Evaluated cryptographic implementations
Implementations of the algorithms in this section need to undergo an ASD Cryptographic Evaluation (ACE) before they can be approved to protect classified information.
High assurance cryptographic algorithms
High assurance cryptographic algorithms, which are not covered in this section, can be used for the protection of highly classified information if they are suitably implemented in High Assurance Cryptographic Equipment (HACE). Further information on high assurance cryptographic algorithms can be obtained from the ACSC.
ASD Approved Cryptographic Algorithms
There is no guarantee of an algorithm's resistance against currently unknown attacks. However, the algorithms listed in this section have been extensively scrutinised by industry and academic communities in a practical and theoretical setting and have not been found to be susceptible to any feasible attacks. There have been some cases where theoretically impressive security vulnerabilities have been found; however, these results are not of practical application.
AACAs fall into three categories: asymmetric/public key algorithms, hashing algorithms and symmetric encryption algorithms.
The approved asymmetric/public key algorithms are:
- Diffie-Hellman (DH) for agreeing on encryption session keys
- Digital Signature Algorithm (DSA) for digital signatures
- Elliptic Curve Diffie-Hellman (ECDH) for key exchange
- Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures
- Rivest-Shamir-Adleman (RSA) for digital signatures and passing encryption session keys or similar keys.
The approved hashing algorithm is Secure Hashing Algorithm 2 (SHA-2) (i.e. SHA-224, SHA-256, SHA-384 and SHA-512).
The approved symmetric encryption algorithms are Advanced Encryption Standard (AES) using key lengths of 128, 192 and 256 bits, and Triple Data Encryption Standard (3DES) using three distinct keys.
Where there is a range of key sizes for an algorithm, some of the smaller key sizes are not approved as they do not provide an adequate safety margin against possible future attacks. For example, advances in integer factorisation methods could render smaller RSA moduli vulnerable.
Using ASD Approved Cryptographic Algorithms
If cryptographic equipment or software implements unapproved algorithms as well as AACAs, it is possible that these unapproved algorithms could be used without a user's knowledge. Combined with an assumed level of security confidence, this can represent a security risk. As such, organisations can ensure that only AACAs are used by disabling the unapproved algorithms (which is preferred) or by advising users not to use the unapproved algorithms via usage policies.
Security Control: 0471; Revision: 6; Updated: Jun-20; Applicability: O, P
Only AACAs are used by cryptographic equipment and software.
Approved asymmetric/public key algorithms
DH and DSA are vulnerable to different attacks than ECDH and ECDSA. As a result, ECDH and ECDSA offer more effective security per bit increase. This leads to smaller data requirements which in turn means that elliptic curve variants have become de facto global standards. For reduced data cost, and to promote interoperability, ECDH and ECDSA should be used when possible.
Security Control: 0994; Revision: 5; Updated: Sep-18; Applicability: O, P
ECDH and ECDSA are used in preference to DH and DSA.
Using Diffie-Hellman
A modulus of 2048 bits for correctly implemented DH provides 112 bits of effective security strength. Taking into account projected technological advances, it is assessed that 112 bits of effective security strength will remain secure until 2030.
When DH in a prime field is used, the prime modulus impacts the security of the algorithm. The security considerations when creating such a prime modulus can be found in NIST SP 800-56A Rev. 3, along with a collection of commonly used secure moduli.
Security Control: 0472; Revision: 5; Updated: Dec-20; Applicability: O, P
When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used.
Security Control: 1629; Revision: 0; Updated: Dec-20; Applicability: O, P
When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3.
Using the Digital Signature Algorithm
A modulus of 2048 bits for correctly implemented DSA provides 112 bits of effective security strength. Taking into account projected technological advances, it is assessed that 112 bits of effective security strength will remain secure until 2030.
Security Control: 0473; Revision: 5; Updated: Dec-20; Applicability: O, P
When using DSA for digital signatures, a modulus of at least 2048 bits is used.
Security Control: 1630; Revision: 0; Updated: Dec-20; Applicability: O, P
When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4.
Using Elliptic Curve Cryptography
The curve used within an elliptic curve algorithm impacts the security of the algorithm. Only approved curves should be used.
Security Control: 1446; Revision: 1; Updated: Sep-18; Applicability: O, P
When using elliptic curve cryptography, a curve from FIPS 186-4 is used.
Using Elliptic Curve Diffie-Hellman
When using a curve from FIPS 186-4, a base point order and key size of at least 224 bits for correctly implemented ECDH provides 112 bits of effective security strength. Security of a curve selected from another source cannot be assumed to have the same security using base point order and key size alone.
Security Control: 0474; Revision: 5; Updated: Dec-20; Applicability: O, P
When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used.
Using the Elliptic Curve Digital Signature Algorithm
When using a curve from FIPS 186-4, a base point order and key size of 224 bits for correctly implemented ECDSA provides 112 bits of effective security strength. Security of a curve selected from another source cannot be assumed to have the same security using base point order and key size alone.
Security Control: 0475; Revision: 5; Updated: Dec-20; Applicability: O, P
When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used.
Using Rivest-Shamir-Adleman
A modulus of 2048 bits for correctly implemented RSA provides 112 bits of effective security strength. Taking into account projected technological advances, it is assessed that 112 bits of effective security strength will remain secure until 2030.
Security Control: 0476; Revision: 6; Updated: Dec-20; Applicability: O, P
When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used.
Security Control: 0477; Revision: 6; Updated: Sep-18; Applicability: O, P
When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used.
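The key-size controls above can be checked mechanically on any parsed public key. The following Go program is an added illustration, not part of the ISM: it uses only Go's standard library, and the function names, the constants and the curve list are this example's own (the list covers the FIPS 186-4 prime curves that Go implements; Go's standard library does not implement the FIPS 186-4 binary curves).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// Minimum sizes from controls 0476 and 0474/0475: a 2048-bit RSA modulus
// and a 224-bit base point order for ECDH/ECDSA.
const (
	minRSAModulusBits   = 2048
	minECBasePointOrder = 224
)

// fips186Curves holds the FIPS 186-4 prime curves that Go implements;
// a key on any other curve is rejected (control 1446).
var fips186Curves = map[string]bool{"P-224": true, "P-256": true, "P-384": true, "P-521": true}

// rsaKeyApproved checks the modulus length of an RSA public key.
func rsaKeyApproved(pub *rsa.PublicKey) bool {
	return pub.N.BitLen() >= minRSAModulusBits
}

// ecKeyApproved checks that an EC public key (ECDSA, or ECDH on the same
// curve) is on an approved curve whose base point order N is long enough.
func ecKeyApproved(pub *ecdsa.PublicKey) bool {
	p := pub.Curve.Params()
	return fips186Curves[p.Name] && p.N.BitLen() >= minECBasePointOrder
}

func main() {
	rsa1024, _ := rsa.GenerateKey(rand.Reader, 1024) // below the control's minimum
	rsa2048, _ := rsa.GenerateKey(rand.Reader, 2048)
	p224, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("RSA-1024 approved:", rsaKeyApproved(&rsa1024.PublicKey)) // false
	fmt.Println("RSA-2048 approved:", rsaKeyApproved(&rsa2048.PublicKey)) // true
	fmt.Println("P-224 approved:   ", ecKeyApproved(&p224.PublicKey))     // true
	fmt.Println("P-256 approved:   ", ecKeyApproved(&p256.PublicKey))     // true
}
```

In practice the public keys would come from x509.ParseCertificate or x509.ParsePKIXPublicKey rather than being generated in place.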
Approved symmetric encryption algorithms
The use of Electronic Codebook Mode with block ciphers allows repeated patterns in plaintext to appear as repeated patterns in ciphertext. Most plaintext, including written language and formatted files, contains significant repeated patterns. As such, an adversary can use this to deduce possible meanings of ciphertext. The use of other modes such as Galois/Counter Mode, Cipher Block Chaining, Cipher Feedback or Output Feedback can prevent such attacks, although each has different properties which can make them inappropriate for certain use cases.
Security Control: 0479; Revision: 4; Updated: Sep-18; Applicability: O, P
Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.
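The pattern leakage described above can be made visible by encrypting the same repeated plaintext under ECB and under an approved mode. The following Go program is an added illustration, not part of the ISM: it hand-rolls ECB from the raw AES block function (Go's standard library has no ECB mode), compares it with AES-GCM, and uses a constructed key, nonce and plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encryptECB applies the raw block function to each block in turn. It is
// written here only to show the leakage the control guards against.
func encryptECB(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:], plaintext[i:])
	}
	return out
}

// distinctBlocks counts the different blocks in a ciphertext; under ECB a count below the block total reveals repeated plaintext.
func distinctBlocks(ciphertext []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(ciphertext); i += bs {
		seen[string(ciphertext[i:i+bs])] = true
	}
	return len(seen)
}

// compareModes encrypts the same plaintext under AES-ECB and AES-GCM and
// returns each ciphertext's distinct-block count (GCM's tag is dropped).
func compareModes(key, nonce, plaintext []byte) (ecbDistinct, gcmDistinct int) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a 128-bit block cipher
	gcmCT := gcm.Seal(nil, nonce, plaintext, nil)
	gcmCT = gcmCT[:len(gcmCT)-gcm.Overhead()]
	return distinctBlocks(encryptECB(block, plaintext), aes.BlockSize), distinctBlocks(gcmCT, aes.BlockSize)
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16)                    // constructed 128-bit key
	nonce := bytes.Repeat([]byte{0x22}, 12)                  // constructed 96-bit nonce; never reuse under one key
	plaintext := bytes.Repeat([]byte("SAME 16-BYTE ROW"), 4) // four identical 16-byte blocks
	ecbN, gcmN := compareModes(key, nonce, plaintext)
	fmt.Printf("ECB: %d distinct of 4 blocks; GCM: %d distinct of 4 blocks\n", ecbN, gcmN)
}
```

Four identical plaintext blocks collapse to a single repeated ciphertext block under ECB, while GCM's counter keystream gives four different blocks; the same comparison holds for CBC, CFB and OFB with a fresh IV.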
Using the Triple Data Encryption Standard
Using three distinct keys for 3DES is deemed the only secure option for practical purposes. All other keying options are susceptible to attacks that reduce the security of 3DES and are therefore not deemed secure. Where practical, organisations should use an approved implementation of AES, instead of 3DES.
Security Control: 0480; Revision: 6; Updated: Sep-18; Applicability: O, P
3DES is used with three distinct keys.
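Libraries generally do not enforce the three-distinct-keys requirement themselves, so it has to be checked where keys are loaded. The following Go program is an added illustration, not part of the ISM: the check function is this example's own, the keys are constructed, and it also shows why the all-equal keying option is rejected, since 3DES with one key repeated three times produces the same ciphertext as single DES.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// tripleDESKeyApproved reports whether a 24-byte 3DES key bundle uses three
// distinct 8-byte keys (keying option 1, the only option control 0480
// allows). des.NewTripleDESCipher accepts K1=K3 (option 2) and K1=K2=K3
// (option 3) without complaint, so the caller has to check.
func tripleDESKeyApproved(key []byte) bool {
	if len(key) != 24 {
		return false
	}
	k1, k2, k3 := key[0:8], key[8:16], key[16:24]
	return !bytes.Equal(k1, k2) && !bytes.Equal(k2, k3) && !bytes.Equal(k1, k3)
}

// degradesToSingleDES shows what option 3 costs: with one key used three
// times, E_k(D_k(E_k(m))) collapses to E_k(m), so the 3DES output equals
// plain single DES on the same block.
func degradesToSingleDES(k, block []byte) bool {
	single, err := des.NewCipher(k)
	if err != nil {
		panic(err)
	}
	triple, err := des.NewTripleDESCipher(bytes.Repeat(k, 3))
	if err != nil {
		panic(err)
	}
	out1, out3 := make([]byte, 8), make([]byte, 8)
	single.Encrypt(out1, block)
	triple.Encrypt(out3, block)
	return bytes.Equal(out1, out3)
}

func main() {
	k := []byte("01234567") // constructed 64-bit DES key
	fmt.Println("K1=K2=K3 approved:  ", tripleDESKeyApproved(bytes.Repeat(k, 3)))                 // false
	fmt.Println("K1=K3 approved:     ", tripleDESKeyApproved([]byte("01234567ABCDEFGH01234567"))) // false
	fmt.Println("distinct approved:  ", tripleDESKeyApproved([]byte("01234567ABCDEFGHabcdefgh"))) // true
	fmt.Println("3DES(k,k,k)==DES(k):", degradesToSingleDES(k, []byte("BLOCK-01")))               // true
}
```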
Protecting highly classified information
ASD has approved the following cryptographic algorithms for the protection of highly classified information when used in an evaluated implementation.
Recommended algorithms and key sizes should be given preference in order to ensure interoperability with the Commercial National Security Algorithm (CNSA) Suite.
Purpose             Algorithm  Approved for SECRET   Approved for TOP SECRET  Recommended
Encryption          AES        AES-128               AES-256                  AES-256
Hashing             SHA-2      SHA-256               SHA-384                  SHA-384
Digital signatures  ECDSA      NIST P-256            NIST P-384               NIST P-384
                    RSA        3072-bit key          3072-bit key             3072-bit key
Key exchange        DH         3072-bit key          3072-bit key             3072-bit key
                    ECDH       NIST P-256            NIST P-384               NIST P-384
                    RSA        3072-bit key          3072-bit key             3072-bit key
Security Control: 1232; Revision: 5; Updated: May-19; Applicability: S, TS
AACAs are used in an evaluated implementation.
Security Control: 1468; Revision: 5; Updated: Oct-19; Applicability: S, TS
Preference is given to using the CNSA Suite algorithms and key sizes.
Further information
Further information on selecting evaluated products can be found in the evaluated product acquisition section of the Guidelines for Evaluated Products.
Further information on DH can be found in Diffie, W and Hellman, ME, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. 22, is. 6, pp. 644-654, November 1976.
Further information on DSA can be found in FIPS 186-4, Digital Signature Standard (DSS), at https://csrc.nist.gov/publications/detail/fips/186/4/final.
Further information on ECDH can be found in:
- American National Standards Institute (ANSI) X9.63-2011 (R2017), Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography, at https://infostore.saiglobal.com/en-au/Standards/ANSI-X9-63-2011-R2017-2086_SAIG_ABA_ABA_5343/
- ANSI X9.42-2003 (R2013), Public Key Cryptography for the Financial Services Industry, Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, at https://infostore.saiglobal.com/en-au/Standards/ANSI-X9-42-2003-R2013-2071_SAIG_ABA_ABA_5311/
- NIST SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, at https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final.
Further information on ECDSA can be found in:
- ANSI X9.63-2011 (R2017), Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography, at https://infostore.saiglobal.com/en-au/Standards/ANSI-X9-63-2011-R2017-2086_SAIG_ABA_ABA_5343/
- ANSI X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), at https://infostore.saiglobal.com/en-au/Standards/ANSI-X9-62-2005-2085_SAIG_ABA_ABA_5340/
- FIPS 186-4, Digital Signature Standard (DSS), at https://csrc.nist.gov/publications/detail/fips/186/4/final.
Further information on the CNSA Suite can be found in the CNSA Suite and Quantum Computing FAQ at https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm.
Further information on RSA can be found in Internet Engineering Task Force (IETF) Request for Comments (RFC) 8017, PKCS #1: RSA Cryptography Specifications Version 2.2, at https://tools.ietf.org/html/rfc8017.
Further information on SHA can be found in FIPS 180-4, Secure Hash Standard (SHS), at https://csrc.nist.gov/publications/detail/fips/180/4/final.
Further information on AES can be found in FIPS 197, Advanced Encryption Standard (AES), at https://csrc.nist.gov/publications/detail/fips/197/final.