I read your Next Generation Encryption (version October 2015) document.
a) "Table 1: Recommendations for Cryptographic Algorithms" recommends the following Cryptographic Algorithmswith status NGE:
Authenticated encryption: AES-GCM mode
Integrity: SHA-256 / SHA-384 / SHA-512
Key exchange: ECDH-384
Issue 1: The table 1 does not recommend an AES key length. Based on the rest of the document, it should be AES-128-CBC and AES-128-GCM
Issue 2: Mention the IKE Groups already in the Algorithm column. E.g., "DH-3072 (Group 15)" and IKE Groups 19 and 20 for ECDH-256 and ECDH-384. Group 15 is mentioned just once n the "Alterantive" column.
b) Section "Categories of Cryptographic Algorithms", NGE recommends:
AES with 128-bit keys provides adequate protection for sensitive information.
AES with 256-bit keys is required to protect classified information of higher importance.
ECDH and ECDSA using 256-bit prime modulus secure elliptic curves provide adequate protection for sensitive information.
ECDH and ECDSA over 384-bit prime modulus secure elliptic curves are required to protect classified information of higher importance.
SHA-256 provides adequate protection for sensitive information.
SHA-384 is required to protect classified information of higher importance.
DH, DSA, and RSA can be used with a 3072-bit modulus to protect sensitive information.
Issue 3: How about classified information of higher importance ? Probably it is 4096 bit, since you recommend the usage of "IKE Group 16" in the VPN example later.
Option 1) I expect the smallest "acceptabe" algorithm in table 1, e.g., DH-2048, RSA-2048 and DSA-2048
Option 2) The 2048-bit versions must be legacy in table 1.
c) Following the "Appendix A: Minimum Cryptography Recommendations":
Encryption: AES-128-CBC mode
Authentication RSA-3072, DSA-3072
Key exchange: DH Group 15 (3072-bit)
Issue 5: Please write "DH-3072 (Group 15)" instead of "DH Group 15" to be consistent with table 1.
Issue 6: I miss an EC recommendation, which is provided in table 1.
Issue 7: This appendix contradicts with table 1. I would excpect the smallest acceptable algorithms/NGE in table 1 to be the "Recommended Minimum Security Algorithms":
AES-CBC is the smalles algorithm in table 1 ✔
RSA-3072, DSA-3072 are not the smallest algorithms in table 1 (see Issue 4) ✘
SHA-256 is the samllest acceptable/NGE table 1 ✔
DH Group 15 (3072-bit) is not the smallest algorithms in table 1 (see Issue 4) ✘
The status for DH-2048, RSA-2048, DSA-2048 must be Legacy, or all minimum required DLOG sizes must be 2048 bit instead of 3072 bit.
... View more