BSI { Technical Guideline Designation: Cryptographic Mechanisms: Recommendations and Key Lengths Abbreviation: BSI TR-02102-1 Version: 2021-01 As of: March 24, 2021 Version Date Changes 2017-01 3.1.2017 Major revision of the section on random number gen- eration on Windows systems. Adjustment of the se- curity level of the present Technical Guideline to 120 bit, as far as concerns the post-2022 prediction period. The recommended key sizes for RSA and mechanisms based on the discrete log problem in finite fields have been adjusted accordingly. 2018-01 15.12.2017 Fundamental revision of the section on prime number generation. Revision of the statement on SHA-1 due to the publication of a SHA-1 collision. Shortening of document history to cover only the last three years in order to save space. 2019-01 22.2.2019 CCM mode is now newly listed among the approved modes of operation for block ciphers. The PKCS1.5 padding format is newly listed as a legacy mechanism. 2020-01 24.3.2020 Recommendation (conditional on use of suitable secu- rity parameters and usage in conjunction with a previ- ously approved asymmetric mechanism) of FrodoKEM and Classic McEliece for post quantum applications. Recommended Argon2id for password hashing. Tran- sitionally, RSA keys of key size ≥ 2000 bits remain conformant to this guideline until end of year 2023. 2020-01 8.3.2021 Revision of the chapter on random number generators, especially with regard to the use of DRG.3 and NTG.1 random number generators. PTG.2 random number generators are no longer recommended for general use. Inclusion of standardised versions of hash-based signa- ture schemes. Federal Office for Information Security P.O.B. 20 03 63, 53133 Bonn, Germany Email: [email protected] Internet: https://www.bsi.bund.de c Federal Office for Information Security 2020 Technical Guideline { Cryptographic Algorithms and Key Lengths Contents Notations and glossary7 1 Introduction 13 1.1 Security objectives and selection criteria....................... 14 1.2 General remarks .................................... 16 1.3 Cryptographic remarks................................. 17 1.4 Handling of legacy algorithms............................. 18 1.5 Further relevant aspects................................ 19 2 Symmetric encryption schemes 21 2.1 Block ciphers...................................... 21 2.1.1 Modes of operation............................... 22 2.1.2 Conditions of use................................ 23 2.1.3 Padding schemes................................ 24 2.2 Stream ciphers ..................................... 24 2.3 Side-channel attacks on symmetric schemes ..................... 24 3 Asymmetric encryption schemes 26 3.1 Preliminary remark on asymmetric key lengths................... 28 3.1.1 General preliminary remarks ......................... 28 3.1.1.1 Security of asymmetric schemes .................. 28 3.1.1.2 Equivalent key lengths for asymmetric and symmetric crypto- graphic mechanisms......................... 29 3.1.2 Key lengths for information worthy of protection for a long period of time and in systems with a long planned period of use.............. 31 3.2 Quantum safe cryptography.............................. 32 3.3 Other remarks ..................................... 34 3.3.1 Side-channel attacks and fault attacks.................... 34 3.3.2 Public key infrastructures........................... 34 3.4 ECIES encryption scheme............................... 35 3.5 DLIES encryption scheme............................... 36 3.6 RSA........................................... 37 4 Hash functions 39 5 Data authentication 41 5.1 Preliminaries ...................................... 41 5.2 Security objectives................................... 41 5.3 Message Authentication Code (MAC) ........................ 42 5.4 Signature algorithms.................................. 43 5.4.1 RSA....................................... 45 5.4.2 Digital Signature Algorithm (DSA)...................... 45 Federal Office for Information Security (BSI) iii Technical Guideline { Cryptographic Algorithms and Key Lengths 5.4.3 DSA versions based on elliptic curves .................... 46 5.4.4 Merkle signatures................................ 47 5.4.5 Long-term preservation of evidentiary value for digital signatures . 47 6 Instance authentication 48 6.1 Symmetric schemes................................... 48 6.2 Asymmetric schemes.................................. 49 6.3 Password-based methods................................ 49 6.3.1 Recommended password length for the access to cryptographic hardware components................................... 49 6.3.2 Recommended methods for password-based authentication to crypto- graphic hardware components......................... 50 7 Key agreement schemes, key transport schemes and key update 52 7.1 Symmetric schemes................................... 53 7.2 Asymmetric schemes.................................. 54 7.2.1 Diffie-Hellman ................................. 54 7.2.2 EC Diffie-Hellman ............................... 55 8 Secret sharing 56 9 Random number generators 58 9.1 Physical random number generators ......................... 59 9.2 Deterministic random number generators ...................... 61 9.3 Non-physical non-deterministic random number generators ............ 61 9.4 Various aspects..................................... 62 9.5 Seed generation for deterministic random number generators ........... 63 9.5.1 GNU/Linux................................... 63 9.5.2 Windows .................................... 64 A Application of cryptographic mechanisms 66 A.1 Encryption schemes with data authentication (secure messaging)......... 66 A.2 Authenticated key agreement............................. 67 A.2.1 Preliminary remarks.............................. 67 A.2.2 Symmetric schemes............................... 67 A.2.3 Asymmetric schemes.............................. 68 B Additional functions and algorithms 69 B.1 Key derivation ..................................... 69 B.1.1 Key derivation following key exchange.................... 69 B.1.2 Password-based key derivation ........................ 69 B.2 Generation of unpredictable initialisation vectors.................. 70 B.3 Generation of EC system parameters......................... 70 B.4 Generation of random numbers for probabilistic asymmetric schemes . 71 B.5 Prime generation.................................... 72 B.5.1 Preliminary remarks.............................. 72 B.5.2 Conforming methods.............................. 73 B.5.3 Generating prime pairs ............................ 75 B.5.4 Notes on the security of the recommended mechanisms........... 75 C Protocols for special cryptographic applications 77 C.1 SRTP .......................................... 77 iv Federal Office for Information Security (BSI) Technical Guideline { Cryptographic Algorithms and Key Lengths List of Tables 1.1 Examples of key sizes reaching a security level of 100 and 120 bits respectively . 15 1.2 Recommended key lengths............................... 15 2.1 Recommended block ciphers.............................. 21 2.2 Recommended modes of operation for block ciphers................. 22 2.3 Recommended padding schemes for block ciphers.................. 24 3.1 Key lengths....................................... 27 3.2 Approximate computing power R required (in multiples of the computing power needed for a simple cryptographic operation, e.g. one-time evaluation of a block cipher on a single block) for the calculation of discrete logarithms in elliptic curves (ECDLP) and/or the factorisation of general composite numbers of the specified bit lengths. ....................................... 30 3.3 Recommended formatting scheme for the RSA encryption algorithm . 38 4.1 Recommended hash functions............................. 39 5.1 Recommended MAC schemes............................. 43 5.2 Parameters for recommended MAC schemes..................... 43 5.3 Recommended signature algorithms ......................... 44 5.4 Recommended padding schemes for the RSA signature algorithm . 45 5.5 Recommended signature algorithms based on elliptic curves............ 46 6.1 Schematic representation of a challenge-response method for instance authentication 48 6.2 Recommended password lengths and recommended number of attempts to gain access for the access protection of cryptographic components ........... 49 6.3 Recommended password-based method for the protection of access to contactless chip cards ....................................... 50 7.1 Recommended asymmetric key agreement schemes................. 54 8.1 Calculation of the secret shares in Shamir's secret-sharing algorithm . 56 8.2 Reassembly of the shared secret in Shamir's secret-sharing algorithm . 57 9.1 Recommended method for seed generation under GNU/Linux .......... 63 A.1 Recommended symmetric methods for authenticated key agreement . 67 A.2 Recommended asymmetric schemes for key agreement with instance authentica- tion ........................................... 68 B.1 Recommended method for key derivation ...................... 69 B.2 Recommended methods for the generation of unpredictable initialisation vectors 70 B.3 Recommended EC system parameters for asymmetric schemes which are based on elliptic curves.................................... 71 B.4 Computation of random values in {0, . , q − 1} ................... 72 Federal Office for Information Security (BSI) v Technical Guideline { Cryptographic Algorithms and Key Lengths B.5 Recommended method 1: prime generation