DeriveKey Mechanisms
In the following table, "Unrestricted", "FIPS 140 Level 3", and "Common Criteria CMTS" refer to the Security World mode designation. The cells in these columns detail any restrictions for the corresponding feature in each of the Security World modes. A blank cell means that the feature has no restrictions.
FIPS 140 Level 3: In v3 Security Worlds, in FIPS 140 Level 3 mode, some smaller key sizes are disabled. |
Key Wrapping
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
EncryptMarshalled |
HSM selects mechanism |
||
DecryptMarshalled |
AESKeyWrapPadded (since V12.60), |
||
AESKW non-default ICV |
Forbidden (wrap & unwrap) |
||
Raw encryption |
AESKeyWrapPadded (since V12.60), |
||
Raw decryption |
AESKeyWrapPadded (since V12.60), |
||
Zero-padded raw encryption & decryption |
Forbidden |
||
PKCS#8 wrap |
AESKeyWrapPadded (since V12.60), |
||
PKCS#8 unwrap |
AESKeyWrapPadded (since V12.60), |
||
AES Key Wrap |
|||
ECIES |
Forbidden |
||
ECIES |
|||
X25519 ECIES |
Forbidden |
||
RSA key wrap of symmetric key |
|||
RSA key wrap of asymmetric key |
|||
Global Platform encrypt+MAC AES keys |
|||
Global Platform encrypt+MAC of RSA key components |
Key Derivation
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
MAC on a key |
KeyType_Random output only |
||
SP800-56Cr2 KDF |
|||
SP800-56Cr2 KDF |
Forbidden |
||
ANSI X9.63 KDF |
Forbidden |
||
Either ConcatenationKDF with RSA key agreement |
Forbidden |
||
Either ConcatenationKDF with ECDHC key agreement |
|||
Either ConcatenationKDF with ECDH key agreement |
|||
Either ConcatenationKDF with ECDH |
Forbidden |
||
SP800-108 counter KDF with AES-CMAC |
|||
SP800-108 counter KDF with AES-CMAC or HMAC SHA-256, |
|||
Generic SP800-108 counter/feedback KDF |
|||
DES split/join XOR |
Forbidden |
||
Random split/join XOR |
|||
AES split/join XOR |
|||
Key concatenation |
|||
Public from private |
Key Agreement
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
ECCMQV with ANSI X9.63 KDF |
Forbidden |
||
ECCMQV with SP800-56Cr2 one-step KDF |
|||
ECDH key agreement |
Forbidden |
||
DH key agreement |
Forbidden |
||
X25519 key agreement |
Forbidden |
Rainbow
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
ARQC verification |
Forbidden |
||
Watchword sign/verify |
Forbidden |
HyperLedger
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
HyperLedger client key derivation |
Forbidden |
MILENAGE
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
MILENAGEOP key generation |
Forbidden |
||
MILENAGESubscriber key generation |
Forbidden |
||
MILENAGERC key generation |
Forbidden |
||
MILENAGEOPC key derivation |
Forbidden |
||
MILENAGEAV key derivation (f1…f5) |
Forbidden |
||
MILENAGEResync (f1s/f5s) |
Forbidden |
||
MILENAGEGenAUTS (for testing) |
Forbidden |
TUAK
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
TUAKSubscriber key generation |
Forbidden |
||
TUAKTOP key generation |
Forbidden |
||
TUAKf1 key derivation |
Forbidden |
||
TUAKf1s key derivation |
Forbidden |
||
TUAKf2345 key derivation |
Forbidden |
||
TUAKf5s key derivation |
Forbidden |
Hashing
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
SHA-1 |
|||
SHA-2 |
|||
SHA-3 |
|||
SHAKE |
|||
HAS160 |
Forbidden |
||
RIPEMD160 |
Forbidden |
||
Tiger |
Forbidden |