Cisco developed Next Generation Encryption (NGE) in 2011. NGE was created to define a widely accepted and consistent set of cryptographic algorithms that provide strong security and good performance for our customers. These are the best standards that can be implemented today to meet the security and scalability requirements for network security in the years to come, or to interoperate with the cryptography that will be deployed in that time frame. Most importantly, all of the NGE algorithms, parameters, and key sizes are widely believed to be secure. No attacks against these algorithms have been demonstrated.
Recently there has been attention on quantum-computers (QC) and their potential impact on current cryptography standards. Quantum-computers and quantum algorithms are an area of active research and growing interest. Even though practical quantum-computers have not been demonstrated to date, if quantum-computers became a reality they would pose a threat to crypto standards for PKI (RSA, ECDSA), key exchange (DH, ECDH) and encryption (AES-128). These standards are also used in Cisco NGE.
An algorithm that would be secure even after a quantum-computer is built is said to have postquantum security or be quantum-computer resistant (QCR). AES-256, SHA-384 and SHA-512 are believed to be postquantum secure.
We would like to provide the following updates regarding NGE and quantum-computers:
- NGE algorithms: We recently updated our public NGE document to reflect quantum-computer resistant algorithms in NGE. Given that a practical quantum-computer does not seem to have been built, or to be likely in the near future, our NGE recommended algorithms offer secure cryptography for today's technology. For customers who are concerned that a quantum-computer might be built in the near future, we recommend using the larger-key algorithms (higher than 128-bit security level) recommended in NGE.
- IKE: IKEv2 supports only public key authentication, which is not quantum-computer resistant and could deter administrators from using it. IKEv2 has several important technical advantages over IKEv1: it offers stronger protection against denial of service attacks, it performs identity hiding, it has better efficiency, and its implementations benefit from a specification that has less ambiguity. These practical advantages should not be disregarded. To eliminate that quantum-computer threat to IKEv2, Cisco has submitted an IETF draft on extending IKEv2 to be quantum resistant. We envision that its implementation, with a large, high-entropy postquantum pre-shared key and the AES-256 encryption algorithm, will ensure that IKEv2 will continue to be used.
- DH/RSA/DSA vs ECDH/ECDSA: If quantum-computers became a reality, ECC-based algorithms (ECDH, ECDSA) could be broken more easily than their same security level public key equivalents (DH, RSA / DSA). For example, 384-bit ECDH could be broken more easily than 7680-bit DH. But even though ECC would be broken by a quantum-computer, RSA would be broken as well, so one cannot claim that staying away from ECC offers a significant advantage in a quantum-computer world. ECC algorithms have significant performance advantages that should not be overlooked. Additionally, implementation of ECC algorithms can make a transition to post-quantum crypto easier. For example, an ECDH step implemented in a key exchange standard could relatively easily be adjusted to leverage a quantum-computer resistant key exchange algorithm instead of ECC.
- Future: There are public key algorithms that are believed to be postquantum secure as well, but there are not yet any standards for their use in Internet protocols. The industry has started looking to standardize algorithms that would be secure in the postquantum era for many years down the road. This will provide a path towards future adoption of postquantum-secure cryptography that is well-vetted, standards-based, and interoperable across the industry.
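To illustrate the IKE item above, this added example (not code from Cisco or from the IETF draft) mixes a postquantum pre-shared key (PPK) into IKEv2 key derivation with the prf+ function of RFC 7296, so that the Child SA keys no longer follow from the (EC)DH result alone. The mixing step is modelled on RFC 8784; HMAC-SHA-384 as the PRF, the function names and all sample values are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA-384 is the negotiated IKEv2 PRF.
    return hmac.new(key, data, hashlib.sha384).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2 prf+ (RFC 7296): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    if length > 255 * 48:
        raise ValueError("prf+ is limited to 255 blocks")
    out, block, n = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([n]))
        out += block
        n += 1
    return out[:length]

def new_ppk(nbytes: int = 32) -> bytes:
    # High entropy comes from the generator, not from a check after the fact.
    return secrets.token_bytes(nbytes)

def mix_ppk(ppk: bytes, sk_d_prime: bytes) -> bytes:
    """Re-derive SK_d so it depends on the PPK as well as the (EC)DH result."""
    if len(ppk) < 32:
        raise ValueError("PPK shorter than 256 bits cannot match AES-256 strength")
    return prf_plus(ppk, sk_d_prime, len(sk_d_prime))

def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int = 64) -> bytes:
    # KEYMAT = prf+(SK_d, Ni | Nr); 64 bytes = one AES-256 key per direction.
    return prf_plus(sk_d, ni + nr, length)

def demo() -> dict:
    # Constructed inputs. SK_d' stands for the value derived from the (EC)DH
    # exchange, the part a quantum-computer could recover from a recording.
    sk_d_prime = hashlib.sha384(b"constructed SK_d'").digest()
    ni, nr = b"\x11" * 32, b"\x22" * 32
    ppk = hashlib.sha256(b"constructed PPK, not a real key").digest()
    with_ppk = child_sa_keymat(mix_ppk(ppk, sk_d_prime), ni, nr)
    dh_only = child_sa_keymat(sk_d_prime, ni, nr)  # keys derivable without the PPK
    return {"with_ppk": with_ppk, "dh_only": dh_only,
            "dh_alone_suffices": hmac.compare_digest(with_ppk, dh_only)}

if __name__ == "__main__":
    print("keys derivable from (EC)DH alone:", demo()["dh_alone_suffices"])
```

In deployment the PPK would come from `new_ppk()` or an equivalent random generator and be provisioned out of band on both peers.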
Again, readers should note that no one can say with certainty if and when practical quantum-computers will be built in the future. The single biggest threat to crypto nowadays is another high-impact bug, not a quantum-computer, so while we need to get smart fast about postquantum crypto, we need to do it in such a way that we don't create more complexity and less robustness (and thus leave the door open to the next high-impact bug).
Cisco is committed to providing the best cryptographic standards to our customers. We will remain actively involved in quantum resistant cryptography and we will provide updates as postquantum secure algorithms are standardized. For more information, visit NGE.