43.5. Algorithms

Both sides agree on the cryptographic algorithms to be used for encryption and data signing. The algorithms are separately adjustable for each phase. In the Intra2net system, encryption profiles with algorithms can be configured in the Services > VPN > Encryption menu.

An encryption method consists of an encryption algorithm, a hashing (signature) algorithm and a Diffie-Hellman group for establishing a secure connection. Most algorithms are offered in different lengths. The length is given in bits, and the more bits are used, the stronger the algorithm. However, more bits also increase the required amount of processing.

A list of possible methods is configured for each of the two phases. The list is offered to the peer in the configured order, and the peer then uses the uppermost method it supports.

The use of Perfect Forward Secrecy (PFS) in phase 2 is also configured on the Intra2net system using the encryption profiles. If a PFS group is specified on the Intra2net system, it is used when establishing a connection. If the other side establishes the connection, the Intra2net system accepts the configured group and any stronger groups. If the PFS group is set to No, connections are established without PFS. If the other side establishes the connection, connections with and without PFS are accepted.
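The method selection and the PFS acceptance rules described above can be modelled as follows. This is an added example, not Intra2net code. The algorithm labels are constructed, "stronger" is assumed to mean a larger MODP modulus, and a configured PFS group is assumed to make PFS mandatory for incoming connections.

```python
# Added illustration: a model of the behaviour described above, not Intra2net code.
from typing import Optional, Sequence, Tuple

# A method is (encryption, hash, DH group); the string labels are constructed.
Method = Tuple[str, str, int]

# Standard MODP Diffie-Hellman group numbers and their modulus sizes in bits.
MODP_BITS = {2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}


def select_method(offered: Sequence[Method],
                  peer_supports: Sequence[Method]) -> Optional[Method]:
    """Return the uppermost offered method the peer supports, else None."""
    supported = set(peer_supports)
    for method in offered:          # the order of the configured list matters
        if method in supported:
            return method
    return None                     # no common method: negotiation fails


def responder_accepts_pfs(configured: Optional[int],
                          proposed: Optional[int]) -> bool:
    """Phase 2 PFS check when the other side establishes the connection.

    configured: PFS group of the local profile, None meaning "No".
    proposed:   PFS group requested by the peer, None meaning no PFS.
    """
    if configured is None:
        return True                 # connections with and without PFS are accepted
    if proposed is None:
        return False                # assumption: a set group makes PFS mandatory
    # Assumption: "stronger" means a larger MODP modulus; unknown groups are rejected.
    return MODP_BITS.get(proposed, 0) >= MODP_BITS[configured]


if __name__ == "__main__":
    # Constructed sample profile (in configured order) and peer capabilities.
    profile = [("aes256", "sha2_256", 14), ("aes128", "sha1", 5), ("3des", "md5", 2)]
    peer = [("3des", "md5", 2), ("aes128", "sha1", 5)]
    print("negotiated:", select_method(profile, peer))
    for proposed in (None, 5, 14, 16):
        print("configured group 14, peer proposes", proposed, "->",
              responder_accepts_pfs(14, proposed))
```

Because the peer takes the first match, a weak method left at the bottom of the list is still used whenever the peer supports nothing above it.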

From a contemporary point of view, all offered algorithms provide sufficient strength. The Intra2net system no longer even offers algorithms like simple DES with 64 bit. However, some possible vulnerabilities of MD5 and SHA have been discussed recently in cryptographic research. We therefore recommend switching to one of the stronger SHA2 variants (256, 384 and 512 bit) as soon as possible.