S 2.164 Selection of a suitable cryptographic procedure

Initiation responsibility: IT Security Officer

Implementation responsibility: IT Security Officer

The selection of a cryptographic procedure can be divided into the following two tasks:

Before users commit to using certain procedures, they should have an exact idea of the requirements they need to place on the confidentiality and authenticity of the data processed at every point of the informationprocessing system.

Selection of cryptographic algorithms

When selecting cryptographic algorithms, it is necessary to clarify what type of cryptographic procedure is needed, i.e. a symmetric, asymmetric, or hybrid procedure, and then to select suitable algorithms, i.e. one offering a mechanism of the right strength.

Encryption methods

Authentication procedure

Hash methods

Great progress has been made recently in the cryptographic analysis of hash functions. Due to the progress made, SHA-1 is not recommended unconditionally any more for all applications, but it is still possible to use HMAC as its use is still not considered critical.

Suitable algorithms include, in particular, the newer SHA-2 versions (SHA-224, SHA-256, SHA-384, SHA-512), which are designed for applications with higher collision resistance requirements, in addition to RIPEMD-160 (for lower collision resistance requirements, i.e. with about 80 bits of complexity).

The MD5 hash algorithm is outdated and has known weaknesses that can be demonstrated today based on practical examples. For these reasons, MD5 should not be used any more.

Selection criteria

The strength of the mechanism / key length

One of the most important criteria for the selection of a cryptographic procedure is the strength of its mechanism. For symmetric procedures, the key length in particular should be adequately long. The longer the key length of the key used for a cryptographic procedure, the longer it takes to calculate the key (for example using a brute force attack). On the other hand, the procedures are slower when using longer keys, which means it is necessary to decide which key length to use by weighing the benefits obtained using a longer key against the lowered performance aspects. A general rule of thumb for a procedure considered good today (Triple DES, IDEA, RC5, AES ...) for an application with average protection requirements is that the key used should be at least 100 bits long. When using block ciphers, larger, structured amounts of data should not be encrypted in the ECB mode. The CBC or the CFB mode should be used instead. For this reason, at least one of these operating modes should be implemented.

When using asymmetric procedures, the strength of the mechanism should be selected in such a way that the underlying mathematical problems require an unreasonably large amount of computing time to solve or are practically impossible to solve (for this reason, the strength of the mechanism to be selected depends on the current state of development of the algorithm and computing technology). At the current time, you can assume you are on the safe side when using the following:

curve. Well-known experts estimate that 1024-bit RSA moduli can be factored after approximately 280 operations, and the number of operations required by the best generic algorithms to solve the discrete logarithm problem in a group is in the order of 160 bits, which is in about the same magnitude. Since the time required to perform 280 operations is slowly coming in the range of technical feasibility due to the progress in computer technology, algorithms with 80-bit security levels (e.g. 1024-bit RSA) currently in use should not be used any more for new developments and should be replaced entirely in the long term.

For security applications that will be used in the long term, 2048-bit RSA moduli or subgroup orders of at least 224 bits should be used. Examples of suitable elliptic curves can be found on the internet at www.ecc-brainpool.org.

"Unknown" algorithms should not be used, meaning algorithms that have been published, intensively examined by a wide range of experts, and in which there are currently no known security vulnerabilities should be used instead. Manufacturers frequently offer security products using new algorithms that are supposedly "much more secure and even faster" than other algorithms. However, we would like to warn you about using unknown algorithms from sources whose cryptographic competence has not been adequately verified.

Symmetric or hybrid procedures?

For performance reasons, no implementations based solely on public key techniques should be used for encryption purposes. All common implementations of public key cryptography use hybrid procedures (see also S 3.23 Introduction to basic cryptographic terms).

In applications with large or open user groups, it is usually recommended to use a hybrid procedure (due to the advantages in the key management). For small, closed user groups (and especially when there is only one user), the selection should be restricted to symmetric procedures. When using hybrid procedures, it makes sense to use a symmetric and an asymmetric procedure with the same strength. Since numerous keys need to be encrypted by the asymmetric procedure for use in the symmetric procedure before exchanging keys, the asymmetric algorithm should be designed to be slightly stronger.

Feasibility of technical requirements

The cipher algorithms must be designed in such a way that the technical requirements, and especially the performance required, can be met by a suitable implementation. This includes requirements on the error propagation (for example when sending over very noisy channels), but also requirements on synchronisation overhead and time delay (in case "real-time" encryption of large amounts of data is required, for example).

Example: Voice encryption with ISDN

When planning a communication network, a host of parameters must be taken into account which have an influence on the expected quality of the voice transmission and appearing in the form of hissing, crackling, crosstalk, or whistling. Such influencing factors include, for example, the encryption method used. In order to obtain a satisfactory level of voice quality, all of the equipment in a transmission route needs to be examined and assessed.

Although examining an individual component alone should not be considered justified due to the interaction of each of the relevant effects, it is nevertheless important to know the factors influencing each individual component (e.g. the encryption component). The general conditions for realisation as well as for selection can then be derived from this information.

The response of an encryption component is therefore primarily characterised by the following factors:

The influencing factors mentioned above have a negative effect on voice encryption in particular (as a real-time service) and lead to an increase in the end-to-end transmission time, more fluctuation in the transmission time, as well as higher error rates, which in turn means reduced quality that is measurable and can be attributed to the encryption components.

Other influencing factors

Some cryptographic algorithms (IDEA, for example) are patented and it may be necessary to pay licence fees when using them in commercial applications (which also includes applications in government).

Publications of the Federal Network Agency

In the Federal Gazette, the Federal Network Agency regularly publishes an overview of the algorithms that can be considered suitable for generating signature keys, hashing data to be signed, or generating and examining qualified electronic signatures. These publications can also be downloaded from the website of the Federal Network Agency (www.bundesnetzagentur.de). They can provide additional information to help you select a procedure.

Review questions:

© Federal Office for Information Security. All rights reserved.