NIST SP 800-131A: Changes to FIPS-Supported Algorithms Effective January 2014

As a result of the NIST SP 800-131A algorithm transition, the list of algorithms supported in FIPS mode is changing. These changes come into effect on 01 January 2014.

Summary

To comply with this change, the following algorithms are not supported in SafeNet HSM 5.4 and higher when the HSM is operated in FIPS mode:

All digital signature and MAC generation algorithms that use SHA-1 are no longer supported; digital signature verification and MAC verification using SHA-1 are still supported for legacy purposes

DSA Key Pair Generation and Signature Generation with a key size of less than 2048 bits is no longer supported

DSA Signature Verification with 1024-bit keys is still supported for legacy purposes

RSA Key Pair Generation and Signature Generation with a key size of less than 2048 bits is no longer supported

RSA Signature Verification with 1024-bit keys is still supported for legacy purposes

ECDSA Key Pair Generation and Signature Generation with a curve size of less than 224 bits is no longer supported

ECDSA Signature Verification with a curve size of less than 224 bits is still supported for legacy purposes

RSA Key Wrapping with an RSA key of less than 2048 bits is no longer supported; key unwrapping is still supported for legacy purposes

RSA Encryption with an RSA key of less than 2048 bits is no longer supported; decryption is still supported for legacy purposes

Diffie-Hellman key agreement with a key size of less than 2048 bits is no longer supported

EC Diffie-Hellman key agreement with a curve size of less than 224 bits is no longer supported

HMAC Generation with a key size of less than 112 bits is no longer supported

HMAC Verification with a key size of less than 112 bits is supported for legacy purposes

Note:  Use of SHA-1 is allowed in FIPS Approved mode, with the exception of digital signature and MAC generation, for which it is not allowed in FIPS mode.

Affected Algorithms

These changes affect the following algorithms:

Digital Signature Changes

Digital Signature        | Key Pair Generation | Signature Generation | Signature Verification
------------------------ | ------------------- | -------------------- | ----------------------
DSA < 2048 with SHA-1    | OFF                 | OFF                  | LEGACY
DSA < 2048 with SHA-2    | OFF                 | OFF                  | LEGACY
RSA < 2048 with SHA-1    | OFF                 | OFF                  | LEGACY
RSA < 2048 with SHA-2    | OFF                 | OFF                  | LEGACY
ECDSA n < 224 with SHA-1 | OFF                 | OFF                  | LEGACY
ECDSA n < 224 with SHA-2 | OFF                 | OFF                  | LEGACY

Key Transport Changes

Algorithm  | Key Wrapping | Key Unwrapping
---------- | ------------ | --------------
RSA < 2048 | OFF          | LEGACY

Encryption Changes

Algorithm  | Encryption | Decryption
---------- | ---------- | ----------
RSA < 2048 | OFF        | LEGACY

Key Agreement Changes

Algorithm                      | Key Agreement
------------------------------ | -------------
Diffie-Hellman < 2048          | OFF
EC Diffie-Hellman with n < 224 | OFF

2-Key Triple DES Changes

Algorithm        | Encryption | Decryption | Key Wrapping | Key Unwrapping | CMAC KDF   | HMAC KDF   | CMAC Generation | CMAC Verification
---------------- | ---------- | ---------- | ------------ | -------------- | ---------- | ---------- | --------------- | -----------------
2-Key Triple-DES | RESTRICTED | LEGACY     | RESTRICTED   | LEGACY         | DEPRECATED | ACCEPTABLE | DEPRECATED      | LEGACY

Note:  Restricted key types must be enforced at the application level.

NIST SP 800-131A restriction implementation in your application

For practical and performance reasons, we do not implement these FIPS restrictions in firmware. Therefore, if you wish to use 2-Key Triple DES in a FIPS-compliant manner, you must implement the needed restrictions within your application, as follows.

As specified in the SP 800-131A document: “the use of the algorithm or key length is deprecated, and there are additional restrictions required to use the algorithm or key length for applying cryptographic protection to data”.

2-Key Triple DES Encryption:
The use of two-key Triple DES is acceptable for encryption through December 31, 2010.
From January 1, 2011 through December 31, 2015, the use of two-key Triple DES for encryption is restricted: the total number of blocks of data encrypted with the same cryptographic key shall not be greater than 2^20 (note that for this algorithm, a block is the 64-bit block of a Triple DES encryption operation). This restriction also applies to those keys that were first used prior to 2011 and continue to be used beyond December 31, 2010 (i.e., those keys whose cryptoperiod begins prior to 2011 and extends into 2011). Rationale for this exception is provided in Appendix A.1.
After December 31, 2015, two-key Triple DES shall not be used for encryption.

2-Key Triple DES Wrapping:
Two-key Triple DES is acceptable for wrapping and unwrapping keying material through December 31, 2010.
From January 1, 2011 through December 31, 2015, the use of two-key Triple DES for wrapping keying material is restricted: the total number of blocks of keying material wrapped with the same cryptographic key shall be no more than 2^20.
After December 31, 2015, two-key Triple DES shall not be used to wrap keying material.
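Because the HSM firmware does not enforce the block limit quoted above, the application has to count blocks itself. The following is an added example of such an application-level guard; it is not SafeNet or Luna code. It models the schedule exactly as quoted: acceptable through 2010-12-31, restricted to 2^20 64-bit blocks per key from 2011-01-01 through 2015-12-31 (including use from before 2011 for keys whose cryptoperiod extends into 2011), and disallowed for encryption and wrapping afterwards. Names such as `TwoKeyTdesKeyBudget`, `guarded_protect` and the `hsm_protect` callable are assumptions for illustration; `hsm_protect` stands in for whatever PKCS#11 encrypt or wrap call the application actually makes.

```python
"""Application-level enforcement of the SP 800-131A two-key Triple DES limits.

Added example, not SafeNet/Luna code. Assumes the application already holds a
2-key TDES key in the HSM and routes every encrypt / wrap call through
guarded_protect(); hsm_protect is a hypothetical stand-in for the real call.
"""
from datetime import date
from typing import Callable, Optional

BLOCK_BYTES = 8                  # a Triple DES block is 64 bits
MAX_BLOCKS_PER_KEY = 2 ** 20     # SP 800-131A limit during the restricted period

ACCEPTABLE, RESTRICTED, DISALLOWED = "ACCEPTABLE", "RESTRICTED", "DISALLOWED"


def tdes2_protect_status(on: date) -> str:
    """Status of 2-key TDES for encryption / key wrapping on a given date."""
    if on <= date(2010, 12, 31):
        return ACCEPTABLE
    if on <= date(2015, 12, 31):
        return RESTRICTED
    return DISALLOWED


def blocks_for(nbytes: int) -> int:
    """Number of 64-bit blocks needed; a partial block still counts as one."""
    return (nbytes + BLOCK_BYTES - 1) // BLOCK_BYTES


class TwoKeyTdesPolicyError(Exception):
    """Raised when an operation would violate the SP 800-131A limits."""


class TwoKeyTdesKeyBudget:
    """Per-key block counter.

    Encryption and key wrapping share one count because both apply
    cryptographic protection under the same key. prior_blocks carries over
    use from before 2011: the 2^20 limit applies to the lifetime of a key
    whose cryptoperiod began before 2011 and extends into it.
    """

    def __init__(self, key_label: str, prior_blocks: int = 0) -> None:
        self.key_label = key_label
        self.used_blocks = prior_blocks

    def remaining(self) -> int:
        return max(MAX_BLOCKS_PER_KEY - self.used_blocks, 0)

    def consume(self, nbytes: int, on: date) -> int:
        """Account for protecting nbytes under this key on date `on`.

        Returns the running block total, or raises TwoKeyTdesPolicyError.
        """
        status = tdes2_protect_status(on)
        need = blocks_for(nbytes)
        if status == DISALLOWED:
            raise TwoKeyTdesPolicyError(
                f"{self.key_label}: 2-key TDES encryption/wrapping disallowed after 2015-12-31")
        if status == RESTRICTED and self.used_blocks + need > MAX_BLOCKS_PER_KEY:
            raise TwoKeyTdesPolicyError(
                f"{self.key_label}: {need} block(s) requested, {self.remaining()} left of 2^20")
        # Before 2011 the limit is not enforced, but use is still counted so a
        # key carried into 2011 is judged on its total lifetime use.
        self.used_blocks += need
        return self.used_blocks

    def try_consume(self, nbytes: int, on: date) -> bool:
        """Non-raising variant: True if the operation was permitted and counted."""
        try:
            self.consume(nbytes, on)
            return True
        except TwoKeyTdesPolicyError:
            return False


def guarded_protect(budget: TwoKeyTdesKeyBudget,
                    hsm_protect: Callable[[bytes], bytes],
                    data: bytes,
                    on: Optional[date] = None) -> bytes:
    """Charge the budget first, then perform the HSM encrypt/wrap call.

    Charging before the call is deliberate: a failed HSM call still costs
    budget, which errs on the side of the limit. hsm_protect is hypothetical.
    """
    budget.consume(len(data), on or date.today())
    return hsm_protect(data)


if __name__ == "__main__":
    fake_hsm = lambda d: d[::-1]   # constructed stand-in, not real cryptography
    b = TwoKeyTdesKeyBudget("tdes2-example", prior_blocks=MAX_BLOCKS_PER_KEY - 1)
    print(guarded_protect(b, fake_hsm, b"8 bytes!", date(2012, 6, 1)))  # last block fits
    print(b.try_consume(8, date(2012, 6, 1)))                           # False: budget spent
```

The counter must persist with the key (for example alongside the key label in the application's own store), since the limit is on the key's total use, not per process or per session; a key whose count cannot be recovered should be treated as exhausted.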

HMAC Changes

Algorithm  | MAC Generation | MAC Verification
---------- | -------------- | ----------------
HMAC < 112 | OFF            | LEGACY

Note:  SHA-1 is allowed except for digital signature and MAC generation.

Impact on your operations

You can restore keys having legacy bit lengths from a backup. Legacy keys are retained on the HSM after the upgrade to SafeNet HSM 5.4 or later, and function in 'legacy' mode only.

If you still wish to use the ‘legacy’ keys fully, you must exit FIPS mode:

Back up your keys

Switch off FIPS mode (change the policy); this wipes all keys

Restore the keys to the HSM, which is no longer in FIPS mode

Mechanisms Affected

These changes affect the following mechanisms:

RSA FIPS Mechanisms

RSA FIPS Mechanism                        | FIPS | Changes in FIPS mode
----------------------------------------- | ---- | --------------------
CKM_RSA_PKCS_KEY_PAIR_GEN                 | YES  | LEGACY less than 2048 bit
CKM_RSA_PKCS                              | YES  | LEGACY less than 2048 bit
CKM_SHA1_RSA_PKCS                         | YES  | LEGACY
CKM_RSA_PKCS_OAEP                         | YES  | LEGACY less than 2048 bit
CKM_RSA_X9_31_KEY_PAIR_GEN                | YES  | LEGACY less than 2048 bit
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN | YES  | LEGACY less than 2048 bit
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR         | YES  | NO, already enforced at 2048 bit
CKM_SHA1_RSA_X9_31                        | YES  | LEGACY
CKM_SHA224_RSA_X9_31                      | YES  | LEGACY less than 2048 bit
CKM_SHA256_RSA_X9_31                      | YES  | LEGACY less than 2048 bit
CKM_SHA384_RSA_X9_31                      | YES  | LEGACY less than 2048 bit
CKM_SHA512_RSA_X9_31                      | YES  | LEGACY less than 2048 bit
CKM_RSA_PKCS_PSS                          | YES  | LEGACY less than 2048 bit
CKM_SHA1_RSA_PKCS_PSS                     | YES  | LEGACY
CKM_SHA224_RSA_PKCS                       | YES  | LEGACY less than 2048 bit
CKM_SHA224_RSA_PKCS_PSS                   | YES  | LEGACY less than 2048 bit
CKM_SHA256_RSA_PKCS                       | YES  | LEGACY less than 2048 bit
CKM_SHA256_RSA_PKCS_PSS                   | YES  | LEGACY less than 2048 bit
CKM_SHA384_RSA_PKCS                       | YES  | LEGACY less than 2048 bit
CKM_SHA384_RSA_PKCS_PSS                   | YES  | LEGACY less than 2048 bit
CKM_SHA512_RSA_PKCS                       | YES  | LEGACY less than 2048 bit
CKM_SHA512_RSA_PKCS_PSS                   | YES  | LEGACY less than 2048 bit

DSA FIPS Mechanisms

DSA FIPS Mechanism    | FIPS | Changes in FIPS mode
--------------------- | ---- | --------------------
CKM_DSA_KEY_PAIR_GEN  | YES  | LEGACY
CKM_DSA               | YES  | LEGACY
CKM_DSA_PARAMETER_GEN | YES  | LEGACY
CKM_SHA1_DSA          | YES  | LEGACY
CKM_SHA224_DSA        | YES  | LEGACY
CKM_SHA256_DSA        | YES  | LEGACY

ECDSA Mechanisms

ECDSA Mechanism     | FIPS | Changes in FIPS mode
------------------- | ---- | --------------------
CKM_EC_KEY_PAIR_GEN | YES  | LEGACY for n < 224
CKM_ECDSA           | YES  | LEGACY for n < 224
CKM_SHA1_ECDSA      | YES  | LEGACY
CKM_SHA224_ECDSA    | YES  | LEGACY for n < 224
CKM_SHA256_ECDSA    | YES  | LEGACY for n < 224
CKM_SHA384_ECDSA    | YES  | LEGACY for n < 224
CKM_SHA512_ECDSA    | YES  | LEGACY for n < 224

HMAC Mechanisms

HMAC Mechanism  | FIPS | Changes in FIPS mode
--------------- | ---- | --------------------
CKM_HMAC_SHA224 | YES  | LEGACY for key length less than 112 bits
CKM_HMAC_SHA256 | YES  | LEGACY for key length less than 112 bits
CKM_HMAC_SHA384 | YES  | LEGACY for key length less than 112 bits
CKM_HMAC_SHA512 | YES  | LEGACY for key length less than 112 bits
CKM_HMAC_SHA1   | YES  | LEGACY for key length less than 112 bits; an HMAC-based KDF is acceptable using an approved hash function, including SHA-1

Diffie-Hellman Mechanisms

Diffie-Hellman Mechanism  | FIPS | Changes in FIPS mode
------------------------- | ---- | --------------------
CKM_ECDH1_DERIVE          | YES  | LEGACY, for n < 224
CKM_ECDH1_COFACTOR_DERIVE | YES  | LEGACY, for n < 224

Other Effects

In addition to acceptable key sizes, some algorithms now limit the size of data that can be processed. For example, when FIPS mode is active, RSA sign/verify operations will not run if the input data chunk is too small, even with a sufficiently large key size selected. If you use an application that is unaware of FIPS-mode limitations, you might encounter errors unless you adjust its parameters. Using multitoken as an example, and allowing it to use its default data size of 16 bytes, you might see something like this:

C:\Program Files\SafeNet\LunaClient>multitoken.exe -mode rsasigver -key 2048 -slots 1
Initializing library...Finished Initializing
...done.
Do you wish to continue?
Enter 'y' or 'n': y
Constructing thread objects.
Logging in to tokens...
slot 2... Enter password:
Serial Number 151363
Please wait, creating test threads.
Error 0x21 (CKR_DATA_LEN_RANGE) on C_Sign
Aborting tests due to error 0x00000021 (CKR_DATA_LEN_RANGE) on thread 0, slot 1, serial number 150022!
Waiting for threads to terminate.

You can correct this by including the additional parameter "-packet 32" in the command:

C:\Program Files\SafeNet\LunaClient>multitoken -mode rsasigver -key 2048 -slots 1 -packet 32
Initializing library...Finished Initializing
...done.

Do you wish to continue?

Enter 'y' or 'n': y

Constructing thread objects.
Logging in to tokens...
  slot 1...  Enter password: ********
    Serial Number 150022

Please wait, creating test threads.

Test threads created successfully. Press ENTER to terminate testing.

     RSA sign/verify  2048-bit : (packet size = 32 bytes)

          operations/second | elapsed
 1,  0 |   total   average  | time (secs)
------ | ------- ---------- | ------------
 111.2 |   111.2   111.259* |           45 
 111.2 |   111.2   111.253* |           50

Waiting for threads to terminate.

C:\Program Files\SafeNet\LunaClient>

Modification to DES3 Algorithm for NIST Compliance

In accordance with NIST document SP 800-131A Revision 1, when the HSM is in FIPS mode, two-key DES3 is now restricted to legacy operations (Decryption, Unwrapping, and CMAC verification). All other operations for DES3 must use the three-key variant.

If you are still using two-key Triple DES, we suggest that you begin adapting your operational workflow for the following changes, which are in effect as of 2015.

Encryption: Disallowed

Decryption: Legacy

Wrapping: Disallowed

Unwrapping: Legacy

CMAC Sign: Disallowed

CMAC Verification: Legacy