Skip to main content

This section of the ISM provides guidance on cryptographic fundamentals.

Purpose of cryptography

The purpose of cryptography is to provide confidentiality, integrity, authentication and non-repudiation of information. Confidentiality protects information by making it unreadable to all but authorised users, integrity protects information from accidental or deliberate manipulation, authentication ensures that a person or entity is who they claim to be, and non-repudiation provides proof that a user performed an action and prevents them from denying that they did so.

Using encryption

Encryption of data at rest can be used to reduce the physical storage and handling requirements for ICT equipment and media while encryption of data in transit can be used to provide protection for sensitive or classified information communicated over public network infrastructure.

When organisations use encryption for data at rest, or data in transit, they are not reducing the sensitivity or classification of information. However, as the information is encrypted, the consequences of the encrypted information being accessed by an adversary is considered to be less. Therefore, physical storage and handling requirements applied to the encrypted information can be reduced. As the sensitivity or classification of the unencrypted information does not change, additional layers of encryption cannot be used to further lower physical and handling requirements.

Additional cryptographic requirements

These guidelines describe the general use of cryptography. The Australian Signals Directorate (ASD) may specify additional requirements in consumer guides for cryptographic equipment or encryption software once they have completed an ASD Cryptographic Evaluation (ACE). Such requirements supplement these guidelines and where conflicts occur take precedence.

International standards for cryptographic modules

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 19790:2012, Information technology – Security techniques – Security requirements for cryptographic modules, and ISO/IEC 24759:2017, Information technology – Security techniques – Test requirements for cryptographic modules, are international standards for the design and validation of hardware and software cryptographic modules.

Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules, is a United States standard based upon ISO/IEC 19790:2012, ISO/IEC 24759:2017 and the National Institute of Standards and Technology (NIST) Special Publication (SP) 180-140 series.

Where a cryptographic module’s functionality has been validated under FIPS 140-2, FIPS 140-3 or ISO/IEC 19790:2012, ASD can at its discretion reduce the scope of an ACE.

High Assurance Cryptographic Equipment

High Assurance Cryptographic Equipment (HACE) is used by organisations to protect highly classified information. HACE is designed to lower the physical storage and handling requirements of highly classified information using cryptography. Due to the sensitive nature of HACE, and the limited information publicly available on it, organisations must contact the Australian Cyber Security Centre (ACSC) before using it.

Reducing physical storage and handling requirements

When encryption is applied to information it provides an additional layer of defence. Encryption does not change the sensitivity or classification of the information, but when encryption is used, the physical storage and handling requirements of ICT equipment and media may be reduced.

Security Control: 1161; Revision: 4; Updated: Sep-18; Applicability: O
Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information.

Security Control: 0457; Revision: 5; Updated: Sep-18; Applicability: P
Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information.

Security Control: 0460; Revision: 8; Updated: Sep-18; Applicability: S, TS
HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information.

Encrypting information at rest

Full disk encryption provides a greater level of protection than file-based encryption. While file-based encryption may encrypt individual files, there is the possibility that unencrypted copies of files may be left in temporary locations used by an operating system.

Security Control: 0459; Revision: 3; Updated: Sep-18; Applicability: O, P
Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition.

Security Control: 0461; Revision: 5; Updated: Sep-18; Applicability: S, TS
HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition.

Encrypting particularly important information at rest

Due to the sensitivities associated with Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information, this information needs to be encrypted when at rest.

Security Control: 1080; Revision: 2; Updated: Sep-18; Applicability: S, TS
In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system.

Data recovery

The requirement for cryptographic equipment and encryption software to provide a key escrow function, where practical, was issued under a cabinet directive in July 1998.

Security Control: 0455; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.

Handling encrypted ICT equipment and media

When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, the encrypted information becomes accessible. At such a time, the ICT equipment or media should be handled according to its original sensitivity or classification. Once the user deauthenticates from encryption functionality (e.g. shuts down a device, activates a lock screen) the ICT equipment or media can return to potentially being handled at a lower level.

Security Control: 0462; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality.

Encrypting information in transit

Where insufficient physical security is provided for the protection of information communicated over network infrastructure or via wireless networks, encryption can be used to assist in protecting such information from compromise.

Security Control: 1162; Revision: 3; Updated: Sep-18; Applicability: O
Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces.

Security Control: 0465; Revision: 6; Updated: Sep-18; Applicability: P
Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces.

Security Control: 0467; Revision: 8; Updated: Sep-18; Applicability: S, TS
HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces.

Encrypting particularly important information in transit

Due to the sensitivities associated with AUSTEO and AGAO information, it needs to be encrypted when being communicated across network infrastructure.

Security Control: 0469; Revision: 3; Updated: Sep-18; Applicability: S, TS
In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure.

Further information

Further information on selecting evaluated products can be found in the evaluated product acquisition section of the Guidelines for Evaluated Products.

Further information on the use of HACE can be found in Australian Communications Security Instructions (ACSIs). ACSIs include requirements for the approved use of HACE and can be provided to organisations by the ACSC upon request.

Further information on the storage and transfer of ICT equipment and media can be found in the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF), Physical security for entity resources policy, at https://www.protectivesecurity.gov.au/physical/physical-security-entity-resources/Pages/default.aspx.

Further information on the ACE program is available at https://www.cyber.gov.au/acsc/view-all-content/programs/asd-cryptographic-evaluation-program.

Further information on international standards for cryptographic modules and their evaluation can be found in: