Cryptography solutions approved by Traficom's NCSA-FI

In relation to Finland's international information security obligations, the tasks of the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom include the approval of cryptography products for protecting the confidentiality of classified information in Finland. In the EU, the authority responsible for the approval of cryptography products is referred to as the CAA (Crypto Approval Authority). In Finland, CAA responsibilities are handled by NCSA-FI function at Traficom's NCSC-FI.

This list includes cryptography products approved by NCSC-FI for protecting the confidentiality of national and EU classified information. The products included on the list have been approved for protecting the confidentiality and integrity of information in high threat level environments. High threat level means communication over open networks, such as the internet, for example. It can also mean a system that has been approved for a lower classification level than the information being communicated. Advice on how to apply the list to other threat levels can be requested from NCSA-FI.

The presented classification levels only apply to information classified by public authorities, but they can also be used as recommendations for other needs.

The Council of the European Union and its General Secretariat also maintain a list of cryptography products that can be used for protecting the confidentiality of international or national classified information.

Cryptography solutions approved by NCSA-FI for national classified information

A cryptography product requires the approval of the Crypto Approval Authority (CAA) when applying for approval for an information system or telecommunications arrangements based on the fulfilment of international information security obligations (Act 588/2004). Approval may also be required when the approval process is based on the Act on the Assessment of the Information Security of Public Authorities' Information Systems and Telecommunications Arrangements (1406/2011).

Regarding the commissioning of cryptography products, it should be noted that approval may be subject to additional requirements. Because of this, NCSA-FI should be consulted when planning new systems and in any unclear situations. As regards products approved for protecting the confidentiality of national confidential information, key management solutions must also be approved nationally, either in connection with the SAA approval of information systems or based on a separate procedure.

NCSA-FI’s national approval is based on an information security assessment of the cryptography product carried out or supervised by a competent CAA.

Classification level TL II

Note! Products approved for a higher classification level can also be used for protecting the confidentiality of information at a lower classification level. Terms of use may differ based on the classification level.

Veracrypt

IDRIX (FR)

File encryptor

1.22 and 1.23

until further notice

Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from NCSA-FI.

Recent changes:

  • 28 January 2021: Veracrypt approved for classification levels TL II and TL III

Classification level TL III

Bittium Tough Mobile 2 C                    

Bittium Oyj (FI)

VPN and mass storage encryption for smartphones

  • 81.59 MR5.7 Ruby
  • 81.66 MR5.8 Ruby
  • until 31 October 2022
  • until further notice

Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.

Deltagon Sec@GW (D-Network)

SSH Communications Security Oyj (FI)

Email encryption

3.3 (D-Network)

until further notice

Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. More detailed component-specific version information can be requested from NCSA-FI.

Forcepoint Stonesoft NGFW

Forcepoint Finland Oy (FI)

VPN encryptor

VPN engine 5.8.2 and SMC 5.8.3

until 31 March 2023

Only use in compliance with the usage policy prepared by Traficom is approved. Commissioning instructions and more detailed version information must be requested from NCSA-FI.

Insta SafeLink

Insta Defsec Oy (FI)

VPN encryptor

  • 4.1.1, 4.1.0 and 4.0.3
  • 3.5A
  • until further notice
  • until 31 December 2022

Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.

SSH NQX

SSH Communications Security Oyj (FI)

VPN encryptor

  • 1.1.0p5
  • 1.1.0p2
  • until further notice
  • until 15 October 2022

Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.

  • 19 September 2022: Forcepoint Stonesoft NGFW's approval is valid until 31 March 2023
  • 12 September 2022: Bittium Tough Mobile C removed from the list. Bittium Tough Mobile 2 C version details updated.
  • 21 December 2021: Insta SafeLink 4.1.0 approved for classification level TL III, updated version 3.5A's validity period. Remove expired Stonesoft FW/VPN's approval. Updated Bittium Tough Mobile C's validity period.
  • 19 November 2021: Removed expired Instal Safelink version 3.4B, 3.5 and 4.0.1 approvals
  • 1 November 2021: Updated Bittium Tough Mobile C and 2 C's validity period and approved versions.
  • 6 September 2021: Stonesoft FW/VPN's approval is valid until 30 November 2021
  • 7 April 2021: Bittium Tough Mobile 2 C approved for classification level TL III
  • 10 February 2021: SSH NQX version 1.1.0p5 approved for classification level TL III

Classification level TL IV

Deltagon Sec@GW

SSH Communications Security Oyj (FI)

Email encryption

3.10 (SecAtGW 3.10.82-1)

until further notice

Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. More detailed component-specific version information can be requested from NCSA-FI.

GnuPG

 

Email encryption

GnuPG 2

until further notice

Only use in compliance with Traficom’s instructions is approved. The instructions are available from NCSA-FI.

TETRA E2EE

Airbus Defense and Space Oy (FI)

End-to-end encryptor for the TETRA network

E2EE smart cards 3.5

until further notice

Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.

Recent changes:

  • 19 November 2021: Deltagon Sec@GW version 3.10 update approved for classification level TL IV, approval for version 3.8 has expired
  • 17 February 2021: Deltagon Sec@GW version 3.10 update approved for classification level TL IV

Encryption products for EU classified information

Encryption products used to protect EU classified information must be approved in accordance with Article 10(6) of the Council Decision on security rules for protecting EU classified information. The Article states that within Member States’ national systems, the confidentiality of information classified as CONFIDENTIEL UE/EU CONFIDENTIAL (C-UE/EU-C) or RESTREINT UE/EU RESTRICTED (R-UE/EU-R) may be protected by cryptographic products approved by a Member State’s Crypto Approval Authority (CAA). The confidentiality of information classified as SECRET UE/EU SECRET (S-UE/EU-S) and above, and outside of national systems the confidentiality of information classified as C-UE/EU-C and R-UE/EU-R, shall be protected by cryptographic products approved by the Council or its General Secretariat as Crypto Approval Authority.

Important: Regarding the commissioning of cryptography products, it should be noted that approval is usually subject to additional requirements. Because of this, NCSA-FI should be consulted when planning new systems. According to the Council's security rules for protecting EU classified information, all systems used to process EU classified information must also be reviewed and approved by the national SAA (Security Accreditation Authority, which in Finland is NCSA-FI).

NCSA-FI’s approval is based on an information security assessment of the cryptography product carried out or supervised by the competent Crypto Approval Authority (CAA) of a Member State.

List of cryptography products approved by the Council or its General Secretariat (External link)