a) "Table 1: Recommendations for Cryptographic Algorithms" recommends the following cryptographic algorithms with status NGE:
Authenticated encryption: AES-GCM mode
Integrity: SHA-256 / SHA-384 / SHA-512
Key exchange: ECDH-384
Issue 1: Table 1 does not recommend an AES key length. Based on the rest of the document, it should be AES-128-CBC and AES-128-GCM.
Issue 2: Mention the IKE groups already in the Algorithm column, e.g., "DH-3072 (Group 15)" and IKE Groups 19 and 20 for ECDH-256 and ECDH-384. Group 15 is mentioned just once, in the "Alternative" column.
b) Section "Categories of Cryptographic Algorithms", NGE recommends:
AES with 128-bit keys provides adequate protection for sensitive information.
AES with 256-bit keys is required to protect classified information of higher importance.
ECDH and ECDSA using 256-bit prime modulus secure elliptic curves provide adequate protection for sensitive information.
ECDH and ECDSA over 384-bit prime modulus secure elliptic curves are required to protect classified information of higher importance.
SHA-256 provides adequate protection for sensitive information.
SHA-384 is required to protect classified information of higher importance.
DH, DSA, and RSA can be used with a 3072-bit modulus to protect sensitive information.
Issue 3: How about classified information of higher importance? Probably it is 4096 bit, since you recommend the usage of "IKE Group 16" in the VPN example later.
Option 1) I expect the smallest "acceptable" algorithm in Table 1, e.g., DH-2048, RSA-2048 and DSA-2048.
Option 2) The 2048-bit versions must be Legacy in Table 1.
c) Following the "Appendix A: Minimum Cryptography Recommendations":
Encryption: AES-128-CBC mode
Authentication: RSA-3072, DSA-3072
Key exchange: DH Group 15 (3072-bit)
Issue 5: Please write "DH-3072 (Group 15)" instead of "DH Group 15" to be consistent with Table 1.
Issue 6: I am missing an EC recommendation, which is provided in Table 1.
Issue 7: This appendix contradicts Table 1. I would expect the smallest acceptable/NGE algorithms in Table 1 to be the "Recommended Minimum Security Algorithms":
AES-CBC is the smallest algorithm in Table 1 ✔
RSA-3072, DSA-3072 are not the smallest algorithms in Table 1 (see Issue 4) ✘
SHA-256 is the smallest acceptable/NGE algorithm in Table 1 ✔
DH Group 15 (3072-bit) is not the smallest algorithm in Table 1 (see Issue 4) ✘
The status for DH-2048, RSA-2048, DSA-2048 must be Legacy, or all minimum required DLOG sizes must be 2048 bits instead of 3072 bits.
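The consistency the post asks for between Table 1 and Appendix A is a weakest-link question: a suite is only as strong as its least strong primitive. The following Python script is an added example, not code from the original post or from the Cisco document it reviews. It rates the encryption, integrity and key-exchange parts of an IKEv2 proposal with the strength equivalences of NIST SP 800-57 Part 1 Rev. 5 (Tables 2 and 3), maps IKE group numbers to sizes using RFC 3526 (MODP groups) and RFC 5903 (NIST curves), and reports which component limits the suite. The sample proposal lines are constructed for the example; the rule that a size between two table rows gets the lower row's strength, and the value used for SHA-1, are assumptions made here.

```python
"""Weakest-link audit of an IKEv2 proposal (encryption, integrity, DH group).

Added example, not part of the original post. Security strengths come from
NIST SP 800-57 Part 1 Rev. 5 (Tables 2 and 3); IKE group sizes from RFC 3526
(MODP groups) and RFC 5903 (NIST elliptic-curve groups). Sizes that fall
between two table rows get the strength of the lower row (an assumption
made here, a conservative floor rather than an interpolation).
"""
import re

# IKE group number -> (key exchange family, size in bits).
IKE_GROUPS = {
    2: ("ffc", 1024), 5: ("ffc", 1536), 14: ("ffc", 2048), 15: ("ffc", 3072),
    16: ("ffc", 4096), 17: ("ffc", 6144), 18: ("ffc", 8192),   # RFC 3526 MODP
    19: ("ecc", 256), 20: ("ecc", 384), 21: ("ecc", 521),      # RFC 5903 curves
}

# SP 800-57 Table 2 rows: (FFC/IFC modulus bits, ECC order bits, strength bits).
STRENGTH_ROWS = [
    (1024, 160, 80), (2048, 224, 112), (3072, 256, 128),
    (7680, 384, 192), (15360, 512, 256),
]

# SP 800-57 Table 3 collision-resistance strength of the integrity/PRF hash.
# SHA-1 is listed there only as "< 80"; 63 (the practical collision cost) is
# used as an assumed value so that it sorts below every other entry.
HASH_STRENGTH = {"sha1": 63, "sha256": 128, "sha384": 192, "sha512": 256}

ENC_RE = re.compile(r"aes-(cbc|gcm)-(128|192|256)$")


def asym_strength(family, bits):
    """Strength of an FFC (DH/DSA/RSA-like) or ECC (ECDH/ECDSA) parameter size.

    Keeps the last table row whose minimum size is met, so 4096-bit DH is
    rated at the 3072-bit row (128 bits) rather than interpolated upwards.
    """
    strength = 0
    for ffc_bits, ecc_bits, bits_of_security in STRENGTH_ROWS:
        needed = ffc_bits if family == "ffc" else ecc_bits
        if bits >= needed:
            strength = bits_of_security
    return strength


def cipher_strength(name):
    """AES strength equals its key length; CBC versus GCM does not change it."""
    match = ENC_RE.match(name)
    if not match:
        raise ValueError(f"unsupported encryption transform: {name}")
    return int(match.group(2))


def parse_proposal(text):
    """Parse a constructed line such as 'encryption aes-cbc-128 integrity sha256 group 15'.

    With an AEAD cipher (GCM) the 'integrity' field stands for the PRF hash.
    """
    fields = dict(re.findall(r"(encryption|integrity|group)\s+(\S+)", text))
    return {
        "encryption": fields["encryption"],
        "integrity": fields["integrity"],
        "group": int(fields["group"]),
    }


def audit(proposal):
    """Rate each primitive and report the weakest link of the suite."""
    family, size = IKE_GROUPS[proposal["group"]]
    strengths = {
        "encryption": cipher_strength(proposal["encryption"]),
        "integrity": HASH_STRENGTH[proposal["integrity"]],
        "key exchange": asym_strength(family, size),
    }
    effective = min(strengths.values())
    return {
        "strengths": strengths,
        "effective": effective,
        "limiting": [k for k, v in strengths.items() if v == effective],
        "oversized": [k for k, v in strengths.items() if v > effective],
    }


# Constructed sample proposals: the appendix minimum quoted in the post, the
# same suite with a 2048-bit group, and two "higher importance" candidates.
SAMPLE_PROPOSALS = [
    "encryption aes-cbc-128 integrity sha256 group 15",
    "encryption aes-cbc-128 integrity sha256 group 14",
    "encryption aes-gcm-256 integrity sha384 group 16",
    "encryption aes-gcm-256 integrity sha384 group 20",
]

if __name__ == "__main__":
    for line in SAMPLE_PROPOSALS:
        result = audit(parse_proposal(line))
        print(f"{line}\n  effective strength {result['effective']} bits, "
              f"limited by {', '.join(result['limiting'])}; "
              f"oversized: {', '.join(result['oversized']) or 'none'}")
```

Running it shows the point of Issue 7 in numbers: AES-128-CBC, SHA-256 and Group 15 all land on the 128-bit row, so that suite has no oversized member, whereas swapping in Group 14 drops the whole suite to 112 bits with the key exchange as the limiting component, and a Group 16 suite with AES-256 and SHA-384 is still rated at the 128-bit row because 4096 bits does not reach the next table row.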