Secure Ciphers investigation
============================

.. contents::

Revision History

.. list-table::
   :header-rows: 1

   * - Revision No
     - Date
     - Change description
     - Author
     - Reviewed by
   * - 001
     - 2025-08-06
     - Secure ciphers investigation details
     - Dinesh Kumar
     - BV (Bureau Veritas)

1. Objective
------------

During the CIP IEC-62443-4-2 final assessment, it was found that, as part of CR 3.01, CIP should provide a list of secure ciphers for CIP users.

BV shared a guidelines document to follow for identifying the recommended secure ciphers for TLS 1.3 and TLS 1.2.

The information in this document serves as a reference for CIP users. However, it is strongly recommended to refer to the latest list of secure ciphers, as the list keeps changing over time.

2. Technical guidelines from BSI & NIST
---------------------------------------

BSI provides technical guidelines for cryptographic mechanisms and the use of secure ciphers. These guidelines are provided in two parts:

#. Part-1 focuses on cryptographic mechanisms and key lengths
#. Part-2 focuses on the usage of TLS versions and secure cipher suites

As Part-1 is core to the cryptographic mechanisms, Part-2 references Part-1 many times.

3. Key points of the BSI guidelines
-----------------------------------

#. These guidelines are revised every year based on the latest developments and research
#. Most of the recommendations are valid for up to 6 years. If a use case requires specific ciphers for a longer period, an appropriate key length, block size, etc. that can be extended in future should be selected
#. NIST recommendations and BSI are always in sync
#. BSI has started to recommend ciphers which are quantum safe as well

4. Part-1 of BSI technical guidelines
-------------------------------------

#. Systems using MD5 and SHA-1 for cryptographic purposes are not compliant with BSI standards
#. It is recommended to use SHA-2 and SHA-3 for any cryptographic operations
#. Certificates should only be issued with limited validity
#. All certificate issuers must be trustworthy
#. The length of the certificate chain should have an upper limit

4.1 Recommended key lengths for asymmetric encryption and key derivation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+-------------------+------+-------+-------+------+------+
| Scheme name       | RSA  | DLIES | ECIES | DH   | ECDH |
+===================+======+=======+=======+======+======+
| Key length (bits) | 3000 | 3000  | 250   | 3000 | 250  |
+-------------------+------+-------+-------+------+------+

4.2 Symmetric encryption schemes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following block ciphers are recommended:

AES-128, AES-192, AES-256

**Recommended modes are**

CCM, GCM, CBC, CTR

4.3 Recommended Hash functions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SHA-256, SHA-512/256, SHA-384, SHA-512

SHA3-256, SHA3-384, SHA3-512

4.4 Recommended MAC schemes with key length
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CMAC (>=128), HMAC (>=128), KMAC128 (>=128), KMAC256 (>=256), GMAC (>=128)

4.5 Signature Algorithms
~~~~~~~~~~~~~~~~~~~~~~~~

RSA, ECDSA, ECKDSA, ECKCDSA, ECGDSA

*The use of DSA is only recommended until 2029, hence it is not listed here.*

4.6 Seed generation for deterministic RNG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The randomness provided by the device file **/dev/random** is regularly reviewed by BSI for current kernels and found to be suitable for use in PC-like systems.

However, the usage of **/dev/urandom** is found to be problematic and is therefore not recommended.

5. Part-2 of BSI technical guidelines
-------------------------------------

In general, use of TLS 1.2 or TLS 1.3 is recommended, whereby the more modern protocol TLS 1.3 should be used in preference.

**TLS 1.0 and TLS 1.1 are not recommended**

5.1 Recommendations for TLS 1.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The use of the following cipher suites with Perfect Forward Secrecy is recommended.


* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_128_CCM
* TLS_ECDHE_ECDSA_WITH_AES_256_CCM
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_CCM

5.2 Recommended cipher suites for TLS 1.2 (without Perfect Forward Secrecy)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
* TLS_DH_DSS_WITH_AES_128_CBC_SHA256
* TLS_DH_DSS_WITH_AES_256_CBC_SHA256
* TLS_DH_DSS_WITH_AES_128_GCM_SHA256
* TLS_DH_DSS_WITH_AES_256_GCM_SHA384
* TLS_DH_RSA_WITH_AES_128_CBC_SHA256
* TLS_DH_RSA_WITH_AES_256_CBC_SHA256
* TLS_DH_RSA_WITH_AES_128_GCM_SHA256
* TLS_DH_RSA_WITH_AES_256_GCM_SHA384

5.3 Recommended cipher suites for TLS 1.2 (with pre-shared key)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
* TLS_DHE_PSK_WITH_AES_128_CCM
* TLS_DHE_PSK_WITH_AES_256_CCM
* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384

5.4 Signature algorithms
~~~~~~~~~~~~~~~~~~~~~~~~

+-----------+-----------+
| Signature | Use up to |
+===========+===========+
| RSA       | 2025      |
+-----------+-----------+
| DSA       | 2029      |
+-----------+-----------+
| ECDSA     | 2031+     |
+-----------+-----------+

5.5 Hash functions
~~~~~~~~~~~~~~~~~~

+---------------+-----------+
| Hash function | Use up to |
+===============+===========+
| SHA256        | 2031+     |
+---------------+-----------+
| SHA384        | 2031+     |
+---------------+-----------+
| SHA512        | 2031+     |
+---------------+-----------+

5.6 Recommendations for TLS 1.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In TLS 1.3, the cryptographic mechanisms of a connection are defined by:

#. Handshake mode
#. Diffie-Hellman group (if (EC)DHE is used)
#. Signature algorithm (if certificate-based authentication is used)
#. Cipher suite

In contrast to earlier versions of TLS, a cipher suite specifies only an authenticated encryption algorithm for the record protocol and a hash function for key derivation.

5.7 Signature Algorithms (Client/server signatures)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These algorithms can be used up to 2031+.

* rsa_pss_rsae_sha256
* rsa_pss_rsae_sha384
* rsa_pss_rsae_sha512
* rsa_pss_pss_sha256
* rsa_pss_pss_sha384
* rsa_pss_pss_sha512
* ecdsa_secp256r1_sha256
* ecdsa_secp384r1_sha384
* ecdsa_secp521r1_sha512
* ecdsa_brainpoolP256r1tls13_sha256
* ecdsa_brainpoolP384r1tls13_sha384
* ecdsa_brainpoolP512r1tls13_sha512

5.8 Signature Algorithms (Signatures in certificates)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following algorithms can be used until **2025**.

* rsa_pkcs1_sha256
* rsa_pkcs1_sha384
* rsa_pkcs1_sha512

The following algorithms can be used until **2031+**.


* rsa_pss_rsae_sha256
* rsa_pss_rsae_sha384
* rsa_pss_rsae_sha512
* rsa_pss_pss_sha256
* rsa_pss_pss_sha384
* rsa_pss_pss_sha512
* ecdsa_secp256r1_sha256
* ecdsa_secp384r1_sha384
* ecdsa_secp521r1_sha512
* ecdsa_brainpoolP256r1tls13_sha256
* ecdsa_brainpoolP384r1tls13_sha384
* ecdsa_brainpoolP512r1tls13_sha512

5.9 Cipher suites
~~~~~~~~~~~~~~~~~

* TLS_AES_128_GCM_SHA256
* TLS_AES_256_GCM_SHA384
* TLS_AES_128_CCM_SHA256

6. How to use these guidelines (cipher suite list)
--------------------------------------------------

CIP users can refer to the ciphers supported in TLS 1.2 and TLS 1.3 on the OpenSSL ciphers page.

Users should check the supported ciphers against the CIP secure cipher document and choose a specific cipher suite accordingly.

Note that the secure ciphers list is periodically updated by BSI, so users are advised to refer to the latest cipher list and its validity period.

**Key References**
------------------

#. BSI technical guideline part-1
   https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=9
#. BSI technical guideline part-2
   https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=7
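
As a companion to section 6, the following added example (not part of the original CIP document or of any CIP tooling) audits a configured list of IANA cipher suite names against the lists in sections 5.1 to 5.3 and 5.9. The function names ``suites``, ``classify`` and ``audit`` and the sample configuration are assumptions made for illustration.

```python
"""Audit IANA cipher suite names against the lists in sections 5.1-5.3 and 5.9."""

# The two recurring suffix patterns in the page's lists; they differ only in
# the hash paired with AES_256_CBC (SHA384 vs SHA256).
CBC384 = "128_CBC_SHA256 256_CBC_SHA384 128_GCM_SHA256 256_GCM_SHA384"
CBC256 = "128_CBC_SHA256 256_CBC_SHA256 128_GCM_SHA256 256_GCM_SHA384"

def suites(prefix, suffixes):
    """Expand a key-exchange prefix and AES suffixes into full suite names."""
    return {f"TLS_{prefix}_WITH_AES_{s}" for s in suffixes.split()}

SECTIONS = {
    "5.1 TLS 1.2 with PFS": (
        suites("ECDHE_ECDSA", CBC384 + " 128_CCM 256_CCM")
        | suites("ECDHE_RSA", CBC384)
        | suites("DHE_DSS", CBC256) | suites("DHE_RSA", CBC256 + " 128_CCM")),
    "5.2 TLS 1.2 without PFS": (
        suites("ECDH_ECDSA", CBC384) | suites("ECDH_RSA", CBC384)
        | suites("DH_DSS", CBC256) | suites("DH_RSA", CBC256)),
    "5.3 TLS 1.2 with PSK": (
        suites("ECDHE_PSK", CBC384 + " 128_CCM_SHA256")
        | suites("DHE_PSK", CBC384 + " 128_CCM 256_CCM")
        | suites("RSA_PSK", CBC384)),
    "5.9 TLS 1.3": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                    "TLS_AES_128_CCM_SHA256"},
}

def classify(name):
    """Return the section that lists `name`, or None if it is not listed."""
    for section, names in SECTIONS.items():
        if name in names:
            return section
    return None

def audit(configured):
    """Split a configured suite list into ({name: section}, [not listed])."""
    listed, not_listed = {}, []
    for name in configured:
        section = classify(name)
        if section:
            listed[name] = section
        else:
            not_listed.append(name)
    return listed, not_listed

# Constructed sample configuration (not taken from the page).
SAMPLE = ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A suite reported under section 5.2 is on the list but provides no forward secrecy, so it is worth reviewing separately from the section 5.1 matches.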