The Guidelines for Cryptography, published by the Australian Signals Directorate (ASD), provide authoritative advice and requirements for government agencies and large organizations on the secure use of cryptographic technologies.
Overview of the Guidelines for Cryptography by ASD
The Guidelines for Cryptography help organizations implement strong cryptographic controls, select approved algorithms and protocols, and manage cryptographic keys securely to protect sensitive information against evolving cyber threats.
The guidelines support the overarching Australian Government Information Security Manual (ISM) framework by offering detailed guidance on cryptographic practices, including algorithm usage, key management, protocol selection, and migration to post-quantum cryptography, as mandated by 2030.
The guidelines provide a structured framework to secure information through robust cryptographic standards and practices, with 7 sections below:
- Cryptographic Fundamentals
- ASD-Approved Cryptographic Algorithms
- ASD-Approved Cryptographic Protocols
- Transport Layer Security
- Secure Shell
- Secure/Multipurpose Internet Mail Extension
- Internet Protocol Security
The Guidelines for Cryptography apply primarily to:
- Australian Government agencies and departments
- Large organizations and critical infrastructure operators
- Any entities handling government information or sensitive data requiring protection under Australian government cybersecurity policies
Compliance Brief
Complying with the Guidelines for Cryptography of the Australian Signals Directorate (ASD)
Discover how organisations can address the guidelines through our comprehensive cybersecurity solutions and learn more about the requirements.
How Thales Helps with the Guidelines for Cryptography in Australia
Thales’ solutions can help organisations address the guidelines, focusing on Cryptographic Fundamentals, ASD-Approved Cryptographic Algorithms and Protocols, Transport Layer Security and Secure Shell by simplifying compliance and automating security with visibility and control, thereby reducing the burden on security and compliance teams.
ASD Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, and a secure Content Delivery Network (CDN).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address the Guidelines for Cryptography by ASD
Cryptographic fundamentals
How Thales helps:
- Protect cryptographic keys in a tamper-resistant FIPS 140-3 Level 3 validated environment for securing the key lifecycle.
- Support granular role separation and access controls, ensuring only authorized personnel can manage or use cryptographic keys for security governance.
How Thales helps:
- Encrypt data at rest on-premises, across clouds, and in big data or container environments.
- Pseudonymize sensitive data once it is created and make sure cleartext data will not be processed or stored by unauthorized and to prevent exposure of real data applications and personnel.
- Protect the root-of-trust of a cryptographic system within FIPS140-3 Level 3 - a highly secure environment.
How Thales helps:
- Protect data in motion with high-speed encryption.
- Integrate quantum-resistant encryption in high-speed encryption, supporting the protection of classified and sensitive data in transit.
How Thales helps:
- Offer leading cryptographic solutions that are rigorously tested, validated, and compliant with internationally recognized standards, such as FIPS 140-3 and Common Criteria Certifications.
How Thales helps:
- Provide an additional layer of protection beyond the physical security controls with Secure Transport Mode – the logical control validation capability. Customers can use the logical and physical HSM controls to verify that HSMs shipped have not been modified in transit.
How Thales helps:
- Ensure secure deletion by removing keys from CipherTrust Manager, digitally shredding all instances of the data.
- Feature detailed logging and audit trails for cryptographic operations and key management activities for reporting mandates.
ASD-Approved Cryptographic Algorithms
How Thales helps:
- Provide secure keys lifecycle management consistent with ISM requirements on module validation (ISO/IEC 19790, FIPS 140-3).
- Ensure compliance with stringent cryptographic standards by regularly validating against Common Criteria and eIDAS standards of the HSM.
- Support ASD-approved cryptographic algorithms such as AES, SHA-2 family, ECDH, RSA, and ECDSA, ensuring the use of strong and approved algorithms in cryptographic operations.
- Offer native support to NIST-Standardized PQC Algorithms: ML-KEM (FIPS 203) and ML-DSA (FIPS 204) — fully integrated into firmware, eliminating the need for external functionality modules.
- Provide Hybrid PQC encryption for secure key synchronization, backup, and restore.
- Provide a crypto agile foundation of digital trust for a seamless transition and interoperability between classical and post-quantum algorithms, supporting hybrid schemes for ISM’s resilience and gradual migration.
- Allow updates for new algorithms and post-quantum cryptography capabilities, future-proofing TLS encryption against emerging threats.
- Embed quantum entropy sources (Quantum Random Number Generation – QRNG) within cryptographic modules, enhancing cryptographic strength and ensuring high-quality randomness.
How Thales helps:
- Supports a broad range of secure hashing algorithms and message authentication codes (MAC), including the SHA-2 family (such as SHA-256, SHA-384, SHA-512), and others approved by security standards.
- Perform hashing operations inside a FIPS 140-3 validated tamper-resistant hardware, ensuring secure and trustworthy execution of hashing functions.
ASD-Approved Cryptographic Protocols
How Thales helps:
- Support ASD-approved cryptographic protocols such as TLS, SSH, IPsec, and more.
- Offer a cryptographic engine that supports approved algorithms used in these protocols, including RSA, Diffie-Hellman (DH), Elliptic Curve Diffie-Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), AES (including authenticated modes), and SHA-2 family hashing algorithms.
- Establish secure, authenticated communication channels for key management and cryptographic operations, using protocols compliant with standards such as NIST SP 800-56A/B and RFCs for TLS, SSH, and IPsec.
Transport Layer Security
How Thales helps:
- Deliver encryption at network Layers 2, 3, and 4, securing data in transit with minimal latency and no impact on bandwidth or throughput, suitable for TLS-encrypted traffic.
- Support ASD-approved cryptographic algorithms used in TLS, such as AES-GCM 256 for encryption, Elliptic Curve Digital Signature Algorithm (ECDSA), Elliptic Curve Diffie-Hellman (ECDH) for key exchange, and SHA-2 family hashing algorithms, meeting strong cryptographic standards.
How Thales helps:
- Support secure generation, storage, and protection of SSH private keys on FIPS 140-3 validated hardware, ensuring that private keys used for SSH authentication are well protected against extraction or unauthorized access.
How Thales helps:
- Support public key-based authentication, enabling secure generation, storage, and usage of SSH private keys within the hardware security module.
- Enforce access controls, including the use of passphrases or key encryption keys. Private keys stored in the HSM remain encrypted and require proper authentication to access, significantly reducing the risk of brute-force or unauthorized access.
- Integrate with OpenSSH, enabling seamless use of public key authentication while leveraging the HSM’s secure key protection capabilities.
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.