ITSP.40.111

August 2016

Foreword

The Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information is an UNCLASSIFIED publication, issued under the authority of the Chief, Communications Security Establishment (CSE). Suggestions for amendments should be forwarded through departmental IT security coordinators to ITS Client Services at CSE.

For further information, please contact CSE’s ITS Client Services area by e-mail at or call (613) 991-7654.

Effective Date

This publication takes effect on (08/02/2016).

[Original signed by]

Overview

The Government of Canada’s (GC) ability to protect sensitive data and information is fundamental to the delivery of programs and services. Cryptography provides security mechanisms which can be used to protect the authenticity, confidentiality, and integrity of GC information. Data authenticity, confidentiality and integrity, stakeholder authentication and accountability, and non-repudiation are all benefits of properly configured cryptography. Several algorithms may be required to satisfy these security requirements, and each algorithm should be selected and implemented to ensure these requirements are met.

The information in this publication identifies and describes approved cryptographic algorithms and appropriate methods of use to protect the confidentiality of PROTECTED A and PROTECTED B information and the integrity of information to the medium injury level as defined in CSE’s ITSG-33 IT Security Risk Management: A Lifecycle Approach [6].
1 Introduction

Government of Canada (GC) departments rely on Information Technology (IT) systems to achieve business objectives. These interconnected systems are often subject to serious threats that can have adverse effects on departmental business activities. Compromises to GC networks can be expensive and threaten the availability, authenticity, confidentiality, and integrity of the GC information assets.

The GC uses cryptography to protect the authenticity, confidentiality, and integrity of its information. When used with valid domain parameters and specific key lengths, the cryptographic algorithms listed in Information Technology Security Guidance for Practitioners (ITSP).40.111 are approved cryptographic mechanisms for protecting UNCLASSIFIED, PROTECTED A, and PROTECTED B information.

For requirements on the use of CSE-approved cryptography to protect PROTECTED C and Classified information, refer to CSE’s ITSD-01A: IT Security Directive for the Application of Communications Security using CSE-Approved Solutions [1].

ITSP.40.111 has been created to aid the technology practitioner in choosing and appropriately using cryptographic algorithms to protect UNCLASSIFIED, PROTECTED A, and PROTECTED B information. ITSP.40.111 complements the Treasury Board of Canada Secretariat (TBS) Guideline on Defining Authentication Requirements [2] and supersedes ITSB-111.

1.1 Policy Drivers

The need to address and counter cyber threats and vulnerabilities currently threatening GC networks is a crucial step in securing GC networks, data and assets. As such, GC departments must ensure IT security policies and procedures are implemented in accordance with the following TBS policies:
1.2 Applicable Environments

The information in ITSP.40.111 provides cryptographic guidance for IT solutions at the UNCLASSIFIED, PROTECTED A, and PROTECTED B levels. Systems operating in the PROTECTED C or Classified domains may require additional design considerations that are not within the scope of this document. It is the department’s responsibility as part of a risk management framework to determine the security objectives required to protect departmental information and services.

1.3 Relationship to the IT Risk Management Process

CSE’s ITSG-33 IT Security Risk Management: A Lifecycle Approach [6] guidelines suggest a set of activities at two levels within an organization: the departmental level and the information system level.

Figure 1 IT Security Risk Management Process

Departmental level activities are integrated into the organization’s security program to plan, manage, assess and improve the management of IT security-related risks faced by the organization. ITSP.40.111 will need to be considered during the Define, Deploy, and Monitor and Assess activities. These activities are described in detail in Annex 1 of ITSG-33 [6].

Information System level activities are integrated into an information system lifecycle to ensure IT security needs of supported business activities are met, appropriate security controls are implemented and operating as intended, and continued performance of the implemented security controls is assessed, reported back and acted upon to address any issues. ITSP.40.111 will need to be considered during all Information System level activities. These activities are described in detail in Annex 2 of ITSG-33 [6].

2 Encryption Algorithms

The following sections outline the cryptographic algorithms that are approved by CSE for encrypting data to protect the confidentiality of information.
2.1 Advanced Encryption Standard Algorithm

The Advanced Encryption Standard (AES) algorithm as specified in National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 197: Advanced Encryption Standard [7] with key lengths of 128, 192 and 256 bits is approved for encrypting PROTECTED A and PROTECTED B information.

2.2 Triple Data Encryption Algorithm

The 3-key option of the Triple Data Encryption Algorithm (TDEA) as specified in NIST Special Publication (SP) 800-67 Revision 1: Recommendation for the Triple Data Encryption Algorithm Block Cipher [8] with a key length of 168 bits is approved for encrypting PROTECTED A and PROTECTED B information. The use of 3-key TDEA should be discontinued by the end of 2030.

2.3 CAST5

The CAST5 algorithm as specified in Request for Comments (RFC) 2144 The CAST-128 Encryption Algorithm [9] with a key length of 128 bits is approved for encrypting PROTECTED A and PROTECTED B information.

3 Encryption Algorithm Modes of Operation

The following sections outline the encryption algorithm modes of operation that are approved by CSE.

3.1 Protecting the Confidentiality of Information

When used with an approved encryption algorithm the following modes of operation as specified in NIST SP 800-38A: Recommendation for Block Cipher Modes of Operation – Methods and Techniques [10] are approved to protect the confidentiality of PROTECTED A and PROTECTED B information:
When used with an approved encryption algorithm the following Cipher Block Chaining with Ciphertext Stealing (CBC-CS) modes of operation as specified in the Addendum to NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode [28] are approved to protect the confidentiality of PROTECTED A and PROTECTED B information:
When used with the AES encryption algorithm the XTS-AES mode as specified in NIST SP 800-38E: Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices [11] is approved to protect the confidentiality of PROTECTED A and PROTECTED B information on storage devices.

3.2 Protecting the Confidentiality and Authenticity of Information

When used with an approved encryption algorithm, the following modes of operation are approved by CSE to protect the confidentiality and authenticity of PROTECTED A and PROTECTED B information and the authenticity of UNCLASSIFIED, PROTECTED A, and PROTECTED B information:
4 Key Establishment Schemes

The following sections outline the key establishment schemes that are approved by CSE for use with approved cryptographic algorithms.

4.1 Rivest, Shamir, Adleman

The Rivest, Shamir, Adleman (RSA)-based key-transport and key-agreement schemes as specified in NIST SP 800-56B Revision 1: Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography [14] with an RSA modulus length of at least 2048 bits are approved for key establishment for protecting PROTECTED A and PROTECTED B information. The RSA modulus length should be increased to at least 3072 bits by the end of 2030.

4.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone

The Finite Field Cryptography (FFC) Diffie-Hellman (DH) and FFC Menezes-Qu-Vanstone (MQV)-based key-agreement schemes with valid domain parameters for the FB or FC FFC parameter-size sets with a field size of at least 2048 bits as specified in NIST SP 800-56A Revision 2: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography [15] are approved for key establishment for protecting PROTECTED A and PROTECTED B information. The FFC field size should be increased to at least 3072 bits by the end of 2030.

4.3 Elliptic Curve Cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone

The Elliptic Curve Cryptography (ECC) Cofactor Diffie-Hellman (CDH) and ECC MQV-based key-agreement schemes with valid domain parameters for the EB, EC, ED or EE parameter-size sets with a subgroup order size of at least 224 bits as specified in NIST SP 800-56A Revision 2: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography [15] are approved for key establishment for protecting PROTECTED A and PROTECTED B information. CSE strongly recommends using the elliptic curve domain parameters in Appendix D of NIST FIPS 186-4: Digital Signature Standard [16] for ECC CDH and ECC MQV.
The EC, ED, or EE parameter-size sets with a subgroup order size of at least 256 bits should be used by the end of 2030.

5 Digital Signature Algorithms

The following sections outline the digital signature algorithms that are approved by CSE for digital signature applications.

5.1 RSA

The RSA digital signature algorithm as specified in NIST FIPS 186-4: Digital Signature Standard [16] and RSA PKCS #1 v2.2: RSA Cryptography Standard [17] with an RSA modulus length of at least 2048 bits is approved for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A, and PROTECTED B information. The RSA modulus length should be increased to at least 3072 bits by the end of 2030.

5.2 Digital Signature Algorithm

The Digital Signature Algorithm (DSA) as specified in NIST FIPS 186-4: Digital Signature Standard [16] with valid domain parameters and a prime modulus length of at least 2048 bits is approved for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A, and PROTECTED B information. The prime modulus length should be increased to at least 3072 bits by the end of 2030.

5.3 Elliptic Curve Digital Signature Algorithm

The Elliptic Curve Digital Signature Algorithm (ECDSA) as specified in NIST FIPS 186-4: Digital Signature Standard [16] with valid domain parameters for a field size of at least 224 bits is approved for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A, and PROTECTED B information. CSE strongly recommends using the elliptic curve domain parameters in Appendix D of FIPS 186-4: Digital Signature Standard [16] for ECDSA. The field size should be increased to at least 256 bits by the end of 2030.

6 Secure Hash Algorithms

The following sections outline the secure hash algorithms (SHA) that are approved by CSE for use with the specified, approved cryptographic algorithms.
6.1 SHA-1

SHA-1 as specified in NIST FIPS 180-4: Secure Hash Standard [18] is approved for use with keyed-hash message authentication codes, key derivation functions and random bit generators for protecting UNCLASSIFIED, PROTECTED A, and PROTECTED B information. SHA-1 is not approved for use with digital signature algorithms.

6.2 SHA-2

SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 as specified in NIST FIPS 180-4: Secure Hash Standard [18] are approved for use with digital signature algorithms, keyed-hash message authentication codes, key derivation functions and random bit generators for protecting UNCLASSIFIED, PROTECTED A, and PROTECTED B information.

6.3 SHA-3

SHA3-224, SHA3-256, SHA3-384 and SHA3-512 as specified in NIST FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions [29] are approved for use with digital signature algorithms, keyed-hash message authentication codes, key derivation functions and random bit generators for protecting UNCLASSIFIED, PROTECTED A, and PROTECTED B information.

7 Message Authentication Codes

The following sections outline the message authentication code algorithms that are approved by CSE for data integrity and data origin authentication.

7.1 Keyed-Hash Message Authentication Code

Keyed-Hash Message Authentication Code (HMAC) as specified in NIST FIPS 198-1: The Keyed-Hash Message Authentication Code [19] with a key length of at least 112 bits is approved for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A, and PROTECTED B information. The key length should be increased to at least 128 bits by the end of 2030.
7.2 Cipher-Based Message Authentication Code

Cipher-based Message Authentication Code (CMAC) as specified in NIST SP 800-38B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication [20] with a key length of at least 112 bits is approved for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A, and PROTECTED B information. The key length should be increased to at least 128 bits by the end of 2030.

7.3 Galois/Counter Mode Message Authentication Code

Galois/Counter Mode Message Authentication Code (GMAC) as specified in NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode [13] is approved for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A, and PROTECTED B information.

8 Key Derivation Functions

The following sections outline the key derivation functions that are approved by CSE for the derivation of cryptographic keys from key-establishment or pre-shared secrets.

8.1 Single-Step Key Derivation Function

The Single-Step Key Derivation Function (KDF) as specified in NIST SP 800-56A Revision 2: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography [15] is approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.

8.2 Key Derivation using Pseudorandom Functions

The KDFs using Pseudorandom Functions (PRFs) as specified in NIST SP 800-108: Recommendation for Key Derivation Using Pseudorandom Functions [21] are approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.

8.3 Extraction-Then-Expansion Key Derivation Function

The Extraction-then-Expansion KDFs as specified in NIST SP 800-56C: Recommendation for Key Derivation through Extraction then Expansion [22] are approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.
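The key-length minimums, end-of-2030 targets and hash restrictions stated in sections 2, 4, 5, 6 and 7 above can be checked mechanically against a system's crypto inventory. The following is an added example, not part of the CSE publication: the record format, the status labels and the names `assess`, `audit` and `INVENTORY` are assumptions, and only a subset of the listed algorithms is encoded.

```python
OK, MIGRATE, REJECT = "approved", "approved, change by end of 2030", "not approved"

# algorithm -> (minimum bits approved now, minimum bits expected by end of 2030)
MIN_BITS = {
    "RSA": (2048, 3072),     # 4.1, 5.1: modulus length
    "DSA": (2048, 3072),     # 5.2: prime modulus length
    "FFC-DH": (2048, 3072),  # 4.2: field size
    "ECC-CDH": (224, 256),   # 4.3: subgroup order size
    "ECDSA": (224, 256),     # 5.3: field size
    "HMAC": (112, 128),      # 7.1: key length
    "CMAC": (112, 128),      # 7.2: key length
}
# algorithm -> (approved key lengths, whether use continues past 2030)
FIXED_BITS = {
    "AES": ({128, 192, 256}, True),  # 2.1
    "CAST5": ({128}, True),          # 2.3
    "TDEA": ({168}, False),          # 2.2: 3-key option only
}
# 6.2, 6.3: hashes approved with digital signature algorithms
SIGNATURE_HASHES = {"SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224",
                    "SHA-512/256", "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"}
# 6.1: SHA-1 stays approved with HMAC, KDFs and random bit generators only
OTHER_HASHES = SIGNATURE_HASHES | {"SHA-1"}

def assess(alg, bits, use, hash_name=None):
    """Return (status, reason) for one record; labels are this example's own."""
    if hash_name is not None:
        allowed = SIGNATURE_HASHES if use == "signature" else OTHER_HASHES
        if hash_name not in allowed:
            return REJECT, f"{hash_name} is not approved for {use}"
    if alg in FIXED_BITS:
        lengths, continues = FIXED_BITS[alg]
        if bits not in lengths:
            return REJECT, f"{alg} key length {bits} is not approved"
        return (OK, f"{alg}-{bits}") if continues else (MIGRATE, f"discontinue {alg}")
    if alg in MIN_BITS:
        now, target = MIN_BITS[alg]
        if bits < now:
            return REJECT, f"{alg} needs at least {now} bits, found {bits}"
        if bits < target:
            return MIGRATE, f"raise {alg} to at least {target} bits"
        return OK, f"{alg}-{bits}"
    return REJECT, f"{alg} is not in the subset encoded here"

# Constructed sample inventory: name, algorithm, bits, use, hash ("-" = none)
INVENTORY = """\
vpn-gateway     RSA     2048  signature          SHA-256
legacy-signer   RSA     3072  signature          SHA-1
api-tokens      HMAC    256   mac                SHA-1
mainframe-link  TDEA    168   encryption         -
old-batch       TDEA    112   encryption         -
code-signing    ECDSA   384   signature          SHA-384
partner-kex     FFC-DH  1024  key-establishment  -
"""

def audit(text):
    """Parse whitespace-separated records and map each name to (status, reason)."""
    results = {}
    for line in filter(str.strip, text.splitlines()):
        name, alg, bits, use, hash_name = line.split()
        results[name] = assess(alg, int(bits), use, None if hash_name == "-" else hash_name)
    return results

if __name__ == "__main__":
    for name, (status, reason) in audit(INVENTORY).items():
        print(f"{name:15} {status:32} {reason}")
```

The `legacy-signer` and `api-tokens` records show the context rule from section 6.1: the same hash is rejected for a signature regardless of modulus length, yet accepted with HMAC.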
8.4 Internet Key Exchange Version 1 Key Derivation Function

When used in the context of the Internet Key Exchange version 1 (IKEv1) protocol with an approved Keyed-Hash Message Authentication Code and an approved Secure Hash Algorithm the IKEv1 KDF as specified in NIST SP 800-135 Revision 1: Recommendation for Existing Application-Specific Key Derivation Functions [27] is approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.

8.5 Internet Key Exchange Version 2 Key Derivation Function

When used in the context of the Internet Key Exchange version 2 (IKEv2) protocol with an approved Keyed-Hash Message Authentication Code and an approved Secure Hash Algorithm the IKEv2 KDF as specified in NIST SP 800-135 Revision 1: Recommendation for Existing Application-Specific Key Derivation Functions [27] is approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.

8.6 Transport Layer Security Version 1.2 Key Derivation Function

When used in the context of the Transport Layer Security version 1.2 (TLS 1.2) protocol with an approved Keyed-Hash Message Authentication Code and an approved Secure Hash Algorithm the TLS 1.2 KDF as specified in NIST SP 800-135 Revision 1: Recommendation for Existing Application-Specific Key Derivation Functions [27] is approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.

8.7 Secure Shell Key Derivation Function

When used in the context of the Secure Shell (SSH) protocol with an approved Secure Hash Algorithm the SSH KDF as specified in NIST SP 800-135 Revision 1: Recommendation for Existing Application-Specific Key Derivation Functions [27] is approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.
8.8 Secure Real-Time Transport Protocol Key Derivation Function

When used in the context of the Secure Real-time Transport Protocol (SRTP) with an approved encryption algorithm the SRTP KDF as specified in NIST SP 800-135 Revision 1: Recommendation for Existing Application-Specific Key Derivation Functions [27] is approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.

8.9 Trusted Platform Module Key Derivation Function

When used in the context of a Trusted Platform Module (TPM) session with an approved Keyed-Hash Message Authentication Code and an approved Secure Hash Algorithm the TPM KDF as specified in NIST SP 800-135: Recommendation for Existing Application-Specific Key Derivation Functions [27] is approved for the derivation of keys for protecting PROTECTED A and PROTECTED B information.

9 Key Wrap Modes of Operation

The following sections outline the Key Wrap (KW) modes of operation that are approved by CSE for key wrapping to protect the confidentiality and integrity of cryptographic keys.

9.1 AES Key Wrap

The KW mode as specified in NIST SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping [23] is approved to protect the confidentiality and integrity of cryptographic keys for protecting PROTECTED A and PROTECTED B information.

9.2 AES Key Wrap with Padding

The AES Key Wrap with Padding (KWP) mode as specified in NIST SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping [23] is approved to protect the confidentiality and integrity of cryptographic keys for protecting PROTECTED A and PROTECTED B information.
9.3 Triple Data Encryption Algorithm Key Wrap

The Triple Data Encryption Algorithm Key Wrap (TKW) mode as specified in NIST SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping [23] and with a key length of 168 bits is approved to protect the confidentiality and integrity of cryptographic keys for protecting PROTECTED A and PROTECTED B information. The use of 3-key TDEA in TKW should be discontinued by the end of 2030.

10 Deterministic Random Bit Generators

The following Deterministic Random Bit Generators (DRBGs) as specified in NIST SP 800-90A Revision 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators [24] are approved by CSE for the production of random bits for cryptographic applications for protecting UNCLASSIFIED, PROTECTED A, and PROTECTED B information:
The use of Dual_EC_DRBG is no longer approved.

11 Commercial Technologies Assurance Programs

In addition to using CSE-approved cryptographic algorithms, parameters and key lengths to ensure a suitable level of cryptographic security, the following guidance on implementation assurance requirements should also be considered:
12 Summary

Cryptography provides security mechanisms which can be used to protect the authenticity, confidentiality, and integrity of GC information. Several algorithms may be required to satisfy security requirements, and each algorithm should be selected and implemented to ensure these requirements are met. This publication provides guidance on the use of CSE-approved cryptographic algorithms to protect UNCLASSIFIED, PROTECTED A, and PROTECTED B information.

12.1 Contacts and Assistance

If your department would like more detailed information on Cryptographic Algorithms for Protected Information, please contact:

ITS Client Services

13 Supporting Content

13.1 List of Abbreviations
13.2 Glossary
13.3 References
Notes

© Government of Canada

Which of the following is a nontechnical method often used by cybercriminals to gather sensitive information about an organization?

Question 10: What is a nontechnical method that a cybercriminal would use to gather sensitive information from an organization?

Options: ransomware; man-in-the-middle; pharming; social engineering.

Which technology can be used to ensure data confidentiality?

Encryption is an important technology used to protect confidentiality.

What are three types of sensitive information (choose three)?

What are three types of sensitive information? (Choose three.)

Options: business; published; declassified; public; classified; PII.

Explanation: Sensitive information is information that would otherwise cause harm to a company or individual if publicly disclosed.

Which algorithm will Windows use by default when a user intends to encrypt files and folders in an NTFS volume (select one)?

Which algorithm will Windows use by default when a user intends to encrypt files and folders in an NTFS volume?

Options: RSA; DES; AES; 3DES.

Explanation: Encryption is an important technology used to protect confidentiality.