Cryptography introduction

You can use encryption to protect network traffic, secrets, and ordinary data at rest. When choosing cipher suites and key management techniques, follow these recommendations, which are based on the NIST standard:

  • For storing passwords, always use a salt. The salt must be randomly generated and unique for every stored password.

  • For symmetric encryption with passphrases, use a passphrase whose entropy matches the key strength of the cipher and the expected resistance to brute-force attacks. For example, a passphrase for a 128-bit cipher (CAST-5, AES-128) should contain at least 128 bits of entropy.

  • Whenever possible, use ephemeral keys to maintain forward secrecy. Use (ephemeral) Diffie-Hellman for key exchange.

  • Whenever possible, use Elliptic Curve Cryptography (ECC), as it requires less computational power than RSA or DSA for the same security strength.

  • To protect sensitive data (encryption and digital signatures) for the long term (2031 and beyond), use cipher suites and key lengths with a security strength of 128 bits or more (192, 256).

    Note

    Finite-field cryptography (FFC) and integer-factorization cryptography (IFC) parameter sets at the higher security strengths of 192 and 256 bits are not currently included in the NIST standards, for interoperability and efficiency reasons.

  • Prefer algorithms with a security strength of 128 bits, which are both secure and efficient. To protect data only until 2030, you can use cipher suites and key lengths with a security strength of 112 bits.

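The first two recommendations (a unique random salt for every stored password, and a passphrase whose entropy matches the cipher's key strength) as an added worked example; this code is not part of the original page. It assumes PBKDF2-HMAC-SHA-256 with a 16-byte random salt as the password hashing scheme, and that passphrase characters are drawn uniformly from the given alphabet.

```python
import hashlib
import hmac
import math
import os
import secrets

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA-256, 16-byte salt,
# 32-byte derived key. The iteration count is a tunable work factor.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted hash. A fresh random salt is drawn on every call, so two
    stores of the same password produce different records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    # Self-describing record: algorithm, work factor, salt and derived key,
    # so verification needs nothing beyond the stored string.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def min_passphrase_length(alphabet_size: int, key_strength_bits: int) -> int:
    """Characters needed, chosen uniformly from alphabet_size symbols, to reach
    at least key_strength_bits of entropy (e.g. 128 bits for AES-128)."""
    return math.ceil(key_strength_bits / math.log2(alphabet_size))


def generate_passphrase(key_strength_bits: int, alphabet: str) -> str:
    """Random passphrase with entropy matching the cipher's key strength."""
    length = min_passphrase_length(len(alphabet), key_strength_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))
```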
Encryption requirements

  Category                         Until 2030 (key strength = 112 bits)          After 2030 (key strength = 128 bits)
  Hashing and digital signatures   SHA-224, SHA-512/224, SHA3-224                SHA-256, SHA-512/256, SHA3-256
  Symmetric                        3TDEA                                         AES-128
  FFC                              DSA and Diffie-Hellman (DH), L=2048, N=224    DSA and Diffie-Hellman (DH), L=3072, N=256
  IFC                              RSA-2048                                      RSA-3072
  Elliptic-curve (ECC)             ECDSA with key size f=224-255                 ECDSA with key size f=256-383

where L is the size of the public key, N is the size of the private key, and f is the ECC key size in bits.