CRY-01.02AC
1. Overview

The cloud service provider's PQC strategy is aligned with cryptography policies and procedures and includes the following aspects:

1. Maintenance of an inventory of cryptographic mechanisms in use, including priority levels for each inventory item based on the impact and probabilities of the risks posed by quantum computing attacks and the effort to remediate such risks;
2. Staying informed about encryption measures that are deemed state of the art and secure against adversaries who possess a quantum computer;
3. Usage of hybrid cryptography models to ensure security for both quantum and non-quantum computing based attacks; and
4. Definition of trigger events, required resources, transition plans and success criteria for implementation of post-quantum cryptographic mechanisms.

The following Technical Guidelines (valid at the given time) provide recommendations and key lengths for state of the art cryptographic mechanisms:

1. BSI TR-02102-1 Cryptographic Mechanisms: Recommendations and Key Lengths;
2. BSI TR-02102-2 Cryptographic Mechanisms: Recommendations and Key Lengths – Use of Transport Layer Security (TLS);
3. BSI TR-02102-3 Cryptographic Mechanisms: Recommendations and Key Lengths – Use of Internet Protocol Security (IPsec) and Internet Key Exchange (IKEv2); and
4. BSI TR-02102-4 Cryptographic Mechanisms: Recommendations and Key Lengths – Use of Secure Shell (SSH).

A change management process in the sense of the basic criterion can either be covered by the standard change management process described in DEV-03 or be implemented as a separate process.

Recommendations for the migration to PQC and future-proof use of cryptography are provided, for example, in:

1. The BSI guideline 'Quantum-safe cryptography – fundamentals, current developments and recommendations';
2. The roadmap 'A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography' published by the European Commission; and
3. The preliminary drafts for the NIST publication 'NIST SP 1800-38: Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography'.

Hybrid cryptography models, as defined in the context of post-quantum cryptography (PQC), combine classical and quantum-safe mechanisms to ensure that the system remains secure even if one component is compromised. The purpose of such models is to provide long-term protection against threats such as 'store now, decrypt later' and other attacks based on classical or quantum computing.