Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
246
Views
0
Helpful
2
Comments

Introduction to Next Generation Encryption Protocols

Blue_Bird
VIP
VIP

‎05-27-2026 10:17 PM - edited ‎05-27-2026 10:37 PM

                                           Introduction to Next Generation Encryption Protocols

AES-GCM

Elliptic Curve Cryptography (ECC)

SFTP or FTPS 

Post-Quantum Cryptography (PQC)

AES-GCM:

  • AES-GCM (Advanced Encryption Standard - Galois/Counter Mode) is the gold standard for secure data transmission.

  • It is an Authenticated Encryption with Associated Data (AEAD) algorithm, meaning it simultaneously provides both confidentiality (encryption) and integrity (tampering protection) in a single, highly efficient operation.

  • AES-GCM can do encryption like all other AES and has an authentication tag, rest of the options can be used for encryption or authentication, but not both.

  • In cryptography, Galois/Counter Mode (GCM) is a mode of
    operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance.

  • GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

  • The operation is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality.

How AES-GCM Works:   AES-GCM combines two distinct cryptographic techniques to secure data: 

  • Galois Mode (Authentication): Generates a unique 128-bit authentication tag using universal hashing over a binary Galois field. This guarantees the data hasn't been intercepted or tampered with by a malicious third party.

  • Counter Mode (Encryption): Transforms the block cipher into a stream cipher. It works by encrypting successive values of a counter, which allows encryption and decryption to be fully parallelized for high-speed performance.

Key Concepts in AES/GCM: 

  • Nonce/IV (Initialization Vector): The nonce, also known as the IV, is a unique value used in combination with the encryption key. For AES/GCM, a nonce (typically 12 bytes) ensures that the same plaintext encrypted with the same key will produce different ciphertexts each time. This prevents replay attacks and enhances security.

  • Key: The key is a secret value used in both encryption and decryption processes. In AES, key sizes can be 128, 192, or 256 bits. The strength of AES encryption largely depends on the key size — the larger the key, the more secure the encryption.

Elliptic Curve Cryptography (ECC):

  • Elliptic Curve Cryptography (ECC) is a modern, highly efficient method of public-key encryption.
  • It relies on the algebraic structure of elliptic curves to create mathematically secure keys that are much smaller than traditional methods, resulting in faster computations and less battery usage.

How ECC is used by Cisco:   Cisco heavily integrates ECC across its entire security architecture to meet modern Next Generation Encryption (NGE) and NSA Suite B compliance standards.

  • TLS/SSL Decryption: The firewall handles massive loads of encrypted web traffic. Features like the Encryption Visibility Engine (EVE) examine client-hello fingerprints (which negotiate ECC ciphers) to identify applications or threats without always needing to fully decrypt the payload. When decryption is required, using ECC keys speeds up the cryptographic overhead.

  • Site-to-Site & Remote Access VPNs: When setting up IPsec or SSL VPN tunnels (via Cisco Secure Client), the firewall uses ECDH (Elliptic Curve Diffie-Hellman) groups to securely exchange symmetric session keys over untrusted networks.

  • Device Identity & Authentication: Firewalls authenticate themselves using ECDSA (Elliptic Curve Digital Signature Algorithm) certificates instead of bulky RSA certificates, accelerating the IKEv2/TLS handshake phases.

To safely establish a shared secret across public untrusted space, Cisco relies on Elliptic Curve algorithms instead of traditional, compute-heavy Diffie-Hellman groups or standard RSA.

  • ECDH (Elliptic Curve Diffie-Hellman): Used for dynamic key agreement in IKEv2 (IPsec) and TLS (SSL/AnyConnect) handshakes. NGE Recommended Curves: Curve 25519, EC P-256 (Group 19), and EC P-384 (Group 20).

  • ECDSA (Elliptic Curve Digital Signature Algorithm): Used for device authentication and digital signing. It provides equivalent security to high-bit RSA but with drastically smaller keys and faster processing overhead. NGE Standards: ECDSA-256 and ECDSA-384 (aligned with NSA Suite B / CNSA requirements).

When configuring Site-to-Site IPsec VPNs or Remote Access (Cisco Secure Client) via the Firewall Management Center (FMC), NGE protocols are grouped into custom or pre-defined high-security crypto maps.

  • IKEv2 / IPsec: Tunnels are strictly configured using combinations like AES-GCM-256 for encryption, ECDH-384 (Group 20) for key exchange, and ECDSA-384 for certificate authentication.
  • TLS 1.2 and TLS 1.3: For SSL-based remote access and internal management interfaces, modern ciphers such as TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 are prioritized.

Cisco Secure FTP / Secure File Transfer:   

When implementing secure file transfers—such as uploading firmware, back-up configurations, or technical logs to a Cisco Secure Gateway via SFTP (SSH File Transfer Protocol) or FTPS (FTP over TLS)—ECC ensures safe delivery:

  • Key Exchange: During the initial SFTP handshake, the client and Cisco gateway use ECDH to dynamically agree on a symmetric key (like AES-GCM) to encrypt the actual file payload.
  • Host Verification: The Cisco server presents an ECDSA public key to your client software to prove its identity, protecting your data transfers from machine-in-the-middle (MITM) hijacking.

Post-Quantum Cryptography (PQC):    

Looking beyond classical NGE, Cisco is actively shipping and rolling out software support for Post-Quantum Cryptography (PQC) to defend against future quantum computing decryption capabilities.

  • ML-KEM (FIPS 203): Lattice-based key encapsulation mechanism targeting implementation in Cisco Secure Firewall Threat Defense (FTD 10.5 / ASA 9.25) to replace ECDH for VPN handshakes.
  • ML-DSA (FIPS 204): Quantum-resistant signature schemes slated for upcoming deployment cycles (FTD 11.0) to safeguard secure boot operations and peer authentication.
  • SLH-DSA (FIPS 205): is cryptography’s way of “diversifying your investments.” ML-KEM and ML-DSA are both built on lattice-based cryptography. SLH-DSA is intentionally built differently, using a different hash-based math problem. Its signatures are larger, but since its technique is different, it provides a critical safeguard for networks in case the lattice-based math problem is ever weakened by future research. Support is planned for FTD/ASA 11.0.
                          Blue_Bird_5-1779944949790.png

Thank you.!

 

0 Helpful
Comments
wayanu777walter
Community Member
‎05-29-2026 02:16 AM

Great summary of next-generation encryption protocols. The explanations of AES-GCM, ECC, and PQC are clear and practical, especially the real-world Cisco implementation examples. It’s good to see post-quantum security included since it’s becoming increasingly important for future-proofing networks.

Blue_Bird
VIP
VIP
‎05-29-2026 02:41 AM

@wayanu777walter 

Thanks for the feedback. If you think this information is useful, please mark it as "Helpful"

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents