01-04-2011 04:24 AM - edited 03-11-2019 12:30 PM
Even though AES has a theoretical advantage over 3DES for speed and efficiency, in some hardware implementations 3DES may be faster where support for 3DES is mature.
http://blogs.msdn.com/b/ace_team/archive/2007/09/07/aes-vs-3des-block-ciphers.aspx
I have the following questions about the above comment as it relates to the ASA 5505.
1. Does Cisco have any published benchmarks of site-to-site VPN performance using 3DES vs AES on the ASA platform?
2. Are both/either of AES and 3DES supported directly in hardware on the ASA 5505?
Everyone seems to know AES is more secure, but I'm running up against a manager who says 3DES is somehow better. The only way it could be better would be if it were faster on the ASA 5505. I need documentation to make my point, but I'm not finding anything concrete, just blanket statements saying AES is a best practice.
If there are no published benchmarks, perhaps someone could provide a method for obtaining a benchmark comparison for site-to-site VPNs on a pair of 5505s. I have a pair I could test with in the lab.
Thanks in advance for your comments.
01-04-2011 07:10 AM
Hi,
3DES uses 168-bit key encryption (DES 56 times 3).
AES can use either 128, 192 or 256-bit encryption.
From that point of view, 3DES can be faster than AES-192 or AES-256.
However, being able to use a 256-bit key in AES makes AES more secure (even 192-bit).
Unfortunately, I don't really have a document to share with you at the moment.
Federico.
01-05-2011 04:49 AM
Hi,
Speed may not always be the only deciding factor, you also need to consider the maturity of the algorithm that you choose.
A good reference for comparing 3DES to AES can be found here, the CCNA Security Exam guide
http://www.ciscopress.com/bookstore/product.asp?isbn=1587202204
See page 451, it states that:
"AES does run faster than 3DES on comparable hardware... this is especially true when pure software encryption is used."
However the disadvantage of AES in comparison to 3DES is that it is a relatively new encryption algorithm.
".. a more mature algorithm is always more trusted. That being the case, 3DES represents a more conservative yet more trusted choice in terms of strength, because it has been analysed for nearly 35 years."
It's not related to ASA firewalls, but a benchmark comparison of the speed of AES vs 3DES on routers with built-in VPN hardware accelerators can be found here. See Figure 9 for details.
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Dir_Encap.html
Interesting to note that there is virtually no difference in speed between AES vs 3DES.
Please remember to rate posts that are helpful.
Cheers
Sean
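A quick way to see the "pure software" half of the quoted claim on your own machine, as an added example that is not from this thread or from Cisco: it times AES-128-CBC against 3DES-CBC using only Go's standard library, with constructed fixed keys and a zero IV (fine for timing, never for real traffic). It says nothing about the ASA 5505's crypto hardware, which is what the original question is really about; only a test between two 5505s answers that.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)

// Constructed, fixed test keys. This is a throughput benchmark only, so key
// quality and the all-zero IV below do not matter (they would for real traffic).
var (
	aesKey  = []byte("0123456789abcdef")         // 16 bytes -> AES-128
	tdesKey = []byte("0123456789abcdef01234567") // 24 bytes -> 3DES, three independent keys
)

func must(b cipher.Block, err error) cipher.Block {
	if err != nil {
		panic(err)
	}
	return b
}

// NewAES128 and New3DES build the two block ciphers under comparison.
func NewAES128() cipher.Block { return must(aes.NewCipher(aesKey)) }
func New3DES() cipher.Block   { return must(des.NewTripleDESCipher(tdesKey)) }

// ThroughputMBps CBC-encrypts `total` bytes in 64 KiB chunks (a multiple of
// both the 8-byte DES and 16-byte AES block sizes) and returns MiB/s.
// A zero plaintext is fine here: block cipher timing does not depend on the data.
func ThroughputMBps(block cipher.Block, total int) float64 {
	iv := make([]byte, block.BlockSize())
	buf := make([]byte, 64*1024)
	enc := cipher.NewCBCEncrypter(block, iv)
	start := time.Now()
	for done := 0; done < total; done += len(buf) {
		enc.CryptBlocks(buf, buf) // in place: dst and src overlap exactly
	}
	return float64(total) / (1 << 20) / time.Since(start).Seconds()
}

// Compare returns AES-128-CBC and 3DES-CBC throughput for `total` bytes.
func Compare(total int) (aesMBps, tdesMBps float64) {
	return ThroughputMBps(NewAES128(), total), ThroughputMBps(New3DES(), total)
}

func main() {
	a, d := Compare(16 << 20)
	fmt.Printf("AES-128-CBC %.1f MiB/s, 3DES-CBC %.1f MiB/s, ratio %.1fx\n", a, d, a/d)
}
```

On a CPU with AES instructions the gap is large; even without them, 3DES's 48 DES rounds per 8-byte block keep it well behind AES in software.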
01-05-2011 06:23 AM
Thanks for your reply. I did find this IETF draft document related to benchmarking IPsec devices.
01-05-2011 06:24 AM
Nice post. Thanks much.