skip to main content
Caltech
Information Management Systems and Services
IMSS  /  Services  /  Information Security  /  Security for IT Staff  /  Cryptographic Standards

Caltech Cryptographic Standards

Caltech Cryptographic Standards (Hashing, Ciphers, Digital Signatures)

Aligned to NIST (FIPS 140-3, SP 800-131A, FIPS 180-4, FIPS 186-5, SP 800-38, FIPS 203–205 Post-Quantum Cryptography Standards, NIST IR 8547 Transition Guidance)

1. Purpose

Define approved cryptographic algorithms and minimum standards for hashing, encryption (ciphers), and digital signatures to ensure confidentiality, integrity, and authenticity of institutional data.

This standard also establishes a forward-looking cryptographic posture to address emerging risks associated with quantum computing.

2. Scope

Applies to:

  • All Caltech systems, applications, research environments (including HPC), and cloud vendors
  • Data classified as Internal, Confidential, Restricted, or regulated (HIPAA, FERPA, GLBA, ITAR, etc.)

3. Cryptographic Baseline Requirements

3.1 General Requirements

  • Only NIST-approved algorithms and key sizes SHALL be used
  • Minimum security strength: 128 bits for new systems
  • All cryptographic implementations MUST use FIPS 140-validated modules (where applicable)
  • Deprecated algorithms MUST NOT be used for new deployments
  • Systems MUST be designed with cryptographic agility to enable future transition to NIST-approved post-quantum cryptographic standards

4. Hashing Standards

4.1 Approved Algorithms

  • SHA-2 family: SHA-256, SHA-384, SHA-512
  • SHA-3 family: SHA3-256, SHA3-384, SHA3-512

4.2 Deprecated / Prohibited

  • SHA-1 (disallowed for digital signatures and deprecated overall)
  • MD5 (not NIST-approved and MUST NOT be used)

4.3 Usage Requirements

  • Minimum: SHA-256 or higher
  • Hashes MUST provide:
    • Collision resistance
    • Preimage resistance
    • Second preimage resistance

4.4 Password Hashing

  • PBKDF2 (NIST SP 800-132)
  • bcrypt / Argon2 permitted under institutional exception policy

5. Symmetric Encryption (Ciphers)

5.1 Approved Algorithms

  • AES: AES-128, AES-192, AES-256

5.2 Approved Modes of Operation

  • GCM (preferred)
  • CBC, CTR (acceptable with appropriate protections)

5.3 Prohibited / Deprecated

  • DES
  • RC4
  • AES-ECB
  • Triple DES

5.4 Requirements

  • Minimum key size: 128-bit
  • AES-256 preferred for regulated or high-risk data
  • Authenticated encryption REQUIRED (e.g., AES-GCM)

6. Asymmetric Cryptography & Digital Signatures

6.1 Approved Algorithms (FIPS 186-5)

  • RSA (≥ 2048 bits)
  • ECDSA (P-256, P-384, P-521)
  • EdDSA (recommended for new implementations)

6.2 Deprecated

  • DSA (only permitted for legacy verification)

6.3 Requirements

Digital signatures MUST provide:

  • Integrity
  • Authentication
  • Non-repudiation

6.4 Key Size Baselines and Post-Quantum Readiness

  • RSA: ≥ 2048 bits (≥ 3072 recommended for long-lived systems)
  • ECC: ≥ 224-bit curve strength (P-256 or higher recommended)

All systems SHALL incorporate cryptographic agility to support migration to post-quantum cryptographic algorithms.

Given the diverse nature of Caltech environments, including legacy systems, research platforms, and HPC infrastructure immediate adoption of PQC is not required. Systems

MUST support incremental transition without requiring significant architectural redesign.

6.5 Post-Quantum Cryptography (PQC) Transition Strategy

NIST has published initial post-quantum cryptographic standards and continues to define transition guidance. Caltech SHALL adopt a phased transition approach aligned with these standards and federal timelines.

Phase 1 – Readiness and Planning

  • Maintain cryptographic agility in all new systems
  • Avoid hard-coded dependencies (e.g., RSA-only implementations)
  • Evaluate exposure of long-lived and high-value data (e.g., research IP, ITAR, HIPAA)

Phase 2 – Hybrid Adoption

  • Support hybrid cryptographic models combining classical and PQC algorithms as available

Phase 3 – Full Transition

  • Transition to NIST-approved PQC algorithms as standards, vendor support, and federal mandates mature

Legacy systems and research environments may require extended timelines and SHALL be managed using a risk-based exception process.

7. Key Management Requirements

  • Follow NIST SP 800-57
  • Keys MUST be:
    • Generated using approved random number generators
    • Stored securely (e.g., HSM, KMS, Key Vault, or secure enclave)
    • Rotated based on sensitivity and usage (at least annually)
  • Separate keys MUST be used for:
    • Encryption
    • Signing
    • Key derivation

8. Transport Security (TLS)

  • Minimum: TLS 1.2
  • Preferred: TLS 1.3
  • Only NIST-approved cipher suites SHALL be used
  • SSL, TLS 1.0, and TLS 1.1 are prohibited

9. Legacy & Transition Guidance

Caltech operates a diverse technology environment that includes legacy systems, research platforms, and specialized instrumentation. Cryptographic modernization SHALL follow a risk-based, phased approach, not immediate replacement.

Systems using deprecated algorithms MUST:

  • Be remediated where feasible, or
  • Have documented risk acceptance with compensating controls

Transition efforts MUST prioritize:

  • Systems handling CUI, ITAR/EAR, or regulated data
  • Systems storing long-lived or high-value research data

Caltech SHALL:

  • Prefer modern algorithms (SHA-256+, AES-256, ECDSA/EdDSA)
  • Ensure post-quantum readiness and transition planning for new systems
  • Leverage vendor-supported PQC capabilities as they mature

Full migration to PQC will occur in alignment with:

  • NIST standards maturity
  • Vendor ecosystem readiness
  • Federal compliance requirements

10. Compliance & Enforcement

Applies to:

  • Internal systems
  • Research computing environments
  • Third-party cloud vendors

Exceptions require:

  • Documented risk acceptance
  • Security architecture review approval

11. References (NIST)