Algorithms, Key Sizes and Parameters Report 2013 recommendations version 1.0 – October 2013 www.enisa.europa.eu Algorithms, Key Size and Parameters Report { 2013 Recommendations Contributors to this report: This work was commissioned by ENISA under contract P/18/12/TCD Lot 2 to the consortium formed for this work by K.U.Leuven (BE) and University of Bristol (UK). • Contributors: Nigel P. Smart (University of Bristol), Vincent Rijmen (K.U. Leuven), Bogdan Warinschi (University of Bristol), Gaven Watson (University of Bristol). • Editor: Nigel P. Smart (University of Bristol), • ENISA Project Manager: Rodica Tirtea Agreements of Acknowledgements We would like to extend our gratitude to: • External Reviewers: Arjen Lenstra (EPFL), Christof Paar (Ruhr-Universit¨atBochum), Ken- neth G. Paterson (Royal Holloway, University of London), Michael Ward (Mastercard) for their comments suggestions and feedback. • We also thank a number of people for providing anonymous input. Page: 1 Algorithms, Key Size and Parameters Report { 2013 Recommendations About ENISA The European Union Agency for Network and Information Security Agency is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross- border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Contact details For contacting ENISA or for general enquiries on cryptography, please use the following details: • E-mail: [email protected]. • Internet: http://www.enisa.europa.eu. For questions related to current report, please use the following details: • E-mail: [email protected] Legal Notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal ac- tion of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged. c European Union Agency for Network and Information Security (ENISA), 2013 Page: 2 Algorithms, Key Size and Parameters Report { 2013 Recommendations Contents 1 Executive Summary 9 2 How to Read this Document 11 2.1 Division into Chapters and Sections . 13 2.2 Making a Decision . 14 2.2.1 Public key signatures . 15 2.2.2 Public key encryption . 15 2.3 Comparison to Other Documents . 16 2.4 Open Issues and Areas Not Covered . 17 3 Primitives 20 3.1 Comparison . 20 3.2 Block Ciphers . 22 3.2.1 Recommended Block Ciphers . 23 3.2.2 Legacy Block Ciphers . 24 3.2.3 Historical (not-recommended) Block Ciphers . 25 3.3 Hash Functions . 25 3.3.1 Recommended Hash Functions . 26 3.3.2 Legacy Hash Functions . 26 3.3.3 Historical (not recommended) Hash Functions . 27 3.4 Stream Ciphers . 27 3.4.1 Recommended Stream Ciphers . 27 3.4.2 Legacy Stream Ciphers . 28 3.4.3 Historical (non recommended) Stream Ciphers . 29 3.5 Public Key Primitives . 30 3.5.1 Factoring . 30 3.5.2 Discrete Logarithms . 31 3.5.3 Pairings . 33 3.6 Recommendations . 34 Page: 3 Algorithms, Key Size and Parameters Report { 2013 Recommendations 4 Schemes 36 4.1 Block Cipher Basic Modes of Operation . 37 4.1.1 ECB . 37 4.1.2 CBC . 37 4.1.3 OFB . 39 4.1.4 CFB . 39 4.1.5 CTR . 39 4.1.6 XTS . 40 4.1.7 EME . 41 4.2 Message Authentication Codes . 41 4.2.1 Block Cipher Based MACs . 41 4.2.2 GMAC . 43 4.2.3 Hash Function Based MACs . 43 4.3 Authenticated Encryption . 43 4.3.1 Encrypt-then-MAC (and variants) . 44 4.3.2 OCB . 44 4.3.3 CCM . 44 4.3.4 EAX . 45 4.3.5 CWC . 45 4.3.6 GCM . 45 4.4 Key Derivation Functions . 45 4.4.1 NIST-800-108-KDF . 46 4.4.2 X9.63-KDF . 46 4.4.3 NIST-800-56-KDFs . 46 4.4.4 IKE-v1-KDF and IKE-v2-KDF . 47 4.4.5 TLS-KDF . 47 4.5 Generalities on Public Key Schemes . 47 4.6 Public Key Encryption . 48 4.6.1 RSA-PKCS# 1 v1.5 . 48 4.6.2 RSA-OAEP . 48 4.7 Hybrid Encryption . 48 4.7.1 RSA-KEM . 49 4.7.2 PSEC-KEM . 49 4.7.3 ECIES-KEM . 49 4.8 Public Key Signatures . 49 4.8.1 RSA-PKCS# 1 v1.5 . 49 4.8.2 RSA-PSS . 49 4.8.3 RSA-FDH . 50 4.8.4 ISO 9796-2 RSA Based Mechanisms . 50 4.8.5 (EC)DSA . 50 Page: 4 Algorithms, Key Size and Parameters Report { 2013 Recommendations 4.8.6 PV Signatures . 51 4.8.7 (EC)Schnorr . 51 4.9 Identity Based Encryption/KEMs . 51 4.9.1 BF . 51 4.9.2 BB . 52 4.9.3 SK . 52 5 Protocols 53 5.1 General Protocols . 53 5.1.1 Key Agreement . 53 5.1.2 TLS . 54 5.1.3 IPsec . 56 5.1.4 SSH . 58 5.1.5 Kerberos . 60 5.2 Application Specific Protocols . 61 5.2.1 WEP/WPA . 61 5.2.2 UMTS/LTE . 61 5.2.3 Bluetooth . 62 5.2.4 ZigBee . 63 5.2.5.