NIST SP 800-131A: Changes to FIPS-Supported Algorithms
As a result of the NIST SP 800-131A algorithm transitions, the list of algorithms supported in FIPS mode changes periodically.
To comply with the changes that came into effect on 01 January 2014, the following algorithms are not supported in SafeNet HSM 5.4 and higher when the HSM is operated in FIPS mode:
•All digital signature and MAC generation algorithms that use SHA-1 are no longer supported; digital signature verification and MAC verification using SHA-1 are still supported for legacy purposes
•DSA key pair generation and signature generation with a key size of less than 2048 bits is no longer supported
•DSA signature verification with 1024-bit keys is still supported for legacy purposes
•RSA key pair generation and signature generation with a key size of less than 2048 bits is no longer supported
•RSA signature verification with 1024-bit keys is still supported for legacy purposes
•ECDSA key pair generation and signature generation with a curve size of less than 224 bits is no longer supported
•ECDSA signature verification with a curve size of less than 224 bits is still supported for legacy purposes
•RSA key wrapping with an RSA key of less than 2048 bits is no longer supported; key unwrapping is still supported for legacy purposes
•RSA encryption with an RSA key of less than 2048 bits is no longer supported; decryption is still supported for legacy purposes
•Diffie-Hellman key agreement with a key size of less than 2048 bits is no longer supported
•EC Diffie-Hellman key agreement with a curve size of less than 224 bits is no longer supported
•HMAC generation with a key size of less than 112 bits is no longer supported
•HMAC verification with a key size of less than 112 bits is still supported for legacy purposes
Note: SHA-1 remains allowed in FIPS Approved mode, with the exception of digital signature and MAC generation, for which it is not allowed in FIPS mode.
These changes affect the following algorithms:
Digital Signature | Key Pair Generation | Signature Generation | Signature Verification
---|---|---|---
DSA < 2048 with SHA-1 | OFF | OFF | LEGACY
DSA < 2048 with SHA-2 | OFF | OFF | LEGACY
RSA < 2048 with SHA-1 | OFF | OFF | LEGACY
RSA < 2048 with SHA-2 | OFF | OFF | LEGACY
ECDSA n < 224 with SHA-1 | OFF | OFF | LEGACY
ECDSA n < 224 with SHA-2 | OFF | OFF | LEGACY

Algorithm | Key Wrapping | Key Unwrapping
---|---|---
RSA < 2048 | OFF | LEGACY

Algorithm | Encryption | Decryption
---|---|---
RSA < 2048 | OFF | LEGACY

Algorithm | Key Agreement
---|---
Diffie-Hellman < 2048 | OFF
EC Diffie-Hellman with n < 224 | OFF

Algorithm | Encryption | Decryption | Key Wrapping | Key Unwrapping | CMAC KDF | HMAC KDF | CMAC Generation | CMAC Verification
---|---|---|---|---|---|---|---|---
2-Key Triple-DES | RESTRICTED | LEGACY | RESTRICTED | LEGACY | DEPRECATED | ACCEPTABLE | DEPRECATED | LEGACY

Algorithm | MAC Generation | MAC Verification
---|---|---
HMAC < 112 | OFF | LEGACY
Note: SHA-1 is allowed except for digital signature/MAC Generation
You can restore keys having legacy bit lengths from a backup. Legacy keys are retained on the HSM after the upgrade to SafeNet HSM 5.4 or later, and function in legacy mode only.
If you still wish to use the legacy keys fully, you must exit FIPS mode:
•Back up your keys
•Switch off FIPS mode by changing the HSM policy; this wipes all keys on the HSM
•Restore the keys to the HSM, which is now no longer in FIPS mode
These changes affect the following mechanisms:
RSA FIPS Mechanism | FIPS | Changes in FIPS mode
---|---|---
CKM_RSA_PKCS_KEY_PAIR_GEN | YES | LEGACY less than 2048 bit
CKM_RSA_PKCS | YES | LEGACY less than 2048 bit
CKM_SHA1_RSA_PKCS | YES | LEGACY
CKM_RSA_PKCS_OAEP | YES | LEGACY less than 2048 bit
CKM_RSA_X9_31_KEY_PAIR_GEN | YES | LEGACY less than 2048 bit
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN | YES | LEGACY less than 2048 bit
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR | YES | NO, already enforced at 2048 bit
CKM_SHA1_RSA_X9_31 | YES | LEGACY
CKM_SHA224_RSA_X9_31 | YES | LEGACY less than 2048 bit
CKM_SHA256_RSA_X9_31 | YES | LEGACY less than 2048 bit
CKM_SHA384_RSA_X9_31 | YES | LEGACY less than 2048 bit
CKM_SHA512_RSA_X9_31 | YES | LEGACY less than 2048 bit
CKM_RSA_PKCS_PSS | YES | LEGACY less than 2048 bit
CKM_SHA1_RSA_PKCS_PSS | YES | LEGACY
CKM_SHA224_RSA_PKCS | YES | LEGACY less than 2048 bit
CKM_SHA224_RSA_PKCS_PSS | YES | LEGACY less than 2048 bit
CKM_SHA256_RSA_PKCS | YES | LEGACY less than 2048 bit
CKM_SHA256_RSA_PKCS_PSS | YES | LEGACY less than 2048 bit
CKM_SHA384_RSA_PKCS | YES | LEGACY less than 2048 bit
CKM_SHA384_RSA_PKCS_PSS | YES | LEGACY less than 2048 bit
CKM_SHA512_RSA_PKCS | YES | LEGACY less than 2048 bit
CKM_SHA512_RSA_PKCS_PSS | YES | LEGACY less than 2048 bit
DSA FIPS Mechanism | FIPS | Changes in FIPS mode
---|---|---
CKM_DSA_KEY_PAIR_GEN | YES | LEGACY
CKM_DSA | YES | LEGACY
CKM_DSA_PARAMETER_GEN | YES | LEGACY
CKM_SHA1_DSA | YES | LEGACY
CKM_SHA224_DSA | YES | LEGACY
CKM_SHA256_DSA | YES | LEGACY
ECDSA Mechanism | FIPS | Changes in FIPS mode
---|---|---
CKM_EC_KEY_PAIR_GEN | YES | LEGACY for n < 224
CKM_ECDSA | YES | LEGACY for n < 224
CKM_SHA1_ECDSA | YES | LEGACY
CKM_SHA224_ECDSA | YES | LEGACY for n < 224
CKM_SHA256_ECDSA | YES | LEGACY for n < 224
CKM_SHA384_ECDSA | YES | LEGACY for n < 224
CKM_SHA512_ECDSA | YES | LEGACY for n < 224
HMAC Mechanism | FIPS | Changes in FIPS mode
---|---|---
CKM_HMAC_SHA224 | YES | LEGACY for key length less than 112 bits
CKM_HMAC_SHA256 | YES | LEGACY for key length less than 112 bits
CKM_HMAC_SHA384 | YES | LEGACY for key length less than 112 bits
CKM_HMAC_SHA512 | YES | LEGACY for key length less than 112 bits
CKM_HMAC_SHA1 | YES | LEGACY for key length less than 112 bits. HMAC-based KDF remains acceptable using an approved hash function, including SHA-1
EC Diffie-Hellman Mechanisms | FIPS | Changes in FIPS mode
---|---|---
CKM_ECDH1_DERIVE | YES | LEGACY for n < 224
CKM_ECDH1_COFACTOR_DERIVE | YES | LEGACY for n < 224
NIST document SP 800-131A places restrictions on the usage of Triple-DES (DES3) in FIPS mode.
As of 01 January 2016, 2-key Triple-DES is restricted to legacy operations (decryption, unwrapping, and CMAC verification) when the HSM is in FIPS mode. All other Triple-DES operations now require the 24-byte three-key variant with three unique keys.
The HSM refuses non-legacy operations when in FIPS mode. The restriction on 16-byte two-key Triple-DES is enforced by the module in firmware versions 6.22.0 and higher. The restriction on 24-byte Triple-DES keys with non-unique components (K1 = K3, which is two-key Triple-DES carried in the three-key format) is enforced by the module in firmware versions 6.24.2 and higher.
To illustrate, Triple DES has three keying options (table below):
Keying Option | Common Names | Key Size | Key Format | FIPS Status | Notes
---|---|---|---|---|---
Keying Option 1 | 3-Key Triple DES, or 3DES / DES3 | 24-byte DES3 key (3 x 8-byte keys) | K1≠K2≠K3: 3 keys, all unique | Approved |
Keying Option 2 | 2-Key Triple DES, or 2DES / DES2 | 16-byte DES2 key (2 x 8-byte keys) | K1≠K2: 2 keys, K1 is reused for K3 | Legacy as of 1 Jan 2016 | Restricted in FW 6.22.0
Keying Option 2 | 2-Key Triple DES, or 2DES / DES2 | 24-byte DES3 key (3 x 8-byte keys) | K1=K3≠K2: 3 keys, with K1 and K3 identical | Legacy as of 1 Jan 2016 | Restricted in FW 6.24.2
Keying Option 3 | 1-Key Triple DES, or DES | 24-byte DES3 key (3 x 8-byte keys) | K1=K2=K3: 3 keys, all identical | Disallowed |
Keying Option 3 | 1-Key Triple DES, or DES | 8-byte DES key | K1: 1 key, K1 is reused for K2 and K3 | Disallowed |
Note: The FIPS Status and Notes columns in the above table refer to the HSM when it is in FIPS mode.
Only when the HSM is not in FIPS mode can the 2-key and the non-unique 3-key DES3 variants be used freely.
Note: These Triple DES restrictions are enforced by the HSM at release HSM 6.2.1 and firmware 6.24.2 and above; firmware 6.24.2 is currently (July 2016) on track to be the next FIPS-validation candidate.
The FIPS-validated version at this time is firmware 6.10.9 which was released before the SP 800-131A Revision 1 adjustment. Therefore, exclusion of 2-key, or 3-key non-unique, Triple DES is enforced by firmware only if you update to firmware versions shown in the table. If your HSM remains at version 6.10.9, then the SP800-131A revision 1 restriction must be enforced by your application if you wish to do so.
In addition to acceptable key sizes, some algorithms now limit the size of data that can be processed. For example, RSA sign/verify operations, even with a sufficiently large key size, will not run in FIPS mode if the input data chunk is too small. If you use an application that is unaware of FIPS-mode limitations, you might encounter errors unless you adjust its parameters. Using multitoken as an example and letting it use its default data size of 16 bytes, you might see something like this:
    C:\Program Files\SafeNet\LunaClient>multitoken.exe -mode rsasigver -key 2048 -slots 1
    Initializing library...Finished Initializing
    ...done.
    Do you wish to continue?
    Enter 'y' or 'n': y
    Constructing thread objects.
    Logging in to tokens...
    slot 2... Enter password:
    Serial Number 151363
    Please wait, creating test threads.
    Error 0x21 (CKR_DATA_LEN_RANGE) on C_Sign
    Aborting tests due to error 0x00000021 (CKR_DATA_LEN_RANGE) on thread 0, slot 1, serial number 150022!
    Waiting for threads to terminate.
You correct this by including the additional parameter "-packet 32" in the command:
    C:\Program Files\SafeNet\LunaClient>multitoken -mode rsasigver -key 2048 -slots 1 -packet 32
    Initializing library...Finished Initializing
    ...done.
    Do you wish to continue?
    Enter 'y' or 'n': y
    Constructing thread objects.
    Logging in to tokens...
    slot 1... Enter password: ********
    Serial Number 150022
    Please wait, creating test threads.
    Test threads created successfully.
    Press ENTER to terminate testing.

    RSA sign/verify 2048-bit : (packet size = 32 bytes)
          operations/second      |    elapsed
          1,          0  | total    average  | time (secs)
        ------    ------- ---------- | ------------
         111.2 |  111.2    111.259* |   45
         111.2 |  111.2    111.253* |   50

    Waiting for threads to terminate.
    C:\Program Files\SafeNet\LunaClient>
In accordance with NIST SP 800-131A Revision 1, when the HSM is in FIPS mode, two-key DES3 is restricted to legacy operations (decryption, unwrapping, and CMAC verification). All other DES3 operations must use the three-key variant.
If you are still using two-key Triple DES, we suggest that you begin adapting your operational workflow for the following changes, which are in effect as of 1 January 2016 (SP 800-131A Revision 1, published in 2015):
•Encryption: Disallowed
•Decryption: Legacy
•Wrapping: Disallowed
•Unwrapping: Legacy
•CMAC Sign: Disallowed
•CMAC Verification: Legacy
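The algorithm list at the top of this page and the Triple DES keying-option table above both describe rules an application must apply itself when its HSM firmware predates the firmware-level enforcement. The following is an added example, not SafeNet/Gemalto code, of an application-side pre-check that encodes those rules: it classifies raw Triple-DES key material by keying option (including the 24-byte K1 = K3 form) and maps algorithm, operation, key size and hash to the page's APPROVED / LEGACY / OFF statuses. The names Status, fips_status and tdes_keying_option, the operation vocabulary, and the sample key components are assumptions made for this example. One step goes beyond the page: a 24-byte key with K1 = K2 or K2 = K3 is reported as single-DES strength, because under EDE the inner decrypt cancels the neighbouring encrypt; that collapse is the example author's reasoning, not a statement on the page.

```python
"""Application-side SP 800-131A pre-check for FIPS-mode HSM calls.

Added example, not SafeNet/Gemalto code. It encodes the status tables on
this page so an application whose HSM firmware predates the firmware-level
enforcement can refuse the same operations the HSM refuses in FIPS mode.
Names (Status, fips_status, tdes_keying_option) and the sample keys are
assumptions made for this example.
"""
from enum import Enum


class Status(Enum):
    APPROVED = "APPROVED"   # allowed without restriction in FIPS mode
    LEGACY = "LEGACY"       # allowed only for the receiving direction
    OFF = "OFF"             # rejected in FIPS mode


# Receiving-direction operations that SP 800-131A still permits on
# legacy-strength keys (verification, decryption, unwrapping).
LEGACY_OPS = frozenset({"verify", "decrypt", "unwrap"})
# Generating-direction operations that are switched off for such keys.
# "sign" also stands for MAC/CMAC generation, "verify" for MAC/CMAC verification.
GENERATING_OPS = frozenset({"sign", "encrypt", "wrap", "keygen", "derive"})

# Minimum security parameter per algorithm from the page: modulus bits for
# RSA/DSA/DH, curve-order bits (n) for ECDSA/ECDH, key bits for HMAC.
MINIMUM_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048,
                "ECDSA": 224, "ECDH": 224, "HMAC": 112}


def tdes_keying_option(key: bytes) -> int:
    """Classify raw Triple-DES key material by its 8-byte components.

    Returns 1 for three unique keys, 2 for two-key Triple-DES (16 bytes, or
    24 bytes with K1 == K3) and 3 for single-DES strength (8 bytes, or all
    components identical). K1 == K2 or K2 == K3 in a 24-byte key is also 3:
    under EDE the inner decrypt cancels the neighbouring encrypt, leaving a
    single DES operation (example author's reasoning, not from the page).
    """
    if len(key) == 8:
        return 3
    if len(key) == 16:
        return 3 if key[:8] == key[8:] else 2
    if len(key) == 24:
        k1, k2, k3 = key[:8], key[8:16], key[16:]
        if k1 == k2 == k3:
            return 3
        if k1 == k3:
            return 2            # Keying Option 2 carried in a 24-byte key
        if k1 == k2 or k2 == k3:
            return 3            # degenerate EDE, effectively single DES
        return 1
    raise ValueError("Triple-DES key material must be 8, 16 or 24 bytes long")


def fips_status(algorithm: str, operation: str, *, key_bits: int = 0,
                hash_name: str = "SHA-256", key: bytes = b"") -> Status:
    """Decide whether an operation may run in FIPS mode per SP 800-131A.

    key_bits is the modulus, curve-order or HMAC key size; key is the raw
    key material for DES3; hash_name matters only for sign/verify.
    """
    alg = algorithm.upper()
    op = operation.lower()
    if op not in LEGACY_OPS | GENERATING_OPS:
        raise ValueError(f"unknown operation {operation!r}")

    if alg in ("DES3", "TDES", "3DES"):
        option = tdes_keying_option(key)
        if option == 1:
            return Status.APPROVED
        if option == 2:         # two-key: legacy direction only
            return Status.LEGACY if op in LEGACY_OPS else Status.OFF
        return Status.OFF       # single DES: disallowed either way

    if alg not in MINIMUM_BITS:
        raise ValueError(f"unknown algorithm {algorithm!r}")

    # SHA-1 stays allowed except for signature/MAC generation; SHA-1
    # verification remains available for legacy use.
    sha1 = hash_name.upper().replace("-", "") == "SHA1"
    weak = key_bits < MINIMUM_BITS[alg] or (sha1 and op in ("sign", "verify"))
    if not weak:
        return Status.APPROVED
    # Key agreement and key generation have no legacy direction, so a weak
    # "derive" or "keygen" falls through to OFF here.
    return Status.LEGACY if op in LEGACY_OPS else Status.OFF


# Constructed sample key components for demonstration (not real keys).
K1, K2, K3 = bytes(range(8)), bytes(range(8, 16)), bytes(range(16, 24))

if __name__ == "__main__":
    for label, args, kwargs in [
        ("RSA-1024 sign", ("RSA", "sign"), {"key_bits": 1024}),
        ("RSA-1024 verify", ("RSA", "verify"), {"key_bits": 1024}),
        ("RSA-2048 SHA-1 sign", ("RSA", "sign"), {"key_bits": 2048, "hash_name": "SHA-1"}),
        ("DES3 24-byte K1=K3 encrypt", ("DES3", "encrypt"), {"key": K1 + K2 + K1}),
        ("DES3 16-byte decrypt", ("DES3", "decrypt"), {"key": K1 + K2}),
        ("DH-1024 derive", ("DH", "derive"), {"key_bits": 1024}),
    ]:
        print(f"{label:30s} -> {fips_status(*args, **kwargs).value}")
```

Calling fips_status before each HSM request gives an application on older firmware the same answer the HSM gives in FIPS mode on firmware 6.22.0/6.24.2 and later, and makes the 24-byte two-key form visible, which a pure length check on the key object misses.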
SP 800-67 specifies the Triple-DES algorithm itself and changes rarely. SP 800-131A is a living document, updated as the cryptographic and threat environments evolve, that places additional usage requirements on existing standards.
A late 2015 change in SP 800-131A is implemented in SafeNet General Purpose HSM firmware 6.24.2 as of July 2016.
Please refer to NIST SP 800-131A: Changes to FIPS-Supported Algorithms above for details.