3DES may be faster

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Guest

3DES may be faster

Post by Guest » Thu Jan 13, 2005 1:40 am

Even though AES has theoretical advantage over 3DES for speed and efficiency in some hardware implementation 3DES may be faster where support for 3DES is mature. http://blogs.msdn.com/b/ace_team/archiv ... phers.aspx I have the following questions about the above comment as it relates to the ASA 5505. 1. Does Cisco have any published benchmarks of site to site vpn performance using 3DES vs AES on the ASA platform?  2. Are both/either of AES and 3DES supported directly in hardware on the ASA 5505? Everyone seems to know AES is more secure, but Im running up against a manager who says 3DES is somehow better. The only way it could be better would be if it were faster on the ASA 5505. I need documentation to make my point, but Im not finding anything concrete just blanket statements saying AES is a best practice.  If there are no published benchmarks, perhaps someone could provide a method for obtaining a benchmark comparison for site to site vpns on a pair of 5505s. I have a pair I could test with in the lab.  Thanks in advance for your comments.

Guest

Re:3DES may be faster

Post by Guest » Thu Jan 13, 2005 3:08 am

Hi, 3DES uses a 168-bit key encryption. (DES 56 times 3)AES can either use a 128, 192 or 256-bit encryption. From that point of view, 3DES can be faster than AES-192 or AES-256 However, being able to use a 256-bit key in AES makes AES more secure (even 192-bit). Unfortunaly don really have a document to share with you at the moment. Federico.

Guest

Re:3DES may be faster

Post by Guest » Thu Jan 13, 2005 4:30 am

Thanks for your reply. I did find this IETF draft document related to benchmarking ipsec devices. http://tools.ietf.org/id/draft-ietf-bmw ... erm-11.txt

Guest

Re:3DES may be faster

Post by Guest » Thu Jan 13, 2005 5:53 am

Hi, Speed may not always be the only deciding factor, you also need to consider the maturity of the algorithm that you choose. A good reference for comparing 3DES to AES can be found here, the CCNA Security Exam guidehttp://www.ciscopress.com/bookstore/product.as ... 1587202204 See page 451, it states that:"AES does run faster than 3DES on comparabable hardware....this is especially true when pure software encryption is used." However the disadvantage of AES in comparison to 3DES is that it is a relatively new encryption algorithm.".. a more mature algorithm is always more trusted. That being the case, 3DES represents a more conservative yet more trusted choice in terms of strength, because it has been analysed for nearly 35 years." Its not related to ASA firewalls but a benchmark comparison of the speed of AES vs 3DES on routers with built in VPN hardware accelerators can be found here. See Figure 9 for details.http://www.cisco.com/en/US/docs/solutio ... Encap.html Interesting to note that there is virtually no difference in speed between AES vs 3DES. Please remember to rate posts that are helpful. CheersSean

Guest

Re:3DES may be faster

Post by Guest » Thu Jan 13, 2005 7:29 am

Nice post. Thanks much.

Post Reply