Secure Ciphers investigation

Revision History

Revision No	Date	Change description	Author	Reviewed by
001	2025-08-06	Secure ciphers investigation details	Dinesh Kumar	BV (Bureau Veritas)

1. Objective

During CIP IEC-62443-4-2 final assessment, it was found as part of CR 3.01, CIP should provide a list of secure ciphers for CIP users.

BV shared guidelines document to follow for finding out recommended secure ciphers for TLS 1.3 and TLS 1.2.

The information in this document serves as reference for CIP users. However, it is strongly recommended to refer to the latest list of secure ciphers as the list of secure ciphers keep changing over the period of time.

2. Technical guidelines from BSI & NIST

BSI provides technical guidelines for Cryptographic mechanisms and use of secure ciphers. These guidelines are provided in two parts

1. Part-1 focuses on Cryptographic mechanisms and key lengths

2. Part-2 focuses on usage of TLS version and secure cipher suite

As Part-1 is core to the cryptographic mechanisms Part-2 references part-1 many times.

3. Key points of the BSI guidelines

1. These guidelines are revised every year based on latest development and research

2. Most of the recommendations are valid up to 6 years, hence it’s recommended to consider if some use cases require to use specific ciphers for longer period, appropriate key length, block size etc should be selected which can be extended in future

3. NIST recommendations and BSI are always in sync

4. BSI started to recommend ciphers which are quantum safe as well

4. Part-1 of BSI technical guidelines

1. Systems using MD5 and SHA-1 for cryptographic purpose are not compliant to BSI standards

2. It is receommended to use SHA-2 and SHA-3 for any cryptographic operations

3. Certificates should only be issued with limited validity

4. All certificate issuers must be trustworthy

5. The length of certificate chain should be limited upwards

4.1 Recommended key lengths for asymetric encryption and key derivation

Scheme name	RSA	DLIES	ECIES	DH	ECDH
Key length(bits)	3000	3000	250	3000	250

4.2 Symmetric encryption schemes

The following block ciphers are recommended

AES-128, AES-192, AES-256

Recommended modes are CCM, GCM,CBC,CTR

4.3 Recommended Hash functions

SHA-256, SHA-512/256, SHA-384, SHA-512

SHA3-256, SHA3-384, SHA3-512

4.4 Recommended MAC schemes with key length

CMAC (>=128), HMAC (>=128), KMAC128 (>=128,), KMAC256 (>=256), GMAC (>=128)

4.5 Signature Algorithms

RSA, ECDSA, ECKDSA, ECKCDSA, ECGDSA

The use of DSA is only recommended until 2029 hence not listed here.

4.6 Seed generation for determinitsic RNG

The randomness provided by the device file /dev/random is regularly reviwed by BSI for the current recent kernels and found to be suitable for usage in PC-like systems. However, the usage of /dev/urandm is found to be problematic hence not recommnded to use it.

5. Part-2 of BSI technical guidelines

In general, use of TLS 1.2 or TLS 1.3 is recommended, whereby the more modern protocol TLS 1.3 should be used in preference.

TLS 1.0 and TLS 1.1 are not recommended

5.1 Recommendations for TLS 1.2

The use of following ciphersuites with use of Perfect Forward secrecy is recommended.

• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_ECDSA_WITH_AES_128_CCM

• TLS_ECDHE_ECDSA_WITH_AES_256_CCM

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

• TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

• TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

• TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

• TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

• TLS_DHE_RSA_WITH_AES_128_CCM

5.2 Recommended cipher suites for TLS 1.2 (without Perfect Forward Secrecy)

• TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

• TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

• TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

• TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

• TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

• TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

• TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

• TLS_DH_DSS_WITH_AES_128_CBC_SHA256

• TLS_DH_DSS_WITH_AES_256_CBC_SHA256

• TLS_DH_DSS_WITH_AES_128_GCM_SHA256

• TLS_DH_DSS_WITH_AES_256_GCM_SHA384

• TLS_DH_RSA_WITH_AES_128_CBC_SHA256

• TLS_DH_RSA_WITH_AES_256_CBC_SHA256

• TLS_DH_RSA_WITH_AES_128_GCM_SHA256

• TLS_DH_RSA_WITH_AES_256_GCM_SHA384

5.3 Recommended cipher suites for TLS 1.2 (with pre-shared key)

• TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256

• TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384

• TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256

• TLS_DHE_PSK_WITH_AES_128_CBC_SHA256

• TLS_DHE_PSK_WITH_AES_256_CBC_SHA384

• TLS_DHE_PSK_WITH_AES_128_GCM_SHA256

• TLS_DHE_PSK_WITH_AES_256_GCM_SHA384

• TLS_DHE_PSK_WITH_AES_128_CCM

• TLS_DHE_PSK_WITH_AES_256_CCM

• TLS_RSA_PSK_WITH_AES_128_CBC_SHA256

• TLS_RSA_PSK_WITH_AES_256_CBC_SHA384

• TLS_RSA_PSK_WITH_AES_128_GCM_SHA256

• TLS_RSA_PSK_WITH_AES_256_GCM_SHA384

5.4 Signature algorithms

Signature	Use up to
RSA	2025
DSA	2029
ECDSA	2031+

5.5 Hash functions

Hash function	Use up to
SHA256	2031+
SHA384	2031+
SHA512	2031+

5.6 Recommendations for TLS 1.3

In TLS 1.3, the cryptographic mechanisms of a connection are defined by.

1. Handshake mode

2. Diffie-Hellman group (if (EC)DHE is used),

3. signature algorithm (if certificate-based authentication is used)

4. cipher suite.

In contrast to earlier versions of TLS, a cipher suite specifies only an authenticated encryption algorithm for the record protocol and a hash function for key derivation.

5.7 Signature Algorithms (Client/server signatures)

These algorithms can be used up to 2031+.

• rsa_pss_rsae_sha256

• rsa_pss_rsae_sha384

• rsa_pss_rsae_sha512

• rsa_pss_pss_sha256

• rsa_pss_pss_sha384

• rsa_pss_pss_sha512

• ecdsa_secp256r1_sha256

• ecdsa_secp384r1_sha384

• ecdsa_secp521r1_sha512

• ecdsa_brainpoolP256r1tls13_sha256

• ecdsa_brainpoolP384r1tls13_sha384

• ecdsa_brainpoolP512r1tls13_sha512

5.8 Signature Algorithms (Signatures in certificates)

Following algorithms can be used until 2025.

• rsa_pkcs1_sha256

• rsa_pkcs1_sha384

• rsa_pkcs1_sha512

Following algorithms can be used until 2031+.

• rsa_pss_rsae_sha256

• rsa_pss_rsae_sha384

• rsa_pss_rsae_sha512

• rsa_pss_pss_sha256

• rsa_pss_pss_sha384

• rsa_pss_pss_sha512

• ecdsa_secp256r1_sha256

• ecdsa_secp384r1_sha384

• ecdsa_secp521r1_sha512

• ecdsa_brainpoolP256r1tls13_sha256

• ecdsa_brainpoolP384r1tls13_sha384

• ecdsa_brainpoolP512r1tls13_sha512

5.9 Cipher suites

• TLS_AES_128_GCM_SHA256

• TLS_AES_256_GCM_SHA384

• TLS_AES_128_CCM_SHA256

6. How to use these guidelines (cipher suite list)

CIP users can refer supported ciphers in TLS 1.2 and TLS 1.3 at Openssl Ciphers page.

Users should refer supported ciphers and consult CIP secure cipher document and accordingly make decision to use specific cipher suite.

It should be noted that secure ciphers list is periodically updated by bsi, so users are suggsted to refer latest ciphers list and the validity period.

Key References

1. BSI technical guideline part-1

   https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=9

2. BSI technical guideline part-2

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=7