Protecting sensitive data, networks, and systems is among the most difficult tasks institutions face. Protective mechanisms, cryptographic mechanisms in particular, have evolved over the years: as intrusions progressed from the earliest attacks to those of today, the mechanisms and algorithms had to be developed and improved in step, and they have now reached a level of complexity that adds real security to systems and data and prevents attackers from overcoming them.
The National Cybersecurity Authority (NCA) defines national standards that set the minimum acceptable cryptographic requirements for providing the required degree of protection for national data, systems, and networks through cryptographic mechanisms for civil and commercial purposes, and for strengthening the national use of cryptography so that it contributes to the protection of cyberspace at the Kingdom level.
Importance of the National Cryptographic Standards (NCS)
- These standards are the main reference that defines the minimum cryptographic requirements for civil and commercial purposes, covering:
- Accepted symmetric and asymmetric cryptographic primitives.
- Accepted symmetric and asymmetric cryptographic schemes.
- Requirements for commonly used cryptographic protocols.
- Public key infrastructure.
- Key lifecycle management.
- Implementing the national cryptographic standards helps significantly to:
- Protect data while it is stored, processed, and transmitted.
- Protect national systems and networks.
Scope of National Cryptographic Standards (NCS)
The National Cybersecurity Authority (NCA) requires all national entities to comply with the minimum cryptographic requirements for civil and commercial purposes and to ensure that they are using appropriate cryptographic systems.
It is also essential that entities committed to these standards implement them correctly and securely, in order to avoid the security vulnerabilities that result from implementation errors.
The National Cryptographic Standards define two strength levels: the MODERATE level (the baseline) and the ADVANCED level, to allow flexible and efficient implementation.
Each national entity must choose and implement the appropriate level of cryptography based on the nature and sensitivity of the data, systems, and networks to be protected.
Components of the National Cryptographic Standards
The national cryptographic standards define the following:
- Accepted cryptographic primitives, including the key, block, and initialization vector sizes for each of:
- Symmetric algorithms, such as stream and block ciphers.
- Asymmetric algorithms.
- Hash functions.
- Lightweight cryptographic algorithms.
- Accepted cryptographic schemes:
- Cipher modes of operation.
- Message Authentication Codes (MAC).
- Authenticated Encryption with Associated Data (AEAD).
- Key wrap functions (KWF).
- Key derivation functions (KDF).
- Key agreement and key transport.
- Hybrid encryption schemes.
- Public key signatures.
- Requirements for commonly used cryptographic protocols.
The standards set accepted technical requirements for a selected list of commonly used cryptographic protocols; these protocols are covered in the frequently asked questions section.
- Algorithms and requirements for certificates and their validity.
- Requirements for the key lifecycle management (KLM) steps.
These ensure that keys are managed securely from the moment they are generated until they are destroyed, and that they are used in accordance with the standard throughout the necessary processes and procedures.
- Pseudo-Random Number Generation (PRNG).
- Post-Quantum Cryptography.
- Side-channel attacks.
The standards select a set of countermeasures to minimize these attacks, such as:
- Performing cryptographic operations in certified hardware components.
- Carrying out a comprehensive analysis of the effect of side channels on the hardware components.
- Protecting all ciphertext with a message authentication code (MAC), and verifying the ciphertext's MAC before performing any other cryptographic operation on it.
How can Renad AlMajed for information technology (RMG) help you?
Renad AlMajed for information technology (RMG) has succeeded in being among the earliest companies able to implement the National Cryptographic Standards (NCS), through its group of experts and consultants. The company provides many services, including:
- Maturity assessment.
- Implementation of the National Cryptographic Standards (NCS).
- Development of the policies and procedures appropriate to each organization.
- Development of performance indicators.
- Assurance services.
- Training and knowledge transfer services.
CONTACT US TODAY AND WE WILL BE HAPPY TO SERVE YOU
Frequently asked questions
First: symmetric algorithms.
- Stream cipher algorithms, which include:
- SNOW 2.0 (ISO/IEC 18033-4).
- SOSEMANUK (eSTREAM).
The initialization vector (IV) must be at least 128 bits.
A different initialization vector (IV) must be used for every encryption under the same key.
A key/IV pair must never be reused.
Correct decryption is not a means of verifying authenticity: a stream cipher provides no integrity protection on its own.
Block cipher algorithms:
- AES (FIPS 197).
- Camellia (ISO/IEC 18033-3).
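The stream-cipher rules above (a fresh IV for every encryption under a key; correct decryption proves nothing about authenticity) and the side-channel countermeasure listed earlier on the page (MAC every ciphertext and verify it before any other cryptographic operation) fit together in one construction. The following Go program is an added example written for this page, not code from the NCS or from RMG. It uses AES-128 in CTR mode as a stand-in keystream cipher (SNOW 2.0 and SOSEMANUK have no Go standard-library implementation) with HMAC-SHA256 in encrypt-then-MAC order, refuses to reuse an IV under the same key, and verifies the tag in constant time before decrypting. The keys and the message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const ivSize = 16 // 128-bit IV, the NCS minimum for the stream algorithms

// EtMSender encrypts with AES-128-CTR (a keystream cipher, like the stream
// algorithms above) and authenticates with HMAC-SHA256, encrypt-then-MAC. It
// refuses to reuse an IV under its key: a repeated key/IV pair is a two-time pad.
type EtMSender struct {
	encKey, macKey []byte
	used           map[[ivSize]byte]bool
}

func NewEtMSender(encKey, macKey []byte) *EtMSender {
	return &EtMSender{encKey: encKey, macKey: macKey, used: map[[ivSize]byte]bool{}}
}

// mac computes HMAC-SHA256 over iv || ciphertext.
func mac(macKey, ivAndCT []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ivAndCT)
	return m.Sum(nil)
}

// Seal returns iv || ciphertext || tag; it errors on a wrong-size or reused IV.
func (s *EtMSender) Seal(iv, plaintext []byte) ([]byte, error) {
	if len(iv) != ivSize {
		return nil, errors.New("iv must be 128 bits")
	}
	var k [ivSize]byte
	copy(k[:], iv)
	if s.used[k] {
		return nil, errors.New("iv already used under this key; refusing to create a two-time pad")
	}
	s.used[k] = true
	ct, err := ctrXOR(s.encKey, iv, plaintext)
	if err != nil {
		return nil, err
	}
	body := append(append([]byte{}, iv...), ct...)
	return append(body, mac(s.macKey, body)...), nil
}

// Open verifies the tag in constant time BEFORE touching the ciphertext (the
// "verify before any other cryptographic operation" rule), then decrypts.
func Open(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < ivSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	if !hmac.Equal(tag, mac(macKey, body)) {
		return nil, errors.New("authentication failed; ciphertext was not decrypted")
	}
	return ctrXOR(encKey, body[:ivSize], body[ivSize:])
}

// ctrXOR is bare AES-CTR in either direction. It never fails on tampered input,
// which is why "it decrypted correctly" proves nothing about authenticity.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

func main() {
	// Constructed demo keys; real keys come from a KDF or a key-management system.
	encKey, macKey := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32)
	s := NewEtMSender(encKey, macKey)
	iv := make([]byte, ivSize)
	if _, err := rand.Read(iv); err != nil { // fresh IV from the system CSPRNG
		panic(err)
	}
	msg, _ := s.Seal(iv, []byte("PAY 100 SAR"))
	pt, err := Open(encKey, macKey, msg)
	fmt.Printf("genuine message: %q err=%v\n", pt, err)
	// Flip one ciphertext bit: bare CTR still "decrypts", Open rejects it.
	tampered := append([]byte{}, msg...)
	tampered[ivSize+4] ^= 0x01
	raw, _ := ctrXOR(encKey, tampered[:ivSize], tampered[ivSize:len(tampered)-sha256.Size])
	fmt.Printf("bare CTR on tampered data: %q\n", raw)
	_, err = Open(encKey, macKey, tampered)
	fmt.Println("Open on tampered data:", err)
	_, err = s.Seal(iv, []byte("second message, same IV"))
	fmt.Println("IV reuse:", err)
}
```

Running it shows the point of the rule: bare CTR decryption of the tampered message returns a plausible but altered amount with no error, while Open refuses it before any decryption happens. Decrypting first and checking afterwards is what hands an attacker a decryption oracle, so the order matters; in production an AEAD mode from the accepted-schemes list does the same job in one primitive.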
Second: asymmetric algorithms.
Third: hash functions.
Hash functions must be pre-image resistant (one-way), second pre-image resistant, and collision resistant.
For SHAKE128, the output length d must be at least 256 bits.
For SHAKE256, the output length d must be at least 512 bits.
Fourth: lightweight cryptographic algorithms.
- Block ciphers (ISO/IEC 29192-2): PRESENT, CLEFIA.
- Stream ciphers (ISO/IEC 29192-3): Enocoro, Trivium.
- Asymmetric mechanisms (ISO/IEC 29192-4): the unilateral authentication mechanism, ALIKE (authenticated lightweight key exchange), and the identity-based signature mechanism.
- Hash functions (ISO/IEC 29192-5): PHOTON, SPONGENT, Lesamnta-LW.
- Message Authentication Codes (MAC) (ISO/IEC 29192-6): Tsudik's keymode, Chaskey-12.
- Using hardware cryptographic modules:
- Private keys must not be valid for more than 5 years at the MODERATE level.
- Private keys must not be valid for more than 3 years at the ADVANCED level.
- Using software cryptographic modules:
- Private keys must not be valid for more than 2 years at the MODERATE level.
- Not accepted at the ADVANCED level.
- Secret and private keys must not be predictable or biased.
- Weak keys must not be used.
- Generating private and public keys requires prime numbers with additional mathematical properties.
Key registration/certification.
- Keys must be bound to their owner through a certificate.
- Root certificates must be distributed to relying parties and signatories.
- A trusted certificate authority (CA) must be used.
Key distribution and installation.
- Keys must be distributed to their users securely, with their confidentiality and integrity protected.
- All copies of keys must be installed and stored securely.
- Public keys must be transported with their authenticity protected by certificates.
- Private keys must be protected and authorized by the owner, a trusted third party, or the certificate authority (CA).
- Keys must be protected against unauthorized use throughout their lifetime.
- Keys must be protected against misuse by their owners.
- Entities must keep secure backups of keys for as long as the cryptographic algorithms are still supported.
- Keys used for non-repudiation must be under the sole control of the user.
Key revocation/validation.
- In distributed systems, revocation must rely on dedicated measures such as up-to-date Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP).
- Key validation must be performed by checking the CRL or the OCSP servers.
- The archival process must be secured, with confidentiality ensured to preserve the secrecy of cryptographic material.
- Expired keys must be archived so that old data remains accessible.
- Archival systems must follow the retention periods set by the relevant regulations.
- When a key's lifetime expires and there is no need to archive or store it, it must be removed from the hardware through a secure deletion process.
- Storage media that held keys must be sanitized when they are destroyed.
- There must be accounting for all asymmetric keys.
- The use of asymmetric keys must be monitored.
- There must be accounting for key use.
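The private-key lifetime limits above (5 and 3 years in hardware modules at MODERATE and ADVANCED, 2 years in software at MODERATE, software not accepted at ADVANCED) and the revocation/validation rules (check an up-to-date CRL or OCSP) can be enforced in one validation routine. The following Go program is an added example for this page, not NCS or RMG code. It builds a throwaway root CA, leaf certificate and CRL with the Go standard library (constructed test data), then validates the leaf by chaining it to the root, comparing its validity window to the NCS limit for the chosen module type and level, and checking a correctly signed, not-yet-expired CRL for its serial number. The 365-day year, the "MODERATE"/"ADVANCED" strings, the 7-day CRL refresh window and the certificate names are assumptions made for the example; OCSP is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const year = 365 * 24 * time.Hour // the NCS limits are stated in years

// MaxPrivateKeyLifetime is the NCS cap on private-key validity for a key held
// in a hardware or software cryptographic module at the given strength level.
func MaxPrivateKeyLifetime(hardwareModule bool, level string) (time.Duration, error) {
	switch {
	case hardwareModule && level == "MODERATE":
		return 5 * year, nil
	case hardwareModule && level == "ADVANCED":
		return 3 * year, nil
	case level == "MODERATE":
		return 2 * year, nil
	case level == "ADVANCED":
		return 0, fmt.Errorf("software cryptographic modules are not accepted at ADVANCED level")
	}
	return 0, fmt.Errorf("unknown level %q", level)
}

// ValidateCert is the key-validation step: chain to the trusted root, validity
// window within the NCS limit, and serial absent from a signed, current CRL.
func ValidateCert(leaf, root *x509.Certificate, crl *x509.RevocationList,
	hardwareModule bool, level string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	limit, err := MaxPrivateKeyLifetime(hardwareModule, level)
	if err != nil {
		return err
	}
	if got := leaf.NotAfter.Sub(leaf.NotBefore); got > limit {
		return fmt.Errorf("validity period %v exceeds NCS limit %v", got, limit)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL is not evidence of anything
		return fmt.Errorf("crl expired at %v: fetch the current CRL or query OCSP", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI makes a self-signed root, a leaf with the given lifetime and a
// CRL that optionally revokes the leaf. Constructed test data for this example.
func BuildDemoPKI(now time.Time, leafLifetime time.Duration, revokeLeaf bool) (leaf, root *x509.Certificate, crl *x509.RevocationList) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now, NotAfter: now.Add(10 * year), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "signer.example"},
		NotBefore: now, NotAfter: now.Add(leafLifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTpl, root, &leafKey.PublicKey, rootKey))))
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour)}
	if revokeLeaf {
		crlTpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTpl, root, rootKey))))
	return
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	leaf, root, crl := BuildDemoPKI(now, 4*year, false) // a 4-year leaf certificate
	fmt.Println("hardware/MODERATE:", ValidateCert(leaf, root, crl, true, "MODERATE", now))
	fmt.Println("hardware/ADVANCED:", ValidateCert(leaf, root, crl, true, "ADVANCED", now))
	fmt.Println("software/ADVANCED:", ValidateCert(leaf, root, crl, false, "ADVANCED", now))
}
```

The same 4-year certificate passes at hardware/MODERATE (limit 5 years) and fails at hardware/ADVANCED (limit 3 years) and at software/ADVANCED (not accepted at all), which is the kind of check an auditor runs over an entity's issued certificates. Note that ValidateCert treats a CRL past its NextUpdate as a failure rather than as "not revoked": the rule above calls for an updated CRL or an OCSP response, not whatever copy happens to be cached.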