During 2013, ENISA prepared and published its first reports with cryptographic guidelines supporting the security measures required to protect personal data in online systems. Recently published EC Regulations on the measures applicable to the notification of personal data breaches [118] make reference to ENISA, as a consultative body, in the process of establishing a list of appropriate cryptographic protective measures.

This report provides an update of the 2013 report [113] produced by ENISA. As was the case with the report of 2013, the cryptographic guidelines of ENISA should serve as a reference document, and cannot fill in for the existing lack of cryptographic recommendations at EU level. As such, we provide rather conservative guiding principles, based on current state-of-the-art research, addressing the construction of new systems with a long life cycle. This report is intended to be a reference in the area, focusing on commercial online services that collect, store and process the personal data of EU citizens.

In the report of 2013 there was a section on protocols; for this year we decided to extend the part on implementation by adding to this report a section on side-channels, random number generation, and key life cycle management. The summary of protocols is now covered in a sister report [114].

It should be noted that this is a technical document addressed to decision makers, in particular specialists designing and implementing cryptographic solutions, within commercial organisations. In this document we focus on just two decisions which we feel are more crucial to users of cryptography. Firstly, we consider whether a given primitive or scheme can be considered for use today if it is already deployed. We refer to such use as legacy use within our document.
Our first guiding principle is that if a scheme is not considered suitable for legacy use, or is only considered for such use with certain caveats, then this should be taken as strong advice that the primitive or scheme should be replaced as a matter of urgency.

Secondly, we consider the issue of whether a primitive or scheme is suitable for deployment in new or future systems. In some sense, mechanisms which we consider usable for new and future systems meet the cryptographic requirements described in this document; they generally will have proofs of security, will have key sizes equivalent to 128-bit symmetric security or more, will have no structural weaknesses, will have been well studied, will have been standardized, and will have a reasonably-sized existing user base. Thus the second guiding principle is that decision makers should now make plans and preparations for the phasing out of what we term legacy mechanisms over a period of, say, 5-10 years, replacing them with systems we deem secure for future use.

This document does not consider any mechanisms which are currently only of academic interest. In particular, all the mechanisms we discuss have been standardized to some extent, and have either been deployed, or are slated to be deployed, in real systems. This selection is a means of focusing the document on mechanisms which will be of interest to decision makers in industry and government. Further limitations of scope are mentioned in the introductory chapter which follows. Further restrictions are mentioned in Chapter 2 "How to Read this Document". Such topics, which are not explored by this document, could however be covered in the future.