About FIPS, NGE, and AnyConnect
AnyConnect incorporates the Cisco Common Cryptographic Module (C3M). This Cisco SSL implementation includes Federal Information Processing Standard (FIPS) 140-2 compliant cryptography modules and National Security Agency (NSA) Suite B cryptography as part of its Next Generation Encryption (NGE) algorithms.
Next Generation Encryption introduces new encryption, authentication, digital signatures, and key exchange algorithms for escalating security and performance requirements. RFC 6379 defines the Suite B cryptography algorithms that must conform to meet U.S. FIPS 140-2 standards.
AnyConnect components negotiate and use FIPS standard cryptography based on the configuration of the headend, the Secure Firewall ASA or the IOS router. The following AnyConnect client modules support FIPS:
- AnyConnect VPN—FIPS compliance for the VPN client is enabled using a FIPS-mode parameter in the local policy file on the user computer. Suite B cryptography is available for TLS/DTLS and IKEv2/IPsec VPN connections. See Configure FIPS for the AnyConnect Core VPN Client for details and procedures.

  The AnyConnect local policy file, AnyConnectLocalPolicy.xml, contains additional security settings beyond FIPS-mode that apply to the local client. It is not deployed by the Secure Firewall ASA and must be installed manually, or deployed using an enterprise software deployment system. See The AnyConnect Local Policy for details on using this profile.
- AnyConnect Network Access Manager—FIPS compliance for the Network Access Manager is enabled using the FIPS-mode parameter in the AnyConnectLocalPolicy.xml file, and the FIPS-mode parameter in the Network Access Manager profile. FIPS for the Network Access Manager is supported on Windows. See Configure FIPS for the Network Access Manager for details and procedures.
FIPS Features in AnyConnect
| Feature | Core VPN Module | Network Access Manager Module |
|---|---|---|
| AES-GCM support for symmetric encryption and integrity. | 128-, 192-, and 256-bit keys for IKEv2 payload encryption and authentication. ESP packet encryption and authentication. | 128-bit and 256-bit keys for 802.1AE (MACsec) for wired traffic encryption in software (Windows). |
| AES-CBC encryption | 128-, 192-, and 256-bit key sizes | 128-, 192-, and 256-bit key sizes |
| SHA-2 support for hashing, SHA with 256/384/512 bits. | IKEv2 payload authentication and ESP packet authentication. (Windows 7 or later and macOS 10.7 or later). | Ability to use certificates with SHA-2 in TLS-based EAP methods. |
| SHA-1 | IKEv2 PRF and integrity/authentication as well as PFS. IPsec/ESP integrity/authentication. | n/a |
| ECDH support for key exchange. | Groups 19, 20, and 21 IKEv2 key exchange and IKEv2 PFS. | Ability to use ECDH in TLS-based EAP methods (Windows). |
| MODP for key exchange (in addition to the ECDH support listed above) | Groups 15 and 16 | Groups 15 and 16 |
| ECDSA support for digital signature, asymmetric encryption, and authentication, 256-, 384-, 521-bit elliptic curves. | IKEv2 user authentication and server certificate verification. | Ability to use certificates with ECDSA in TLS-based EAP methods. |
| Pseudo Random Functions | SHA1, SHA256, SHA384, and SHA512 | SHA1, SHA256, SHA384, and SHA512 |
| Integrity algorithms | SHA1, SHA256, SHA384, and SHA512 | SHA1, SHA256, SHA384, and SHA512 |
| Diffie Hellman | Groups 15, 16, 19, 20, 21 (15 and 16 are the older Modular Exponential (MODP) DH groups, while 19, 20, and 21 are elliptical curve DH groups) | Groups 15, 16, 19, 20, 21 (15 and 16 are the older Modular Exponential (MODP) DH groups, while 19, 20, and 21 are elliptical curve DH groups) |
| Additional support: | All required crypto algorithms for IPsecV3 except for NULL encryption. RSA certificates with 4096 bit keys for TLS/DTLS and IKEv2. | n/a |
AnyConnect FIPS Requirements
- Suite B cryptography is available for TLS/DTLS and IKEv2/IPsec VPN connections.
- FIPS and/or Suite B support is required on the secure gateway. Cisco provides Suite B capability on the Secure Firewall ASA version 9.0 and later, and FIPS capability on the Secure Firewall ASA version 8.4.1 and later.
- ECDSA certificate requirements:
  - Must have a Digest strength equal or greater than the Curve strength. For example, an EC-384 key must use SHA2-384 or greater.
  - Support on Windows 7 or later, macOS 10.7 or later, Red Hat Enterprise Linux 6.x or 6.4 (64-bit) or later, and Ubuntu 12.4 and 12.10 (64-bit) or later. ECDSA smart cards are supported only on Windows 7 (and later).
Limitations of AnyConnect FIPS
No EAP methods support SHA-2 except in TLS-based EAP when validating certificates signed using SHA-2.
Guidelines for AnyConnect FIPS
- The AnyConnect Statistics panel (under the Transport Information heading) shows the name of the cipher being used.
- Because AES-GCM is a computationally intensive algorithm, you may experience a lower overall data rate when using it. Some processors contain special instructions specifically introduced to improve the performance of AES-GCM. AnyConnect automatically detects whether the processor on which it is running supports these new instructions. If so, AnyConnect uses the new instructions to significantly improve VPN data rates as compared to those processors that do not have the special instructions. Contact your CPU manufacturer to determine which models of their CPUs support AES-GCM optimization.
- Combined-mode encryption algorithms, where both encryption and integrity verifications are performed in one operation, are supported only on SMP ASA gateways with hardware crypto acceleration (such as 5585 and 5515-X). AES-GCM is the combined-mode encryption algorithm that Cisco supports.

  Note: An IKEv2 policy can include either a normal- or a combined-mode encryption algorithm, but not both types. When a combined-mode algorithm is configured in the IKEv2 policy, all normal-mode algorithms are disabled, so the only valid integrity algorithm is NULL.

  The IKEv2 IPsec proposals use a different model and can specify both normal- and combined-mode encryption algorithms in the same proposal. With this usage, you are required to configure integrity algorithms for both, which leaves a non-NULL integrity algorithm configured with AES-GCM encryption.
- When the Secure Firewall ASA is configured with a different server certificate for SSL and IPsec, use trusted certificates. A Posture Assessment or Downloader failure can occur when untrusted Suite B (ECDSA) certificates are used and the IPsec and SSL certificates differ.
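
The IKEv2 policy rule in the note above, together with the Core VPN Module column of the feature table, can be turned into a pre-deployment check. The following is an added example, not Cisco code: the dictionary layout, the algorithm labels, and the sample policies are assumptions made for illustration, and it covers IKEv2 policies only, not IKEv2 IPsec proposals.

```python
# Added example: lint an IKEv2 policy against this page's Core VPN Module
# column and its combined-mode rule. Dict layout and labels are assumptions.
CBC = {"AES-CBC-128", "AES-CBC-192", "AES-CBC-256"}   # normal mode
GCM = {"AES-GCM-128", "AES-GCM-192", "AES-GCM-256"}   # combined mode
HASHES = {"SHA1", "SHA256", "SHA384", "SHA512"}       # PRF and integrity
DH_GROUPS = {15, 16, 19, 20, 21}                      # MODP 15/16, ECDH 19-21

def lint_ikev2_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    enc = set(policy.get("encryption", []))
    integ = set(policy.get("integrity", []))
    findings = []
    for alg in sorted(enc - CBC - GCM):
        findings.append(f"encryption {alg} is not in the FIPS feature table")
    for alg in sorted(set(policy.get("prf", [])) - HASHES):
        findings.append(f"PRF {alg} is not in the FIPS feature table")
    for grp in sorted(set(policy.get("dh_groups", [])) - DH_GROUPS):
        findings.append(f"DH group {grp} is not in the FIPS feature table")

    combined, normal = enc & GCM, enc - GCM
    if combined and normal:
        findings.append("policy mixes combined-mode and normal-mode encryption")
    if combined:
        # With AES-GCM in an IKEv2 policy the only valid integrity is NULL.
        if integ != {"NULL"}:
            findings.append("AES-GCM requires integrity NULL and nothing else")
    else:
        if not integ:
            findings.append("normal-mode encryption needs an integrity algorithm")
        for alg in sorted(integ - HASHES):
            findings.append(f"integrity {alg} is not in the FIPS feature table")
    return findings

# Constructed sample policies (not taken from any real gateway).
GOOD_GCM = {"encryption": ["AES-GCM-256"], "integrity": ["NULL"],
            "prf": ["SHA384"], "dh_groups": [20]}
MIXED = {"encryption": ["AES-GCM-256", "AES-CBC-256"], "integrity": ["SHA256"],
         "prf": ["SHA256"], "dh_groups": [14]}
LEGACY = {"encryption": ["3DES"], "integrity": ["MD5"],
          "prf": ["SHA1"], "dh_groups": [2]}

if __name__ == "__main__":
    for name, pol in [("GOOD_GCM", GOOD_GCM), ("MIXED", MIXED), ("LEGACY", LEGACY)]:
        print(name, lint_ikev2_policy(pol) or "ok")
```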
Avoiding Endpoint Problems from AnyConnect FIPS Registry Changes
Enabling FIPS for the AnyConnect VPN changes Windows registry settings on the endpoint. Other components of the endpoint may detect that AnyConnect VPN has enabled FIPS. For example, the Microsoft Terminal Services client Remote Desktop Protocol (RDP) will not work, because RDP requires that servers use FIPS compliant cryptography.
To avoid these problems, you can temporarily disable FIPS encryption in the Windows Local System Cryptography settings by changing the parameter Use FIPS compliant algorithms for encryption, hashing, and signing to Disabled. Be aware that rebooting the endpoint device changes this setting back to enabled.
AnyConnect VPN sets the FIPSAlgorithmPolicy value to 1 in the Windows registry key HKLM\System\CurrentControlSet\Control\Lsa. Note that disabling FIPS mode in the AnyConnect local policy file does not cause AnyConnect VPN to alter the FIPSAlgorithmPolicy value.
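
Because the registry value outlives a change to the local policy file, an endpoint audit can compare the two. The following is an added example, not Cisco code: it assumes the FIPS-mode parameter is the `FipsMode` element of AnyConnectLocalPolicy.xml, the policy snippets are constructed samples, and the function names are hypothetical.

```python
# Added example: compare the FIPS-mode setting in AnyConnectLocalPolicy.xml
# with the FIPSAlgorithmPolicy registry value described on this page.
import xml.etree.ElementTree as ET

LSA_KEY = r"System\CurrentControlSet\Control\Lsa"  # key named on this page

def read_registry_fips():
    """Windows only: return FIPSAlgorithmPolicy from the Lsa key, or None."""
    import winreg  # imported lazily so the module still loads on other systems
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
            return winreg.QueryValueEx(key, "FIPSAlgorithmPolicy")[0]
    except FileNotFoundError:
        return None

def policy_fips_enabled(policy_xml):
    """True if the policy XML sets FipsMode to true (XML namespace ignored)."""
    for elem in ET.fromstring(policy_xml).iter():
        # Assumption: the FIPS-mode parameter is an element named FipsMode.
        if elem.tag.rsplit("}", 1)[-1] == "FipsMode":
            return (elem.text or "").strip().lower() == "true"
    return False

def classify(policy_xml, registry_value):
    """Describe how the local policy and the registry value relate."""
    policy_on = policy_fips_enabled(policy_xml)
    registry_on = registry_value == 1
    if policy_on and registry_on:
        return "consistent: FIPS enabled in policy and registry"
    if not policy_on and not registry_on:
        return "consistent: FIPS disabled in policy and registry"
    if registry_on:
        # Disabling FIPS mode in the policy does not reset the registry value.
        return "stale registry: policy is off but FIPSAlgorithmPolicy is still 1"
    return "temporary override: policy is on, registry reverts to 1 on reboot"

# Constructed sample policy files (trimmed to the one element that matters).
POLICY_OFF = ('<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">'
              '<FipsMode>false</FipsMode></AnyConnectLocalPolicy>')
POLICY_ON = POLICY_OFF.replace("false", "true")

if __name__ == "__main__":
    for xml_text, reg in [(POLICY_ON, 1), (POLICY_OFF, 1), (POLICY_ON, 0)]:
        print(classify(xml_text, reg))
```

On a Windows endpoint, pass the result of `read_registry_fips()` as the second argument to `classify` together with the contents of the installed policy file.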