Algorithm Name 
Key Management Issues 
Encryption Algorithms 
AES (128, 192, 256 bits)
NIST standard FIPS PUB 197 2001 (Advanced Encryption Standard) gives a specification for the AES algorithm. 

TripleDES
(ANSI X9.52; Triple DES Encryption Algorithm Modes of Operation and NIST Special Publication 80067 2004 (Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher) specify the acceptable methods of implementing TripleDES.) 
 The 3key option provides the best security and is therefore the preferred option. The 2key option is also currently acceptable for Protected A and B, where the key used in the final encryption/decryption operation is the same as in the first encryption/decryption operation.
 The single key option which is equivalent to DES, is not approved by CSEC for the protection of Protected GC information.
 Use of the 2key option for Protected A and B information shall be discontinued by the end of 2015.
 The cryptoperiod shall not exceed seven days.

CAST5 (80 and 128 bits)
(RFC2144) 
 Acceptable modes of operation are the same as those defined for AES.
 The 128bit version of CAST5 is currently valid for all levels of Protected information. For Protected C information, use of the 80bit version should have been discontinued by the end of 2005. For Protected A and B information, use of the 80bit version shall be discontinued by the end of 2013.
 For 80bit CAST5, the cryptoperiod shall not exceed 24 hours. For 128bit CAST5, the cryptoperiod shall not exceed 7 days.

Key Establishment Algorithms 
RSA (Rivest, Shamir, Adleman) 
 The modulus shall be at least 1024 bits long for Protected A and B information, and 2048 bits long for Protected C information.
 By the end of 2013, the modulus length shall be increased to at least 2048 bits for Protected A and B information. The modulus length shall be increased to at least 3072 bits by the end of 2025 for Protected C and by the end of 2030 for all other levels of Protected information.
 Cryptoperiods shall be approved by CSEC.

Other algorithms based on exponentiation in finite fields (e.g., DiffieHellman, MQV) 
 The field size shall be prime and be at least 1024 bits long for Protected A and B information, and 2048 bits long for Protected C information.
 By the end of 2013, a field size of at least 2048 bits for Protected A and B information shall be used. By the end of 2025 a field size of at least 3072 bits shall be used for Protected C information. By the end of 2030 a field size of at least 3072 bits shall be used for Protected A and B information.
 CSEC must approve the schemes in which the key exchange is embedded.
 Cryptoperiods shall be approved by CSEC.

Elliptic Curve algorithms 
 The ECC shall be implemented over a finite field of order q, where q is an odd primer or of the form 2m where m is a prime. Associated with the domain parameters is a key length, the length in bits of the order of the base points. The key length shall be at least 160 bits in length for Protected A and B information, and 224 bits in length for Protected C information.
 For Protected A and B information, elliptic curve key lengths of at least 224 bits shall be used by the end of 2013.
 Recommended curves can be found in Appendix D of FIPS 1863 (Digital Signature Standard (DSS)).
 CSEC must approve the schemes in which the key exchange is embedded.
 Cryptoperiods shall be approved by CSEC.

Digital Signature Algorithms 
RSA (Rivest, Shamir, Adleman) 
 The signature schemes are defined in ANSI X9.31  1998 and in RSA PKCS #1 v2.1. Guidance for implementation can be found in FIPS 1863 2006 (Digital Signature Standard (DSS)).
 The modulus shall be at least 1024 bits long for Protected A and B information, and 2048 bits long for Protected C information.
 By the end of 2013 the modulus length shall be increased to al least 2048 bits for Protected A and B information. The modulus length shall be increase to at least 3072 bits by the end of 2025 for Protected C, and by the end of 2030 for all other levels of Protected information.
 Cryptoperiods shall be approved by CSEC.

Digital Signature Algorithm (DSA) 
 This signature scheme is defined in FIPS 1863 (Digital Signature Standard (DSS)).
 The modulus shall be at least 1024 bits long for Protected A and B information, and 2048 bits long for Protected C information.
 By the end of 2013 the modulus length shall be increased to at least 2048 bits for Protected A and B information. The modulus length shall be increased to at least 3072 bits by the end of 2025 for Protected C, and by the end of 2030 for all other levels for Protected information.
 Cryptoperiods shall be approved by CSEC.

Other algorithms based on exponentiation in finite fields (e.g. ElGamal) 
 The field size shall be prime and be at least 1024 bits in length for Protected A and B information. For Protected C information, a field size of at least 2048 bits shall be used.
 By the end of 2013, the field size shall be increased to at least 2048 bits for Protected A and B information. The modulus length shall be increased to at least 3072 bits by the end of 2025 for Protected C, and by the end of 2030 for all levels of Protected information.
 CSEC must approve the schemes in which the digital signature algorithm is embedded.
 Cryptoperiods shall be approved by CSEC.

ECDSA (Elliptic Curve Digital Signature Algorithm) 
 This signature scheme is defined in ANSI X9.62  2005. Guidance for implementation can be found in FIPS 1863 2006 (Digital Signature Standard (DSS)).
 The elliptic curve key length shall be at least 160 bits for Protected A and B information, and 224 bits for Protected C information.
 For Protected A and B information, elliptic curve key lengths of at least 224 bits shall be used by the end of 2013.
 Recommended curves can be found in Appendix D of the FIPS 1863 standard.
 Cryptoperiods shall be approved by CSEC.

Hash Algorithms 
SHA224, SHA256, SHA384 and SHA512 
 CSEC approves the use of SHA224, SHA256, SHA384 and SHA512 as defined in FIPS 1803 (Secure Hash Standard) for Protected A, B, and C information.
 The use of SHA1 for digital signature generation for Protected A and B information should be discontinued by the end of 2013. For Protected C information, the use of SHA1 for digital signature generation should have been discontinued in 2008.
 Although the use of SHA1 is currently permitted, CSEC strongly recommends the use of SHA224 or higher whenever possible.

Data Integrity Algorithms 
HMAC (Hashbased Message Authentication Code (MAC)) 
 CSEC approves the use of HMAC as defined in FIPS 198 (The KeyedHash Message Authentication Code (HMAC)) issued in 2008.
 Key lengths shall be at least 80 bits.
 By the end of 2013, key lengths shall be increased to at least 112 bits.

CMAC (Cipherbased Message Authentication Code (MAC)) 
 The use of Cipher Based MAC with AES as defined in NIST Special Publication 80038B is approved for use with all Protected information.
 The use of 2key Triple DES shall be discontinued by the end of 2015.
 Tag length shall be at least 90 bits for Protected A and B information and 122 bits for Protected C information.
 For Protected A and B information, tag lengths of at least 122 bits shall be used by the end of 2013.

GMAC/Galois Counter Mode and CCM 
 The CCM mode is specified in NIST SP 80038C and GMAC/GCM is specified in NIST SP 80038D.
 These can be used for all levels of Protected information.
