Asymmetric Algorithms and Mechanisms

In the following table, "Unrestricted", "FIPS 140 Level 3", and "Common Criteria CMTS" refer to the Security World mode designation. The cells in these columns detail any restrictions for the corresponding feature in each of the Security World modes. A blank cell means that the feature has no restrictions.

FIPS 140 Level 3: In v3 Security Worlds, in FIPS 140 Level 3 mode, some smaller key sizes are disabled.

Diffie-Hellman Key Agreement

| Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
|---|---|---|---|---|
| Diffie-Hellman | Y | N | DH | Y |
| Diffie-Hellman (extended) | Y | Y | DHEx | Y |

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| DHPrivate key generation (KeyType_DHPrivate) | | Forbidden | |
| DHPrivate default size | 1024/160 | 2048/224 | 1024/160 |
| DHPrivate key agreement (Mech_DHKeyExchange) | | Forbidden (including DLIES) | |
| DHExPrivate key generation (KeyType_DHExPrivate) (introduced in V12.50) | | | |
| DHExPrivate domain parameters | | Restricted as per SP800-56Ar3 | |
| DHExPrivate key generation modulus size | 512-16384 | 2048-16384 | 512-16384 |
| DHExPrivate key generation group order size | 160 minimum | 224 minimum (256 minimum for a 3072-bit modulus) | 160 minimum |
| DHExPrivate default size | 2048/256 | 2048/256 | 2048/256 |
| DHExPrivate key agreement minimum size | | 2048 | |
| DHExPrivate key agreement (Mech_DHExKeyExchange) | | Forbidden with Cmd_Decrypt (permitted with KDF) | |
| ElGamal encryption/decryption (Mech_ElGamal) | | Forbidden | |
| IEEE DLIES with ANSI X9.63 KDF and 3DES CBC encryption (Mech_DLIESe3DEShSHA1) | | Forbidden | |
| IEEE DLIES with ANSI X9.63 KDF and AES CBC encryption (Mech_DLIESeAEShSHA1) | | Forbidden | |
| IEEE DLIES with ANSI X9.63 KDF and AES CBC encryption (Mech_DLIESeAEShSHA1DHEx) | | | |

Diffie-Hellman and FIPS 140 Level 3 mode

nShield supports two Diffie-Hellman key types, DHPrivate and (from V12.50) DHExPrivate. The difference is that DHExPrivate tracks the group order q while DHPrivate does not. In DLf3072s256mFcSP800131Ar1 or later FIPS worlds, DHPrivate is disabled and only DHExPrivate is enabled.

From V12.70, in a DLf3072s256mFcSP800131Ar1 or later FIPS world, when a DHEx key is generated or loaded into the module, the domain parameters are more strictly validated. If the domain parameters do not match the safe prime groups in SP800-56Ar3 appendix D, the validation time is significantly longer. Entrust recommends that you always use SP800-56Ar3 domain parameters.
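As an added example (not part of this page or Entrust's own code), the following Python checks a candidate DHEx domain-parameter set (p, q, g) against the usual FFC structural rules and the DHExPrivate modulus and group-order limits from the table above, and reports whether the group has the safe-prime shape of the SP800-56Ar3 appendix D groups. The MODE_LIMITS lookup, the mode names and the small sample groups are constructed for illustration.

```python
import random

# Modulus (min, max) and group-order minimum in bits per mode, constructed from the DHExPrivate rows above.
MODE_LIMITS = {
    "Unrestricted": (512, 16384, 160),
    "FIPS 140 Level 3": (2048, 16384, 224),
    "Common Criteria CMTS": (512, 16384, 160),
}


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a fixed seed keeps the result reproducible."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dhex_domain(p: int, q: int, g: int, mode: str) -> dict:
    """Structural FFC rules (p, q prime; q | p-1; 1 < g < p-1; g^q = 1 mod p) plus
    the size limits of MODE_LIMITS, with the FIPS rule that |p| = 3072 needs |q| >= 256."""
    lo, hi, qmin = MODE_LIMITS[mode]
    pbits, qbits = p.bit_length(), q.bit_length()
    if mode == "FIPS 140 Level 3" and pbits == 3072:
        qmin = 256
    structural = (is_probable_prime(p) and is_probable_prime(q)
                  and (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1)
    return {
        "structurally_valid": structural,
        "sizes_ok": lo <= pbits <= hi and qbits >= qmin,
        # Safe-prime shape p = 2q + 1 (a shape check only, not membership in the named appendix D groups).
        "safe_prime_group": p == 2 * q + 1,
    }
```

A real parameter set that passes the structural checks but fails `safe_prime_group` is exactly the case the paragraph above warns about: accepted, but with the slower validation path.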

| Firmware | Ciphersuite | DHPrivate & DHPublic | DHExPrivate & DHExPublic |
|---|---|---|---|
| Before V12.50 | Any | Permitted | Not implemented |
| V12.50/V12.60 | DLf1024s160mDES3, DLf1024s160mRijndael, DLf3072s256mRijndael | Permitted | Permitted |
| V12.50/V12.60 | DLf3072s256mFcSP800131Ar1 | Forbidden | Permitted |
| V12.70 and later | DLf1024s160mDES3, DLf1024s160mRijndael, DLf3072s256mRijndael | Permitted | Permitted |
| V12.70 and later | DLf3072s256mFcSP800131Ar1, ECp521mAES (from V13.7) | Forbidden | SP800-56Ar3 domains only |

DSA Signature

| Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
|---|---|---|---|---|
| DSA | Y | Y (see DSA and FIPS 140 Level 3 mode) | DSA | Y |

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| DSA key generation (KeyType_DSA) | | See DSA and FIPS 140 Level 3 mode | |
| DSA key generation public modulus sizes | 512-16384 | FIPS 186-4 sizes only; 2048 minimum | 512-16384 |
| DSA key generation group order sizes | 160-512 | FIPS 186-4 sizes only; 224 minimum | 160-512 |
| DSA signature key sizes | | FIPS 186-4 sizes only; 2048/224 minimum | |
| DSA signature hashes | | RIPEMD160 & SHA-1 forbidden | |
| Legacy DSA domain generation (KeyType_DSAComm) | | Forbidden | |
| Legacy DSA domain generation (KeyType_DSACommVariableSeed) | | | |
| FIPS 186-4 DSA domain generation (KeyType_DSACommFIPS186_3) | | | |
| DSA SHA-1 signature (Mech_DSA) | | Forbidden | |
| DSA SHA-2 signature (Mech_DSAhSHA224, Mech_DSAhSHA256, Mech_DSAhSHA384, Mech_DSAhSHA512) | | | |
| DSA RIPEMD160 signature (Mech_DSAhRIPMED160) | | Forbidden | |

DSA and FIPS 140 Level 3 mode

| Firmware | Ciphersuite | FIPS 140 Level 3 |
|---|---|---|
| Before V13.7 | Any | Permitted |
| V13.7 and later | DLf1024s160mDES3, DLf1024s160mRijndael, DLf3072s256mRijndael, DLf3072s256mFcSP800131Ar1 | Permitted |
| V13.7 and later | ECp521mAES | Forbidden |

RSA Signature/Encryption

| Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
|---|---|---|---|---|
| RSA | Y | Y | RSA | Y |

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| RSA key generation (KeyType_RSAPrivate) | | Strong primes always on [1] | |
| RSA key generation public modulus size | 512-16384 | 2048-16384; multiple of 2 | 512-16384 |
| RSA key generation rules (<1024) | FIPS 186-5 A.1.6 | Forbidden | FIPS 186-5 |
| RSA key generation rules (>=1024) | FIPS 186-5 | FIPS 186-5 | FIPS 186-5 |
| RSA key generation/import public exponent | minimum 3; must be odd | 16-256 bits; must be odd | minimum 3; must be odd |
| RSA signature key sizes | | 2048 minimum | |
| RSA signature hashes | | RIPEMD160 & SHA-1 forbidden | |
| Raw RSA operations (i.e. encryption/decryption or sign/verify using any RSA mechanism with bignum plaintext) | | See Raw RSA and FIPS 140 Level 3 mode below | |
| RSA PKCS#1 encryption/decryption (Mech_RSApPKCS1, Mech_RSApPKCS1pPKCS11 with bytes plaintext) | | Forbidden | |
| RSA PKCS#1 any-hash signature (Mech_RSApPKCS1, Mech_RSApPKCS1pPKCS11 with bytes/hash plaintext) | | Forbidden | |
| RSA PKCS#1 SHA-1 signature (Mech_RSApPKCS1, Mech_RSAhSHA1pPKCS1 with bytes/hash plaintext) | | Forbidden | |
| RSA PKCS#1 SHA-2 signature (Mech_RSAhSHA224pPKCS1, Mech_RSAhSHA256PKCS1, Mech_RSAhSHA384pPKCS1, Mech_RSAhSHA512pPKCS1 with bytes/hash plaintext) | | | |
| RSA PKCS#1 SHA-3 signature (Mech_RSAhSHA3b224pPKCS1, Mech_RSAhSHA3b256PKCS1, Mech_RSAhSHA3b384pPKCS1, Mech_RSAhSHA3b512pPKCS1 with bytes/hash plaintext) | | | |
| RSA PSS SHA-1 signature (Mech_RSAhSHA1pPSS with bytes/hash plaintext) | | Forbidden | |
| RSA PSS SHA-2 signature (Mech_RSAhSHA224pPSS, Mech_RSAhSHA256pPSS, Mech_RSAhSHA384pPSS, Mech_RSAhSHA512pPSS with bytes/hash plaintext) | | | |
| RSA PSS SHA-3 signature (Mech_RSAhSHA3b224pPSS, Mech_RSAhSHA3b256pPSS, Mech_RSAhSHA3b384pPSS, Mech_RSAhSHA3b512pPSS with bytes/hash plaintext) | | | |
| RSA PSS RIPEMD160 signature (Mech_RSAhRIPMED160pPSS with bytes/hash plaintext) | | Forbidden | |
| RSA SHA-1 OAEP encryption (Mech_RSApOAEP with bytes plaintext) | | | |
| RSA SHA-2 OAEP encryption (Mech_RSApOAEPhSHA224, Mech_RSApOAEPhSHA256, Mech_RSApOAEPhSHA384, Mech_RSApOAEPhSHA512 with bytes plaintext) | | | |
| RSA SHA-3 OAEP encryption (Mech_RSApOAEPhSHA3b224, Mech_RSApOAEPhSHA3b256, Mech_RSApOAEPhSHA3b384, Mech_RSApOAEPhSHA3b512 with bytes plaintext) | | | |

[1] FIPS Security Worlds always have "always use strong primes" enabled. This setting is optional for non-FIPS Security Worlds. The "strong primes" algorithm is the only FIPS-compliant RSA keygen algorithm currently offered.

Raw RSA and FIPS 140 Level 3 mode

Since V12.50, raw RSA is restricted in FIPS 140 Level 3 mode and completely disabled in ECp521mAES FIPS worlds.

| Firmware | Ciphersuite | Mechanism | FIPS 140 Level 3 |
|---|---|---|---|
| Before V12.50 | Any | Any | Permitted |
| V12.50-V13.7 | Any | Mech_RSApPKCS1, Mech_RSApPKCS1pPKCS1 | Forbidden |
| V12.50-V13.7 | Any | Any other mechanism | Permitted |
| V13.8 | DLf1024s160mDES3, DLf1024s160mRijndael, DLf3072s256mRijndael, DLf3072s256mAEScSP800131Ar1 | Mech_RSApPKCS1, Mech_RSApPKCS1pPKCS1 | Forbidden |
| V13.8 | DLf1024s160mDES3, DLf1024s160mRijndael, DLf3072s256mRijndael, DLf3072s256mAEScSP800131Ar1 | Any other mechanism | Permitted |
| V13.8 | ECp521mAES | Any | Forbidden |

Elliptic Curve Key Agreement

| Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
|---|---|---|---|---|
| ECDH | Y | Y | ECDH or EC | Y |
| ECIES | N | N | ECDH or EC | N |

KeyType_ECPrivate allows a single key to be used for key establishment and signature generation, depending on the permissions in its ACL. If you require FIPS 140 compliance, then additional care must be taken to comply with the rules about using a single key for multiple purposes, such as section 5.2, General Key Management Guidance: Key Usage of SP800-57pt1r5. The HSM can help enforce these rules, for example, by placing the sign permission in a permission group with UseLim_Global (use limit) set to a maximum use count of 1.

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| ECC enablement | EllipticCurve feature (enabled by default from firmware V13.5 onwards) | EllipticCurve feature (enabled by default from firmware V13.5 onwards) | EllipticCurve feature (enabled by default from firmware V13.5 onwards) |
| ECC domain parameters | | 224 minimum; SECP256k1 forbidden; non-named curves forbidden | |
| ECDH key agreement (Mech_ECDHKeyExchange) | | Forbidden with Cmd_Decrypt (permitted with Cmd_DeriveKey) | |
| ECDHC key agreement (Mech_ECDHCKeyExchange) | | Forbidden with Cmd_Decrypt (permitted with Cmd_DeriveKey) | |
| ECDH key generation (KeyType_ECDHPrivate, KeyType_ECPrivate) | | | |
| ECDHLax key generation (KeyType_ECDHLaxPrivate) | | Forbidden | |
| ECDHLax key agreement (Mech_ECDHLaxKeyExchange) | | Forbidden | |

Elliptic Curve Signature

| Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
|---|---|---|---|---|
| ECDSA | Y [1] | Y [1] | ECDSA or EC | Y |

[1] FIPS 140 approval is only for use with ECDSA keys, not with EC keys.

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| ECC enablement | EllipticCurve feature enabled by default from V13.5 onwards | EllipticCurve feature enabled by default from V13.5 onwards | EllipticCurve feature enabled by default from V13.5 onwards |
| ECC domain parameters | | 224 minimum; SECP256k1 forbidden before V13.8; non-named curves forbidden | |
| ECDSA key generation (KeyType_ECDSAPrivate, KeyType_ECPrivate) | | | |
| ECDSA signature RNG | | Never uses unvalidated RNG | |
| ECDSA signature hash | | RIPEMD160 & SHA-1 forbidden | |
| ECDSA verify hash | | RIPEMD160 forbidden | |
| ECDSA SHA-1 sign (Mech_ECDSA) | | Forbidden | |
| ECDSA SHA-1 verify (Mech_ECDSA) | | | |
| ECDSA RIPEMD160 sign/verify (Mech_ECDSAhRIPEMD160) | | Forbidden | |
| ECDSA SHA-2 sign/verify (Mech_ECDSAhSHA224, Mech_ECDSAhSHA256, Mech_ECDSAhSHA384, Mech_ECDSAhSHA512) | | | |
| ECDSA SHA-3 sign/verify (Mech_ECDSAhSHA3b224, Mech_ECDSAhSHA3b256, Mech_ECDSAhSHA3b384, Mech_ECDSAhSHA3b512) | | | |
| ECDSA sign/verify GBCS mode (Mech_ECDSAhSHA256kGBCS) | | Forbidden | |

X25519/Curve25519 Key Agreement

| Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
|---|---|---|---|---|
| X25519 | N | N | X25519 | Y |

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| X25519 key generation (KeyType_X25519Private) (introduced in V12.50) | | Forbidden | |
| X25519 key agreement (Mech_X25519KeyExchange) (introduced in V12.50) | | Forbidden | |

Ed25519 Signature

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| Ed25519 key generation (KeyType_Ed25519Private) (introduced in V12.50) | | Forbidden up to V13.6; permitted from V13.7 | |
| Pure Ed25519 sign/verify (Mech_Ed25519) (introduced in V12.60) | | Forbidden up to V13.6; permitted from V13.7 | |
| Prehashed Ed25519 sign/verify (Mech_Ed25519ph) (introduced in V12.50) | | Forbidden up to V13.6; permitted from V13.7 | |
| Prehashed Ed25519 sign/verify with context (Mech_Ed25519phctx) (introduced in V13.7) | | | |

Ed448 Signature

| Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
|---|---|---|---|---|
| Ed448 | Y | Y | Ed448 | N |

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| Ed448 key generation (KeyType_Ed448Private) (introduced in V13.5) | | Forbidden up to V13.6; permitted from V13.7 | |
| Pure Ed448 sign/verify (Mech_Ed448) (introduced in V13.5) | | Forbidden up to V13.6; permitted from V13.7 | |
| Pure Ed448 sign/verify with context (Mech_Ed448ctx) (introduced in V13.7) | | | |
| Prehashed Ed448 sign/verify (Mech_Ed448ph) (introduced in V13.5) | | Forbidden up to V13.6; permitted from V13.7 | |
| Prehashed Ed448 sign/verify with context (Mech_Ed448phctx) (introduced in V13.7) | | | |

KCDSA Signature

| Algorithm | Enabled in a v1 or v2 FIPS Security World | Enabled in a v3 FIPS Security World | Key type | Supported by generatekey |
|---|---|---|---|---|
| KCDSA | N | N | KCDSA | N |

| Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
|---|---|---|---|
| KCDSA enablement | KISAAlgorithms feature required | KISAAlgorithms feature required | KISAAlgorithms feature required |
| KCDSA key generation (KeyType_KCDSAPrivate) | | Forbidden | |
| KCDSA signature (Mech_KCDSAHASH160, Mech_KCDSASHA1, Mech_KCDSASHA224, Mech_KCDSASHA256, Mech_KCDSARIPMED160) | | Forbidden | |
| KCDSA domain generation (KeyType_KCDSACommon) | | Forbidden | |