DeriveKey Mechanisms
In the following table, "Unrestricted", "FIPS 140 Level 3", and "Common Criteria CMTS" refer to the Security World mode designation. The cells in these columns detail any restrictions for the corresponding feature in each of the Security World modes. A blank cell means that the feature has no restrictions.
FIPS 140 Level 3: In v3 Security Worlds, in FIPS 140 Level 3 mode, some smaller key sizes are disabled. |
Key Wrapping (see also IES variants)
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
EncryptMarshalled |
AESKeyWrapPadded & |
||
AESKW non-default ICV |
Forbidden (wrap & unwrap) |
||
Raw encryption |
AESKeyWrapPadded, |
||
Padded raw encryption |
Forbidden |
||
PKCS#8 wrap |
AESKeyWrapPadded, |
||
AES Key Wrap |
Key Derivation
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
MAC on a key |
KeyType_Random output only |
||
NIST SP800-56Cr1 KDF |
|||
NIST SP800-56Cr1 KDF |
Forbidden |
||
ANSI X9.63 KDF |
Forbidden |
||
Either ConcatenationKDF with RSA key agreement |
Forbidden |
||
Either ConcatenationKDF with ECDHC key agreement |
|||
Either ConcatenationKDF with ECDH key agreement |
|||
Either ConcatenationKDF with ECDH |
Forbidden |
||
SP800-108 KDF with AES-CMAC |
|||
SP800-108 KDF with AES-CMAC or HMAC SHA-256, |
|||
DES split/join XOR |
Forbidden |
||
Random split/join XOR |
|||
AES split/join XOR |
|||
Key concatenation |
|||
Public from private |
Key Agreement
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
ECCMQV with ANSI X9.63 KDF |
Forbidden |
||
ECCMQV with SP800-56Ar3 KDF |
|||
ECDH key agreement |
Forbidden |
||
DH key agreement |
Forbidden |
||
X25519 key agreement |
Forbidden |
IES Variants
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
ECIES |
Forbidden |
||
X25519 ECIES |
Forbidden |
||
RSA key wrap of symmetric key |
|||
RSA key wrap of asymmetric key |
Rainbow
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
ARQC verification |
Forbidden |
||
Watchword sign/verify |
Forbidden |
HyperLedger
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
HyperLedger client key derivation |
Forbidden |
MILENAGE
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
MILENAGEOP key generation |
Forbidden |
||
MILENAGESubscriber key generation |
Forbidden |
||
MILENAGERC key generation |
Forbidden |
||
MILENAGEOPC key derivation |
Forbidden |
||
MILENAGEAV key derivation (f1…f5) |
Forbidden |
||
MILENAGEResync (f1s/f5s) |
Forbidden |
||
MILENAGEGenAUTS (for testing) |
Forbidden |
TUAK
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
TUAKSubscriber key generation |
Forbidden |
||
TUAKTOP key generation |
Forbidden |
||
TUAKf1 key derivation |
Forbidden |
||
TUAKf1s key derivation |
Forbidden |
||
TUAKf2345 key derivation |
Forbidden |
||
TUAKf5s key derivation |
Forbidden |
Hashing
Feature | Unrestricted | FIPS 140 Level 3 | Common Criteria CMTS |
---|---|---|---|
SHA-1 |
|||
SHA-2 |
|||
SHA-3 |
|||
HAS160 |
Forbidden |
||
RIPEMD160 |
Forbidden |
||
Tiger |
Forbidden |