Administration Guide > Standards and Validations > NIST SP 800-131A: Changes to FIPS-Supported Algorithms Effective January 2014
As a result of the NIST SP 800-131A algorithm transition, the list of algorithms supported in FIPS mode is changing. These changes take effect on 01 January 2014.
To comply with this transition, the following are not supported in SafeNet HSM 5.4 and higher when the HSM is operated in FIPS mode:
•Digital signature generation and MAC generation using SHA-1. Digital signature verification and MAC verification using SHA-1 remain supported for legacy purposes.
•DSA key pair generation and signature generation with a key size of less than 2048 bits. DSA signature verification with 1024-bit keys remains supported for legacy purposes.
•RSA key pair generation and signature generation with a key size of less than 2048 bits. RSA signature verification with 1024-bit keys remains supported for legacy purposes.
•ECDSA key pair generation and signature generation with a curve size of less than 224 bits. ECDSA signature verification with a curve size of less than 224 bits remains supported for legacy purposes.
•RSA key wrapping with an RSA key of less than 2048 bits. Key unwrapping with such keys remains supported for legacy purposes.
•RSA encryption with an RSA key of less than 2048 bits. Decryption with such keys remains supported for legacy purposes.
•Diffie-Hellman key agreement with a key size of less than 2048 bits.
•EC Diffie-Hellman key agreement with a curve size of less than 224 bits.
•HMAC generation with a key size of less than 112 bits. HMAC verification with a key size of less than 112 bits remains supported for legacy purposes.
Note: SHA-1 remains allowed in FIPS Approved mode, with the exception of digital signature generation and MAC generation, for which it is not allowed in FIPS mode.
These changes affect the following algorithms:
Digital Signature         | Key Pair Generation | Signature Generation | Signature Verification
--------------------------|---------------------|----------------------|-----------------------
DSA < 2048 with SHA-1     | OFF                 | OFF                  | LEGACY
DSA < 2048 with SHA-2     | OFF                 | OFF                  | LEGACY
RSA < 2048 with SHA-1     | OFF                 | OFF                  | LEGACY
RSA < 2048 with SHA-2     | OFF                 | OFF                  | LEGACY
ECDSA n < 224 with SHA-1  | OFF                 | OFF                  | LEGACY
ECDSA n < 224 with SHA-2  | OFF                 | OFF                  | LEGACY
Algorithm   | Key Wrapping | Key Unwrapping
------------|--------------|---------------
RSA < 2048  | OFF          | LEGACY
Algorithm   | Encryption | Decryption
------------|------------|-----------
RSA < 2048  | OFF        | LEGACY
Algorithm                       | Key Agreement
--------------------------------|--------------
Diffie-Hellman < 2048           | OFF
EC Diffie-Hellman with n < 224  | OFF
Algorithm        | Encryption | Decryption | Key Wrapping | Key Unwrapping | CMAC KDF   | HMAC KDF   | CMAC Generation | CMAC Verification
-----------------|------------|------------|--------------|----------------|------------|------------|-----------------|------------------
2-Key Triple-DES | RESTRICTED | LEGACY     | RESTRICTED   | LEGACY         | DEPRECATED | ACCEPTABLE | DEPRECATED      | LEGACY
Note: Restricted key types must be enforced at the application level.
For practical and performance reasons, these FIPS restrictions are not implemented in firmware; the HSM will not count blocks or refuse an operation for you. If you wish to use 2-key Triple DES in a FIPS-compliant manner, you must implement the needed restrictions within your application, as follows.
SP 800-131A defines "restricted" as: "the use of the algorithm or key length is deprecated, and there are additional restrictions required to use the algorithm or key length for applying cryptographic protection to data".
2-Key Triple DES Encryption:
The use of two-key Triple DES is acceptable for encryption through December 31, 2010.
From January 1, 2011 through December 31, 2015, the use of two-key Triple DES for encryption is restricted: the total number of blocks of data encrypted with the same cryptographic key shall not be greater than 2^20 (note that for this algorithm, a block is the 64-bit block of a Triple DES encryption operation). This restriction also applies to those keys that were first used prior to 2011 and continue to be used beyond December 31, 2010 (i.e., those keys whose cryptoperiod begins prior to 2011 and extends into 2011). Rationale for this exception is provided in Appendix A.1.
After December 31, 2015, two-key Triple DES shall not be used for encryption.
2-Key Triple DES Wrapping:
Two-key Triple DES is acceptable for wrapping and unwrapping keying material through December 31, 2010.
From January 1, 2011 through December 31, 2015, the use of two-key Triple DES for wrapping keying material is restricted: the total number of blocks of keying material wrapped with the same cryptographic key shall be no more than 2^20.
After December 31, 2015, two-key Triple DES shall not be used to wrap keying material.
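Because the firmware does not enforce the two-key Triple DES restriction, the application has to keep the per-key block count itself. The following is an added example (not SafeNet code, and not taken from SP 800-131A) of a guard an application could place in front of its PKCS#11 calls. It assumes the application already has its own wrappers around C_Encrypt, C_WrapKey and C_Decrypt and passes them in as callables; the `fake_c_encrypt` in the demo, the key handle `0x11` and the starting block counts are constructed for illustration.

```python
"""Application-side enforcement of the SP 800-131A 'restricted' status of two-key
Triple DES.  SafeNet HSM firmware does not enforce this, so the guard sits in
front of the application's PKCS#11 calls.  Added example, not SafeNet code.
"""
from datetime import date
from typing import Callable, Dict, Tuple

BLOCK_BYTES = 8                         # Triple DES block = 64 bits
MAX_BLOCKS = 2 ** 20                    # per-key limit on blocks encrypted or wrapped
RESTRICTED_UNTIL = date(2015, 12, 31)   # after this, encryption and wrapping are disallowed


class TdesPolicyError(Exception):
    """Raised when an operation would violate the two-key TDES usage policy."""


def blocks_for(nbytes: int, padded: bool) -> int:
    """Number of 64-bit blocks the HSM will actually encrypt for nbytes of input.

    With PKCS padding (e.g. CKM_DES3_CBC_PAD) a full trailing padding block is
    always appended, so 8 bytes cost 2 blocks.  Unpadded modes require a
    multiple of the block size.
    """
    if padded:
        return nbytes // BLOCK_BYTES + 1
    if nbytes % BLOCK_BYTES:
        raise TdesPolicyError("unpadded TDES input must be a multiple of 8 bytes")
    return nbytes // BLOCK_BYTES


class TwoKeyTdesGuard:
    """Tracks blocks protected under each two-key TDES key handle.

    Only encryption and wrapping are counted; decryption and unwrapping are
    legacy operations and pass straight through.
    """

    def __init__(self, today=None):
        if isinstance(today, str):
            today = date.fromisoformat(today)
        self.today = today or date.today()
        self.blocks_used: Dict[int, int] = {}   # key handle -> blocks already protected

    def register_key(self, handle: int, blocks_already_used: int = 0) -> None:
        """Keys whose cryptoperiod began before 2011 carry their prior usage into the budget."""
        self.blocks_used[handle] = blocks_already_used

    def remaining(self, handle: int) -> int:
        return MAX_BLOCKS - self.blocks_used[handle]

    def check(self, handle: int, nbytes: int, padded: bool = True) -> Tuple[bool, str]:
        """Dry run: may nbytes be encrypted or wrapped under handle right now?"""
        if handle not in self.blocks_used:
            return False, f"key handle {handle} was never registered with the guard"
        if self.today > RESTRICTED_UNTIL:
            return False, "two-key TDES encryption/wrapping is disallowed after 2015-12-31"
        needed = blocks_for(nbytes, padded)
        if self.blocks_used[handle] + needed > MAX_BLOCKS:
            return False, (f"key {handle}: {needed} more blocks would exceed the 2^20 block "
                           f"limit ({self.remaining(handle)} left); rotate the key")
        return True, "ok"

    def _charge(self, handle: int, nbytes: int, padded: bool) -> None:
        ok, reason = self.check(handle, nbytes, padded)
        if not ok:
            raise TdesPolicyError(reason)
        # Charge before calling the HSM: a call that fails after the HSM has used
        # the key is still a use, so err on the conservative side.
        self.blocks_used[handle] += blocks_for(nbytes, padded)

    def encrypt(self, handle: int, data: bytes,
                c_encrypt: Callable[[int, bytes], bytes], padded: bool = True) -> bytes:
        """c_encrypt stands in for the application's C_EncryptInit/C_Encrypt wrapper."""
        self._charge(handle, len(data), padded)
        return c_encrypt(handle, data)

    def wrap(self, handle: int, target_key_bytes: int,
             c_wrap: Callable[[int], bytes], padded: bool = True) -> bytes:
        """Wrapping keying material is charged against the same 2^20 block budget."""
        self._charge(handle, target_key_bytes, padded)
        return c_wrap(handle)

    def decrypt(self, handle: int, data: bytes,
                c_decrypt: Callable[[int, bytes], bytes]) -> bytes:
        """Legacy operation: permitted and not counted."""
        return c_decrypt(handle, data)


if __name__ == "__main__":
    def fake_c_encrypt(handle: int, data: bytes) -> bytes:
        # Constructed stand-in for the PKCS#11 call; a real application calls the library here.
        return b"\x00" * (blocks_for(len(data), True) * BLOCK_BYTES)

    guard = TwoKeyTdesGuard(today="2014-01-02")
    guard.register_key(0x11, blocks_already_used=MAX_BLOCKS - 3)   # hypothetical handle
    guard.encrypt(0x11, b"record 1", fake_c_encrypt)               # 8 bytes + padding = 2 blocks
    print("blocks remaining:", guard.remaining(0x11))
    print("next 8-byte encrypt allowed?", guard.check(0x11, 8))
```

The counter must survive process restarts and be shared by every client that uses the key, otherwise the 2^20 limit is only enforced per process; persist `blocks_used` next to the key metadata rather than in memory.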
Algorithm   | MAC Generation | MAC Verification
------------|----------------|-----------------
HMAC < 112  | OFF            | LEGACY
Note: SHA-1 is allowed except for digital signature generation and MAC generation.
You can restore keys having legacy bit lengths from a backup. Legacy keys are retained on the HSM after the upgrade to SafeNet HSM 5.4 or later, but function in 'legacy' mode only (verification, decryption and unwrapping).
If you still wish to use the 'legacy' keys fully, you must exit FIPS mode:
•Back up your keys.
•Switch off FIPS mode by changing the HSM policy; this wipes out all keys on the HSM.
•Restore the keys to the HSM, which is no longer in FIPS mode. Note that the HSM is then no longer operating in a FIPS Approved mode.
These changes affect the following mechanisms:
RSA FIPS Mechanism                         | FIPS | Changes in FIPS mode
-------------------------------------------|------|----------------------------------
CKM_RSA_PKCS_KEY_PAIR_GEN                  | YES  | LEGACY less than 2048 bit
CKM_RSA_PKCS                               | YES  | LEGACY less than 2048 bit
CKM_SHA1_RSA_PKCS                          | YES  | LEGACY
CKM_RSA_PKCS_OAEP                          | YES  | LEGACY less than 2048 bit
CKM_RSA_X9_31_KEY_PAIR_GEN                 | YES  | LEGACY less than 2048 bit
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN  | YES  | LEGACY less than 2048 bit
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR          | YES  | NO, already enforced at 2048 bit
CKM_SHA1_RSA_X9_31                         | YES  | LEGACY
CKM_SHA224_RSA_X9_31                       | YES  | LEGACY less than 2048 bit
CKM_SHA256_RSA_X9_31                       | YES  | LEGACY less than 2048 bit
CKM_SHA384_RSA_X9_31                       | YES  | LEGACY less than 2048 bit
CKM_SHA512_RSA_X9_31                       | YES  | LEGACY less than 2048 bit
CKM_RSA_PKCS_PSS                           | YES  | LEGACY less than 2048 bit
CKM_SHA1_RSA_PKCS_PSS                      | YES  | LEGACY
CKM_SHA224_RSA_PKCS                        | YES  | LEGACY less than 2048 bit
CKM_SHA224_RSA_PKCS_PSS                    | YES  | LEGACY less than 2048 bit
CKM_SHA256_RSA_PKCS                        | YES  | LEGACY less than 2048 bit
CKM_SHA256_RSA_PKCS_PSS                    | YES  | LEGACY less than 2048 bit
CKM_SHA384_RSA_PKCS                        | YES  | LEGACY less than 2048 bit
CKM_SHA384_RSA_PKCS_PSS                    | YES  | LEGACY less than 2048 bit
CKM_SHA512_RSA_PKCS                        | YES  | LEGACY less than 2048 bit
CKM_SHA512_RSA_PKCS_PSS                    | YES  | LEGACY less than 2048 bit
DSA FIPS Mechanism      | FIPS | Changes in FIPS mode
------------------------|------|---------------------
CKM_DSA_KEY_PAIR_GEN    | YES  | LEGACY
CKM_DSA                 | YES  | LEGACY
CKM_DSA_PARAMETER_GEN   | YES  | LEGACY
CKM_SHA1_DSA            | YES  | LEGACY
CKM_SHA224_DSA          | YES  | LEGACY
CKM_SHA256_DSA          | YES  | LEGACY
ECDSA Mechanism      | FIPS | Changes in FIPS mode
---------------------|------|---------------------
CKM_EC_KEY_PAIR_GEN  | YES  | LEGACY for n < 224
CKM_ECDSA            | YES  | LEGACY for n < 224
CKM_SHA1_ECDSA       | YES  | LEGACY
CKM_SHA224_ECDSA     | YES  | LEGACY for n < 224
CKM_SHA256_ECDSA     | YES  | LEGACY for n < 224
CKM_SHA384_ECDSA     | YES  | LEGACY for n < 224
CKM_SHA512_ECDSA     | YES  | LEGACY for n < 224
HMAC Mechanism   | FIPS | Changes in FIPS mode
-----------------|------|----------------------------------------------------------------------
CKM_HMAC_SHA224  | YES  | LEGACY for key length less than 112 bits
CKM_HMAC_SHA256  | YES  | LEGACY for key length less than 112 bits
CKM_HMAC_SHA384  | YES  | LEGACY for key length less than 112 bits
CKM_HMAC_SHA512  | YES  | LEGACY for key length less than 112 bits
CKM_HMAC_SHA1    | YES  | LEGACY for key length less than 112 bits; HMAC-based KDF remains acceptable with any approved hash function, including SHA-1
Diffie-Hellman Mechanisms   | FIPS | Changes in FIPS mode
----------------------------|------|---------------------
CKM_ECDH1_DERIVE            | YES  | LEGACY for n < 224
CKM_ECDH1_COFACTOR_DERIVE   | YES  | LEGACY for n < 224
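Before enabling FIPS mode on 5.4 or later, it is worth auditing which of your existing keys and mechanisms fall into the OFF or LEGACY columns above. The following is an added example (not SafeNet code) that applies the rules from the summary list and the mechanism tables to an inventory of (mechanism, operation, key size) entries. The operation names (`keygen`, `sign`, `verify`, `encrypt`, `decrypt`, `wrap`, `unwrap`, `derive`, `mac`, `mac_verify`) and `SAMPLE_INVENTORY` are constructed for the example; a real inventory would be built from C_FindObjects and C_GetAttributeValue. It goes slightly beyond the page in that it parses any CKM_ name of the shapes listed rather than only the rows shown.

```python
"""Pre-upgrade audit of key sizes and mechanisms against the SP 800-131A rules
enforced in SafeNet HSM 5.4+ FIPS mode.  Added example, not SafeNet code.

Status follows the tables: OFF (the operation is refused in FIPS mode),
LEGACY (only the verify/decrypt/unwrap side still works with the undersized
key or with SHA-1) or OK.
"""
import re
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Status(Enum):
    OK = "OK"
    LEGACY = "LEGACY"
    OFF = "OFF"


# Minimum sizes enforced from 1 January 2014: RSA/DSA/DH modulus bits,
# EC curve order bits, HMAC key bits.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048, "EC": 224, "HMAC": 112}
# The side of each operation pair that stays available for legacy keys.
LEGACY_OPS = {"verify", "decrypt", "unwrap", "mac_verify"}
# Operations for which SHA-1 matters; elsewhere (e.g. HMAC-based KDF) SHA-1 stays acceptable.
SHA1_SENSITIVE_OPS = {"sign", "verify", "mac", "mac_verify"}

# CKM_<hash>_<family>... or CKM_<family>_<hash>... or CKM_<family>...
_MECH = re.compile(r"CKM_(?:(SHA\d+)_)?(RSA|DSA|ECDSA|ECDH1|EC|HMAC|DH)(?:_(SHA\d+))?(?:_.*)?")


def mechanism_profile(mech: str) -> Tuple[str, Optional[str]]:
    """Map a PKCS#11 mechanism name from the tables above to (algorithm family, hash)."""
    m = _MECH.fullmatch(mech)
    if not m:
        raise ValueError(f"unrecognised mechanism {mech}")
    hash_prefix, family, hash_suffix = m.groups()
    alg = "EC" if family in ("ECDSA", "ECDH1") else family
    return alg, hash_prefix or hash_suffix


def classify(alg: str, op: str, key_bits: int, hash_name: Optional[str] = None) -> Status:
    """How FIPS mode treats one (algorithm, operation, key size, hash) combination."""
    too_small = key_bits < MIN_BITS[alg]
    sha1_blocked = (hash_name or "").upper() == "SHA1" and op in SHA1_SENSITIVE_OPS
    if not too_small and not sha1_blocked:
        return Status.OK
    # Undersized key or SHA-1: only the legacy half of the operation pair survives;
    # generation, encryption, wrapping and key agreement have no legacy half.
    return Status.LEGACY if op in LEGACY_OPS else Status.OFF


def audit(inventory: Iterable[Tuple[str, str, int]]) -> List[Tuple[str, str, int, Status]]:
    """Return every (mechanism, op, key_bits) entry that will not run unchanged in FIPS mode."""
    findings = []
    for mech, op, bits in inventory:
        alg, hash_name = mechanism_profile(mech)
        status = classify(alg, op, bits, hash_name)
        if status is not Status.OK:
            findings.append((mech, op, bits, status))
    return findings


# Constructed sample inventory (not an HSM dump): mechanism, operation, key/curve/HMAC-key bits.
SAMPLE_INVENTORY = [
    ("CKM_RSA_PKCS_KEY_PAIR_GEN", "keygen", 1024),  # OFF: 1024-bit generation refused
    ("CKM_SHA1_RSA_PKCS", "sign", 2048),            # OFF: SHA-1 signature generation
    ("CKM_SHA1_RSA_PKCS", "verify", 2048),          # LEGACY: SHA-1 verification
    ("CKM_SHA256_RSA_PKCS", "sign", 2048),          # OK
    ("CKM_SHA256_RSA_PKCS", "sign", 1024),          # OFF: 1024-bit key
    ("CKM_RSA_PKCS_OAEP", "unwrap", 1024),          # LEGACY: unwrap with 1024-bit key
    ("CKM_SHA256_ECDSA", "sign", 192),              # OFF: 192-bit curve
    ("CKM_ECDH1_DERIVE", "derive", 192),            # OFF: key agreement has no legacy side
    ("CKM_HMAC_SHA1", "derive", 160),               # OK: HMAC-based KDF may still use SHA-1
    ("CKM_HMAC_SHA256", "mac", 64),                 # OFF: 64-bit HMAC key
    ("CKM_HMAC_SHA256", "mac_verify", 64),          # LEGACY
]

if __name__ == "__main__":
    for mech, op, bits, status in audit(SAMPLE_INVENTORY):
        print(f"{status.value:7} {mech:28} {op:11} {bits} bits")
```

Anything reported as OFF must be re-keyed or re-hashed before the policy change; LEGACY entries keep working only for the verification/decryption/unwrapping side, so any producer of those signatures or ciphertexts still needs a new key.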
In addition to acceptable key sizes, some algorithms now limit the size of data that can be processed. For example, RSA sign/verify operations in FIPS mode will not run if the input data chunk is too small, even when a sufficiently large key size is selected. If you use an application that is unaware of FIPS-mode limitations, you might encounter errors unless you adjust its parameters. Using multitoken as an example, if you let it use its default data size of 16 bytes you might see something like this:
C:\Program Files\SafeNet\LunaClient>multitoken.exe -mode rsasigver -key 2048 -slots 1
Initializing library...Finished Initializing
...done.
Do you wish to continue?
Enter 'y' or 'n': y
Constructing thread objects.
Logging in to tokens...
 slot 2... Enter password:
Serial Number 151363
Please wait, creating test threads.
Error 0x21 (CKR_DATA_LEN_RANGE) on C_Sign
Aborting tests due to error 0x00000021 (CKR_DATA_LEN_RANGE) on thread 0, slot 1, serial number 150022!
Waiting for threads to terminate.
Correct this by adding the parameter "-packet 32" to the command:
C:\Program Files\SafeNet\LunaClient>multitoken -mode rsasigver -key 2048 -slots 1 -packet 32
Initializing library...Finished Initializing
...done.
Do you wish to continue?
Enter 'y' or 'n': y
Constructing thread objects.
Logging in to tokens...
 slot 1... Enter password: ********
Serial Number 150022
Please wait, creating test threads.
Test threads created successfully.
Press ENTER to terminate testing.
RSA sign/verify 2048-bit : (packet size = 32 bytes)
                      operations/second  |  elapsed
   1,        0  |  total    average    |  time (secs)
------  | -------  ----------  | ------------
 111.2  |  111.2   111.259*    |  45
 111.2  |  111.2   111.253*    |  50
Waiting for threads to terminate.
C:\Program Files\SafeNet\LunaClient>
In accordance with NIST SP 800-131A Revision 1, when the HSM is in FIPS mode, two-key Triple DES is restricted to legacy operations (decryption, unwrapping and CMAC verification). All other Triple DES operations must use the three-key variant.
If you are still using two-key Triple DES, we suggest that you begin adapting your operational workflow for the following changes, which take effect at the end of 2015:
•Encryption: disallowed
•Decryption: legacy
•Wrapping: disallowed
•Unwrapping: legacy
•CMAC generation: disallowed
•CMAC verification: legacy