Cryptographic Algorithms

Under the Policy on Government Security (PGS), the Communications Security Establishment Canada (CSEC) is responsible for providing the Government of Canada (GC) with cryptography and key management processes for the protection of classified information as well as for the protection of Protected information. The following table lists the approved cryptographic algorithms for the protection of Protected Information and Electronic Authentication and Authorization (EAA) applications within the GC.

For a complete specification of all algorithms see ITSA-11E.

Algorithm Name Key Management Issues
Encryption Algorithms

AES (128, 192, 256 bits)

NIST standard FIPS PUB 197 2001 (Advanced Encryption Standard) gives a specification for the AES algorithm.

Triple-DES

(ANSI X9.52; Triple DES Encryption Algorithm Modes of Operation and NIST Special Publication 800-67 2004 (Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher) specify the acceptable methods of implementing Triple-DES.)

  • The 3-key option provides the best security and is therefore the preferred option. The 2-key option is also currently acceptable for Protected A and B, where the key used in the final encryption/decryption operation is the same as in the first encryption/decryption operation.
  • The single key option, which is equivalent to DES, is not approved by CSEC for the protection of Protected GC information.
  • Use of the 2-key option for Protected A and B information shall be discontinued by the end of 2015.
  • The cryptoperiod shall not exceed seven days.

CAST5 (80 and 128 bits)
(RFC2144)

  • Acceptable modes of operation are the same as those defined for AES.
  • The 128-bit version of CAST5 is currently valid for all levels of Protected information. For Protected C information, use of the 80-bit version should have been discontinued by the end of 2005. For Protected A and B information, use of the 80-bit version shall be discontinued by the end of 2013.
  • For 80-bit CAST5, the cryptoperiod shall not exceed 24 hours. For 128-bit CAST5, the cryptoperiod shall not exceed 7 days.

Key Establishment Algorithms

RSA (Rivest, Shamir, Adleman)

  • The modulus shall be at least 1024 bits long for Protected A and B information, and 2048 bits long for Protected C information.
  • By the end of 2013, the modulus length shall be increased to at least 2048 bits for Protected A and B information. The modulus length shall be increased to at least 3072 bits by the end of 2025 for Protected C and by the end of 2030 for all other levels of Protected information.
  • Cryptoperiods shall be approved by CSEC.

Other algorithms based on exponentiation in finite fields (e.g., Diffie-Hellman, MQV)

  • The field size shall be prime and be at least 1024 bits long for Protected A and B information, and 2048 bits long for Protected C information.
  • By the end of 2013, a field size of at least 2048 bits for Protected A and B information shall be used. By the end of 2025 a field size of at least 3072 bits shall be used for Protected C information. By the end of 2030 a field size of at least 3072 bits shall be used for Protected A and B information.
  • CSEC must approve the schemes in which the key exchange is embedded.
  • Cryptoperiods shall be approved by CSEC.

Elliptic Curve algorithms

  • The ECC shall be implemented over a finite field of order q, where q is an odd prime or of the form 2^m where m is a prime. Associated with the domain parameters is a key length, the length in bits of the order of the base points. The key length shall be at least 160 bits in length for Protected A and B information, and 224 bits in length for Protected C information.
  • For Protected A and B information, elliptic curve key lengths of at least 224 bits shall be used by the end of 2013.
  • Recommended curves can be found in Appendix D of FIPS 186-3 (Digital Signature Standard (DSS)).
  • CSEC must approve the schemes in which the key exchange is embedded.
  • Cryptoperiods shall be approved by CSEC.

Digital Signature Algorithms

RSA (Rivest, Shamir, Adleman)

  • The signature schemes are defined in ANSI X9.31 - 1998 and in RSA PKCS #1 v2.1. Guidance for implementation can be found in FIPS 186-3 2006 (Digital Signature Standard (DSS)).
  • The modulus shall be at least 1024 bits long for Protected A and B information, and 2048 bits long for Protected C information.
  • By the end of 2013 the modulus length shall be increased to at least 2048 bits for Protected A and B information. The modulus length shall be increased to at least 3072 bits by the end of 2025 for Protected C, and by the end of 2030 for all other levels of Protected information.
  • Cryptoperiods shall be approved by CSEC.

Digital Signature Algorithm (DSA)

  • This signature scheme is defined in FIPS 186-3 (Digital Signature Standard (DSS)).
  • The modulus shall be at least 1024 bits long for Protected A and B information, and 2048 bits long for Protected C information.
  • By the end of 2013 the modulus length shall be increased to at least 2048 bits for Protected A and B information. The modulus length shall be increased to at least 3072 bits by the end of 2025 for Protected C, and by the end of 2030 for all other levels of Protected information.
  • Cryptoperiods shall be approved by CSEC.

Other algorithms based on exponentiation in finite fields (e.g. El-Gamal)

  • The field size shall be prime and be at least 1024 bits in length for Protected A and B information. For Protected C information, a field size of at least 2048 bits shall be used.
  • By the end of 2013, the field size shall be increased to at least 2048 bits for Protected A and B information. The modulus length shall be increased to at least 3072 bits by the end of 2025 for Protected C, and by the end of 2030 for all levels of Protected information.
  • CSEC must approve the schemes in which the digital signature algorithm is embedded.
  • Cryptoperiods shall be approved by CSEC.

ECDSA (Elliptic Curve Digital Signature Algorithm)

  • This signature scheme is defined in ANSI X9.62 - 2005. Guidance for implementation can be found in FIPS 186-3 2006 (Digital Signature Standard (DSS)).
  • The elliptic curve key length shall be at least 160 bits for Protected A and B information, and 224 bits for Protected C information.
  • For Protected A and B information, elliptic curve key lengths of at least 224 bits shall be used by the end of 2013.
  • Recommended curves can be found in Appendix D of the FIPS 186-3 standard.
  • Cryptoperiods shall be approved by CSEC.

Hash Algorithms

SHA-224, SHA-256, SHA-384 and SHA-512

  • CSEC approves the use of SHA-224, SHA-256, SHA-384 and SHA-512 as defined in FIPS 180-3 (Secure Hash Standard) for Protected A, B, and C information.
  • The use of SHA-1 for digital signature generation for Protected A and B information should be discontinued by the end of 2013. For Protected C information, the use of SHA-1 for digital signature generation should have been discontinued in 2008.
  • Although the use of SHA-1 is currently permitted, CSEC strongly recommends the use of SHA-224 or higher whenever possible.

Data Integrity Algorithms

HMAC (Hash-based Message Authentication Code (MAC))

  • CSEC approves the use of HMAC as defined in FIPS 198 (The Keyed-Hash Message Authentication Code (HMAC)) issued in 2008.
  • Key lengths shall be at least 80 bits.
  • By the end of 2013, key lengths shall be increased to at least 112 bits.

CMAC (Cipher-based Message Authentication Code (MAC))

  • The use of Cipher Based MAC with AES as defined in NIST Special Publication 800-38B is approved for use with all Protected information.
  • The use of 2-key Triple DES shall be discontinued by the end of 2015.
  • Tag length shall be at least 90 bits for Protected A and B information and 122 bits for Protected C information.
  • For Protected A and B information, tag lengths of at least 122 bits shall be used by the end of 2013.

GMAC/Galois Counter Mode and CCM

  • The CCM mode is specified in NIST SP 800-38C and GMAC/GCM is specified in NIST SP 800-38D.
  • These can be used for all levels of Protected information.

Padding Schemes

Some of the key establishment and digital signature algorithms listed above require that a padding scheme be defined when the algorithm is used.

CSEC approves the use of the following RSA padding schemes for key establishment:

  • From RSA PKCS #1 v2.1, the padding scheme defined as RSAES-OAEP.

CSEC approves the use of the following RSA padding schemes for digital signature:

  • The padding scheme defined in ANSI X9.31; and
  • From RSA PKCS #1 v2.1, the padding scheme defined as RSAES-PSS.

The use of any padding scheme with SHA-1 for digital signature generation shall be discontinued by the end of 2013.

Notes:

All the above listed cryptographic algorithms may be implemented in hardware or software.

In ensuring a suitable level of cryptographic security, there are factors to be considered in addition to using approved algorithms. The cryptographic algorithm implementations must be validated to ensure that they meet the specified standard. Additional assurance for the product in which the algorithm is implemented can be validated through FIPS 140-2 and/or Common Criteria evaluation. Aspects of security including random number generation, the application environment and application specific threats must also be taken into account. Contact CSEC for details.
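
The date-phased minimum sizes in the table can be encoded as step schedules and used to audit a key inventory and plan migrations. The following is an added example, not part of the original CSEC page; the function names, the inventory entries and the reading of "by the end of 2013" as "enforced from 2014-01-01" are assumptions of the example.

```python
from bisect import bisect_right
from datetime import date

# Minimum sizes in bits, transcribed from the table as (effective_from, minimum)
# steps. Assumption of this example: "by the end of 2013" means the higher minimum
# is enforced from 2014-01-01 (likewise 2025 -> 2026-01-01, 2030 -> 2031-01-01).
START = date.min
MODULUS = {  # RSA, DSA and finite-field (DH, MQV, El-Gamal) modulus or field size
    "AB": [(START, 1024), (date(2014, 1, 1), 2048), (date(2031, 1, 1), 3072)],
    "C": [(START, 2048), (date(2026, 1, 1), 3072)],
}
CURVE = {  # elliptic curve key length (ECC key establishment and ECDSA)
    "AB": [(START, 160), (date(2014, 1, 1), 224)],
    "C": [(START, 224)],
}
HMAC_KEY = [(START, 80), (date(2014, 1, 1), 112)]  # the page gives one rule for all levels
SCHEDULE = {"modulus": MODULUS, "curve": CURVE, "hmac": {"AB": HMAC_KEY, "C": HMAC_KEY}}

def steps_for(family, level):
    """Protected A and B share one schedule; Protected C has its own."""
    return SCHEDULE[family]["C" if level.upper() == "C" else "AB"]

def minimum_bits(family, level, on):
    """Minimum size in force on the date `on`."""
    steps = steps_for(family, level)
    return steps[bisect_right([start for start, _ in steps], on) - 1][1]

def non_compliant_from(family, level, bits):
    """First date on which a key of `bits` falls below the minimum, or None."""
    for start, need in steps_for(family, level):
        if bits < need:
            return start
    return None

def audit(inventory, on):
    """Return (name, bits, required) for every key below the minimum on `on`."""
    checked = [(n, b, minimum_bits(f, lvl, on)) for n, f, lvl, b in inventory]
    return [row for row in checked if row[1] < row[2]]

# Constructed sample inventory: (name, family, protection level, size in bits).
INVENTORY = [
    ("vpn-gateway-rsa", "modulus", "B", 1024),
    ("doc-signing-rsa", "modulus", "C", 2048),
    ("badge-ecdsa", "curve", "A", 192),
    ("api-hmac", "hmac", "B", 128),
]
```

`non_compliant_from` gives the migration deadline for an existing key, which is usually the more useful number when scheduling re-keying ahead of a transition date.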

For additional information, contact:

ITS Client Services
Telephone: 613-991-7654
Email: itsclientservices@cse-cst.gc.ca