements, faster computations, smaller chips, and lower power consumption, all beneficial for implementations of asymmetric authentication in low-cost systems.
The U.S. government selected and recommended a set of cryptographic standards, called Suite B because it provides a complete suite of algorithms that are designed to meet future security needs. Suite B is a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. Suite B has been approved for protecting classified information at both the SECRET and TOP SECRET levels. Suite B sets a good direction for the future of network security, and the Suite B algorithms have been incorporated into many standards.
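The combination described above, ECC in place of DH for key establishment followed by AES-GCM for authenticated encryption, can be seen end to end in the sketch below. It is an added example, not code from Cisco or the original page; the choice of P-384, HKDF-SHA-384 and a 256-bit AES key, the function names (`newPeer`, `deriveKey`, `seal`, `open`, `demo`) and the sample payload are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Each peer generates an ephemeral key pair on P-384 (OpenSSL name: secp384r1).
function newPeer() {
  const ecdh = crypto.createECDH('secp384r1');
  ecdh.generateKeys();
  return ecdh;
}

// Derive a 256-bit AES key from the raw ECDH secret with HKDF-SHA-384;
// the raw shared secret is never used directly as a cipher key.
function deriveKey(self, peerPublicKey, salt) {
  const shared = self.computeSecret(peerPublicKey);
  const info = Buffer.from('example session key'); // hypothetical context label
  return Buffer.from(crypto.hkdfSync('sha384', shared, salt, info, 32));
}

// AES-256-GCM: encrypts the payload and authenticates payload plus header (AAD).
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, must never repeat under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// final() throws if the ciphertext, AAD or tag was modified in transit.
function open(key, msg, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ct), decipher.final()]);
}

function demo() {
  const alice = newPeer(), bob = newPeer();
  const salt = crypto.randomBytes(32); // public value both sides agree on
  const kA = deriveKey(alice, bob.getPublicKey(), salt);
  const kB = deriveKey(bob, alice.getPublicKey(), salt);
  const aad = Buffer.from('seq=1'); // constructed header, sent in the clear
  const msg = seal(kA, Buffer.from('constructed sample payload'), aad);
  const recovered = open(kB, msg, aad).toString();
  const tampered = { ...msg, ct: Buffer.from(msg.ct) };
  tampered.ct[0] ^= 0x01; // flip one ciphertext bit
  let rejected = false;
  try { open(kB, tampered, aad); } catch (e) { rejected = true; }
  const pubLen = alice.getPublicKey().length; // uncompressed point: 1 + 48 + 48
  return { keysMatch: kA.equals(kB), recovered, rejected, pubLen };
}
```

The 97-byte uncompressed P-384 public key is the entire key-exchange payload per peer, which illustrates the short-key advantage the text describes; the rejected tampered message is what "authenticated" adds over plain encryption.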
"Cryptographic algorithms and key sizes are designed to make it economically infeasible for an attacker to break a cryptosystem. In principle, all algorithms are vulnerable to an exhaustive key search. In practice, this vulnerability holds only if an attacker can afford enough computing power to try every possible key. Encryption systems are designed to make exhaustive search too costly for an attacker, while also keeping down the cost of encryption. The same is true for all of the cryptographic components that are used to secure communications – digital signatures, key establishment, and cryptographic hashing are all engineered so that attackers can't afford the computing resources that would be needed to break the system." - David McGrew, on the Cisco Blog.
The Cisco VPN Internal Service Module (VPN ISM) is a compact, versatile high-performance VPN blade for the Cisco Integrated Services Routers Generation 2 (ISR G2). This acceleration module supports the latest encryption standards, including stronger National Security Agency (NSA) regulated encryption algorithms such as Suite B. It provides up to three times better performance for IPsec VPN encrypted traffic.