Which of the following are not considered NGE cryptographic algorithms and should be avoided according to Cisco? (Select 2 choices.)
A. DH768
B. SHA256
C. ECDH384
D. SHA512
E. DH1024
Explanation:
Diffie-Hellman (DH) with a 768-bit modulus (DH768) and DH with a 1,024-bit modulus (DH1024) are not considered Next Generation Encryption (NGE) cryptographic algorithms and should be avoided according to Cisco. NGE algorithms are a collection of cryptographic technologies that are efficient, scalable, and expected to provide reliable security for at least the next decade. Because of recent advances in computing power, many cryptographic algorithms no longer provide adequate security. DH768 and DH1024 do not provide a level of security that is likely to meet the confidentiality requirements of the enterprise over the next decade.
Increasing the modulus size used by an algorithm can provide a higher level of security; however, if the algorithm is inherently inefficient, the increased modulus size can adversely affect the performance of the device using the algorithm. For maximum security without using an NGE algorithm, Cisco recommends using DH with a 3,072-bit modulus (DH3072); however, because DH is not particularly efficient when configured with a large modulus, Cisco considers a 2,048-bit modulus an acceptable compromise between security and efficiency. Any modulus size less than 2,048 bits, such as 1,024 bits or 768 bits, is not considered to provide an acceptable level of security.
ECDH384, Secure Hash Algorithm (SHA) with a 256-bit digest (SHA256), and SHA with a 512-bit digest (SHA512) are all considered NGE cryptographic algorithms according to Cisco. SHA256 and SHA512 are components of the set of cryptographic algorithms known as SHA-2.
Reference: Cisco: Next Generation Encryption: Recommendations for Cryptographic Algorithms