Any cryptographic trust designs that are not fit for use-case may only be enabled after the user has been sufficiently informed of the security consequences in a manner that takes the use-case into account.
* **[REQ-CRYPTO-9]** The product shall enable by default only the recommended designs that are fit for use-case.
* **[REQ-CRYPTO-10]** The product shall implement data protection measures ensuring all management communications employ encrypted channels providing both confidentiality and integrity protection through best practice cryptography.
For backwards compatibility, use of combinations of options other than what is recommended[\[1\]](#_ref_1) shall be implemented with the following details listed in the technical documentation:
- Which component requires the weaker cryptographic implementation
- Statement about why the backwards compatibility is in place
- Transition plan towards the recommended cryptographic implementation
- Transition timeline
Products are delivered without known exploitable vulnerabilities, and this also covers the implemented cryptography.
However, certain use cases, or the installation of the product into an existing user infrastructure, may require the use of legacy protocols and cryptography.
As the product is delivered without known exploitable vulnerabilities, those legacy configurations cannot be the factory default setting, and may only be enabled after the user has been sufficiently informed about the security consequences.
* **[REQ-CRYPTO-1]** The product’s default configuration shall only use cryptographic mechanisms that meet at least one of the following criteria:
    1. ACM-listed: the cryptographic mechanism is listed in the ECCG Agreed Cryptographic Mechanisms (ACM) catalogue [reference].
    2. ACM-extended: the cryptographic mechanism is not listed in the ECCG Agreed Cryptographic Mechanisms (ACM) catalogue [reference] and meets at least one of the following conditions:
        1. the cryptographic mechanism is listed in clause K.3.2 as an ACM-extended cryptographic mechanism for the specific product function(s);
        2. where the cryptographic mechanism is not listed in clause K.3.2, the cryptographic mechanism meets all the following criteria:
            1. the cryptographic mechanism, or where applicable the ACM-listed cryptographic mechanism on which it is based, is not deprecated per the ECCG Agreed Cryptographic Mechanisms (ACM) catalogue [reference];
            2. the cryptographic mechanism has been specified, developed or maintained through a transparent process by a recognised European, international or sector-specific standards development organisation, or by an industry specification organisation accountable for the relevant specification, including <mark>[list of organisations]</mark>; or the cryptographic mechanism is listed as suitable in a publicly available cryptographic catalogue maintained by a recognised national or governmental cybersecurity authority, where the catalogue is maintained under a documented revision and retirement process, including <mark>[list of catalogues]</mark>;
            3. the cryptographic mechanism is described in a valid, publicly available and uniquely referenceable specification;
            4. the cryptographic properties of the cryptographic mechanism are known;
            5. no known weakness affects the cryptographic mechanism in a way that affects its cryptographic properties;
            6. the cryptographic mechanism is required for a specific set of product functions;
            7. <mark>[any additional criteria specified by the vertical standard, where applicable]</mark>.
    3. Interoperability-based: the cryptographic mechanism is listed in clause K.4.2 as an interoperability-based cryptographic mechanism for specific product function(s) and external specification(s) or external requirement(s).
* **[REQ-CRYPTO-3]** To prevent rollback or downgrade, the product shall enforce a monotonic policy/configuration version (or equivalent mechanism), record changes in tamper-evident audit logs, and prevent re-enabling deprecated algorithms or disabled security checks via rollback without an explicit, logged administrative override.
* **[REQ-CRYPTO-4]** Cryptographic mechanisms not covered by **[REQ-CRYPTO-1]** shall be disabled by default.
* **[REQ-CRYPTO-5]** For backward compatibility:
    * the product shall inform the user about the security implications when not using the default configuration;
    * the product shall inform the user of the component requiring the weaker mechanism;
    * the product shall inform the user of the justification for backward compatibility;
    * the product shall provide the user with instructions on how to transition to secure cryptography.
> NOTE 1: The reference to the product’s default configuration is intended to define a clear and assessable baseline, corresponding to the configuration in which the product is placed on the market. The product can provide several configurations that fulfil the requirement.
> NOTE 2: For products supplied as hardware platforms or components to be configured by an integrator, references in this annex to the product’s default configuration refer to the configuration specified for the intended operational use of the product after integration, including the relevant integration assumptions and configuration constraints.
> NOTE 3: The applicable ACM catalogue version is identified in the normative references of the present document.
> The lifecycle treatment of mechanisms affected by ACM deprecation dates, expiry dates, migration conditions or usage limitations is addressed in clause K.2.
> NOTE 4: In this clause, an external specification or external requirement means a specification or requirement that is imposed on the product, and which requires the use of a specific cryptographic mechanism for the product to interoperate with an identified system, platform or operational context.
> An external requirement can be a regulatory requirement, operational constraint, technical interoperability constraint, or platform compatibility requirement.
> NOTE 5: Inclusion of a cryptographic mechanism under the interoperability-based criterion does not classify that mechanism as state-of-the-art cryptography.
> EXAMPLE: Examples of product functions include secure communication based on TLS 1.3; authenticated encryption of communicated data based on AES-GCM; storage confidentiality based on AES-XTS; firmware signature verification based on Ed25519; and key derivation based on HKDF.
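
One way to meet the rollback protection in **[REQ-CRYPTO-3]**, given as an added example that is not part of the original text: a policy store that rejects older versions and deprecated mechanisms unless an administrator override is supplied, and records every decision in a MAC-chained log. The `PolicyStore` and `verify_log` names, the `DEPRECATED` list and the mechanism labels are assumptions; the MAC key is assumed to live in protected storage.

```python
import hashlib, hmac, json

DEPRECATED = {"TLS1.0", "3DES-CBC"}   # constructed list of deprecated mechanisms
GENESIS = "0" * 64                    # back-link value of the first log entry

def _mac(key, body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class PolicyStore:
    """Active crypto policy with a monotonic version and a MAC-chained audit log."""

    def __init__(self, key, enabled):
        self.key, self.enabled, self.version, self.log = key, set(enabled), 1, []
        self._audit("init", 1, "factory default")

    def _audit(self, event, version, detail, actor="system"):
        prev = self.log[-1]["mac"] if self.log else GENESIS
        body = {"event": event, "version": version, "detail": detail,
                "actor": actor, "prev": prev}
        self.log.append({**body, "mac": _mac(self.key, body)})

    def apply(self, enabled, version, override_by=None, reason=None):
        """Install a policy; rollbacks and deprecated mechanisms need a logged override."""
        weak = sorted(set(enabled) & DEPRECATED)
        rollback = version <= self.version
        if rollback or weak:
            if not (override_by and reason):
                self._audit("rejected", version, f"rollback={rollback} weak={weak}")
                return False
            # Override accepted: content is installed, but the counter only moves forward.
            version = max(version, self.version + 1)
            self._audit("override", version, f"weak={weak} reason={reason}", override_by)
        self.enabled, self.version = set(enabled), version
        self._audit("applied", version, ",".join(sorted(enabled)))
        return True

def verify_log(key, log):
    """Return True only if every entry's MAC and back-link are intact."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry["prev"] != prev or not hmac.compare_digest(_mac(key, body), entry["mac"]):
            return False
        prev = entry["mac"]
    return True
```

The chain detects edits and removals inside the log; detecting truncation of the newest entries additionally requires keeping the latest MAC in protected storage.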