Supported Algorithms

This chapter lists the National Security Agency (NSA) classified Suite B algorithms supported by the nShield CNG providers.

The MQV algorithm is not supported by the nShield CNG providers.
Some mechanisms may be restricted from use in Security Worlds conforming to FIPS 140 Level 3. See the User Guide for your HSM for more information.

Signature interfaces (key signing)

Interface name Type of support

RSA PKCS#1 v1

Hardware

RSA PSS

DSA

ECDSA_P224

ECDSA_P256

ECDSA_P384

ECDSA_P521

Hashes used with ECDSA must be of the same length or shorter than the curve itself. If you attempt to use a hash longer than the curve the operation returns NOT_SUPPORTED. In FIPS 140 Level 3 Security Worlds, curves must be of an approved type and length.

Hashes

Hash name Type of support

SHA1

Hardware (HMAC only)/software

SHA256

SHA384

SHA512

SHA224

Hardware (HMAC only, requires firmware version 2.33.60 or later)/software

MD5

Hardware (HMAC only)/software

Asymmetric encryption

Algorithm name Type of support

RSA Raw (NCRYPT_NO_PADDING_FLAG)

Hardware

RSA PKCS#1 v1 (NCRYPT_PAD_PKCS1_FLAG)

RSA OAEP (NCRYPT_PAD_OAEP_FLAG)

Symmetric encryption

Algorithm name Type of support

RC4

Hardware and Software

AES ECB,CBC

DES ECB,CBC

3DES ECB,CBC

3DES_112 ECB,CBC

Key exchange

Protocol name Type of support

DH

Hardware

ECDH_P224

ECDH_P256

ECDH_P348

ECDH_P521

Elliptic curve cryptography algorithms must be enabled before use. Use the fet command-line utility with an appropriate certificate to enable a purchased feature. If you enable the elliptic curve feature on your modules after you first register the CNG providers, you must run the configuration wizard again for the elliptic curve algorithm providers to be registered. For more information about registering the CNG providers, see the User Guide for your HSM.

Random Number Generation

Name Type of support

RNG

Hardware