Supported Algorithms
This chapter lists the National Security Agency (NSA) classified Suite B algorithms supported by the nShield CNG providers.
| The MQV algorithm is not supported by the nShield CNG providers. |
| Some mechanisms may be restricted from use in Security Worlds conforming to FIPS 140 Level 3. See the User Guide for your HSM for more information. |
Signature interfaces (key signing)
| Interface name | Type of support |
|---|---|
RSA PKCS#1 v1 |
Hardware |
RSA PSS |
|
DSA |
|
ECDSA_P224 |
|
ECDSA_P256 |
|
ECDSA_P384 |
|
ECDSA_P521 |
Hashes used with ECDSA must be of the same length or shorter than the curve itself.
If you attempt to use a hash longer than the curve the operation returns NOT_SUPPORTED. In FIPS 140 Level 3 Security Worlds, curves must be of an approved type and length.
|
Hashes
| Hash name | Type of support |
|---|---|
SHA1 |
Hardware (HMAC only)/software |
SHA256 |
|
SHA384 |
|
SHA512 |
|
SHA224 |
Hardware (HMAC only, requires firmware version 2.33.60 or later)/software |
MD5 |
Hardware (HMAC only)/software |
Asymmetric encryption
| Algorithm name | Type of support |
|---|---|
RSA Raw (NCRYPT_NO_PADDING_FLAG) |
Hardware |
RSA PKCS#1 v1 (NCRYPT_PAD_PKCS1_FLAG) |
|
RSA OAEP (NCRYPT_PAD_OAEP_FLAG) |
Symmetric encryption
| Algorithm name | Type of support |
|---|---|
RC4 |
Hardware and Software |
AES ECB,CBC |
|
DES ECB,CBC |
|
3DES ECB,CBC |
|
3DES_112 ECB,CBC |
Key exchange
| Protocol name | Type of support |
|---|---|
DH |
Hardware |
ECDH_P224 |
|
ECDH_P256 |
|
ECDH_P348 |
|
ECDH_P521 |
Elliptic curve cryptography algorithms must be enabled before use.
Use the fet command-line utility with an appropriate certificate to enable a purchased feature.
If you enable the elliptic curve feature on your modules after you first register the CNG providers, you must run the configuration wizard again for the elliptic curve algorithm providers to be registered.
For more information about registering the CNG providers, see the User Guide for your HSM.
|