FS‑ISAC has issued a sector‑wide paper, "The Timeline for Post‑Quantum Cryptographic Migration". It argues financial services must move in lockstep to replace RSA/ECC in time. The press release is here: https://lnkd.in/gKqFkJC4. The paper (registration required) is here: https://lnkd.in/g4-DPFqD

FS-ISAC is the collective voice of the financial industry on cybersecurity. It reflects a consensus of leading experts across the sector. Its guidance often informs industry standards and regulatory expectations, making this new position paper especially significant. For a CISO in financial services, FS-ISAC’s recommendations can translate into actionable steps for strengthening resilience. In terms of quality and importance, it’s hard to overstate the value of this document for a financial CISO.

The paper warns against “crypto‑procrastination” - underestimating impact, misreading migration complexity, deferring the threat (I love the term!). It maps ecosystem dependencies - FMIs, central‑bank rails, telecom/critical infrastructure, vendors, and standards (IETF, X9) - and urges crypto‑agility and an enterprise crypto inventory.

Recommended phases: Initiation (governance/budget), Discovery (inventory/prioritization), Deployment (remediate high/medium‑risk uses; start disallowing legacy), Exit (ban legacy algorithms; audit/attest).

The timeline aligns with global signals: NIST aims to deprecate RSA‑2048 by 2030 and bar classical PKC by 2035; NSA CNSA 2.0 and the EU’s coordinated roadmap are similar; MAS and the Bank of Israel have directed preparedness.

My take: this is the clearest cross‑industry map yet for CISOs - strong on sequencing and coordination, realistic about vendor/standards bottlenecks, and urgent. It stops short of prescriptive, FS‑specific interim dates, but the 2030/2035 anchors are enough to justify moving from planning to implementation now. In short, you should read the paper even if you are not in FS.
#PQC #PostQuantum #QuantumReadiness #QuantumSecurity #QuantumResilience #QuantumResistance The image below is a comparison of transition timelines from the paper.
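The post above recommends an enterprise crypto inventory and a Discovery/Deployment/Exit sequence anchored on the 2030/2035 dates. The following is an added example, not code from FS-ISAC, the paper or the post's author, of how a defender might turn such an inventory into a prioritized remediation list: each row is classified as quantum-vulnerable or not, key-exchange and encryption uses are ranked against the 2030 deprecation date because of harvest-now-decrypt-later exposure, long-lived signatures are ranked against the 2035 disallow date, and external dependencies are flagged as the vendor/standards bottlenecks the post mentions. The algorithm family sets, the `CryptoUse` fields and the sample inventory rows are this example's own assumptions and constructed data.

```python
from dataclasses import dataclass

# Anchor dates quoted in the post (NIST): deprecate RSA-2048 by 2030,
# disallow classical public-key cryptography by 2035.
DEPRECATE_YEAR = 2030
DISALLOW_YEAR = 2035

# Algorithm families. Membership here is this example's assumption, not a
# list from the paper; extend it from your own inventory.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}
SYMMETRIC_OK = {"AES-256", "SHA-256", "SHA-384", "HMAC-SHA256"}


@dataclass(frozen=True)
class CryptoUse:
    """One row of the enterprise crypto inventory (constructed fields)."""
    system: str
    algorithm: str
    purpose: str               # "key-exchange", "encryption", "signature", "hash"
    protection_years: int      # how long the protected data or signature must hold
    external_dependency: bool  # controlled by an FMI, vendor or standards body?


def assess(use: CryptoUse, today: int) -> dict:
    """Classify one inventory row into a risk tier, a deadline year and a phase."""
    if use.algorithm in PQC or use.algorithm in SYMMETRIC_OK:
        return {"system": use.system, "tier": "compliant", "deadline": None,
                "phase": "Exit: audit/attest"}
    if use.algorithm not in QUANTUM_VULNERABLE:
        # Unknown algorithm: the inventory itself is incomplete.
        return {"system": use.system, "tier": "unknown", "deadline": None,
                "phase": "Discovery: identify and classify"}

    must_hold_until = today + use.protection_years
    if use.purpose in ("key-exchange", "encryption"):
        # Harvest-now-decrypt-later: ciphertext captured today stays exposed for
        # as long as the data is sensitive, so rank against the earlier date.
        tier = "high" if must_hold_until > DEPRECATE_YEAR else "medium"
        deadline = DEPRECATE_YEAR
    else:
        # Signatures only break once a cryptographically relevant quantum
        # computer exists, but long-lived signatures (documents, firmware,
        # code) must still verify after the classical algorithms are banned.
        tier = "high" if must_hold_until > DISALLOW_YEAR else "medium"
        deadline = DISALLOW_YEAR

    phase = "Deployment: remediate"
    if use.external_dependency:
        phase = "Deployment: engage vendor/standard (dependency bottleneck)"
    return {"system": use.system, "tier": tier, "deadline": deadline, "phase": phase}


_RANK = {"high": 0, "medium": 1, "unknown": 2, "compliant": 3}


def prioritize(inventory, today: int) -> list:
    """Order assessments for the Deployment phase: highest risk first, then
    earliest deadline, then system name so the output is stable."""
    rows = [assess(use, today) for use in inventory]
    rows.sort(key=lambda r: (_RANK[r["tier"]], r["deadline"] or 9999, r["system"]))
    return rows


# Constructed sample inventory (not taken from the paper).
SAMPLE_INVENTORY = [
    CryptoUse("payments-gateway-tls", "ECDH", "key-exchange", 10, True),
    CryptoUse("records-archive", "RSA", "encryption", 25, False),
    CryptoUse("code-signing", "ECDSA", "signature", 3, False),
    CryptoUse("mortgage-doc-signing", "RSA", "signature", 30, False),
    CryptoUse("data-at-rest", "AES-256", "encryption", 25, False),
    CryptoUse("pqc-tls-pilot", "ML-KEM", "key-exchange", 10, False),
    CryptoUse("mainframe-link", "PROPRIETARY-KEX", "key-exchange", 5, True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY, today=2025):
        print(f'{row["tier"]:9} {str(row["deadline"]):5} {row["system"]:22} {row["phase"]}')
```

The ordering rule is the point: two systems both using RSA land in different tiers depending on how long their data must stay protected, and a three-year code-signing certificate is a lower priority than a thirty-year mortgage document signature even though both use classical signatures. Rows that cannot be classified push the organisation back into Discovery, which is exactly the "misreading migration complexity" failure the post warns about.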
Financial Cryptography Standards
-
👏 Cryptography management and cryptoagility are closer to becoming regulation after the three European Supervisory Authorities (European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) – the ESAs) published today the first set of final draft Regulatory Technical Standards (RTS) under DORA. (Find the relevant links at the end.)

DORA is the Digital Operational Resilience Act for the financial sector, with rules for the protection, detection, containment, recovery and repair capabilities against IT incidents. The draft RTS on the ICT risk management framework covers encryption and cryptography in section IV (page 49). I would like to highlight Article 6, point 4:

"Financial entities shall include in the policy on encryption and cryptographic controls provisions to, where necessary, on the basis of developments in cryptanalysis, update or change the cryptographic technology to ensure they remain resilient against cyber threats [...]. Where the financial entity cannot update or change the cryptographic technology, it shall adopt mitigation and monitoring measures to ensure they remain resilient against cyber threats."

These final draft technical standards have been submitted to the European Commission, which will now start working on their review with the objective of adopting these first standards in the coming months. So, proper cryptography management and cryptoagility will soon be part of the regulatory compliance obligations of financial entities in Europe.

Links:
🚩 Announcement of the publication of the final drafts: https://lnkd.in/dnzDP9PG
🚩 Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework: https://lnkd.in/dp2aUj75
🚩 DORA: https://lnkd.in/dtJguGHf

Thanks to Nuria González Martín for her continued monitoring of the regulatory space. #pqc #cybersecurity #cryptography
-
FIPS-140

The US government defines a number of standards that many companies comply with, and one of the strongest is FIPS (Federal Information Processing Standard) 140. This standard defines a number of levels that define the security level of a product/system and includes modules tested within the Cryptographic Module Validation Program (CMVP). In 2019, FIPS 140-3 replaced FIPS 140-2. It defines 11 areas of design involved in designing and implementing modules, with four security levels across them: cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operating environment; physical security; non-invasive security; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks. Each level builds on the previous one: Level 1 is the lowest and Level 4 the highest. For those working in finance and in high-risk areas, Level 3 is often the benchmark, while in defence-related areas, Level 4 would often be applied. https://lnkd.in/dPYEUUWh
-
The three finalized standards released today – CRYSTALS-Kyber, CRYSTALS-Dilithium, and Sphincs+ – contain the encryption algorithms’ computer code, instructions for how to implement them, and their intended uses. The fourth draft standard based on FALCON is planned for late 2024, NIST said.

The CRYSTALS-Kyber algorithm – Federal Information Processing Standard (FIPS) 203 – is intended as the primary standard for general encryption. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. It has been renamed Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM).

The CRYSTALS-Dilithium algorithm – FIPS 204 – is intended as the primary standard for protecting digital signatures. It has been renamed Module-Lattice-Based Digital Signature Algorithm (ML-DSA).

The Sphincs+ algorithm – FIPS 205 – is also designed for digital signatures. The standard is based on a different math approach than ML-DSA, and it is intended as a backup method in case ML-DSA proves vulnerable. It has been renamed the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA).

Similarly, when the draft FIPS 206 standard built around FALCON is released, the algorithm will be dubbed FN-DSA, short for FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm. https://lnkd.in/g8gYeQ5j