The publication titled "Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information," issued by the Canadian Centre for Cyber Security (Cyber Centre), serves as a comprehensive update to its previous versions. The document, effective from March 6, 2025, aims to guide organizations, particularly government departments and agencies, on the recommended cryptographic algorithms and their applications to safeguard sensitive information.
Organizations’ capacity to secure sensitive data is vital for delivering their services and maintaining public trust. The publication outlines the importance of using well-configured cryptography to ensure the authenticity, confidentiality, and integrity of information. A successful security mechanism relies on carefully selecting and implementing appropriate algorithms tailored to an organization’s specific security needs.
Key Points in the Publication:
-
Introduction and Purpose: The document emphasizes that organizations utilize interconnected IT systems that are prone to cyber threats. A compromised system can lead to data breaches and financial repercussions, underscoring the significance of cryptographic measures. Given the critical role of cybersecurity in managing risks, organizations are urged to implement effective strategies.
-
Recommended Cryptographic Algorithms: The publication provides specific guidance on suitable cryptographic algorithms. This includes encryption algorithms such as the Advanced Encryption Standard (AES), which is recommended for its robust security features. It outlines encryption modes of operation for AES, emphasizing the importance of utilizing proper methods like Cipher Block Chaining (CBC) and Counter (CTR) modes to protect sensitive data.
-
Key Establishment Schemes: Recommendations encompass several key establishment schemes, which include the Rivest-Shamir-Adleman (RSA) method and various elliptic curve cryptography (ECC) schemes. It advises on transitioning to post-quantum cryptography due to the potential vulnerabilities posed by quantum computing.
-
Digital Signatures: The publication highlights various digital signature schemes, designating RSA and Elliptic Curve Digital Signature Algorithm (ECDSA) as standard practices. It notes that some signature schemes, such as the Digital Signature Algorithm (DSA), should be phased out by a specified date, reflecting the adaptation to evolving cryptographic standards.
-
Phasing Out Obsolete Algorithms: To maintain security, the document discusses algorithms that should no longer be in use or need to be replaced by specific deadlines, indicating a proactive approach to cybersecurity.
-
Hash Functions and Security: The publication details various secure hash functions, succinctly specifying the need for transition away from SHA-1 due to security risks. It recommends using SHA-2 and SHA-3 families for their collision resistance properties.
-
Key Derivation Functions and Message Authentication: This section suggests methods for deriving secure keys crucial for cryptographic operations and specifies several protocols and standards for implementation, ensuring that these are up to date with current security standards.
-
Preparation for Quantum Threats: In light of advancements in quantum computing, guidelines are included for embracing post-quantum cryptography to safeguard against future vulnerabilities.
-
Commercial Technology Assurance Programs: The document also emphasizes the importance of utilizing cryptographic modules validated through the Cryptographic Module Validation Program (CMVP).
- Ongoing Revisions and Updates: The publication commits to constant updates and revisions in line with emerging technologies and standards, providing ongoing support to organizations navigating cybersecurity threats.
In closing, effective cryptography is presented as essential for the protection of UNCLASSIFIED, PROTECTED A, and PROTECTED B information. Organizations are encouraged to actively engage with the guidelines set forth in this publication to ensure they meet the requisite security standards and stay ahead of potential threats. The publication aligns with the Treasury Board of Canada’s policies, reinforcing its critical role in national cybersecurity strategy.