Title

Cryptographic Algorithms Profile

Description

The Cryptographic Algorithms Profile specifies the use of public standards for cryptographic algorithm interoperability to protect IT systems.

Taxonomy

Standards

Guidance

The following algorithms and parameters are to be used to support specific functions

• Root CA Certificates

• Digest Algorithm SHA-256 or SHA-384 (Root CA certificates, which were signed using SHA-1 before 1 January 2016, may be used until 1 January 2025)

• RSA modulus size (bits) 3072 or 4096

• ECC Curve NIST P-256 or P-384

• Subordinate CA Certificates

• Digest Algorithm SHA-256 or SHA-384

• RSA modulus size (bits) 2048, 3072 or 4096

• ECC Curve NIST P-256 or P-384

• Subscriber Certificates

• Digest Algorithm SHA-256 or SHA-384

• RSA modulus size (bits) 2048, 3072 or 4096

• ECC Curve NIST P-256 or P-384

For further guidance on the implementation the AC/322-N(2020)0077 iTIF Certificate Profiles Version 1.2.2 shall also be considered.

Even more guidance

• A digital certificate service provider shall choose which combination of algorithm and keylength chain to build. The service portfolio may contain several parallel solutions.
• You shall not mix key-algorithms in one CA/sub-CA chain.
• A digital certificate service consumer shall support the full spectrum of possible combinations in algorithm and keylength.
• During a mission instantiation, the service designer shall verify service consumer capabilities with regard to supported algorithms.

Status

Utilization