
Annex A:
Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules

Draft

Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie E. May, Under Secretary for Standards and Technology and Director

October 12, 2021

Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules

1. Introduction

Federal Information Processing Standards Publication (FIPS) 140-2, Security Requirements for Cryptographic Modules, specifies the security requirements that are to be satisfied by the cryptographic module utilized within a security system protecting sensitive information within computer and telecommunications systems (including voice systems). The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover eleven areas related to the secure design and implementation of the cryptographic module. These areas include the following:

1. Cryptographic Module Specification
2. Cryptographic Module Ports and Interfaces
3. Roles, Services, and Authentication
4. Finite State Model
5. Physical Security
6. Operational Environment
7. Cryptographic Key Management
8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
9. Self Tests
10. Design Assurance
11. Mitigation of Other Attacks

The Cryptographic Module Validation Program (CMVP - www.nist.gov/cmvp) validates cryptographic modules to FIPS 140-2 and other cryptography based standards. The CMVP is a joint effort between NIST and the Canadian Centre for Cyber Security (CCCS - https://cyber.gc.ca/en/). Modules validated as conforming to FIPS 140-2 are accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or Designated information (Canada).

In the CMVP, vendors of cryptographic modules use independent, accredited testing laboratories to have their modules tested. Organizations wishing to have validations performed would contract with the laboratories for the required services.

2. Purpose

The purpose of this document, and of Annexes C and D, is to provide a list of the approved security functions applicable to FIPS 140-2. Annex C lists the approved Random Bit Generators, while Annex D shows the approved Key Establishment Methods. The remaining approved security functions are listed in this Annex. The Annexes also provide the links to the descriptions of the allowed algorithms.

Contents

1. Introduction
2. Purpose
ANNEX A: APPROVED SECURITY FUNCTIONS
    Transitions
    Symmetric Key Encryption and Decryption (AES, TDEA)
        1. Advanced Encryption Standard (AES)
        2. Triple-DES Encryption Algorithm (TDEA)
    Digital Signatures (DSA, RSA and ECDSA)
        1. Digital Signature Standard (DSS)
    Secure Hash Standard (SHS)
        1. Secure Hash Standard (SHS) (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)
    SHA-3 Standard
        1. SHA-3 Hash Algorithms (SHA3-224, SHA3-256, SHA3-384, SHA3-512)
        2. SHA-3 Extendable-Output Functions (XOF) (SHAKE128, SHAKE256)
        3. SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
    Message Authentication (Triple-DES, AES and HMAC)
        1. Triple-DES
        2. AES
        3. HMAC
    Document Revisions

ANNEX A: APPROVED SECURITY FUNCTIONS

Annex A provides a list of the approved security functions applicable to FIPS 140-2. The categories include transitions, symmetric key encryption and decryption, digital signatures, message authentication and hashing.

Transitions

National Institute of Standards and Technology, Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, Special Publication 800-131A, Revision 2, March 2019.

Symmetric Key Encryption and Decryption (AES, TDEA)

1. Advanced Encryption Standard (AES)

National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode, Addendum to Special Publication 800-38A, October 2010.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, Special Publication 800-38C, May 2004.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800-38D, November 2007.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices, Special Publication 800-38E, January 2010.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, Special Publication 800-38F, December 2012.

IEEE Standards Association, Standard for Local and metropolitan area networks, Media Access Control (MAC) Security, Amendment 2: Extended Packet Numbering, 802.1AEbw-2013, February 12, 2013.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, Special Publication 800-38G, March 2016.

NIST Computer Security Division    Page 1    10/12/2021

2. Triple-DES Encryption Algorithm (TDEA)

National Institute of Standards and Technology, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, Revision 2, November 2017.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001. Appendix E references modes of the Triple-DES algorithm.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, Special Publication 800-38F, December 2012.

3. NOTE. The use of SKIPJACK is approved for decryption only. The SKIPJACK algorithm has been documented in Federal Information Processing Standards Publication 185. This publication is obsolete and has been withdrawn.

Digital Signatures (DSA, RSA and ECDSA)

1. Digital Signature Standard (DSS)

National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July 2013.

Secure Hash Standard (SHS)

1. Secure Hash Standard (SHS) (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)

National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August 2015.

SHA-3 Standard

1. SHA-3 Hash Algorithms (SHA3-224, SHA3-256, SHA3-384, SHA3-512)

National Institute of Standards and Technology, SHA-3 Standard, Federal Information Processing Standards Publication 202, August 2015.

2. SHA-3 Extendable-Output Functions (XOF) (SHAKE128, SHAKE256)

National Institute of Standards and Technology, SHA-3 Standard, Federal Information Processing Standards Publication 202, August 2015.

3. SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash

National Institute of Standards and Technology, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash, Special Publication 800-185, December 2016.

Message Authentication (Triple-DES, AES and HMAC)

1. Triple-DES

National Institute of Standards and Technology, Computer Data Automation, Federal Information Processing Standards Publication 113, 30 May 1985. This standard has been withdrawn by NIST on September 1, 2008. The CMVP will accept, until December 31, 2017, the new submissions with the claims of vendor affirmation to this standard. The existing validations with the claim of Triple-DES MAC complying with FIPS 113 will remain in place.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, Special Publication 800-38B, May 2005.

2. AES

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, Special Publication 800-38B, May 2005.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, Special Publication 800-38C, May 2004.

National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800-38D, November 2007.

3. HMAC

National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July 2008.

National Institute of Standards and Technology, Recommendation for Applications Using Approved Hash Algorithms, Special Publication 800-107 Revision 1, Section 5.3, August 2012.

Document Revisions

Change

Symmetric Key, Number 1:
    Added: Advanced Encryption Standard (AES)
Keyed Hash, Number 1:
    Added: The Keyed-Hash Message Authentication Code (HMAC)
Symmetric Key, Number 1:
    Added: Recommendation for Block Cipher Modes of Operation, Methods and Techniques
Asymmetric Key, Number 1:
    Deleted: Removed Asymmetric Key references to ANSI X9.31-1998 and ANSI X9.62-1998. These are referenced in FIPS 186-2.
Hashing, Number 1:
    Added: Secure Hash Standard - SHA-256, SHA-384 and SHA-512
Hashing, Number 1:
    Added: Secure Hash Standard - SHA-224
Asymmetric Key, Number 1:
    Updated: Modified reference to include Change Notice 1 - Digital Signature Standard (DSS)
Message Authentication, Number 3:
    Added: Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
Symmetric Key, Number 2:
    Added: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
Message Authentication, Number 4:
    Added: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
Random Number Generators, Number 1:
    Updated: Modified reference document date - Annex C: Approved Random Number Generators for FIPS 140-2, Security Requirements for Cryptographic Modules
Symmetric Key, Number 2:
    Deleted: References to DES removed.
Message Authentication, Numbers 1 and 2:
    Deleted: References to DES removed.
    Updated: Modified URLs
Symmetric Key, Number 1:
    Added: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
Hashing, Number 1:
    Updated: FIPS 180-3 replaces FIPS 180-2 - Secure Hash Standard
Asymmetric Key - Signature, Number 1:
    Updated: FIPS 186-3 replaces FIPS 186-2 - Digital Signature Standard (DSS)
Asymmetric Key - Signature, Number 1:
    Added: Included reference to archived Digital Signature Standard (DSS) – FIPS 186-2 until transition plan from FIPS 186-2 to FIPS 186-3 ends.
    Updated: Editorial Changes to align with the CAVP
Key Management, Number 1:
    Added: Recommendation for Key Derivation Using Pseudorandom Functions
Symmetric Key, Number 1:
    Added: Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices

04/06/2016
05/10/2017

Symmetric Key, Number 1:
    Added: Addendum to Special Publication 800-38A, October 2010: Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
Message Authentication, Number 3:
    Updated: Revision date - FIPS 198-1, July 2008: The Keyed-Hash Message Authentication Code (HMAC)
Moved Key Management/Establishment references to FIPS 140-2 Annex D.
Added new Section: Transitions
    Added: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Secure Hash Standard (SHS), Number 1:
    Updated: FIPS 180-4 replaces FIPS 180-3 - Secure Hash Standard
Asymmetric Key - Signature, Number 1:
    Updated: FIPS 186-4 replaces FIPS 186-3 - Digital Signature Standard (DSS)
    Deleted: Reference to RSA Laboratories, PKCS#1 v2.1: RSA Cryptography Standard, June 14, 2002. Included in FIPS 186-4.
Symmetric Key, Number 1:
    Added: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
Secure Hash Standard (SHS), Number 1:
    Added: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
SHA-3 Standard:
    Added: SHA-3 Hash Algorithms and Extendable-Output Functions
Digital Signature Standard (DSS):
    Deleted: References to FIPS 186-2
Escrowed Encryption Standard (EES)
    Deleted: Skipjack is withdrawn effective December 31, 2015.
Symmetric Key, Advanced Encryption Standard (AES):
    Added: GCM-AES-XPN mode from IEEE Standard 802.1AEbw-2013.
Symmetric Key, Advanced Encryption Standard (AES):
    Added: SP 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption.
Transitions
    Updated: SP 800-131Arev1 replaces SP 800-131A
Triple-DES Encryption Algorithm (TDEA)
    Updated: SP 800-67rev1 replaces SP 800-67
    Added SP 800-38F to the list of standards defining the approved modes of TDEA
SHS
    Deleted: SP 800-52 Rev 1, April 2014
Random Number Generators (RNG and DRBG)
    Deleted RNG section. Approved RNGs are listed in Annex C.
Message Authentication (Triple-DES, AES and HMAC)
    Added the transition information for vendor affirmation of Triple-DES MAC
    Added: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
Overall Document
01/10/2018
06-10-2019
    Modified section titles, added notes and fixed broken links.
Triple-DES Encryption Algorithm (TDEA)
    Updated: SP 800-67rev2 replaces SP 800-67rev1
Transitions
    Updated: SP 800-131Arev2 replaces SP 800-131Arev1
SHA-3 Standard
    Added: SP 800-185, December 2016

10-12-2021
Transitions
    Deleted: SP 800-131Arev2 section references
