Graphiant Cryptography


Symmetric Cryptography (AES)

Graphiant uses AES for all symmetric cryptography.

  1. GSP and IPsec between Graphiant devices use only AES-256-GCM, i.e. AES in Galois/Counter Mode (GCM) with 256-bit keys.

  2. IPsec with third-party devices favors AES-256-GCM but also allows AES-128-GCM, AES-256-CBC, and AES-128-CBC.

    1. When a CBC mode is used, integrity must be provided by SHA-256, SHA-384, or SHA-512.

    This selection is configured by the Graphiant customer on the portal, and the remote peer is limited by that selection.

  3. TLS between Graphiant components uses AES-256-GCM.

  4. TLS/HTTPS to our web portal favors AES-256-GCM but allows AES in either GCM or CBC mode, with either 256- or 128-bit keys.

Asymmetric Cryptography

Graphiant uses both Diffie-Hellman key exchange and certificates for asymmetric cryptography.

Diffie-Hellman

  1. Controller IKE uses one of the following, depending on whether standard or post-quantum cryptography (PQC) is required:

    • Standard:

      • ECDH with a P-384 curve. (Group 20)

    • PQC:

      • A hybrid of ECDH on the P-256 curve (Group 19) with ML-KEM-768 (Group 36)

    This selection (Standard/PQC) is configured by the Graphiant customer on the portal, and all of the remote peers are limited by that selection.

  2. IKE between Graphiant devices uses ECDH with a P-384 curve (Group 20).

  3. IKE with third-party devices uses one of the following:

    • ECDH with P-521 (Group 21)

    • ECDH with P-384 (Group 20)

    • ECDH with P-256 (Group 19)

    • MODP with a 2048-bit modulus (Group 14)

    This selection is configured by the Graphiant customer on the portal, and the remote peer is limited by that selection.

  4. TLS between Graphiant devices favors ECDH with P-384 (TLS named group 24) and also allows P-256 (group 23) or P-521 (group 25).

  5. TLS/HTTPS to our web portal allows ECDH with P-384, P-256, and P-521, and finite-field DH with a modulus of 2048 bits or more.
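As a worked check for the third-party IPsec cipher rules (Symmetric Cryptography, item 2) and the third-party IKE group list (item 3 above), here is a small audit function added for illustration; it is not Graphiant's code, and the proposal dictionary layout and function names are assumptions:

```python
"""Audit an IKE/IPsec proposal offered by a third-party peer against the
policy above. Added example, not Graphiant code; the proposal format
(a dict with 'encryption', 'integrity', 'dh_group') is an assumption."""

# Symmetric choices allowed with third-party devices. AEAD modes carry their
# own authentication; CBC modes must be paired with a SHA-2 integrity algorithm.
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM"}
CBC_CIPHERS = {"AES-256-CBC", "AES-128-CBC"}
CBC_INTEGRITY = {"SHA-256", "SHA-384", "SHA-512"}
PREFERRED_CIPHER = "AES-256-GCM"

# IKE DH groups allowed with third-party devices (IANA IKEv2 group numbers).
THIRD_PARTY_DH_GROUPS = {
    21: "ECDH P-521", 20: "ECDH P-384", 19: "ECDH P-256", 14: "MODP-2048",
}


def check_third_party_proposal(proposal: dict) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    findings = []
    enc = proposal.get("encryption")
    integ = proposal.get("integrity")   # None when no separate integrity is offered
    group = proposal.get("dh_group")

    if enc in AEAD_CIPHERS:
        # Assumption: a combined-mode cipher is proposed without a separate
        # integrity transform (RFC 5282 behaviour); anything else is flagged.
        if integ is not None:
            findings.append(f"{enc} is AEAD; separate integrity '{integ}' not expected")
    elif enc in CBC_CIPHERS:
        if integ not in CBC_INTEGRITY:
            findings.append(f"{enc} requires SHA-256/384/512 integrity, got '{integ}'")
    else:
        findings.append(f"encryption '{enc}' is not permitted for third-party IPsec")

    if group not in THIRD_PARTY_DH_GROUPS:
        findings.append(f"DH group {group} is not permitted (allowed: 14, 19, 20, 21)")
    return findings


def is_preferred(proposal: dict) -> bool:
    """True when the proposal matches the favored choice and passes the policy."""
    return proposal.get("encryption") == PREFERRED_CIPHER and not check_third_party_proposal(proposal)


if __name__ == "__main__":
    # Constructed sample proposals, not captured from any real peer.
    samples = [
        {"encryption": "AES-256-GCM", "integrity": None, "dh_group": 20},
        {"encryption": "AES-128-CBC", "integrity": "SHA-1", "dh_group": 14},
        {"encryption": "3DES-CBC", "integrity": "SHA-256", "dh_group": 5},
    ]
    for p in samples:
        print(p, "->", check_third_party_proposal(p) or "compliant")
```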

Certificates

  1. Graphiant devices with a TPM (Edges, Cores, Gateways, T2s, ODPs) use a TPM EK certificate that is ECDSA with either P-384 or P-256.

    1. The EK is used only during onboarding, to obtain a Graphiant-issued certificate (GEK).

      1. SHA-384 or SHA-256 is used with P-384 or P-256, respectively.

  2. Graphiant certificates (GEK and GAK) are ECDSA with either P-384 or P-256, depending on what the TPM supports.

    1. SHA-384 or SHA-256 is used with P-384 or P-256, respectively.

  3. The Graphiant internal Root CA and the Intermediate CAs for GEKs, GAKs, GCS, and gNMI all use ECDSA P-384 with SHA-384.

  4. The Graphiant portal uses ECDSA with P-256 and SHA-256.