Strategy for Encryption of Client LEIs (amended April 16, 2021)
Advanced Encryption Standard
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST). Now used internationally, it is the only publicly accessible cipher approved by the National Security Agency (NSA) and was adopted by the U.S. as a federal government standard in 2002.
The AES describes a 'block cipher' and is a symmetric-key algorithm (i.e. the same key is used for both encryption and decryption); key size may be 128, 192 or 256 bits. Using 128-bit keys would minimize impact to system performance while maintaining a sufficient level of information security.
Mode of Operation – AES-CTR
A mode of operation is an algorithm used in conjunction with a block cipher to enhance information security. There exists a wide range of modes that encompass varying guarantees of security and efficiency; the Counter (CTR) mode offers a number of efficiency advantages over other modes without weakening security (e.g. it is highly parallelizable, and it securely transforms a block cipher into a stream cipher, thereby removing the need for block padding).
With the plaintext having been divided into blocks, the basic algorithm combines a 'nonce' (or 'initialization vector') – an arbitrary, unpredictable value such as a random or pseudo-random number – with a counter that increments with each block; this combination is then encrypted using the key and the result is XOR'd with the plaintext to generate the ciphertext. A simplified description of the process is illustrated in Figure 1.
Figure 1: AES-CTR Encryption
Encryption of FIX Values
The relevant FIX tags should be populated with a string comprised of three concatenated elements:
The concatenated binary data will then be encoded with Base64 into a 52-character string value, which is assigned to the relevant FIX tag as illustrated in Figure 2 below:
Figure 2: Encrypted Value Structure
Key Rotation Management
A different encryption key will be provided to each originating Dealer Member. The key is 128 bits of binary data and will be encoded as 24-character ASCII text using Base64 encoding for delivery to the Dealer Member via encrypted email. Keys will be refreshed every 12 months; CIRO will generate and disseminate keys on an annual basis (as opposed to disseminating multiple years' keys at once) – it is believed that this approach will minimize potential uncertainty around when to refresh keys, which keys should be used, etc.
The key rotation schedule will operate as Figure 3 illustrates:
Figure 3: Key Rotation Schedule
Historical versions of Strategy for Encryption of Client Identifiers
Encryption Proposal v.1.8.1 (amended on 08/28/2020)
Encryption Key Management Information for Dealer Members
Encryption Key Management Information for IIROC Dealer Members (added September 1, 2020)
Encryption API
If you would like to use our Encryption API in Java and C++, please send us a request at [email protected] and we will provide you with the files via email. (added September 25, 2020)
Fix Specifications
Fix Specifications – PowerBI (amended on 04/01/2020)
Fix Specifications – Excel (added on 10/05/2020)