Asymmetric Algorithms and Mechanisms
In the following tables, "Unrestricted", "FIPS 140 Level 3", and "Common Criteria CMTS" refer to the Security World mode designation. The cells in these columns detail any restrictions for the corresponding feature in each Security World mode. A blank cell means that the feature has no restrictions in that mode.
FIPS 140 Level 3: in v3 Security Worlds in FIPS 140 Level 3 mode, some smaller key sizes are disabled.
Diffie-Hellman Key Agreement
Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
---|---|---|---|---|
Diffie-Hellman | Y | N | DH | Y |
Diffie-Hellman | Y | Y | DHEx | Y |
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
DHPrivate key generation | | Forbidden | |
DHPrivate default size | 1024/160 | 2048/224 | 1024/160 |
DHPrivate key agreement | | Forbidden | |
DHExPrivate key generation | | | |
DHExPrivate domain parameters | | Restricted as per SP800-56Ar3 | |
DHExPrivate key generation modulus size | 512-16384 | 2048-16384 | 512-16384 |
DHExPrivate key generation group order size | 160 minimum | 224 minimum | 160 minimum |
DHExPrivate default size | 2048/256 | 2048/256 | 2048/256 |
DHExPrivate key agreement minimum size | | 2048 | |
DHExPrivate key agreement | | Forbidden with Cmd_Decrypt | |
ElGamal encryption/decryption | | Forbidden | |
IEEE DLIES with ANSI X9.63 KDF | | Forbidden | |
IEEE DLIES with ANSI X9.63 KDF | | Forbidden | |
IEEE DLIES with ANSI X9.63 KDF | | | |
Diffie Hellman and FIPS 140 Level 3 mode
nShield supports two Diffie Hellman key types, DHPrivate and (from V12.50) DHExPrivate. The difference is that DHExPrivate tracks the group order q while DHPrivate does not. In DLf3072s256mFcSP800131Ar1 or later FIPS worlds, DHPrivate is disabled and only DHExPrivate is enabled.
From V12.70, in a DLf3072s256mFcSP800131Ar1 or later FIPS world, when a DHEx key is generated or loaded into the module, the domain parameters are more strictly validated. If the domain parameters do not match the safe prime groups in SP800-56Ar3 appendix D, the validation time is significantly longer. Entrust recommends that you always use SP800-56Ar3 domain parameters.
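The validation described above can be reproduced host-side before a DHEx key is generated or loaded. The Python below is an added example, not Entrust code and not the module's own validation routine: it applies the structural checks that SP800-56A requires of a finite-field group (q divides p-1, g has order q, p and q prime), treats a known SP800-56Ar3 Appendix D safe-prime group as a fast path that needs no primality testing (only RFC 7919 ffdhe2048 is embedded, standing in for the full Appendix D list), and applies the FIPS 140 Level 3 size limits from the table above. The fast/slow split models the validation-time behaviour the text describes; the small groups in the test are constructed toys.

```python
import random

# RFC 7919 "ffdhe2048" modulus, one of the safe-prime groups in SP800-56Ar3
# Appendix D.  Only this group is embedded; the other Appendix D groups would
# be added to APPROVED_SAFE_PRIMES in the same way (assumption: a real deployment
# would carry the whole list).
FFDHE2048_P = int("".join("""
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 D8B9C583 CE2D3695
A9E13641 146433FB CC939DCE 249B3EF9 7D2FE363 630C75D8 F681B202 AEC4617A
D3DF1ED5 D5FD6561 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 30ACCA4F 483A797A
BC0AB182 B324FB61 D108A94B B2C8E3FB B96ADAB7 60D7F468 1D4F42A3 DE394DF4
AE56EDE7 6372BB19 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 3BB5FCBC 2EC22005
C58EF183 7D1683B2 C6F34A26 C1B2EFFA 886B4238 61285C97 FFFFFFFF FFFFFFFF
""".split()), 16)
APPROVED_SAFE_PRIMES = {FFDHE2048_P}

# FIPS 140 Level 3 limits for DHExPrivate key generation, from the table above.
FIPS_MODULUS_BITS = (2048, 16384)
FIPS_ORDER_MIN_BITS = 224


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; adequate for a pre-load sanity check."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness that n is composite
    return True


def validate_dh_domain(p, q, g):
    """Return a report describing (p, q, g) and which modes would accept it."""
    report = {"valid": False, "reason": "", "fast_path": False,
              "safe_prime_group": False, "approved_group": False,
              "fips_level3_ok": False, "fips_level3_v1270_ok": False}

    def fail(why):
        report["reason"] = why
        return report

    # Cheap structural checks first, so malformed input is rejected early.
    if p < 5 or p % 2 == 0:
        return fail("p must be an odd integer >= 5")
    if q < 2 or (p - 1) % q != 0:
        return fail("q must divide p-1")
    if not 1 < g < p - 1:
        return fail("g must lie strictly between 1 and p-1")
    if pow(g, q, p) != 1:
        return fail("g does not generate a subgroup of order q")

    # Appendix D groups are safe-prime groups: q = (p-1)/2 and g = 2.
    report["safe_prime_group"] = q == (p - 1) // 2
    report["approved_group"] = (report["safe_prime_group"] and g == 2
                                and p in APPROVED_SAFE_PRIMES)
    if report["approved_group"]:
        # Known group: membership in the list is sufficient, no primality tests.
        report["fast_path"] = True
    else:
        # Unknown parameters: the expensive path (the "significantly longer"
        # validation the text warns about).
        if not is_probable_prime(q):
            return fail("q is not prime")
        if not is_probable_prime(p):
            return fail("p is not prime")

    report["valid"] = True
    lo, hi = FIPS_MODULUS_BITS
    sizes_ok = lo <= p.bit_length() <= hi and q.bit_length() >= FIPS_ORDER_MIN_BITS
    report["fips_level3_ok"] = sizes_ok
    # From V12.70 a DLf3072s256mFcSP800131Ar1-or-later FIPS world accepts
    # SP800-56Ar3 domains only.
    report["fips_level3_v1270_ok"] = sizes_ok and report["approved_group"]
    return report


if __name__ == "__main__":
    # Constructed toy groups: 23 is a safe prime (q = 11); 31 with q = 5 is valid
    # but not a safe-prime group.
    for params in ((23, 11, 2), (31, 5, 2), (23, 11, 5),
                   (FFDHE2048_P, (FFDHE2048_P - 1) // 2, 2)):
        print(params[0].bit_length(), "bits:", validate_dh_domain(*params))
```

Running the ffdhe2048 group with a non-standard generator (for example g = 4, which is a square and so still has order q) forces the slow path and shows the difference in wall-clock time that the text refers to, while the same modulus with g = 2 is accepted by list membership alone.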
Firmware | Ciphersuite | DHPrivate & DHPublic | DHExPrivate & DHExPublic |
---|---|---|---|
Before V12.50 | Any | Permitted | Not implemented |
V12.50/V12.60 | DLf1024s160mDES3 | Permitted | Permitted |
V12.50/V12.60 | DLf3072s256mFcSP800131Ar1 | Forbidden | Permitted |
V12.70 and later | DLf1024s160mDES3 | Permitted | Permitted |
V12.70 and later | DLf3072s256mFcSP800131Ar1 | Forbidden | SP800-56Ar3 domains only |
DSA Signature
Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
---|---|---|---|---|
DSA | Y | Y (see DSA and FIPS 140 Level 3 mode) | DSA | Y |
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
DSA key generation | | | |
DSA key generation public modulus sizes | 512-16384 | FIPS 186-4 sizes only | 512-16384 |
DSA key generation group order sizes | 160-512 | FIPS 186-4 sizes only | 160-512 |
DSA signature key sizes | | FIPS 186-4 sizes only | |
DSA signature hashes | | RIPEMD160 & SHA-1 forbidden | |
Legacy DSA domain generation | | Forbidden | |
Legacy DSA domain generation | | | |
FIPS 186-4 DSA domain generation | | | |
DSA SHA-1 signature | | Forbidden | |
DSA SHA-2 signature | | | |
DSA RIPEMD160 signature | | Forbidden | |
RSA Signature/Encryption
Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
---|---|---|---|---|
RSA | Y | Y | RSA | Y |
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
RSA key generation | | Strong primes always on¹ | |
RSA key generation public modulus size | 512-16384 | 2048-16384 | 512-16384 |
RSA key generation rules (<1024) | FIPS 186-5 A.1.6 | Forbidden | |
RSA key generation rules (>=1024) | | | |
RSA key generation/import public exponent | minimum 3 | 16-256 bits | minimum 3 |
RSA signature key sizes | | 2048 minimum | |
RSA signature hashes | | RIPEMD160 & SHA-1 forbidden | |
Raw RSA operations (i.e. encryption/decryption or sign/verify using | | See Raw RSA and FIPS 140 Level 3 mode below | |
RSA PKCS#1 encryption/decryption | | Forbidden | |
RSA PKCS#1 any-hash signature | | Forbidden | |
RSA PKCS#1 SHA-1 signature | | Forbidden | |
RSA PKCS#1 SHA-2 signature | | | |
RSA PKCS#1 SHA-3 signature | | | |
RSA PSS SHA-1 signature | | Forbidden | |
RSA PSS SHA-2 signature | | | |
RSA PSS SHA-3 signature | | | |
RSA PSS RIPEMD160 signature | | Forbidden | |
RSA SHA-1 OAEP encryption | | | |
RSA SHA-2 OAEP encryption | | | |
RSA SHA-3 OAEP encryption | | | |

¹ FIPS Security Worlds always have "always use strong primes" enabled. This setting is optional for non-FIPS Security Worlds. The "strong primes" algorithm is the only FIPS-compliant RSA keygen algorithm currently offered.
Raw RSA and FIPS 140 Level 3 mode
Since V12.50, raw RSA is restricted in FIPS 140 Level 3 mode and completely disabled in ECp521mAES FIPS worlds.
Firmware | Ciphersuite | Mechanism | FIPS 140 Level 3 |
---|---|---|---|
Before V12.50 | Any | Any | Permitted |
V12.50-V13.7 | Any | Mech_RSApPKCS1 | Forbidden |
V12.50-V13.7 | Any | Any other mechanism | Permitted |
V13.8 | DLf1024s160mDES3 | Mech_RSApPKCS1 | Forbidden |
V13.8 | DLf1024s160mDES3 | Any other mechanism | Permitted |
V13.8 | ECp521mAES | Any | Forbidden |
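Raw RSA means the module performs only the modular exponentiation on a block the caller supplies; any hashing or padding is the caller's responsibility. The following Python is an added illustration of what that leaves out, not Entrust code; the 12-bit key is a constructed toy (p = 61, q = 53) chosen so every value is visible, not a usable key, and the 4-bit tag stands in for the much longer PKCS#1 encodings. It shows that unpadded RSA is deterministic and multiplicatively homomorphic, so two legitimate raw signatures multiply into a third value that raw verification accepts although nobody signed that message, whereas a block format that the verifier checks rejects the combined value.

```python
# Constructed toy RSA key (p = 61, q = 53); NOT a real key, chosen so the
# arithmetic is small enough to follow by hand.
P, Q = 61, 53
N = P * Q            # 3233
E = 17               # public exponent
D = 2753             # E * D == 1 (mod lcm(P-1, Q-1) = 780)


def raw_rsa(x, exponent, n=N):
    """Textbook RSA: nothing but x^exponent mod n, no padding, no hashing."""
    return pow(x, exponent, n)


def raw_encrypt(m):
    return raw_rsa(m, E)


def raw_decrypt(c):
    return raw_rsa(c, D)


def raw_sign(m):
    return raw_rsa(m, D)


def raw_verify(sig, m):
    return raw_rsa(sig, E) == m


# Property 1: determinism.  Equal plaintexts give equal ciphertexts, so an
# observer can match them.  Padded encryption (OAEP) injects random bytes so
# that this equality disappears; the toy key is too small to carry OAEP.
def is_deterministic(m):
    return raw_encrypt(m) == raw_encrypt(m)


# Property 2: multiplicative homomorphism.  x^d * y^d == (x*y)^d (mod N), so
# raw ciphertexts and raw signatures can be combined without the private key.
def combine(x, y, n=N):
    return (x * y) % n


# Hardened contrast: give the signed block a fixed structure that the verifier
# demands.  A 4-bit tag in front of an 8-bit payload is the toy version of the
# fixed DigestInfo / EMSA structure of a PKCS#1 signature block.
TAG = 0xA


def pad(m):
    if not 0 <= m < 256:
        raise ValueError("toy payload is 8 bits")
    return (TAG << 8) | m            # at most 0xAFF = 2815 < N, a valid RSA input


def sign_padded(m):
    return raw_sign(pad(m))


def verify_padded(sig, m):
    # The recovered block must equal the encoding exactly; no other value is
    # accepted, so a product of two blocks has to reproduce the structure by
    # chance.  With a 4-bit tag that is 1 in 16; with real encodings of
    # hundreds of fixed bits it is negligible.
    return raw_rsa(sig, E) == pad(m)


def forged_padded_signature_accepted(m1, m2):
    """Multiply two valid padded signatures and ask whether the result verifies
    as a padded signature on any 8-bit message."""
    forged = combine(sign_padded(m1), sign_padded(m2))
    return any(verify_padded(forged, m) for m in range(256))


if __name__ == "__main__":
    forged = combine(raw_sign(2), raw_sign(3))
    print("raw verify accepts product signature on 6:", raw_verify(forged, 6))
    print("padded verify accepts product of two padded signatures:",
          forged_padded_signature_accepted(1, 2))
```

The same homomorphism applies to decryption: a service that performs raw RSA decryption on caller-supplied ciphertexts can be made to decrypt a blinded value whose result reveals another ciphertext's plaintext, which is why the FIPS profile pushes padding and hashing inside the module instead of leaving them to the application.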
Elliptic Curve Key Agreement
Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
---|---|---|---|---|
ECDH | Y | Y | ECDH or EC | Y |
ECIES | N | N | ECDH or EC | N |
KeyType_ECPrivate allows a single key to be used for key establishment and signature generation, depending on the permissions in its ACL.
If you require FIPS 140 compliance, then additional care must be taken to comply with the rules about using a single key for multiple purposes, such as section 5.2, General Key Management Guidance: Key Usage of SP800-57pt1r5.
The HSM can help enforce these rules, for example, by placing the sign permission in a permission group with UseLim_Global (use limit) set to a maximum use count of 1.
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
ECC enablement | EllipticCurve feature (enabled by default from firmware V13.5 onwards) | EllipticCurve feature (enabled by default from firmware V13.5 onwards) | EllipticCurve feature (enabled by default from firmware V13.5 onwards) |
ECC domain parameters | | 224 minimum; SECP256k1 forbidden | |
ECDH key agreement | | Forbidden with Cmd_Decrypt | |
ECDHC key agreement | | Forbidden with Cmd_Decrypt | |
ECDH key generation | | | |
ECDHLax key generation | | Forbidden | |
ECDHLax key agreement | | Forbidden | |
Elliptic Curve Signature
Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
---|---|---|---|---|
ECDSA | Y¹ | Y¹ | ECDSA or EC | Y |

¹ FIPS 140 approval is only for use with ECDSA keys, not with EC keys.
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
ECC enablement | EllipticCurve feature (enabled by default from V13.5 onwards) | EllipticCurve feature (enabled by default from V13.5 onwards) | EllipticCurve feature (enabled by default from V13.5 onwards) |
ECC domain parameters | | 224 minimum; SECP256k1 forbidden before V13.8 | |
ECDSA key generation | | | |
ECDSA signature RNG | | Never uses unvalidated RNG | |
ECDSA signature hash | | RIPEMD160 & SHA-1 forbidden | |
ECDSA verify hash | | RIPEMD160 forbidden | |
ECDSA SHA-1 sign | | Forbidden | |
ECDSA SHA-1 verify | | | |
ECDSA RIPEMD160 sign/verify | | Forbidden | |
ECDSA SHA-2 sign/verify | | | |
ECDSA SHA-3 sign/verify | | | |
ECDSA sign/verify GBCS mode | | Forbidden | |
X25519/Curve25519 Key Agreement
Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
---|---|---|---|---|
X25519 | N | N | X25519 | Y |

Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
X25519 key generation | | Forbidden | |
X25519 key agreement | | Forbidden | |
Ed25519 Signature
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
Ed25519 key generation | | Forbidden up to V13.6 | |
Pure Ed25519 sign/verify | | Forbidden up to V13.6 | |
Prehashed Ed25519 sign/verify | | Forbidden up to V13.6 | |
Prehashed Ed25519 sign/verify with context | | | |
Ed448 Signature
Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
---|---|---|---|---|
Ed448 | Y | Y | Ed448 | N |

Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
Ed448 key generation | | Forbidden up to V13.6 | |
Pure Ed448 sign/verify | | Forbidden up to V13.6 | |
Pure Ed448 sign/verify with context | | | |
Prehashed Ed448 sign/verify | | Forbidden up to V13.6 | |
Prehashed Ed448 sign/verify with context | | | |
KCDSA Signature
Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
---|---|---|---|---|
KCDSA | N | N | KCDSA | N |

Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
KCDSA enablement | KISAAlgorithms feature required | KISAAlgorithms feature required | KISAAlgorithms feature required |
KCDSA key generation | | Forbidden | |
KCDSA signature | | Forbidden | |
KCDSA domain generation | | Forbidden | |