https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296687#M28 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/123486">@devd_25</a>&nbsp; Anything from SHA256 and above is secure. To use SHA-512 or SHA-384, you need to have compatible servers and are not widely used. Other reasons include processing time.&nbsp; Following public links can add some more info<BR /><BR /><A href="https://security.stackexchange.com/questions/165559/why-would-i-choose-sha-256-over-sha-512-for-a-ssl-tls-certificate" target="_blank">https://security.stackexchange.com/questions/165559/why-would-i-choose-sha-256-over-sha-512-for-a-ssl-tls-certificate</A></P><P><A href="https://automationrhapsody.com/md5-sha-1-sha-256-sha-512-speed-performance/" target="_blank">https://automationrhapsody.com/md5-sha-1-sha-256-sha-512-speed-performance/</A></P> Wed, 06 Nov 2019 13:28:47 GMT Sai_Tumuluri 2019-11-06T13:28:47Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296587#M25 <P>Quoting from the <A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/vpns/set-up-site-to-site-vpn/define-cryptographic-profiles/define-ipsec-crypto-profiles.html#idf7dc1080-0595-40ef-9849-f3d4887f1b8a" target="_self">docs</A> for&nbsp;<STRONG>Define IPSec Crypto Profiles</STRONG>, it says&nbsp;</P><LI-CODE lang="markup">For the authentication algorithm, use SHA-256 or higher (SHA-384 or higher preferred for long-lived transactions). Do not use SHA-512, SHA-1, or MD5. </LI-CODE><P>Whereas, going from most to least secure, it recommends the below order&nbsp;</P><LI-CODE lang="markup">Authentication—sha512, sha384, sha256, sha1, md5.</LI-CODE><P>&nbsp;Can someone please help clarify what is right or wrong ? Thanks!</P> Wed, 06 Nov 2019 03:32:43 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296587#M25 devd_25 2019-11-06T03:32:43Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296611#M26 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/123486">@devd_25</a>&nbsp;The second line shows what is supported on the firewall and the first what is recommended to use.&nbsp;</P> Wed, 06 Nov 2019 07:48:27 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296611#M26 BatD 2019-11-06T07:48:27Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296687#M28 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/123486">@devd_25</a>&nbsp; Anything from SHA256 and above is secure. To use SHA-512 or SHA-384, you need to have compatible servers and are not widely used. Other reasons include processing time.&nbsp; Following public links can add some more info<BR /><BR /><A href="https://security.stackexchange.com/questions/165559/why-would-i-choose-sha-256-over-sha-512-for-a-ssl-tls-certificate" target="_blank">https://security.stackexchange.com/questions/165559/why-would-i-choose-sha-256-over-sha-512-for-a-ssl-tls-certificate</A></P><P><A href="https://automationrhapsody.com/md5-sha-1-sha-256-sha-512-speed-performance/" target="_blank">https://automationrhapsody.com/md5-sha-1-sha-256-sha-512-speed-performance/</A></P> Wed, 06 Nov 2019 13:28:47 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296687#M28 Sai_Tumuluri 2019-11-06T13:28:47Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296958#M31 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/74884">@BatD</a>&nbsp;, thats right. However, if you notice, first it says&nbsp;</P><PRE>Do not use SHA-512, SHA-1, or MD5. </PRE><P>&nbsp;Then, it recommends in the order of most to least secure starting with SHA-512, implying that SHA-512 is most secure. Hence, needed clarification on that. Might be a documentation error.</P> Thu, 07 Nov 2019 08:24:35 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296958#M31 devd_25 2019-11-07T08:24:35Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296959#M32 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/123486">@devd_25</a>&nbsp;This is correct, SHA-512 is indeed the most secure, but not recommended for reasons mentioned by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/31227">@Sai_Tumuluri</a>&nbsp;- processing resources, comapability, etc.&nbsp;</P> Thu, 07 Nov 2019 08:32:08 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/296959#M32 BatD 2019-11-07T08:32:08Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/297319#M34 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/123486">@devd_25</a>&nbsp;Please mark if you are satisfied with the solution. This closes the discussion and helps others to fastly identify the solutions</P> Fri, 08 Nov 2019 16:29:43 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/need-clarification-on-recommended-authentication-algorithm/m-p/297319#M34 Sai_Tumuluri 2019-11-08T16:29:43Z