Evaluated cryptographic implementations
Implementations of the algorithms in this section need to undergo an ACE before they can be approved to protect classified information.
High assurance cryptographic algorithms
High assurance cryptographic algorithms, which are not covered in this section, can be used for the protection of highly classified information if they are suitably implemented in HACE. Further information on high assurance cryptographic algorithms can be obtained from the ACSC.
ASD Approved Cryptographic Algorithms
There is no guarantee of an algorithmâ€™s resistance against currently unknown attacks. However, the algorithms listed in this section have been extensively scrutinised by industry and academic communities in a practical and theoretical setting and have not been found to be susceptible to any feasible attacks. There have been some cases where theoretically impressive security vulnerabilities have been found; however, these results are not of practical application.
AACAs fall into three categories: asymmetric/public key algorithms, hashing algorithms and symmetric encryption algorithms.
The approved asymmetric/public key algorithms are:
 DiffieHellman (DH) for agreeing on encryption session keys
 Digital Signature Algorithm (DSA) for digital signatures
 Elliptic Curve DiffieHellman (ECDH) for key exchange
 Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures
 RivestShamirAdleman (RSA) for digital signatures and passing encryption session keys or similar keys.
The approved hashing algorithm is Secure Hashing Algorithm 2 (SHA2) (i.e. SHA224, SHA256, SHA384 and SHA512).
The approved symmetric encryption algorithms are Advanced Encryption Standard (AES) using key lengths of 128, 192 and 256 bits, and Triple Data Encryption Standard (3DES) using three distinct keys.
Where there is a range of key sizes for an algorithm, some of the smaller key sizes are not approved as they do not provide an adequate safety margin against possible future attacks. For example, advances in integer factorisation methods could render smaller RSA moduli vulnerable.
Using ASD Approved Cryptographic Algorithms
If cryptographic equipment or software implements unapproved algorithms, as well as AACAs, it is possible that these unapproved algorithms could be used without a userâ€™s knowledge. In combination with an assumed level of security confidence, this can represent a security risk. As such, organisations can ensure that only the AACA can be used by disabling the unapproved algorithms (which is preferred) or advising users not to use the unapproved algorithms via usage policies.
Security Control: 0471; Revision: 6; Updated: Jun20; Applicability: O, P
Only AACAs are used by cryptographic equipment and software.
Approved asymmetric/public key algorithms
Over the last decade, DSA and DH cryptosystems have been subject to increasingly successful subexponential indexcalculusbased attacks. ECDH and ECDSA offer more security per bit increase in key size than DH or DSA and are considered more secure alternatives.
Security Control: 0994; Revision: 5; Updated: Sep18; Applicability: O, P
ECDH and ECDSA are used in preference to DH and DSA.
Using DiffieHellman
A modulus of at least 2048 bits for DH is considered best practice by the cryptographic community. A modulus smaller than 1024 bits for DH is considered cryptographically weak.
Security Control: 0472; Revision: 4; Updated: Sep18; Applicability: O, P
When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used.
Using the Digital Signature Algorithm
A modulus of at least 2048 bits for DSA is considered best practice by the cryptographic community. A modulus smaller than 1024 bits for DSA is considered cryptographically weak.
Security Control: 0473; Revision: 4; Updated: Sep18; Applicability: O, P
When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used.
Using Elliptic Curve Cryptography
The curve used within an elliptic curve algorithm can affect the security of the algorithm. Only approved curves should be used.
Security Control: 1446; Revision: 1; Updated: Sep18; Applicability: O, P
When using elliptic curve cryptography, a curve from FIPS 1864 is used.
Using Elliptic Curve DiffieHellman
A field/key size of at least 256 bits for ECDH is considered best practice by the cryptographic community. A field/key size smaller than 160 bits for ECDH is considered cryptographically weak.
Security Control: 0474; Revision: 4; Updated: Sep18; Applicability: O, P
When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used.
Using the Elliptic Curve Digital Signature Algorithm
A field/key size of at least 256 bits for ECDSA is considered best practice by the cryptographic community. A field/key size smaller than 160 bits for ECDSA is considered cryptographically weak.
Security Control: 0475; Revision: 4; Updated: Sep18; Applicability: O, P
When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used.
Using RivestShamirAdleman
A modulus of at least 2048 bits for RSA is considered best practice by the cryptographic community. A modulus smaller than 1024 bits for RSA is considered cryptographically weak.
Security Control: 0476; Revision: 5; Updated: Sep18; Applicability: O, P
When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used.
Security Control: 0477; Revision: 6; Updated: Sep18; Applicability: O, P
When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used.
Approved hashing algorithms
Research conducted by the cryptographic community has shown Secure Hashing Algorithm 1 (SHA1) is susceptible to collision attacks. In 2017, researchers demonstrated a SHA1 collision with Portable Document Format files. A hashing algorithm from the SHA2 family should be used instead of SHA1.
Security Control: 1054; Revision: 4; Updated: Sep18; Applicability: O, P
A hashing algorithm from the SHA2 family is used instead of SHA1.
Approved symmetric encryption algorithms
The use of Electronic Codebook Mode with block ciphers allows repeated patterns in plaintext to appear as repeated patterns in ciphertext. Most plaintext, including written language and formatted files, contains significant repeated patterns. As such, an adversary can use this to deduce possible meanings of ciphertext. The use of other modes such as Galois/Counter Mode, Cipher Block Chaining, Cipher Feedback or Output Feedback can prevent such attacks, although each has different properties which can make them inappropriate for certain use cases.
Security Control: 0479; Revision: 4; Updated: Sep18; Applicability: O, P
Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.
Using the Triple Data Encryption Standard
Using three distinct keys for 3DES is deemed the only secure option for practical purposes. All other keying options are susceptible to attacks that reduce the security of 3DES and are therefore not deemed secure. Where practical, organisations should use an approved implementation of AES, instead of 3DES.
Security Control: 0480; Revision: 6; Updated: Sep18; Applicability: O, P
3DES is used with three distinct keys.
Protecting highly classified information
ASD has approved the following cryptographic algorithms for the protection of highly classified information when used in an evaluated implementation.
Recommended algorithms and key sizes should be given preference in order to ensure interoperability with the Commercial National Security Algorithm (CNSA) Suite.
Purpose 
Algorithm 
Approved for 
Approved for 
Recommended 

Encryption 
AES 
AES128 
AES256 
AES256 
Hashing 
SHA2 
SHA256 
SHA384 
SHA384 
Digital signatures 
ECDSA 
NIST P256 
NIST P384 
NIST P384 
RSA 
3072 bit key 
3072 bit key 
3072 bit key 

Key exchange 
DH 
3072 bit key 
3072 bit key 
3072 bit key 
ECDH 
NIST P256 
NIST P384 
NIST P384 

RSA 
3072 bit key 
3072 bit key 
3072 bit key 
Security Control: 1232; Revision: 5; Updated: May19; Applicability: S, TS
AACAs are used in an evaluated implementation.
Security Control: 1468; Revision: 5; Updated: Oct19; Applicability: S, TS
Preference is given to using the CNSA Suite algorithms and key sizes.
Further information
Further information on selecting evaluated products can be found in the evaluated product acquisition section of the Guidelines for Evaluated Products.
Further information on DH can be found in Diffie, W and Hellman, ME, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. 22, is. 6, pp. 644654, November 1976.
Further information on DSA can be found in FIPS 1864, Digital Signature Standard (DSS), at https://csrc.nist.gov/publications/detail/fips/186/4/final.
Further information on ECDH can be found in:
 American National Standards Institute (ANSI) X9.632011 (R2017), Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography, at https://infostore.saiglobal.com/enau/Standards/ANSIX9632011R20172086_SAIG_ABA_ABA_5343/
 ANSI X9.422003 (R2013), Public Key Cryptography for the Financial Services Industry, Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, at https://infostore.saiglobal.com/enau/Standards/ANSIX9422003R20132071_SAIG_ABA_ABA_5311/
 NIST SP 80056A Rev. 3, Recommendation for PairWise KeyEstablishment Schemes Using Discrete Logarithm Cryptography, at https://csrc.nist.gov/publications/detail/sp/80056a/rev3/final.
Further information on ECDSA can be found in:
 ANSI X9.632011 (R2017), Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography, at https://infostore.saiglobal.com/enau/Standards/ANSIX9632011R20172086_SAIG_ABA_ABA_5343/
 ANSI X9.622005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), at https://infostore.saiglobal.com/enau/Standards/ANSIX96220052085_SAIG_ABA_ABA_5340/
 FIPS 1864, Digital Signature Standard (DSS), at https://csrc.nist.gov/publications/detail/fips/186/4/final.
Further information on the CNSA Suite can be found in the CNSA Suite and Quantum Computing FAQ at https://apps.nsa.gov/iaarchive/library/iaguidance/iasolutionsforclassified/algorithmguidance/cnsasuiteandquantumcomputingfaq.cfm.
Further information on RSA can be found in Internet Engineering Task Force (IETF) Request for Comments (RFC) 8017, PKCS #1: RSA Cryptography Specifications Version 2.2, at https://tools.ietf.org/html/rfc8017.
Further information on SHA can be found in FIPS 1804, Secure Hash Standard (SHS), at https://csrc.nist.gov/publications/detail/fips/180/4/final.
Further information on AES can be found in FIPS 197, Advanced Encryption Standard (AES), at https://csrc.nist.gov/publications/detail/fips/197/final.