Security Recommendations for the Public Sector
Cryptography is a powerful tool, which—if applied correctly—provides confidentiality, integrity, and authenticity of electronically stored, processed, and transmitted data. Electronic Internet-based services from security-critical fields such as e-government or e-banking would be infeasible without cryptography. Hence, the correct application of cryptographic methods is also for public administrations of special relevance.
The application of cryptographic methods is a complex task. It requires the selection of appropriate methods that are able to meet given functional and security requirements. Furthermore, selected methods typically also need to be correctly parameterized, in order to achieve the intended security level. A well-known example is for instance the selection of suitable key sizes.
The complexity behind cryptographic methods and the need for an appropriate parameterization pose a serious challenge in practice and can lead to potential security flaws, as wrong algorithms or bad parameterizations can compromise the overall security. This also applies to frequently used cryptographic applications such as SSL/TLS, which rely on cryptographic primitives like authentication, encryption, or integrity checks.
Being aware of these issues, A-SIT has prepared two studies, in which recommendations regarding the proper selection of cryptographic algorithms, their application, and their parameterization are provided. The first study focuses on cryptographic primitives and identifies those algorithms, which are recommendable for achieving data integrity, confidentiality, and authenticity. In addition, appropriate parameterizations for these algorithms are recommended where required. Special focus is put on those aspects and scenarios, which are of special relevance in the Austrian public sector. The second study focuses on the correct application of SSL/TLS. Several general recommendations are provided and appropriate cipher suites are recommended.
Even though both studies are primarily addressed to public administrations, the contents of these studies are potentially also interesting for private-sector companies and organizations, or for end users. Therefore, these studies are provided as free download on this website.
|Part 1:Reccomendations for the application of cryptographic methods (DE, PDF)||1.2||2016-02-15|
|Part 2: Reccomendations for the application of SSL/TLS (DE, PDF)||1.1||2016-02-15|
|General update, inclusion of RFC 7525, discussion of new attacks||
1.2 (Part 1), 1.1 (Part 2)
|Initial public release||
1.1 (Part 1), 1.0 (Part 2)