Encryption

Overview

This page contains recommendations for choosing an encryption algorithm, key length, cryptographic parameters and materials, and implementation features.

General

• Do not implement custom cryptographic algorithms.

• Use only public algorithms that have been proven to be strong, such as AES, RSA or Curve25519.

• The main criterion for choosing an encryption algorithm and the key length is the required level of security. That is, the longer data must remain encrypted, the stronger algorithm must be used. The strength of an algorithm is determined by the presence of effective attacks on it and the key length used. Table 2: Comparable strengths from the Recommendation for Key Management compares security levels for approved algorithms and key lengths.

• The implementation of a cryptographic algorithm should be widely distributed and developed with the involvement of a cryptographic expert.

• Use cryptographically strong random number generators to generate all random values that are used as cryptographic parameters such as initialization vectors, nonces, keys, etc., see the Cryptography: Random Generators page.

• Use nonces, initialization vectors, and other single-use numbers only once with a given encryption key.

• Comply with requirements from the Cryptography: Cryptographic Keys Management page.

• Log errors in cryptography components, see the Logging and Monitoring page.

• Comply with requirements from the Error and Exception Handling page.

• Use FIPS 140-2 or PCI DSS certified implementations of cryptographic algorithms.

Symmetric

• The minimum allowed symmetric encryption algorithm is AES/128/GCM.

• Use only NIST-approved encryption modes such as CCM, GCM, CTR, or CBC.

• Do not use ECB encryption mode.

• When using Authenticated Encryption and Authenticated Encryption with Associated Data encryption forms:

  • Use CCM or GCM encryption modes.

  • If CCM and GCM modes are not available:

    • Use block encryption in CBC mode and the Encrypt-then-MAC technique with the Hash-based message authentication code (HMAC).

    • Do not use CBC-MAC with variable-length data.

• Use nonces, initialization vectors, and other single-use numbers only once with a given encryption key.

• Use PKCS7 padding.

• The minimum allowed symmetric encryption algorithm is AES/256/GCM.

• Use Authenticated Encryption and Authenticated Encryption with Associated Data encryption forms.

Asymmetric

• The minimum allowed asymmetric encryption algorithm is RSA/2048/SHA256.

• Use elliptical curve cryptography (ECC) with a secure curve that provides at least 128 bits of security strength, such as secp256r1.

• The minimum allowed asymmetric encryption algorithm is RSA/3072/SHA256.

• Use elliptical curve cryptography (ECC) with a secure curve that provides at least 256 bits of security strength, such as secp521r1.

Encryption implementation

Go

Use the crypto package to implement cryptographic operations.

AES/256/GCM encryption and decryption

import (
    "crypto/aes"
    "crypto/cipher"
)

func Encrypt(aes256key []byte, nonce []byte, plaintext []byte) ([]byte, error) {
    // The key argument should be either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
    block, err := aes.NewCipher(aes256key)
    if err != nil {
        return nil, err
    }
    aesgcm, err := cipher.NewGCM(block)
    if err != nil {
        return nil, err
    }
    return aesgcm.Seal(nil, nonce, plaintext, nil), nil
}

func Decrypt(aes256key []byte, nonce []byte, ciphertext []byte) ([]byte, error) {
    // The key argument should be either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
    block, err := aes.NewCipher(aes256key)
    if err != nil {
        return nil, err
    }
    aesgcm, err := cipher.NewGCM(block)
    if err != nil {
        return nil, err
    }
    plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
    if err != nil {
        return nil, err
    }
    return plaintext, nil
}

RSA/2048/SHA256 encryption and decryption

import (
    "crypto/rsa"
    "crypto/sha256"
    "crypto/rand"
)

func Encrypt(rsa2048Key *rsa.PublicKey, plaintext []byte, label []byte) ([]byte, error) {
    // crypto/rand.Reader is a good source of entropy for randomising the encryption function
    rng := rand.Reader
    hash := sha256.New()
    ciphertext, err := rsa.EncryptOAEP(hash, rng, rsa2048Key, plaintext, label)
    if err != nil {
        return nil, err
    }
    return ciphertext, nil
}

func Decrypt(rsa2048Key *rsa.PrivateKey, ciphertext []byte, label []byte) ([]byte, error) {
    // crypto/rand.Reader is a good source of entropy for randomising the encryption function
    rng := rand.Reader
    hash := sha256.New()
    plaintext, err := rsa.DecryptOAEP(hash, rng, rsa2048Key, ciphertext, label)
    if err != nil {
        return nil, err
    }
    return plaintext, nil
}