Summary of cryptographic algorithms - according to NIST (2024)

A system's cryptographic protection against attacks and malicious penetration is determined by two factors: (1) the strength of the keys and the effectiveness of mechanisms and protocols associated with the keys; and (2) the protection of the keys through key management (secure key generation, storage, distribution, use and destruction).

Strong algorithms combined with poor key management are as likely to fail as poor algorithms embedded in a strong key management context.

This article sheds light on cryptographic algorithms (the mechanisms and protocols associated with the keys) and aims to provide an executive summary of what to consider when choosing cryptographic algorithms to secure a system. Our structure is based on NIST’s Special Publication 800-57 Part 1, Revision 4, “Recommendation for Key Management, Part 1”. Initially written as a guideline for U.S. government agencies protecting sensitive, unclassified information, NIST’s work provides a valuable synthesis of best practices.

Narrowing the Pool of Algorithms

According to NIST, if cryptographic services are required, cryptographic algorithms that are either FIPS-approved or NIST-recommended must be used. These algorithms have undergone extensive security analysis and are continually tested to ensure adequate security. Cryptographic algorithms usually use cryptographic keys, and when such an algorithm needs to be strengthened, this can often be done by using larger keys.

Classes of Cryptographic Algorithms

There are three general classes of NIST-approved cryptographic algorithms, which are defined by the number or types of cryptographic keys that are used with each.

Hash functions

A cryptographic hash function does not use keys for its basic operation. This function creates a small digest or “hash value” from often large amounts of data through a one-way process. Hash functions are generally used to create the building blocks that are used in key management and provide security services such as:

  • Providing source and integrity authentication services by generating message authentication codes (MACs)
  • Compressing messages for generating and verifying digital signatures
  • Deriving keys in key-establishment algorithms
  • Generating deterministic random numbers

Symmetric-key algorithms

Also referred to as a secret-key algorithm, a symmetric-key algorithm transforms data to make it extremely difficult to view without possessing a secret key.

The key is called symmetric because the same key is used for both encrypting and decrypting. Such keys are usually known only to one or more authorized entities. Symmetric-key algorithms are used for:

  • Providing data confidentiality by using the same key for encrypting and decrypting data.
  • Providing Message Authentication Codes (MACs) for source and integrity authentication services. The key is used to create the MAC and then to validate it.
  • Establishing keys during key-establishment processes
  • Generating deterministic random numbers

Asymmetric-key algorithms

Also referred to as public-key algorithms, asymmetric-key algorithms use paired keys (a public and a private key) in performing their function. The public key is known to all, but the private key is controlled solely by the owner of that key pair. The private key cannot feasibly be computed from the public key, even though the two are mathematically related. Asymmetric algorithms are used for:

  • Computing digital signatures
  • Establishing cryptographic keying material
  • Identity Management

Security Services Provided by Cryptographic Algorithms

Various cryptographic algorithms can be used to provide specific security services. A single algorithm can frequently be used for multiple services.

Hash Functions

A hash function is often a component of many cryptographic algorithms and schemes, including digital signature algorithms, Keyed-Hash Message Authentication Codes (HMAC), key-derivation functions/methods and random number generators. A hash function takes an input of arbitrary (but bounded) length and generates an output of fixed length. This output is often referred to as the hash, hash value, message digest or digital fingerprint. FIPS 180 (Secure Hash Standard) and FIPS 202 (SHA-3 Standard) define the approved hash functions.
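The following Python, added here as an example (it is neither the article's nor NIST's code), uses only the standard library to show two of the hash-function roles listed above: a fixed-length, one-way digest of arbitrary input, and key derivation. The key-derivation function is HKDF as specified in RFC 5869, built from HMAC-SHA-256, and it is checked against the RFC's first published test vector. The function names, the service labels and the master secret are constructed for this illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256          # FIPS 180-4 approved hash; 32-byte digest
HASH_LEN = HASH().digest_size


def sha256_hex(data: bytes) -> str:
    """One-way, fixed-length digest of an arbitrary-length input."""
    return HASH(data).hexdigest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies.
    """
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF can derive at most 255 * HASH_LEN bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_service_keys(master_secret: bytes, salt: bytes) -> dict:
    """Derive independent keys for two purposes from one secret.

    The 'info' label binds each output to its purpose, so the encryption key
    and the MAC key differ although they share the same input keying material.
    The labels are constructed for this example.
    """
    return {
        "enc": hkdf(master_secret, salt, b"example-app encryption v1", 32),
        "mac": hkdf(master_secret, salt, b"example-app authentication v1", 32),
    }


# RFC 5869 test case 1 (published vector for HKDF with SHA-256).
RFC5869_TC1 = {
    "ikm": bytes([0x0B]) * 22,
    "salt": bytes(range(0x0D)),            # 00 01 ... 0c
    "info": bytes(range(0xF0, 0xFA)),      # f0 f1 ... f9
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
           "34007208d5b887185865",
}


def self_check() -> bool:
    """Confirm the implementation against the RFC 5869 vector."""
    v = RFC5869_TC1
    prk = hkdf_extract(v["salt"], v["ikm"])
    okm = hkdf_expand(prk, v["info"], v["length"])
    return prk.hex() == v["prk"] and okm.hex() == v["okm"]


if __name__ == "__main__":
    print("sha256('abc') =", sha256_hex(b"abc"))
    print("one-byte change:", sha256_hex(b"abd"))   # digest changes completely
    print("RFC 5869 vector ok:", self_check())
    keys = derive_service_keys(b"constructed master secret", b"constructed salt")
    print({name: k.hex() for name, k in keys.items()})
```

The point to take from `derive_service_keys` is that one secret should never be used directly as both an encryption key and a MAC key; a labelled derivation step gives each service its own key, which is how hash functions serve the key-management building blocks the page lists.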

Symmetric-Key Algorithms for Encryption and Decryption

Encryption provides confidentiality of data by transforming the “plaintext” into “ciphertext.” Decryption transforms ciphertext back to plaintext. AES and 3DES are the approved symmetric-key algorithms used for encryption/decryption services. 3DES is likely to be retired in the near future.

Advanced Encryption Standard (AES)

The AES is based on the Rijndael algorithm, which was invented by Cryptomathic’s previous chief cryptographer Vincent Rijmen together with his fellow researcher Joan Daemen.

AES encrypts and decrypts data in 128-bit blocks using 128-, 192- or 256-bit keys.

3DES / Triple DEA (TDEA)

3DES is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block. The official name used by NIST is the Triple Data Encryption Algorithm (TDEA).

TDEA encrypts and decrypts data using three 56-bit keys into 64-bit blocks. TDEA has two additional variations:

Two-key TDEA (2TDEA) uses 3 keys, but key 1 and key 3 are identical. This leads to an effective key length of 112 bits.

Three-key TDEA uses 3 different keys, leading to 168 bits. 2TDEA is widely used in the payment card industry, as it provided a good trade-off between security and compute time.

However, evolving technology has made it inadequate to withstand attacks. As of December 21, 2015, 2TDEA may only be used for decryption.

A comparative study (Alanazi et al., 2010) pointed out that even 3DES (also referred to as 3TDEA) is vulnerable to differential cryptanalysis.

The Advanced Encryption Standard (AES) proved itself to be much safer, being strong against differential cryptanalysis, but also against truncated differential or linear cryptanalysis as well as against interpolation and square attacks.

Modes of Operation for the application of AES and TDEA

Cryptographic modes of operation are algorithms that use a symmetric-key block cipher, in this case AES or TDEA, to cryptographically transform data. The modes address a problem inherent in block-cipher encryption: if the blocks of a message are encrypted separately, an adversary could substitute individual blocks, often without detection. To alleviate this, NIST prescribes combining the applied algorithm with

  • variable initialization vectors (special data blocks used in an initial step of the encryption and in the subsequent and corresponding decryption of the message) and/or
  • feedback of the information that has been derived from the cryptographic operation.
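To make the block-substitution problem concrete, here is an added Python example (it is not from the article and not NIST's code). The standard library ships no AES, so the example stands in a small 4-round Feistel block cipher built from HMAC-SHA-256; that cipher is a constructed stand-in for illustration only, not an approved algorithm. Around it, ECB (no IV, no feedback) is contrasted with CBC (an IV plus ciphertext feedback) on a constructed batch of payment records: ECB reveals that two records are identical and lets a copied ciphertext block decrypt to a clean-looking record, while CBC hides the repetition and its chaining turns the copied block into garbage that also corrupts the following block, so the modification becomes visible. The record contents, key and IV are all constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16      # block size in bytes, like AES
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed pseudorandom function for round i (HMAC-SHA-256, truncated to a half block).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher: a constructed stand-in for AES in this example."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example uses whole blocks; real code pads"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: every block is encrypted independently, with no IV and no feedback.
def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return b"".join(block_encrypt(key, b) for b in blocks(plaintext))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in blocks(ciphertext))


# CBC: each plaintext block is XORed with the previous ciphertext block (the IV
# for the first block) before encryption, i.e. an IV plus ciphertext feedback.
def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, []
    for b in blocks(plaintext):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def has_repeated_blocks(ciphertext: bytes) -> bool:
    bs = blocks(ciphertext)
    return len(set(bs)) < len(bs)


def copy_block(ciphertext: bytes, src: int, dst: int) -> bytes:
    """Model the substitution the text describes: ciphertext block src overwrites dst."""
    bs = blocks(ciphertext)
    bs[dst] = bs[src]
    return b"".join(bs)


# Constructed sample: four 16-byte records, with records 0 and 2 identical.
RECORDS = (b"PAY 100 TO ALICE" b"PAY 900 TO CAROL"
           b"PAY 100 TO ALICE" b"END OF BATCH 001")


def compare_modes(key: bytes = None, iv: bytes = None) -> dict:
    key = key if key is not None else os.urandom(32)
    iv = iv if iv is not None else os.urandom(BLOCK)   # fresh, unpredictable IV per message
    ecb = ecb_encrypt(key, RECORDS)
    cbc = cbc_encrypt(key, iv, RECORDS)
    ecb_tampered = ecb_decrypt(key, copy_block(ecb, 1, 0))
    cbc_tampered = cbc_decrypt(key, iv, copy_block(cbc, 1, 0))
    originals = blocks(RECORDS)
    return {
        "ecb_reveals_repetition": has_repeated_blocks(ecb),
        "cbc_reveals_repetition": has_repeated_blocks(cbc),
        # ECB: the copied block decrypts to a valid-looking record (silent substitution)
        "ecb_substitution_looks_valid": blocks(ecb_tampered)[0] == originals[1],
        # CBC: the copied block decrypts to garbage ...
        "cbc_substituted_block_garbled": blocks(cbc_tampered)[0] not in originals,
        # ... and the feedback also corrupts the block that follows it
        "cbc_next_block_corrupted": blocks(cbc_tampered)[1] != originals[1],
    }


if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name:32s} {value}")
```

Note what the chaining does and does not buy: CBC makes the substitution show up as garbage rather than as a plausible record, but nothing in the mode proves the ciphertext is genuine. Detecting modification reliably is the job of a MAC, which the page covers below, and a practitioner would normally reach for a mode or construction that combines encryption with a MAC rather than rely on garbled output being noticed.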

Message Authentication Codes (MACs)

MACs can be used in providing authentication for the origin/source and integrity of messages. This cryptographic mechanism resolves the problem of adversaries altering messages by creating a MAC key that is shared by both the message originator and the recipient.

MACs Using Block Cipher Algorithms

A block-cipher-based MAC uses an approved block cipher algorithm, for example AES or TDEA, to compute the MAC.

MACs Using Hash Functions

An approved hash function may also be used for computing a MAC.
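The originator/recipient exchange described in the MAC section, shown as an added Python example (not the article's or NIST's code) using the standard library's HMAC with SHA-256. The originator appends a tag computed under the shared key; the recipient recomputes the tag and compares it in constant time before trusting the message. The wire framing (tag followed by message), the sample message and the alteration are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32   # full HMAC-SHA-256 output


def generate_mac_key() -> bytes:
    """Secret key shared out-of-band by originator and recipient (constructed here)."""
    return secrets.token_bytes(32)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC (FIPS 198-1) over the message with SHA-256 (FIPS 180-4)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Originator side: wire format is tag || message (constructed framing)."""
    return mac_tag(key, message) + message


def receive(key: bytes, wire: bytes):
    """Recipient side: recompute the tag and compare in constant time.

    Returns the message if the tag verifies, otherwise None. compare_digest
    avoids leaking, through timing, how many tag bytes matched.
    """
    if len(wire) < TAG_LEN:
        return None
    tag, message = wire[:TAG_LEN], wire[TAG_LEN:]
    if not hmac.compare_digest(mac_tag(key, message), tag):
        return None
    return message


def demo(key: bytes = None) -> dict:
    key = key if key is not None else generate_mac_key()
    wire = protect(key, b"transfer 100 to account 42")   # constructed message
    # Someone without the key changes the amount in transit (constructed alteration).
    altered = wire[:TAG_LEN] + wire[TAG_LEN:].replace(b"100", b"900")
    return {
        "genuine_accepted": receive(key, wire) is not None,
        "altered_rejected": receive(key, altered) is None,
        "wrong_key_rejected": receive(bytes(32), wire) is None,
        "truncated_rejected": receive(key, wire[:10]) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

A block-cipher-based MAC of the kind the previous subsection mentions fits the same `protect`/`receive` interface; only `mac_tag` changes. Whichever primitive is used, the recipient must always compare the full tag with a constant-time comparison and reject the message on any mismatch.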

Digital Signature Algorithms

Digital signatures are used with hash functions to provide source authentication, integrity authentication, and support for non-repudiation. The Digital Signature Algorithm (DSA), RSA algorithm and ECDSA algorithm are approved by FIPS 186 for use in generating digital signatures.

Key Establishment Schemes

Key transport and key agreement are the two types of automated key-establishment schemes used to create keys shared between communicating entities. In key transport, the sending entity encrypts the keying material, which is then decrypted by the receiving entity.

Discrete Logarithm based Key-Agreement Schemes

Discrete logarithm based public-key algorithms rely on schemes that use finite field math or elliptic curve math. Ephemeral, static or both keys may be used in a single key-agreement transaction.

Key Establishment Using Integer-Factorization Schemes

Integer factorization based public-key algorithms are used for key establishment schemes where one party always has and uses a static key pair, while the other party may or may not use a key pair.

Security Properties of the Key-Establishment Schemes

It is not always practical for both parties to use both static and ephemeral keys with certain applications, even though using both types of keys in key-establishment schemes provides more security than schemes that use fewer keys.

Key Encryption and Key Wrapping

Key encryption (key wrapping) further protects the confidentiality of a key by encrypting that key under another key. The process of key unwrapping then decrypts the wrapped key and verifies its integrity.

Key Confirmation

Key confirmation provides assurance between two parties in a key-establishment process that common keying materials have been established.
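The discrete-logarithm key agreement with ephemeral keys described above, followed by the key confirmation just defined, as an added Python example that is not the article's or NIST's code. Both parties are simulated in one process: each generates a fresh key pair, they exchange public values, each derives the same key from the shared secret and the transcript, and each then sends an HMAC tag that the other verifies, which is the assurance key confirmation provides. The group parameters are a small constructed toy (a Mersenne prime and generator 3), chosen to be readable rather than secure, and the one-step hash KDF is a simplification; real deployments use the approved finite-field or elliptic-curve parameters and key-derivation methods from NIST SP 800-56A.

```python
import hashlib
import hmac
import secrets

# Toy finite-field parameters, constructed for illustration only (not an
# approved group). Real deployments use the groups given in NIST SP 800-56A.
P = 2**127 - 1      # a Mersenne prime: small enough to read, not secure
G = 3
FIELD_BYTES = 16    # every field element fits in 16 bytes


def ephemeral_keypair(private: int = None):
    """Fresh (ephemeral) key pair for a single key-agreement transaction."""
    private = private if private is not None else secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def shared_secret(private: int, peer_public: int) -> int:
    # Public-value validation: 0, 1 and p-1 would force a trivial secret.
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_key(z: int, transcript: bytes) -> bytes:
    """Simplified one-step hash KDF: key = H(Z || transcript)."""
    return hashlib.sha256(z.to_bytes(FIELD_BYTES, "big") + transcript).digest()


def confirmation_tag(key: bytes, direction: bytes, transcript: bytes) -> bytes:
    """Key-confirmation MAC: shows the sender derived the same key over this transcript."""
    return hmac.new(key, direction + transcript, hashlib.sha256).digest()


def run_exchange(private_a: int = None, private_b: int = None) -> dict:
    """Both sides of an ephemeral-ephemeral key agreement with bilateral key confirmation."""
    a, pub_a = ephemeral_keypair(private_a)          # message 1, A -> B: pub_a
    b, pub_b = ephemeral_keypair(private_b)          # message 2, B -> A: pub_b
    transcript = pub_a.to_bytes(FIELD_BYTES, "big") + pub_b.to_bytes(FIELD_BYTES, "big")

    key_a = derive_key(shared_secret(a, pub_b), transcript)   # A's view
    key_b = derive_key(shared_secret(b, pub_a), transcript)   # B's view

    # message 3, B -> A: tag proving B holds the key; A verifies it.
    tag_b = confirmation_tag(key_b, b"B->A", transcript)
    a_confirmed = hmac.compare_digest(tag_b, confirmation_tag(key_a, b"B->A", transcript))
    # message 4, A -> B: A replies in kind; B verifies it.
    tag_a = confirmation_tag(key_a, b"A->B", transcript)
    b_confirmed = hmac.compare_digest(tag_a, confirmation_tag(key_b, b"A->B", transcript))

    return {"key_a": key_a, "key_b": key_b,
            "a_confirmed": a_confirmed, "b_confirmed": b_confirmed}


if __name__ == "__main__":
    result = run_exchange()
    print("keys match:", result["key_a"] == result["key_b"])
    print("A confirmed B:", result["a_confirmed"], "| B confirmed A:", result["b_confirmed"])
```

Two details carry the security weight here: the transcript of exchanged public values is bound into both the derived key and the confirmation tags, so a tag from a different session cannot be replayed, and each received public value is checked against the trivial values before it is used. The confirmation tags give each side assurance that the other really holds the same key, which a bare key-agreement exchange on its own does not provide.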

Key Establishment Protocols

Protocols for key establishment specify the processing that is needed to establish a key along with its message flow and format.

RNGs (Random Number Generators)

RNGs are needed to generate keying material and are classified into two categories: deterministic and non-deterministic.

Concluding Thoughts

Understanding the three classes of cryptographic algorithms (hash functions, asymmetric algorithms, symmetric algorithms) in the context of their scopes of application will help you to properly structure your planned solution around your specific needs.

You should not neglect suitable key management to avoid open flanks in your system.

The good news is that in most parts of the world the described algorithms are accepted (if we ignore some politically inspired deviations like the GOST algorithm in Russia). However, the set of allowed algorithms might be narrowed down or surrounding frameworks might become mandatory, e.g., if an implementation shall comply with a specific European regulation or standard.

An international design perspective becomes important, especially when a company or institution wants to conduct secure communication in a global context.

Special thanks to Asim Mehmood for his edits and suggestions.


References and Further Reading

Image: "Hash Tag", courtesy of Michael Coghlan (CC BY-SA 2.0)

