Increasing the encryption level


This article examines how to increase your encryption level.

What does strong encryption do?

Enabling strong encryption restricts HTTPS and SSH admin access to strong ciphers such as:

  • AES
  • 3DES

and the digest

  • SHA1

Note that 3DES and SHA-1 have since been deprecated by current standards; the list above is the one applied by the FortiOS release this article describes.

When strong encryption is enabled, HTTPS admin access is supported by the following web browsers:

  • Netscape 7.2 to 8.0
  • Firefox
  • Microsoft Internet Explorer 7.0 to 8.0

Microsoft Internet Explorer 5.0 and 6.0 do not support strong encryption.

How to enable strong encryption

To enable Strong Encryption run the following CLI command:

config sys global
  set strong-crypto enable
  end

To disable Strong Encryption run the following CLI command:

config sys global
  set strong-crypto disable
  end

The default setting for strong-crypto is disabled.
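After enabling strong-crypto, verify from the outside that the admin interface really refuses the weak suites instead of trusting the setting. The script below is an added example, not Fortinet code: it classifies TLS cipher suite names against the allow-list the article gives (AES or 3DES with SHA-1 or better; export, NULL, RC4 and MD5 suites rejected), audits constructed scanner output in the style of `nmap --script ssl-enum-ciphers`, and includes a network probe (`negotiated_cipher`, which assumes a host you are authorised to test) that reports the suite a live device picks.

```python
"""Check which TLS cipher suites a FortiGate admin interface accepts against the
strong-crypto policy described in the article: AES or 3DES as the cipher and
SHA-1 or better as the digest, with export-grade, NULL, RC4 and MD5 suites
excluded.

This is an added example, not Fortinet code. SAMPLE_SCAN is constructed to look
like `nmap --script ssl-enum-ciphers` output and is not real device output.
"""
import re
import socket
import ssl

# Digests the article's policy accepts: SHA-1 ("SHA" in suite names) or better.
ALLOWED_DIGESTS = {"SHA", "SHA256", "SHA384"}

# Classic suite names: TLS_<kex>_WITH_<cipher>_<mac>, e.g. TLS_RSA_WITH_AES_128_CBC_SHA
SUITE_RE = re.compile(r"^TLS_(?P<kex>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")


def parse_suite(name):
    """Split an IANA suite name into key exchange, bulk cipher and digest."""
    if name.startswith("TLS_") and "_WITH_" not in name:
        # TLS 1.3 names carry only the AEAD cipher and hash: TLS_AES_128_GCM_SHA256
        cipher, _, mac = name[len("TLS_"):].rpartition("_")
        return {"kex": "TLS13", "cipher": cipher, "mac": mac}
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return m.groupdict()


def allowed_by_policy(name):
    """True if the suite uses only what the article lists as strong.

    This is the article's allow-list, not a general strength judgement:
    ChaCha20 suites, for instance, are rejected because they are not on it.
    """
    s = parse_suite(name)
    if "EXPORT" in s["kex"] or "anon" in s["kex"].lower():
        return False  # 40-bit export keys or unauthenticated DH
    cipher_ok = s["cipher"].startswith(("AES_", "3DES_EDE"))
    return cipher_ok and s["mac"] in ALLOWED_DIGESTS


def audit_scan(scan_text):
    """Return (allowed, disallowed) suite names found in scanner output."""
    suites = re.findall(r"\bTLS_[A-Za-z0-9_]+", scan_text)
    allowed = [s for s in suites if allowed_by_policy(s)]
    disallowed = [s for s in suites if not allowed_by_policy(s)]
    return allowed, disallowed


def negotiated_cipher(host, port=443, timeout=5):
    """Connect to a device you are authorised to test and report what it picks.

    Needs network access, so it is not exercised offline. Admin certificates
    are usually self-signed, so verification is disabled for this probe only.
    Returns an OpenSSL-style name such as ECDHE-RSA-AES256-GCM-SHA384.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0], tls.version()


# Constructed sample in the style of nmap's ssl-enum-ciphers script (not real output).
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 (rsa 2048) - F
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_NULL_SHA (rsa 2048) - F
"""

if __name__ == "__main__":
    allowed, disallowed = audit_scan(SAMPLE_SCAN)
    print("allowed by strong-crypto policy:", allowed)
    print("should disappear once strong-crypto is enabled:", disallowed)
```

Run a real scan against the admin port before and after `set strong-crypto enable` and feed the output to `audit_scan`; anything still listed under "disallowed" afterwards means the setting did not take effect or the scan hit a different listener.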

The pros and cons of using strong encryption

If strong encryption is better, why is the default setting for it disabled?

Strong encryption is the right choice most of the time, but its benefit is not absolute in every situation. There are cases where enabling it has unintended consequences, and the encryption level is not the first thing that comes to mind when troubleshooting them.

Strong encryption makes it harder for someone to break the encryption and read the traffic, but stronger ciphers cost more CPU. Encrypting a packet with a 256-bit key takes more CPU cycles than encrypting it with a 40-bit key. That makes little difference on a unit that normally runs at around 30% CPU, but on a unit already running near capacity the extra load may be enough to push it over the threshold at which the FortiGate enters conserve mode. (Strictly, FortiOS enters conserve mode on memory thresholds rather than CPU load, but the point stands for any unit already close to its resource limits.) On the plus side, if one FortiGate is too close to the threshold to risk any additional CPU usage, you do not have to forgo strong encryption on the other FortiGates in your network: except for units in an HA cluster, where the configuration is synchronized automatically, the strong-crypto setting on one FortiGate is independent of every other device.

Another potential unwanted consequence is client support. Most current browsers support the stronger ciphers, but some administrators may still be using a browser or SSH client that does not, and if their access depends on HTTPS or SSH it will be refused. Before enabling strong encryption, test from the browsers and SSH clients your administrators actually use, and keep a fallback such as the console port available.

These downsides are unlikely, but they should be taken into consideration before enabling strong encryption.

Bruce Davis

Technical Writer at Fortinet
Bruce has been working with computers, and related technology, since before the World Wide Web was a thing. He has worked in system and network administration. He has even dabbled in technical support. He has made the switch to technical writing as part of his deep, dark and dastardly plan to make the arcane machinations of IT technology more easily understood by the poor folks who use it. That, and the voices in his head told him it was a good idea. Never argue with the voices in your head. People will start to stare.