Symmetric Mechanisms and Algorithms

In the following table, "Unrestricted", "FIPS 140 Level 3", and "Common Criteria CMTS" refer to the Security World mode designation. The cells in these columns detail any restrictions for the corresponding feature in each of the Security World modes. A blank cell means that the feature has no restrictions.

FIPS 140 Level 3: In v3 Security Worlds, in FIPS 140 Level 3 mode, some smaller key sizes are disabled.

ARIA

Algorithm	FIPS approved in a v1 or v2 Security World	FIPS approved in a v3 Security World	Key type	Supported by generatekey
ARIA	N	N	Aria	N

Algorithm

FIPS approved in a v1 or v2 Security World

FIPS approved in a v3 Security World

Key type

Supported by
generatekey

ARIA

Aria

Feature	Unrestricted	FIPS 140 Level 3	Common Criteria CMTS
ARIA key generation (KeyType_ARIA)		Forbidden
ARIA CBC no padding (Mech_ARIAmCBCpNONE)		Forbidden
ARIA ECB no padding (Mech_ARIAmECBpNONE)		Forbidden

Feature

Unrestricted

FIPS 140 Level 3

Common Criteria CMTS

ARIA key generation
(KeyType_ARIA)

Forbidden

ARIA CBC no padding
(Mech_ARIAmCBCpNONE)

Forbidden

ARIA ECB no padding
(Mech_ARIAmECBpNONE)

Forbidden

Camellia

Algorithm	FIPS approved in a v1 or v2 Security World	FIPS approved in a v3 Security World	Key type	Supported by generatekey
Camellia	N	N	Camellia	N

Algorithm

FIPS approved in a v1 or v2 Security World

FIPS approved in a v3 Security World

Key type

Supported by
generatekey

Camellia

Feature	Unrestricted	FIPS 140 Level 3	Common Criteria CMTS
Camellia key generation (KeyType_Camellia)		Forbidden
Camellia CBC no padding (Mech_CamelliamCBCpNONE)		Forbidden
Camellia ECB no padding (Mech_CamelliamECBpNONE)		Forbidden

Feature

Unrestricted

FIPS 140 Level 3

Common Criteria CMTS

Camellia key generation
(KeyType_Camellia)

Forbidden

Camellia CBC no padding
(Mech_CamelliamCBCpNONE)

Forbidden

Camellia ECB no padding
(Mech_CamelliamECBpNONE)

Forbidden

CAST256

Algorithm	FIPS approved in a v1 or v2 Security World	FIPS approved in a v3 Security World	Key type	Supported by generatekey
CAST 256	N	N	CAST256	N

Algorithm

FIPS approved in a v1 or v2 Security World

FIPS approved in a v3 Security World

Key type

Supported by
generatekey

CAST 256

CAST256

Feature	Unrestricted	FIPS 140 Level 3	Common Criteria CMTS
CAST256 key generation (KeyType_CAST256)		Forbidden
CAST256 CBC PKCS#5 padding (Mech_CAST256mCBCi128pPKCS5)		Forbidden
CAST256 ECB PKCS#5 padding (Mech_CAST256mECBpPKCS5)		Forbidden
CAST256 CBC no padding (Mech_CAST256mCBCpNONE)		Forbidden
CAST256 ECB no padding (Mech_CAST256mECBpNONE)		Forbidden
CAST256 CBC-MAC PKCS#5 padding (Mech_CAST256mCBCMACi0pPKCS5)		Forbidden

Feature

Unrestricted

FIPS 140 Level 3

Common Criteria CMTS

CAST256 key generation
(KeyType_CAST256)

Forbidden

CAST256 CBC PKCS#5 padding
(Mech_CAST256mCBCi128pPKCS5)

Forbidden

CAST256 ECB PKCS#5 padding
(Mech_CAST256mECBpPKCS5)

Forbidden

CAST256 CBC no padding
(Mech_CAST256mCBCpNONE)

Forbidden

CAST256 ECB no padding
(Mech_CAST256mECBpNONE)

Forbidden

CAST256 CBC-MAC PKCS#5 padding
(Mech_CAST256mCBCMACi0pPKCS5)

Forbidden

DES

Algorithm	FIPS approved in a v1 or v2 Security World	FIPS approved in a v3 Security World	Key type	Supported by generatekey
DES	N	N	DES	N
DES2	N	N	DES	Y
Triple DES	Y	N ¹	Triple DES	Y

Algorithm

FIPS approved in a v1 or v2 Security World

FIPS approved in a v3 Security World

Key type

Supported by
generatekey

DES

DES2

DES

Triple DES

N ¹

Triple DES

¹ Not FIPS approved for encryption operations, but available for decryption operations.

Feature	Unrestricted	FIPS 140 Level 3	Common Criteria CMTS
Single-DES key generation (KeyType_DES)		Forbidden
Single-DES CBC PKCS#5 padding (Mech_DESmCBCi64pPKCS5)		Forbidden
Single-DES CBC no padding (Mech_DESmCBCpNONE)		Forbidden
Single-DES ECC PKCS#5 padding (Mech_DESmEBCpPKCS5)		Forbidden
Single-DES ECB no padding (Mech_DESmECBpNONE)		Forbidden
Single-DES CBC-MAC PKCS#5 padding (Mech_DESmCBCMACi0pPKCS5)		Forbidden
Single-DES CBC-MAC no padding (Mech_DESmCBCMACpNONE)		Forbidden
2-key triple-DES key generation (KeyType_DES2)		Forbidden
2-key triple-DES PKCS#5 padding (Mech_DES2mCBCi64pPKCS5)		Forbidden
2-key triple-DES CBC no padding (Mech_DES2mCBCpNONE)		Forbidden
2-key triple-DES ECC PKCS#5 padding (Mech_DES2mEBCpPKCS5)		Forbidden
2-key triple-DESS ECB no padding (Mech_DES2mECBpNONE)		Forbidden
2-key triple-DES CBC-MAC PKCS#5 padding (Mech_DES2mCBCMACi0pPKCS5)		Forbidden
2-key triple-DES CBC-MAC no padding (Mech_DES2mCBCMACpNONE)		Forbidden
3-key triple-DES key generation (KeyType_DES3)		Forbidden
3-key triple-DES PKCS#5 padding (Mech_DES3mCBCi64pPKCS5)		Decrypt only
3-key triple-DES CBC no padding (Mech_DES3mCBCpNONE)		Decrypt only
3-key triple-DES ECC PKCS#5 padding (Mech_DES3mEBCpPKCS5)		Decrypt only
3-key triple-DESS ECB no padding (Mech_DES3mECBpNONE)		Decrypt only
3-key triple-DES CBC-MAC PKCS#5 padding (Mech_DES3mCBCMACi0pPKCS5)		Forbidden
3-key triple-DES CBC-MAC no padding (Mech_DES3mCBCMACpNONE)		Forbidden

Feature

Unrestricted

FIPS 140 Level 3

Common Criteria CMTS

Single-DES key generation
(KeyType_DES)

Forbidden

Single-DES CBC PKCS#5 padding
(Mech_DESmCBCi64pPKCS5)

Forbidden

Single-DES CBC no padding
(Mech_DESmCBCpNONE)

Forbidden

Single-DES ECC PKCS#5 padding
(Mech_DESmEBCpPKCS5)

Forbidden

Single-DES ECB no padding
(Mech_DESmECBpNONE)

Forbidden

Single-DES CBC-MAC PKCS#5 padding
(Mech_DESmCBCMACi0pPKCS5)

Forbidden

Single-DES CBC-MAC no padding
(Mech_DESmCBCMACpNONE)

Forbidden

2-key triple-DES key generation
(KeyType_DES2)

Forbidden

2-key triple-DES PKCS#5 padding
(Mech_DES2mCBCi64pPKCS5)

Forbidden

2-key triple-DES CBC no padding
(Mech_DES2mCBCpNONE)

Forbidden

2-key triple-DES ECC PKCS#5 padding
(Mech_DES2mEBCpPKCS5)

Forbidden

2-key triple-DESS ECB no padding
(Mech_DES2mECBpNONE)

Forbidden

2-key triple-DES CBC-MAC PKCS#5 padding
(Mech_DES2mCBCMACi0pPKCS5)

Forbidden

2-key triple-DES CBC-MAC no padding
(Mech_DES2mCBCMACpNONE)

Forbidden

3-key triple-DES key generation
(KeyType_DES3)

Forbidden

3-key triple-DES PKCS#5 padding
(Mech_DES3mCBCi64pPKCS5)

Decrypt only

3-key triple-DES CBC no padding
(Mech_DES3mCBCpNONE)

Decrypt only

3-key triple-DES ECC PKCS#5 padding
(Mech_DES3mEBCpPKCS5)

Decrypt only

3-key triple-DESS ECB no padding
(Mech_DES3mECBpNONE)

Decrypt only

3-key triple-DES CBC-MAC PKCS#5 padding
(Mech_DES3mCBCMACi0pPKCS5)

Forbidden

3-key triple-DES CBC-MAC no padding
(Mech_DES3mCBCMACpNONE)

Forbidden

AES (aka Rijndael)

Algorithm	FIPS approved in a v1 or v2 Security World	FIPS approved in a v3 Security World	Key type	Supported by generatekey
AES	Y	Y	AES or Rijndael	Y

Algorithm

FIPS approved in a v1 or v2 Security World

FIPS approved in a v3 Security World

Key type

Supported by
generatekey

AES

AES or Rijndael

Feature

Unrestricted

FIPS 140 Level 3

Common Criteria CMTS

AES key generation
(KeyType_Rijndael)

AES CBC PKCS#5 padding
(Mech_RijndaelmCBCi128pPKCS5)

AES ECB PKCS#5 padding
(Mech_RijndaelmECBpPKCS5)

AES CBC no padding
(Mech_RijndaelmCBCpNONE)

AES ECB no padding
(Mech_RijndaelmECBpNONE)

AES GCM
(Mech_RijndaelmGCM)
with module-generated IV

AES GCM
(Mech_RijndaelmGCM)
with user-supplied IV

Forbidden

AES GCM
(Mech_AESmGCM)

AES KWP
(Mech_AESKeyWrapPadded)

AES CMAC with PKCS#5 padding
(Mech_RijndaelmCMAC)

AES CBC-MAC with PKCS#5 padding
(Mech_RijndaelmCBCMACi0pPKCS5)

Forbidden

AES CBC-MAC with no padding
(RijndaelmCBCMACi0pNONE)

Forbidden

RC4

Algorithm	FIPS approved in a v1 or v2 Security World	FIPS approved in a v3 Security World	Key type	Supported by generatekey
Arcfour	N	N	Arcfour	N

Algorithm

FIPS approved in a v1 or v2 Security World

FIPS approved in a v3 Security World

Key type

Supported by
generatekey

Arcfour

Feature	Unrestricted	FIPS 140 Level 3	Common Criteria CMTS
RC4 key generation (KeyType_ArcFour)		Forbidden
RC4 encrypt/decrypt (Mech_ArcFourpNONE)		Forbidden

Feature

Unrestricted

FIPS 140 Level 3

Common Criteria CMTS

RC4 key generation
(KeyType_ArcFour)

Forbidden

RC4 encrypt/decrypt
(Mech_ArcFourpNONE)

Forbidden

SEED

Algorithm	FIPS approved in a v1 or v2 Security World	FIPS approved in a v3 Security World	Key type	Supported by generatekey
SEED	N	N	SEED	N

Algorithm

FIPS approved in a v1 or v2 Security World

FIPS approved in a v3 Security World

Key type

Supported by
generatekey

SEED

Feature

Unrestricted

FIPS 140 Level 3

Common Criteria CMTS

SEED key generation
(KeyType_SEED)

Forbidden

SEED CBC PKCS#5 padding
(Mech_SEEDmCBCi128pPKCS5)

SEED ECBPKCS#5 padding
(Mech_SEEDmECBpPKCS5)

SEED CBC no padding
(Mech_SEEDmCBCpNONE)

SEED ECB no padding
(Mech_SEEDmECBpNONE)

SEED CBC-MAC PKCS#5 padding
(Mech_SEEDmCBCMACi0pPKCS5)

HMAC

Algorithm	FIPS approved in a v1 or v2 Security World	FIPS approved in a v3 Security World	Key type	Supported by generatekey
MD5 HMAC	N	N	HMACMD5	N
RIPEMD160 HMAC	N	N	HMACRIPEMD160	N
SHA-1 HMAC	Y	Y	HMACSHA1	Y
SHA-224 HMAC	Y	Y	HMACSHA224	N
SHA-256 HMAC	Y	Y	HMACSHA256	Y
SHA-384 HMAC	Y	Y	HMACSHA384	Y
SHA-512 HMAC	Y	Y	HMACSHA512	Y

Algorithm

FIPS approved in a v1 or v2 Security World

FIPS approved in a v3 Security World

Key type

Supported by
generatekey

MD5 HMAC

HMACMD5

RIPEMD160 HMAC

HMACRIPEMD160

SHA-1 HMAC

HMACSHA1

SHA-224 HMAC

HMACSHA224

SHA-256 HMAC

HMACSHA256

SHA-384 HMAC

HMACSHA384

SHA-512 HMAC

HMACSHA512

Feature

Unrestricted

FIPS 140 Level 3

Common Criteria CMTS

HMAC SHA-1/2/3 key generation
(KeyType_HMACSHA1,
KeyType_HMACSHA224,
KeyType_HMACSHA256,
KeyType_HMACSHA384,
KeyType_HMACSHA512,
KeyType_HMACSHA3b224,
KeyType_HMACSHA3b256,
KeyType_HMACSHA3b384,
KeyType_HMACSHA3b512)

Minimum 14 bytes
(112 bits)

HMAC SHA-1/2/3 sign/verify
(Mech_HMACSHA1,
Mech_HMACSHA224,
Mech_HMACSHA256,
Mech_HMACSHA384,
Mech_HMACSHA512,
Mech_HMACSHA3b224,
Mech_HMACSHA3b256,
Mech_HMACSHA3b384,
Mech_HMACSHA3b512)

HMAC MD5 key generation
(KeyType_HMACMD5)

Forbidden

HMACMD5 sign/verify
(Mech_HMACMD5)

Forbidden

HMAC RIPEMD160 key generation

Forbidden

HMACRIPEMD160 sign/verify
(Mech_HMACRIPEMD160)

Forbidden