Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).
Withdrawn Publication Series/Number NIST Special Publication 800-175B Title Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms Publication Date(s) August 2016 Withdrawal Date March 31, 2020 Withdrawal Note SP 800-175B is superseded in its entirety by the publication of SP 800-175B Revision 1. Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s): Series/Number NIST Special Publication 800-175B Revision 1 Title Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms Author(s) Elaine Barker Publication Date(s) March 2020 URL/DOI https://doi.org/10.6028/NIST.SP.800-175Br1 Additional Information (if applicable) Contact Computer Security Division (Information Technology Laboratory) Latest revision of the attached publication Related Information https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines https://csrc.nist.gov/publications/detail/sp/800-175B/rev-1/final Withdrawal Announcement Link
Date updated: March 31, 2020 NIST Special Publication 800-175B
Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
Elaine Barker
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
C O M P U T E R S E C U R I T Y
NIST Special Publication 800-175B Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
Elaine Barker Computer Security Division Information Technology Laboratory
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
August 2016
U.S. Department of Commerce Penny Pritzker, Secretary
National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director
Authority
This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-175B Natl. Inst. Stand. Technol. Spec. Publ. 800-175B, 73 pages (August 2016) CODEN: NSPUE2
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.
Comments on this publication may be submitted to: National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 Email: [email protected]
All comments are subject to release under the Freedom of Information Act (FOIA).
: key
; ederal digital digital TANDARDS ECHANISMS effective effective
- S M Public KeyPublic
cryptographic cryptographic RYPTO
anagement C m NG
. SI overnment for using for overnment ey U RYPTOGRAPHIC k ; cryptography
C repudiation;
; non-
related information in f information related UIDELINE FOR G key algorithm - series reports on ITL’s research, research, ITL’s on reports series to protect sensitive, but unclassified but unclassified to sensitive, protect
key derivation; onfidentiality
; c
. ;
ii symmetric andards ; Abstract Keywords key agreement key
uthentication ; are discussed are a
orts in information system security, and its collaborative collaborative its and security, system information in orts ; ; codes authentication message
integrity
random bit generation bit random Reports on Computer Systems Technology is intended to provide guidance to the Federal to G the to provide guidance intended is
and NIST’s cryptographic st (PKI); key algorithm encryption; - -175B ; key wrapping
tests, test methods, reference data, proof of concept implementations, and implementations, concept of proof data, methods, reference tests, test ;
; document symmetric transport signatures Infrastructure NIST 800 SP The Information Technology Laboratory (ITL) at the National Institute of Standards and Standardsand of Institute theThe Information Laboratory at (ITL) National Technology economy (NIST) promotesTechnology U.S. and public the by providingwelfare ITL infrastructure. standards and measurement the Nation’s for leadership technical develops informationtechnical of developmentto advance and analyses productive the use of management, the technology. ITL’s development include responsibilities and technical, and physical guidelinesadministrative, cost standards the for a cryptography storage. The in and while transmission during digitized information used be to services and methods This security and privacy of othersecurity privacyof than security and national - 800- Publication The Special systems. information eff andoutreach guidelines, organizations. and academic government, activities industry, with
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: TANDARDS ECHANISMS the many many the S M
jen Chang, jen Chang, - reviewed reviewed that RYPTO C NG SI U RYPTOGRAPHIC
C s appreciate and
s : Lily Shu Chen, UIDELINE FOR G 21 from which this was21 from document -
iii Acknowledgments to thank theto SP 800 thank authors of . The author also gratefully acknowledge gratefully also author . The
-175B Kerry McKay Kerry and colleagues colleagues those with along Barker, C. and William derived Lee Annabelle , drafts this of document and contributed to its development from thecomments public and private whose thoughtful sectors and constructive thisusefulness publication. quality improvedcomments the and of NIST 800 SP The author wish es
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: 1 1 2 2 2 3 9 22 23 22 22 23 15 23 22 14 16 17 18 25 13 25 14 26 26 14 20 23 26 27 28 28 29 13 10 12 12 19 19
......
TANDARDS ECHANISMS S M ......
...... RYPTO ...... C ...... NG SI U RYPTOGRAPHIC ...... C ......
......
UIDELINE FOR ...... G ......
......
......
......
......
......
(IETF)
iv ......
......
......
......
......
...... Table oftents Con
......
......
......
......
......
......
...... Data Encryption Standard (DES) Standard Encryption Data TripleData EncryptionAlgorithm (TDEA) SKIPJACK (AES) Standard Encryption Advanced Modes of Operation
Key Algorithms Key ...... - Key Algorithms Key
-Hellman and MQV - ......
-based Symmetric-key Algorithms ......
......
......
......
Institute of Electrical and Electronics Engineers(IEEE) Standards Association Hash DSA The Use of and FIPS SPs Use The American National Standards Institute (ANSI) Algorithms Cipher Block Internet Engineering Task Force Task Engineering Internet International Organization for Standardization (ISO) Standardization for Organization International (TCG) Group Computing Trusted ECDSA FIPS Waivers FIPS RSA Diffie 3.2.1.1 3.2.1.2 3.2.1.3 3.2.1.4 3.2.1.5
CRYPTOGRAPHIC ALGORITHMS -175B 3.2.2 3.3.1 2.2.1 2.3.1 3.2.1 2.3.3 Algorithm Security Strength Security Algorithm Lifetime Algorithm Confidentiality Data Authentication and Source Data Integrity Cryptographic Hash Functions Symmetric Asymmetric Benefits of StandardsBenefits of Publications ProcessingFederalInformation and Special Standards Organizations Standards Other Overview and PurposeOverview and Audience Scope Background and Terms Definitions Acronyms Content 2.3.2 2.3.4 2.3.5 3.3.2 2.2.2 3.3.3 3.3.4
4.1 4.2 3.4 3.5 3.3 3.1 3.2 2.3 2.1 2.2 1.2 1.3 1.4 1.5 1.6 1.7 1.1 SECTION 4: CRYPTOGRAPHIC SERVICES SECTION 3: SECTION 2: STANDARDS AND GUIDELINES SECTION 1: INTRODUCTION NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: 44 44 31 32 45 49 42 50 51 32 51 52 40 46 46 47 49 52 37 30 41 52 39 30 41 53 39 53 53 54 54 40 45 52 56 56 34 35 36 37 37
...... TANDARDS ECHANISMS S ...... M ...... RYPTO ......
...... C ......
...... NG SI U Cipher Mode of ModeCipher of ...... RYPTOGRAPHIC ...... C ......
......
......
UIDELINE FOR G ......
......
......
......
......
......
......
......
......
v ...... astructure
......
......
......
......
......
......
......
56AKey Transport 56BKey Transport ......
- - ......
......
SP 800 SP 800 SP PKIComponents, Relying Parties Responsibilitiesand Their BasicCertificate Verification Process CACertificate Policies and Certificate Practice Statements KeyInfr FederalPublic MACsBased on BlockAlgorithms Cipher MACsBased Hash on Functions
......
Key Wrapping Manual vs. Automated Key Establishment Derivation of a Key a from Password Key Derivation Digital Signature Algorithms Signature Digital Management Key for Recommendation Key Management Framework Key Generation Hash Functions Hash Key Management System Profile Key Agreement Key Transport Selecting and Operating a CKMS Keys Protecting and Storing Security Requirements for Cryptographic Modules for Cryptographic Requirements Security Message Authentication Code Algorithms Public Key Infrastructure Cryptoperiods New Cryptographic Algorithms and Key Lengths Key and Algorithms Cryptographic New to Transitions Use Validated Algorithms and Cryptographic Modules Cryptographic and Algorithms Validated Use Control of Keying Material Keying of Control Compromises Auditing and Accountability 5.3.4.1 5.3.4.2 5.2.3.1 5.2.3.2 5.2.3.3 5.2.3.4 4.2.2.1 4.2.2.2
-175B .3.2 5.3.5 5.4.1 5.3.6 4.2.3 5.1.1 5.2.1 5.3.1 Required Security Strength Security Required Key Establishment Key Issues Management Key Cryptographic Key Management Systems Management Key Cryptographic Combining Confidentiality and Authentication in a Block- Confidentialityin Combining and Authentication Operation Bit GenerationRandom Cryptography Asymmetric vs. Symmetric Guidance Management Key General 4.2.1 5.2.2 5 5.3.3 5.3.4 5.4.2 5.4.3 5.1.2 4.2.2 5.2.3 5.4.4 5.1.3 5.4.5 5.4.6 5.4.7 5.4.8
6.1 5.4 5.3 5.2 5.1 4.3 4.4 4.5 SECTION 6: OTHER ISSUES SECTION 5: KEY MANAGEMENT NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: 56 57 57 58 59 TANDARDS ECHANISMS S M RYPTO C NG SI U RYPTOGRAPHIC C UIDELINE FOR G ......
vi ......
ities (RAs) ities ......
......
......
-175B When Algorithms are Algorithms Longer Approved No When Registration Author Certification Cross Interoperability
6.2 6.3 6.4 6.5 Appendix References A: Appendix NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: and TANDARDS ECHANISMS S M
RYPTO C publications in the in publications NG (e.g., various policy (e.g., various SI
U RYPTOGRAPHIC repudiation. C
; hereafter, the shortened shortened the; hereafter, . Other sectors are invited invited are sectors . Other ts sensitive, but unclassified unclassified but sensitive, ts UIDELINE FOR G , whereby support for repudiation, - overnment’s sensitive information sensitive overnment’s related documents related non - also to- support non also lled lled
1 , information that best protect to and how ected initial initial the areThe following Cryptographic be considered should techniques . INTRODUCTION : 1 y whereby sensitive information is sensitive information not disclosedy whereby to . Additional documents beprovided may . Additionalsub documents inseries a process that provides assurance of the source of of source the of assurance provides that a process
the laws and regulations for the protection of the Federal the protection of the for regulations and lawsthe
. guidance the determination on requirements of using for is
175 a series of documents intended to provide guidance to the the to guidance to provide intended documents of a series
Confidentiality can be provided by a cryptographic process can be a provided by cryptographic Confidentiality ction of the ction of Federal G 800-
SECTION Purpose ) is the propert
provides (this document) discusses the cryptographic methods and services services (this and discusses cryptographic document) methods the
and one part in part one
175B 175B 175A - - environment of increasingly open and interconnected systems and networks interconnected increasingly systems open and environment of -175B overnment for using cryptography to protect i protectto forovernment cryptography using
information during transmission and while in storage during information and while transmission overnment’s risk the guidance of sensitive information, conduct assessments for G
SP 800 providesoverview NIST’s cryptographic standards an of for the prote for available and a discussion of the required securityrequired the and of a discussion SP 800 cryptography. It includes It cryptography. G to what needs be to prot determine information to a receiving entity; source authentication can also be considered as as considered be also can authentication source entity; to a receiving information special A identity). entity's an of assurance providing (i.e., authentication identity ca is authentication source case of party. theisthird information provided toassurance the a of source of and practice documents) Confidentiality entities.unauthorized in data anData integrity unauthorized is been whereby has altered a not property determining process the The of transmitted or stored. created, since it was manner integrity authentication. data called is data the of integrity Source authentication Overview encryption. called use of thisuse of tech information nology. • • • • • today's today's the future. Special Publication (SP Publication Special digitized information of to this class to refer used will be “sensitive” term to voluntary use this guidance on a basis Federal Federal This is document of mathematics that is based on the transformation of data of and the transformation on based that is Cryptography is a branch of mathematics can be used to provide security several data services: confidentiality, integrity In optimum the for essential are security and the use data of and mobile devices, network safe to is vulnerable or value, a high has sensitive, is that data of the protection for in or transmission while or disclosure unauthorized undetected during modification storage. authentication, and , andsource authentication 1.1 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , ; or The ” i.e., ” i.e., .
. TANDARDS ECHANISMS S M in or new network
, and a keyand a RYPTO the Federal Federal the hile
C W NG . SI procurement process procurement
industry and national industry and national U
RYPTOGRAPHIC . C Special Publications (SPs) Publications Special federal
; UIDELINE FOR G in this document in
who are responsible for responsible for are and others who
2 to meet identified security requirements. This This requirements. security identified meet to (FIPS) NIST and , “in place be must , cryptographic keys ” standards employees employees
have also have these cryptographic adopted methods ; federal o meet a specified requirement a specified meet o
and integrity of data that is transmitted and/or stored in a a in stored and/or transmitted is that data of integrity and
ended to provide information on the on information ended to provide
de these individuals with sufficient information to allow them to make make to them allow to information sufficient with individuals these de
cryptography and on selecting using information provides is intended for a cryptographic algorithm cryptographic a ound
that will require cryptographic methods to perform security to perform cryptographic methods functionalitywill require that
is required to use these standards, when applicable, applicable, when standards, these to use is required of the of cryptographic on the key. relies the secrecy of protection security The -175B
might be by: used Information Processing Standards Standards Processing Information provide a technical discussion on the mathematics of cryptography and cryptography mathematics of the on discussion technical provide a r Backg Audience raphic Program managers and selecting integrating responsible for raphic cryptog mechanisms into a system A technical specialist requested to select one or more cryptographic oneor to requested select technical specialist A niquesmethods/tech t A procurement specialist developing a solicitation for a system for a solicitation developing specialist procurement A Scope service and services. cryptographic of Users , as well as to obtain assurance of its authenticity of assurance to obtain as or network as well , document to • • • •
4 2 3 overnment algorithm is a mathematical function, and the key is a parameter used during the during keyparameter and is the used is a a algorithm mathematical function, cryptographic process. and key The algorithm are used together to cryptographic apply to toasignature) and the digital generate to or data encrypt data protectionto (e.g., or checkremove the to protection (e.g., decrypt encrypted data the or to verify the digital signature). Security should not rely on the as the secrecy of algorithm, specification the algorithm be publiclymay available. In order to use existing systems. existing systems. 1. algorithm an two basic components: upon relies cryptography The use of which are collectively discussed as NIST “ as NIST discussed collectively are which This Keyscryptography. to use that intend and/orbetween for parties be established keys must 1. NIST 800 SP This document services providing using cryptographic and document G bodiesand international standards or cryptographic algorithms. 1. to cryptographic tothat of those its discussion methods This conform document limits Federal This not document is int The goal is provi to system informed decisions about the cryptographic methods that will meet their specific needs to to needs specific their meet will that methods cryptographic the about decisions informed confidentiality the protect
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: of or bit
not
is used is used
TANDARDS ECHANISMS or NIST S M
integrity key algorithm . Additional . Additional issued by a tions that is is that tions , contains the RYPTO
C
is required for the the for required is
NG entity SI
must l signatures) U . RYPTOGRAPHIC C
.
; the functions map certificates
for further information. for further 1 UIDELINE FOR recommended. An G -
. 57, Part 1 - . and possibly other information, and is and possibly is otherinformation, and identified in the certificate the in identified
3 cryptographic keys ty key algorithmkey - specified mathematical process for computation; a set a computation; for process mathematical specified public key of a fixed length to bit strings of the same the same length. aof fixed of bit length to strings Approved and/or NIST - public key to enti the the how in specify information the could certificate the certificate.and the period of validity listA of revoked but unexpired Authority Certification A process that provides assurance of the source and and the source of assurance provides that process A thatis stored.information communicated or 0’s orderedsequence and1’s.An of functions inverse func of and family their A by parameterized strings an identifies uniquely that data set of A entity’s thereby thedigitally by asigned trusted public party, binding A clearly A result. prescribed a give will followed, if that, rules of FIPS See technique that is either 1) specified in a FIPS FIPS a in specified 1) either is that technique by adopted and elsewhere specified 2) or recommendation, Recommendation. NIST or a FIPS in reference
terms and definitions are used in this document. In general, the definitions the general, this In in document. are definitions used and terms key -
-175B
However, when an automated method is used, authentication isused, method an automated However, when Recommendation for Key Management: General Guideline General Management: Key for Recommendation 1, Part 57
Terms and Definitions - SP 800 SP Certificate Certificate Revocation List (CRL) Certificate (or public public (or Certificate certificate) key Bit string Bit Block cipher algorithm Asymmetric algorithm Authentication Approved Algorithm
1 1.5 The following may be establishedmay (e.g., an automated trusted manually via either courier) or a using method. Publications. Special and NIST FIPS from are drawn NIST 800 SP participating entities that relies on an established trust infrastructure, such as a Public Key Key as a Public such infrastructure, trust established an on relies that entities participating key authentication distributed manually a on or (PKI) Infrastructure In used one (e.g., general, for purpose digita keys the of generation be used for another (e.g., purpose key establishment) for the because the use of same key two differentfor securityweaken the may by one provided cryptographic or processes Section in SP 800 the See both 5.2 of processes.
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: -
with with
related related TANDARDS ECHANISMS data, S M entity RYPTO C NG and contains the all contains and SI thesatisfy following (if applicable), and and (if applicable),
U RYPTOGRAPHIC
C cryptographic algorithm (PKI) that is responsible responsible is that (PKI) cryptographic algorithm
tions and other security-
e or reverse the reverse operation, e or data into ciphertext used to test the data to verify verify to data the test to used
UIDELINE FOR - as a "cross to referred each each of the through signing G hash func
specified output, and output, specified - (CAs) trust relationship between two two between relationship trust
cryptographic key
certificate and exacting compliance tocompliance a policy. and PKI exacting cryptographic module
form. keying material .
4 Approved public key infrastructure key public entities
certificates in a encrypted n output.
way) is to It any find input computationally infeasible
- defined computational procedure that takes variable takesthat procedure variable computational defined
- public key in a
suing that maps tothat any pre maps find to infeasible computationally is It resistant) (Collision to output. the same any two distinctinputsthat map plaintext of The transformation data, ciphertext plaintext into of The transformation data (One entity 2. 1. 2. 1. he establishment of a of establishment he A parameterA used in conjunction a with a thatthat way itssuch an determines in operation can the reproduc of key knowledge Examples cannot. the of key knowledge without entity while an include: A mathematical value created using a using created value A mathematical later and to data assigned that is a fixed to arbitrary a length bitof function string A that maps length string. bit properties: Certification Authorities Certification other's ." certificate A well inputs, a including produces a explicitlyAn defined continuous the that establishes perimeter a of physical bounds hardware,software a firmware components and/or of cryptographic module. has not thatthe changed. data for is for in its Data The unauthorized disclosure, modification, substitution of or use (e.g., sensitive data information). to is disclosed not sensitive information that The property unauthorized T The
-175B
Cryptographic key Cryptographic hash function boundary Cryptographic checksum Cryptographic algorithm Cryptographic Cross certify Cross Compromise Confidentiality Certification Certification Authority (CA) Ciphertext NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , a
using a TANDARDS ECHANISMS within within S
M
cryptographic
RYPTO for thefor purpose confidentiality
C
from data, from plaintext NG SI is authorized for use use for is authorized from data, from
U
RYPTOGRAPHIC that is used to derive to derive that is used
C into key used as a basic building as used building a basic
ciphertext
. . into into
principles, means and methods and methods means principles, . UIDELINE FOR . that is an analog of DSA of thatisusing an analog G
the ciphertext shared secret shared s not been altered in an unauthorized an unauthorized in altered been s not authentication code authentication digital signature digital that is used for the generation and generation the for that is used , repudiation plaintext
and key . repudiation generation)and is contained
non- . for a given system remain in effect. may system a given for
5 , and key level cryptographic algorithms. - digital signatures digital . security functionssecurity (including cryptographic algorithm , and non- s and
key algorithm key
- verification of an authentication code from data and a data code from and an authentication verification of level level - Supports signer Source authentication Source Data integrity The computation a of The verification of a digital signature, signature, digital a of verification The The computation an of The receivedcode, authentication and keying material The computation a of
public digital signature algorithm signature digital 3. 1. 2. 7. 4. 5. 6. 3. A of verification A curve elliptic changingThe processof securityof privacy. or A property whereby ha data propertyA or stored. transmitted created, since it was manner changingThe process of cryptographic algorithm of when a data cryptographic that, The result transformation of servicesproperly providesthe implemented, of: cryptographic boundary A low block higher for embodies that discipline The providingfor information including security, integrity data span during aThe time specific which keys orthe in which The set of hardware, software and/or firmware that implements implements that firmware and/or software hardware, set of The approved algorithms
-175B
Encryption Algorithm (DSA) Algorithm Curve Elliptic Signature Digital (ECDSA) Algorithm Digital Signature Signature Digital Decryption signature Digital Cryptoperiod Data integrity primitive Cryptography Cryptographic module Cryptographic NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: and
. public
TANDARDS ECHANISMS
S M the public key public key ;
. . transport unters) during that is shared RYPTO ; a key pair is pair ; a key
C co and then securely securely then and key-
NG SI and
U RYPTOGRAPHIC are derived from either are from derived C cryptographic keys
s IVs to information; also called called also information; to private key
device or process. or device
key) algorithm key - and other information. not provided in a in provided not procedure where the resultant resultant the where procedure
keying material keying UIDELINE FOR . G keying material keying
to communicate with another communicate entity. withto hash function
is a information function of contributed
that is generated when needed when is generated that
. shared secret shared , entry and destruction. and output,
procedure whereby one party (the sender) (the sender) party one procedure whereby
. 6 establishment t - entity
. key and its corresponding
key pair public key (asymmetric
, unlike which often are keys public static .
establishment wise) term
- - establishment keying material keying - shared key, or a key, shared key agreemen key - of an ephemeral keyis pair an ephemeral of cryptographic key cryptographic cryptographic hash function
public key key other related security parameters (e.g., (e.g., parameters security other related the entire cycle the life of keys, includingthe generation, storage, A used with a A the secret for a value selects anotherdistributesto Contrast that value party (the receiver). with secret secret the value canby two participants, predetermine so party that no the independently theof secret from material keying the contributions of other party. with Contrast The process by which one ormore a pre in results that procedure The differentamong parties. of the handling involving The activities A vector used in defining the starting point of a cryptographic a cryptographic point the of vector starting A in defining used process. The property orhas an that deleted not been in modified data andunauthorized undetected manner. one The ability of See (pair A A shortA key certificate usedAs inthis used interchangeability document, with algorithm See The result applying of a digest a message An individualorganization,An (person),
-175B
Key pairKey transportKey Key management Key Key derivation Key establishment Key Key agreement Key Integrity Interoperability Hash value Vector Initialization (IV) Function Hash function Entity key pairEphemeral NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: . to
.
TANDARDS integrity ECHANISMS and that maintain maintain
S
M ing on the ing on and is notand is
. process private key to provide a to provide a and
RYPTO C symmetric key symmetric NG key cryptographic cryptographic key or authentication - SI . Depending on the the . Depending on U agreement RYPTOGRAPHIC
C such that they share atsuch that they share algorithm
public key- public key cryptographic public cryptographic key that is to support used a
confidentiality that may be verified by the be verified by the may that .
public key
entities . UIDELINE FOR G confidentiality
during a . ) necessary to establish and to establish ) necessary on data that uses a data that uses on . block cipher
y associated with an entity an with associated y . IVs encrypted digital signaturedigital and
keys
7 used to provide
keys . that uses a that uses keying relationships
. as not beenas that associated with an is entity uniquely , that is uniquel
cryptographic key entity corresponding publiccorresponding key, Decrypt that encrypted data by the was corresponding public key, or secret a shared Compute Compute the corresponding public key, theCompute public corresponding signature a digital Compute Cryptographic primitive hash value algorithm symmetric key symmetric cryptographic checksum 3. 4. 1. 2. n A cryptographica A used with key algorithm key (public) asymmetric public.In an be made may the cryptosystem, public key is a associated with The public be key by anyoneknown may and, depend Data that h that Data See cryptographicA key, used with a algorithm public. the In keymade (public) cryptosystem, an asymmetric a with is associated key private be used the may private to:algorithm, key See See A as such service, cryptographic Special or (FIPS) Standard Processing Information Federal (SP). Publication a service using A a by signed actually was a of whether message determination given protection for otherprotection for The data (e.g., cryptographic two between existing state The one least A data. of modifications intentional and accidental both detect A
-175B
repudiation wrapping key wrapping - - Public key Private key Private Plaintext Primitive NIST standard NIST Non Authentication Code Authentication Code (MAC) digest Message operationMode of Keying relationship, cryptographic Message Key Keyingmaterial NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: ’s
the and key-
public and owner
TANDARDS ECHANISMS and any and any S M agreement
- . process the using a cryptographic . that issued the that the issued key RYPTO
C key CA NG SI g a . algorithms U agreement RYPTOGRAPHIC key establishment symmetric (secret key) key) (secret symmetric C , which is used with a a , which is with used d the
key-
an
that is signed by the by the signed is that
.
digital signatures digital UIDELINE FOR private key private G private key private during a that keys,related two a uses
certificate
as as well certificate, he that is for used and is not public.made the The use of
. The two keys have the property that propertythe that have . The two keys . that is used with a that with is used
in t
hm
.
8
, associated public key associated , digital signature digital is used as input to derive a to as input is used
and private key Compare with a with Compare
that relies on the the on relies that method. key algorithmkey or system. or system.
- and a Verify a Verify privatecorresponding key, corresponding by thebe decrypted can that Encrypt data private key, a secret shared Compute symmetric (secret key) algorithm key) (secret symmetric entity
public cryptographic algorithm cryptographic key 1. 2. 3. validity of the the of validity information. Sensitive, unclassified but number A associatedwith of thework (thatis, amount the a to break required operations) that is number of algorithm durin computed is that secret value A transaction derivation A cryptographic algorit classification a imply not does context this in “secret” term from key the protect to need the implies rather but level, public key algorithm See A framework that is established to issue, maintain and revoke revoke and maintain issue, to established that is framework A certificates key public An owner, certificate the of identity the verify to certificate parameters relevant A and verification theof generation disclosure. A key the the privatedetermining public key is from key infeasible. computationally algorithm, may be used algorithm, may to: thepossession corresponding of
-175B
Security strength secret Shared (symmetric) (symmetric) cryptographic algorithm Sensitive (information) Secret key Secret key RSA Secret key Relying party (asymmetric) (asymmetric) cryptographic algorithm Public Key (PKI) ucture Infrastr Public key NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
to ).
for an
TANDARDS ECHANISMS . S M . private key RYPTO 90A C - is often provided secret key to verify a digital digital a verify to symmetric (secret (secret symmetric
FIPS 198
and decryption NG . SI . and a . U RYPTOGRAPHIC
C . 38A -
. . 38A -
. public key public key
encryption FIPS 197 38A -
38D . SP 800 UIDELINE FOR - FIPS 186
. G . and a secret key secret
that is used with a a with used is that that uses the same that the same uses
on data. SP 800 38A . SP 800 -
for whichfor the
9
.
certificate digital signature algorithm signature digital Also called a called . Also
digital signature digital key pair key digital signature digital - on data on cryptographic key
term term ndom SP 800Bit specifiedin ndom Generator; - . cryptographic algorithm 67 key) algorithm A (e.g., itsoperation and complement generate a generate a The use of signature process information. A source provides that assurance the of of longA in a public singleA The use of a of use The - Hash Message Authentication Code; specified in specified Code; Authentication Message Hash
Hellman algorithm. Hellman - - er Feedback mode; specified in specified mode; er Feedback
Counter mode; specified inCounter SP 800 mode; specified Keyed Commission. Electrotechnical International Certificate Revocation List. Revocation Certificate Cryptographic Key Management System. Management Key Cryptographic Policy. Certificate Statement. Practice Certification provided 46; FIPS now specified in Data originally Encryption Standard; in SP 800 Diffie Ra Deterministic in specified Algorithm; Signature Digital in SP 800 mode; specified Electronic Codebook Algorithm Signature Digital Curve ptic Elli American National Standard. National American inmode; specified ChainingCipher Block Ciph Extensions. Security System Name Domain Advanced Encryption Standard; specified inAdvanced Encryption Standard; specified Institute. Standard National American Standards Committee. Accredited Authority. Certification Compatibility. Electromagnetic System. Management Key Cryptographic Federal Standard Processing Information Federal Act. Management Security Information Federal in Galois Counter specified Mode;
-175B
Acronyms
key) algorithm Symmetric key Symmetric (secret Symmetric verification Source authentication pair key Static Signature generation Signature CTR HMAC IEC CRL ECDSA DH DSA ECB CP CPS DES DNSSEC DRBG CFB CKMS 1.6 ANS CBC AES ANSI ASC CA EMC FCKMS FIPS FISMA GCM NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - TANDARDS ECHANISMS
. S M ational and national RYPTO . C . NG 67 - 56A SI - U
RYPTOGRAPHIC and Adleman C .
SP 800 management systems, key systems, management SP 800
38A - UIDELINE FOR 175 series of publications and to publications and to of 175 series
G
Rivest, Shamir ; specified in in ; specified
algorithms used for encryption, digital digital encryption, used for algorithms
10
. .
.
; in SP 800 specified
.
. ity
, and provides a glossary of terms and a provides list terms glossary of , and a of
.
the importance of standards, as well as the as well standards, of importance the Rekeying. Vanstone algorithm - - establishment, and establishment, provides discussions on strengthsecurity s - Qu Air - - the discusses the services that can the services cryptography provide: discusses data . Generator Bit Random deterministic - introduces the approved the introduces - discusses discusses
discusses requiredkey the the for management use cryptography, of
- the 800 to SP introduction provides an
.
discusses additional issues associated with the use of cryptography.of associatedwith the issues use discusses additional
Secure Shell protocol.Secure Shell Group. Trusted Computing in specified Algorithm; Encryption Data Triple Information Technology.Information public algorithm A attributed to key Publication Special International Standards Organization. Standards International . Code Message Authentication Menezes Infrastructure Key Public Request Comment. for Algorithm Hash Secure Secur Layer Transport Registration Authority Registration Generator Bit Random Institute of Electrical and Electronics Engineers. Electronics and Electrical of Institute Force.Internet Task Engineering Interference. Electromagnetic Information Standards. for Committee International Technology Security. Protocol Internet Non Technology Standards. National andInstitute of mode Output Feedback Over on 3 repudiation.
-175B nternational standards bodies concerned with standards cryptography.nternational concerned bodies
lifetime. algorithm and bit generation. random and mechanisms establishment Section 6 Content and for support authentication source authentication, confidentiality, integrity data non- Section 5 providing guidance and key discussions- general on i Secti key and signature Section 4 Section 1 this in particular document acronyms Section 2
• • • • • •
7 SSH TCG TDEA IT RSA SP 1. ISO MAC MQV PKI RFC SHA Thisfollowing sections: documentthe is into organized TLS RA RBG OTAR IETF EMI INCITS IPSEC NRBG NIST OFB IEEE NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: TANDARDS ECHANISMS tandards, tandards, S M S RYPTO C NG SI U rocessing RYPTOGRAPHIC P C UIDELINE FOR G nformation nformation
11
this document: lists applicable Federal I Federal lists applicable
x in A
-175B Appendix recommendations, and guidelines. •
is one appendi isThere one NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: ,
FIPS odule TANDARDS ECHANISMS S M , standards , standards
RYPTO C NG SI U RYPTOGRAPHIC cryptographic m cryptographic
C
of different vendorsof
UIDELINE FOR G
. , a manager knows that and knows key lengtha manager , products sure quality the a product. of Standards .
12
based cryptographic algorithm is necessary, but is necessary, but algorithm cryptographic based algorithm - associated conformance tests and specify the the tests specify and conformance associated A NIST standard may become a common of standard become form NIST A may
to ensure that the product is still functioning correctly functioning productisthe still to ensure that
management.
: STANDARDS AND GUIDELINES 2 tests - cryptographic Products developed to a specific standard may be to used may standard to a specific developed Products
self change ufficient to ensure product interoperability. Other common Other productinteroperability. to ensure ufficient - Standards may be used to establish a common levela be establish common used to security. Standards of may For Standards may beStandards used may to as
Require and Require assure specific documentation to proper implementation and product Specify how a feature is to be implemented, to ais be feature implemented, Specify how n approved SECTION accredited laboratories and provide validation that the NIST standard was was standard NIST the that validation provide and laboratories accredited contains security and integrity requirements for any for requirements integrity and security contains
- s can reduce costs and protect their investments in technology. in investments their protect costs and reduce s can effective solution. effective
- 2 o o o -175B Security Requirements for Cryptographic Modules Cryptographic for Requirements Security , , product. For example, a vendor’s product. in testing/evaluating used be to reference correctly implemented. correctly of Reference. Form Common Many standards NIST have by administered be may tests conformance The requirements. conformance NIST implementing cryptographic implementing operations may: 140 the algorithm has been found to be adequate for the protection of sensitive of the for protection be adequate has to been found the algorithm government data been subjected and public has to of a significant period analysis and comment. Quality. example, areexample, managers and, not by most agency cryptographic experts, security using a Security. Interoperability. standard. same tothe conform that products with other provide interoperability that data was algorithm, cryptographic encryption same the by using For example, encrypted be usingA’s decrypted productmay vendorvendor using B’s product. standardsa common The use of not bemay s standards, as protocol communications standards, such also may be necessary. the ensuring among interoperability By various the most available products to find from select to organization an permit cost Benefits of Standards dards define common practices, methods, and measures/metrics. Standards provide provide and measures/metrics. Standards methods, practices, common define dards • • • •
.1 FIPS 140 FIPS
2 Standards provide the following benefits: Standards the following provide 2 NIST 800 SP Stan by the public areas, reviewed relevant in experts by evaluated been have that solutions and subsequently by a wide community accepted of users. using By standards, organization
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: 3 ) , an . For , and ederal ederal
. for the the for be used, be used, be used.
TANDARDS ECHANISMS
S . M
T) product product T) . In addition to addition In must
RYPTO encryption) C conform to conform FIPS that the algorithm algorithm the that 67. NG mandatory ederal agencies and and ederal agencies for SI U RYPTOGRAPHIC is must
C is required required is standard that
(e.g., . For example, FIPS. For example, 197 are different, both types of of types both different, are FIPS and must SPs
FIPS) UIDELINE FOR G an SP as specified in FIPS 197; whenever in FIPS as specified and
). Other NIST standards specify the the specify standards NIST ). Other . Also, without standards, products may cryptography 6 mentation and use as specified in SP 800- SP specified in as 53 FIPS FIPS
- in every information technology (Iinformation everyin 13
imple ). Whenever encryption is used by ais by f used encryption ). Whenever
. 4 implemented 67 tions that comply with commonly accepted tions accepted withthat commonly comply - be SP 800 ta use of a of use is not mandatory unless a unless a mandatory not is but FIPS, a to similar is ; approval is indicated by inclusion in a or by inclusion FIPS indicated SP approval in is ;
implemented implemented or
the 5 be SP 800 ederal agencies are required to use only implementations of of implementations only use to required are ederal agencies
f 199 for further discussion). further for Implemen be used be algorithms encryption for are AES (as specified in FIPS 197 by the Secretary of Commerce. Commerce. by the of Secretary
must cryptographic algorithms specified in algorithms cryptographic , must for the protection of sensitive information sensitive of protection the for
and Privacy Controls for Federal Information Systems and Organizations and Systems Information Federal for Controls Privacy and
algorithms, algorithms,
approved Section 5.4.5 Security Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher Block (TDEA) Algorithm Encryption Data Triple the for Recommendation -175B
ederal agency requires the use of of use requires the ederal agency specified in specified service of type the whenever overnment algorithm algorithm Advanced Encryption Standard (AES) Standard Encryption Advanced Systems Information and Information Federal of Categorization Security for Standards a specific set of technical security requirements for the AES algorithm. algorithm. AES the for requirements security technical of set specific a f , , (see (see G 53, 67, that considered procurement for is being could This users. other by purchased products different with interoperate not IT. implementing or of money in delay result the significant of in waste a Federal InformationProcessing Standards and Special Publications The Use of FIPS and SPs Cost Savings. can save money. Without standards, users users standards, money. Without can standards save by specifications provided experts be requiredto become may - - approved ederal agency ederal 199 A is to be used, it it used, be is to A •
hen a 2 . Commerce of the Secretary FIPS FIPS 800 SP FIPS 197, 197, FIPS 800 SP
publications have been subjected to the same reviewpublications have process to same by the been the subjected f than an that of SP formal more is a for FIPS The approval process the public. takessubsequently the longer for initial approval and the any subsequent approval of revisions. W approved twoexample, approved available.when guidelines Some be used may to specify the functions (e.g.,will FIPS perform 5 6 3 4 When developingWhen a specification the the for or criteria selection a cryptographic of or service mechanism A FIPS197. A is approval does the not need SP so. it An OMB) makes agency (e.g., particular government of for Although requirements the in (as specified TDEA and , eitherinformation sensitive or of TDEA protection AES the agency for isWhenever to it AES be used, must Whenever AES isWhenever used AES by an agency, its (SP) Publication Special NIST A that beentheseand validated are in cryptographic have validated algorithms included modules contains contains 2. 2.2.1 a Federal Information Processing of use The Standard ( Federal by a f TDE using NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: is for X9 (see ); this
Section industry industry TANDARDS ECHANISMS ASC - ). S M RYPTO FIPS 186 C approved likewise, likewise, FIPS 140FIPS NG ; SI ) clearly marked draft draft marked clearly U is a financial RYPTOGRAPHIC
s C
reader must refer to the latest latest the to refer must reader X9 have been adopted within , which
. 7 UIDELINE FOR
the X9 G
; .
t apply to the implementation of implementation the to t apply ). orporated intoorporated other the of standards ate the fourth revision of revisiontheate of fourth (ASC) www.ansi.org ; rather, it facilitates the development of of development the facilitates it rather, ; scussion)
organizations are briefly described below. are below. se organizations described briefly FIPS 197 14 number number its is revised, FIPS a that when Note via a registry of approved standards from non- from standards approved a registry of via
has been in 186 adopted FIPS for a for di
9 provisions provisions authorized 347) previously eliminated is used to indicis to used ; note that this site also contain also site this that ; note 175A - sector voluntary standardization system. ANSI does not ANSI standardization system. voluntary sector 4” overnment. - X9.62 -
. agencies. In addition, there are groupsthere other addition,ederal agencies. government In private
the main body of this document body of main the
' FIPS 186FIPS (see SP 800 (e.g., the Elliptic Curve Digital Signature Algorithm specified in in specified Algorithm Signature Digital Curve Elliptic the (e.g.,
contains a list and SPs FIPS of tha
Public Key Cryptography for the Financial Services Industry: TheElliptic Curve Digital . Many of the. Many of standards ASC developed within A -175B 8 and used by f and AmericanNational Standards Institute (ANSI) Other Organizations Standards FIPS Waivers Waivers FIPS ttee
3 Signature Algorithm (ECDSA) Algorithm Signature ANS X9.62, . Furtherinformation is available webANSI atthe site: Furtherinformation is available X9site:ANSIx9.org. atthe web
9 A number ofA ASC X9 standards also inc been have standards bodies,as the such (see International Standards (ISO) Organization 7 8 has approved the use of NIST standards NIST the of use has approved 2.3.1 and coordinator administrator the is (ANSI) Institute Standards National American The the States of United in as specified AES, sources (e.g., X9 ASC 2 who by vendors used that are guidelines and recommendations, develops standards, NIST be products may These modules. and products, components, security are developing acquired The andthat promulgate standards. develop itself Nationals Standard develop American publications) . 2.2.2 practice is not used in used not is practice version the or FIPS of SP that been officially has http://csrc.nist.gov/publications/ a of FIPS use that the to indicate agency an by issued sometimes was waiver a In the past, Security Management Federal Information the agency. However, that was not by required 2002 (P.L. 107- of Act (FISMA) FIPS from waivers qualified consensus gro establishing among ups.standards by Several committees ANSI have developed standards that use cryptography, but the cryptographic committee algorithmsprimary the for that has developed standards Committee Standards is Accredited themselves standardsNIST Standard National American f specific types of algorithms (e.g., AES, DSA) and the level of level of DSA) and the AES, (e.g., algorithms of types specific useoperation of and security testing of requiredindependent environments (e.g., classes for Appendix G the Federal incryptography NIST 800 SP commi commonly followed by a revision number that indicates the number of times that it has that it times of number the that indicates number a revision followedcommonly by (e.g.,been “ revised
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , 14 SA) is is SA) -
TANDARDS ECHANISMS X9.44
S . , M Standards 13 h has now been now been h has
). based industry industry based RYPTO - C Vanstone (MQV) (MQV) Vanstone
, whic X9.42 - NG
, SI 12 Qu U RYPTOGRAPHIC - Amendment 1: Additional Additional 1: Amendment C
. It has more than one than one more has . It . key cryptography schemes, schemes, cryptography key X9.31 -
.
. UIDELINE FOR (see Section 2.4.1 G on cryptography. It includes a series series includes It a on cryptography. es
technology. IEEE supportstechnology. IEEE international
- 15
Key Cryptography Key standard published2000 and was in revisedin -
Hellman (DH) and Menezes (DH) and Hellman SA web site: standards.ieee.org. website: SA - - standards, such as ANS as ANS such standards, Public he development of globally of acceptable standards. development he . It includes the basic public the includes . It edge electro edge 17
specifies NTRU encryption and and encryption , which was published in specifies 2008, NTRU key cryptography. IEEE P1363 IEEE cryptography. developed was key at same time the as 18 - cryptographic cryptographic , which were developed in ASC X9 Key Cryptographic Techniques Based on Hard Problems over Lattices over Problems Hard on Based Techniques Cryptographic Key - 16 key - IEEE P1363a Standard Specifications for Public Key Cryptography - Cryptography Key Public for Specifications Standard
, whichhas now been withdrawn. is the only IEEE standard thatIEEE focus is only the Public
Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Services Financial the for Cryptography Key Public Reversible Using Signatures Digital Standard Specifications for for Specifications Standard Agreement of Symmetric Keys Using Discrete Logarithm Cryptography Logarithm Discrete Using Keys Symmetric of Agreement Key Establishment Using Integer Factorization Cryptography Factorization Integer Using Establishment Key TheElliptic Curve Digital Signature Algorithm (ECDSA) Cryptography. Curve Elliptic Using Transport Key and Agreement Key 11 10
, , . -175B 1363a,
. , and X9.63 IEEE P1363.1 schemes. signature The first part of the IEEE the P1363 of part first The 2004 as and (DSA), Algorithm encryption,such the Signature as signatures, RSA Digital Diffie using key establishment ectronics Engineers (IEEE) Engineers ectronics El and Electrical of Institute over fields finite curves. and elliptic 15 ) via a Technical Advisory Group (TAG) called the International Committee on Committee International the called (TAG) Group Advisory Technical a ) via • • IEEE P ANS X9.31, IEEEP1363.1, ANS X9.42, ANSX9.44, ANSX9.62, ANSX9.63 Furtherinformation is available IEEE atthe IEEEP1363: Industry (rDSA) Industry Techniques
17 18 14 15 16 10 11 12 13
of standardsof on public the public ANSI X9.62 IEEE is an international, professional association that is dedicated to advancing to advancing dedicated is that association professional international, is an IEEE and excellence.technological innovation technical The the focus objectives of IEEE on and engineering, computer and electrical, electronics practice of and theory advancingthe and disseminates consensus voluntary, develops science. IEEE computer 2.3.2 Association 2.3.4 assuring for responsible has been INCITS Standards (INCITS). TechnologyInformation that standards both those (e.g., U.S. and developed NIST those by developed within ASC standards. ISO within incorporated are X9) NIST 800 SP t encourages and standardization standards involving leading- (IEEE Association Standards Engineers Electronics and Electrical of Institute The an organization within IEEE that developsglobal that IEEE standards an organization within of which to some related thousand are cryptography. standards, active IEEE P1363 withdrawn
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: ) 1 or - 20 SP , as , WG) IETF IEEE -
. TANDARDS ECHANISMS S M ode (GCM) ode (GCM) widely used used widely was adopted was adopted authenticated authenticated
- RYPTO
IEEE 802.11 IEEE C 38C - NG used in HMACused
SI work on the Internet Internet on the work U RYPTOGRAPHIC C was adopted from and , . schemes SP 800
Oriented StorageDevices - 38E - security. In the security area, area, In security the security.
) and wireless ( wireless ) and UIDELINE FOR tion tion specifica technical official G and FIPS 180
SP 800 specified in in specified
thernet . IETF
E An .
protocol, which is used to build a trust and trust and to a protocol, build used which is 16
, such as block cipher modes of operation,, such ashash modes block cipher 38D specified in specified -
security mechanisms for different protocols or or protocols different for mechanisms security l retrieva key authenticated onfidentiality X.509 c Key Cryptography Key - which are standards, groupof which AN/MAN SP 800 and develop Key InfrastructureKey Group (PKIX X.509) Working - operation of
was also published in 2008. It 2008. publishedin was also specifies password
BasedPublic . - 19 . 38E - uthentication uthentication is called (RFC). Comments for a Request the IEEE 802 L IEEE the
a
Password . Networks Area Local Wireless
techniques and its techniques and protocols. - and password greement for FIPS 198 SP 800 -175B oved cryptographicoved algorithms Cryptographic algorithms are used to protect wireless communications. The protect areto wireless The algorithms communications. used Cryptographic
2 family of hash functions specified in specified hash functions of 2 family - in
standards. IEEE 802 standards also use the standards 802 SHA also standards. IEEE 802 IEEE in also used ) are as ode communication protocol andto technical provide security recommendations etc. a client, and a server between communication for services routing between network between devices, and routing secure for recommendations technical other authentication services infrastructure, services authentication Internet Engineering Task Force (IETF) Force Task Engineering Internet IEEE P1363.2 IEEE key a developed technical specifications and recommendations to support a Public Key support recommendationsto a Key Public developedtechnical specifications and the ed bas on Infrastructure, 21 m appr - 38D 3. The TLS (Transport Layer Security) working group has been specifying a a specifying (Transport has been 3. The TLS group Layer working Security) 2. The IPSEC (Internet Protocol groupdeveloped working protocol Security) and a • 1. The PKIX (Public Standard for Cryptographic Protection of Data on Block on Data of Protection Cryptographic IEEEfor P1619, Standard IEEEP1363.2, IEEE802.11,
NIST 19 20 21 functions, key establishment schemes, and digital signatures are used in various in are used signatures digital and schemes, establishment key functions, protocols. For example, RFC 5288 Galoisprotocols. AES RFC specifiesthe For M example, Counter basedr TLS, fo Cipher on Suites P1619 2.3.3 from IEEE 802.11. Other AES modes of operation (e.g., GCM, which is specified in IEEE in specified (e.g., which is Other operation from 802.11. GCM, AES of modes 800- and SHA specified a blockXTS, cipher mode computer networkingcomputer standards both for wired ( networks. recommendation The schemes specified in IEEE P1363.1 and P1363.2 are not included in the NIST in not are included P1363.2 and in P1363.1 IEEE specified The schemes standards. the of standards One different for applications. IEEE areCryptographic inschemes used is more notable CCM NIST 800 SP The Internet Engineering Task Force (IETF) is an international community of networkan of international community (IETF) Task Force is The Internet Engineering that technologists and researchers, vendors, operators, designers, architecture, by areworking which organized groups, its done in is IETF the The technical work of transport routing, such as areas, several topicinto different working groups For example, applications.
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - − . Key Key Key Hash . Digital Digital Digital . . TANDARDS ECHANISMS Message Message Message Modes of Modes of − − S cluded included M − − − RYPTO C NG SI U RYPTOGRAPHIC .
C are usually inare usually Security techniques Security techniques 22
Experts from all the over Experts from
Security techniques − techniques Security . Security techniques − techniques Security using a process consensus Security techniques − techniques Security Security techniques techniques Security , Security techniques techniques Security Security techniques Security techniques Security techniques Security techniques techniques Security UIDELINE FOR
G
− . http://ietf.org
. , www.iso.org . http://
functions 17
Part 2: Mechanisms using a dedicated hash- a dedicated MechanismsPart using 2: . . It usuallyhas than more mechanisms security and y Information technology − Information technology − Information technology − technology Information Information technology − Information technology − , and schemes in schemes and FIPS andSPs , Information technology − Information technology , worldwide federationworldwide national of standards Its bodies.
, Information technology − Information technology − Information technology , , , 6, , 3 - - 2008 bit block cipher bit block ryptograph c 3:2010 3:2008 n- 3:2004 2: 2:2011 1:2011 ISO/IEC ISO/IEC (IEC). Commission Electrotechnical International the ) and Part 3: Discrete logarithm based mechanisms based Discrete -- Part logarithm 3: th appendix algorithms algorithms Part 3: Dedicated hash-
standards, along with many other algorithms submitted by other submitted by other algorithms with other many standards, along
governmental, The following is a list of ISO/IEC standards that include cryptographic cryptographic include that standards ISO/IEC of list a is following The -175B uthentication Codes (MACs) -- uthentication Codes (MACs) SO/IEC 10118- SO/IEC ISO/IEC CD 14888 signatures wi ISO/IEC 18033- Encryption algorithms − Part 3: ciphers Block . techniques asymmetric using Mechanisms 3: management -- Part ISO/IEC CD 11770 derivation Key 6: management -- Part ISO/IEC 14888- factorization mechanisms Integer based -- Part signatures 2: with appendix function. ISO/IEC 10116:2006 operation for an I functions -- ISO/IEC 11770- Part 1: Mechanisms using a block Part usingAuthentication -- Codes (MACs) cipher 1: Mechanisms ISO/IEC 9797- A ISO/IEC 9797- International Organization for Standardization (ISO) Standardization for Organization International cryptographic 1 SC 27 for isthe IT security. subcommittee Working group 2 (WG2) is the group /IEC JTC 1 8. 9. 6. 7. 3. 4. 5. 2. 1. Furtherinformation is available web ISO atthe site,
22 ISO is a nonISO - industry efficient make more standardsto is develop that help mission to international from business, and technology all aspects of almost cover standards ISO effective. and healthcare. to agriculture from safety to and food computers, for Organization International the of committee technical joint a is 1 JTC ISO/IEC (ISO Standardization JTC developing standards for new a existing or standard an revisioneither of ato develop twenty projects active standard. consists parts,of standard eachmultiple partincludes and Each multiple and/oralgorithms mechanisms. The ISO countries. Further information is available at the IETF web site web IETF the at available is information Further 2.3.4 standards. NIST in specified schemes and algorithms NIST 800 SP world develop the standards that are required by their sector required by world the that are develop standards
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: − TANDARDS ECHANISMS ISO/IEC ISO/IEC S desktops), desktops), M e that can, e that can, class clients clients class - and Group defines Group RYPTO
ons that enable that enable ons C going work in the NG ing SI U RYPTOGRAPHIC specific specifications specifications specific - C Security techniques techniques Security These specifications were were specifications These
enforce policies regarding regarding policies enforce ampering, RoTs are often often are RoTs ampering,
performance storage systems systems storage performance ) are hardware, firmware, and and firmware, hardware, ) are UIDELINE FOR G
cannot be detected, they must be secure by be must they cannot detected, be
18
s develops and promotes a set industry of standards
work in the IETF’s Network Endpoint Assessment Assessment Network Endpoint IETF’s the work in
Information technology − . eveloped standards are deployed enterprise deployed are developed standards - , . 4 on devices connected to. anetwork based mechanisms to protect data on storage devices, and manage these these manage and devices, storage to protect data on mechanisms based ure and command set for TPMs, with and TPMs, command platformure set for
intended for client devices (e.g., tablets, notebooks tablets, (e.g., devices client which is intended for
-175B 11889:2015 Parts 1- Trusted Network Connect(TNC): The TCG’s TNC Work to administrators network allow that specifications endpoint integrity Trusted Platform Module (TPM):Trusted is TPM A a Platform cryptographic modul , establish device identity in a platform, provide secure platform, in a deviceidentity , establish other capabilities among storage keys for and and credentials, support reporting and the measurement of general the provides Specification Library 2.0 TPM state. The the system architect systems. of classes particular in implemented be can a TPM how detailing 1 has as ISO/IEC JTC approved Library TPM Specification the the of much the basis for ISO/IEC 19772:2009ISO/IEC encryptionAuthenticated Trusted Computing Group (TCG) (NEA) working group, and are highly complimentaryon- working arethe(NEA) group, to and highly IETF Security Automation and Continuous Monitoring (SACM) working group. and Security Continuous IETF Automation (SACM) working Monitoring Storage: Storage The TCG’s Group defines Work specificati - standards a from out break specifications storage TCG’s The capabilities. and devices the Opal Classes (SSCs): Subsystem Security into two core specification common SSC, and which the is Enterprise SSC, intended high for - (e.g., servers). • • 10. • design. To ensure that they are reliable and resistant to t to resistant and reliable are they that ensure To design. software components that are inherently trusted to perform specific, vital security security vital specific, perform to trusted inherently are that components software functions. Because misbehavior RoT by in, orimplemented by, hardware. protected fundamental of a set of capabilities define the TCG the by developed Industry standards roots to trust trust, how use and of describe those of variety architecturesand in roots of a the technologiesMany cases.use of use supported cases by TCG specifications and on onefocus of the or following more areas: device identity,cryptographic or 1) 2) key state. system the of attestation 3) and storage, credential TCG Technologies supporting of Families devices. virtualized and systems, embedded devices, storage servers, and include: specifications and standards TCG relevant that build upon roots of trust. Roots of Trust (RoTs trust. Trust roots of that Roots of upon build The Trusted Computing The Trusted Computing Group (TCG) 2.3.5 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
has not not has TANDARDS ECHANISMS 1 . invert to Common S M ) using the ) the using
. M which are which . 2
, M algorithm that that algorithm S
RYPTO
C difficult NG
SI . U A hash function takes hash A RYPTOGRAPHIC . C key algorithms key and digest message UIDELINE FOR ALGORITHM G it can be assumed that assumed be can it ) a message
extremely extremely is that Other topics to be introduced in this in introducedtopics to Otherbe ) using the hash)the function. using
1 . then M , . 2 1 H H
= 19 1 way functionway of cryptographic algorithms: cryptographic hash cryptographic algorithms: cryptographic of -
, respectively , 3.3
unction Generation and Verification and Generation unction types and CRYPTOGRAPHIC : received or retrieved data ( data ) retrieved is generated or received on the three three 3.2 ) is generated on data ( data on ) is generated 3 2
1 Hash FunctionsHash
H H - asymmetric and algorithms key representation of its of representation input(e.g., are then saved or transmitted. or saved then are H If are compared. -
1 2 , respectively). , H hash function is a one describes Figure 1: Hash F
and and H 1 1 SECTION Hash value ( value Hash same same hash function that generated H orchanged transmission. storage during M ( value Hash -175B 3.4 and 3.5 a hash value a hash and verifying generating of the process depicts Hash Generation: Hash 1. 2. 1. 2. Verification: Hash Cryptographic document document • •
cryptographic .1 A hash follows: A function isas used That is, it is not practical to reverse the process from the hash value back to the thevalue to input. process hash backthe to not reverse practical from Thatit is, is Figure 1 produces a condensed include hash the valuenames for function output a hash of A functions, symmetric 3.1, in Sections discussed (see lifetime algorithm and strength security algorithm of the concept include section Sections 3 primitive is a cryptographic hash algorithm) called hash a A function (also length predetermined a with an input arbitrary length and outputs a of value This NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: ; -
) ), and
23 1 may - TANDARDS ECHANISMS
S M 512, SHA -
(e.g., a keyed- ), and . 1 as the hash the 1 as
. RYPTO 512. This FIPS 512. This FIPS - , including the C 26
NG . SI 107 s 3.2.2 and 4.2.2.2 - The key must be ext. U 384, SHA RYPTOGRAPHIC - C . However, SHA Section 5.3.2 Section Section 1 provides less security than - ) ( - 384 and SHA3 UIDELINE FOR 256, SHA and SP 800 G - 25 key algorithms) use a single key use to a single key algorithms) - function applications function 106
),
1). . - 256, SHA3- 224, SHA ode algorithms ( ode algorithms
-
20 . ). SP 800- overnment overnment use specifiedare in FIPS 180
called secret
output functions (SHAKE128 and SHAKE256), andSHAKE256), (SHAKE128 functions output 1, SHA Based Hash and Extendable Output Functions Output Extendable and Hash Based ). -
. 27 224, SHA3- 1 have indicated thatSHA - - Section 4.4 key algorithms have been approved: those based havethose been on block approved: key algorithms is disallowed that now for purpose authentication c 131A sometimes sometimes when generating digital signatures (see Section 4.2.3 (see signatures digital when generating 1 512/256 hashfunctions. Additional the for guidance use of - - level algorithms, including : algorithms, level P 800- P - Key AlgorithmsKey S - specifies SHA3 specifies attacks on SHA on attacks
- Permutation Standard: 3 hash message message hash - Transitions:Recommendation for Transitioning theUse Cryptographicof Algorithms and - Recommendations for Applications Using Approved Hash Algorithms Hash Approved Using Applications for Recommendations Randomized Hashing for Digital Signatures Digital for Hashing Randomized e code on SHA authentication based
key algorithms ( key algorithms hash functions for Federal G hash for functions . - -175B
SHA Secure Hash Standard (SHS) Standard Hash Secure . 24 131A, 106, 107, - - - verification of digital signatures previously signed using SHA using signed signatures previously digital verification of originally thought other be used hashcontinue most to for - function (see which are not, in themselves, considered to be hash functions; on their guidance future. the in provided be will use FIPS 202 - extendable two also specifies consequently, SHA consequently, Symmetric FIPS 180 specifies the SHA specifies the 180 FIPS Note that Section 4.2.3 (Section algorithms signature Digital establishment (e.g., key derivation functions for Key bit( Random generators Keyed 512/224 and SHA in theseis provided hash functions 180, 180,
• • • • • •
SP 800 SP FIPS 202, FIPS 800 SP 800 SP .2 - symmetric of classes everal
27 23 24 25 26 hash messag 3 Symmetric FIPS 202 Approved For example, protection. the check remove or to and protection both cryptographic apply the to key encrypt used data protection) (i.e., apply is also to decrypt used the encrypted data the protection); the (i.e., remove the in case encryption,data original of the is called ciphert the called is the data of form the encrypted while plaintext, protected to remain the data is if secret kept S (e.g.,cipher and those algorithms AES) based on the use of hash functions Hash functions are are Hash functions a hash function. of use the simplest is for description The above in higher usually used NIST 800 SP Key Lengths Key
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - s or keys their
SP 800 integrity integrity TANDARDS ECHANISMS ). S M unique key unique key at least sixat least See See here are six six here are . data key length RYPTO key algorithms, , - C , so, and protect and protect
NG D) - then additional then SI Section 4.3
, C U RYPTOGRAPHIC , ) C
advised, the the as use of erent keys may be required by by required be may keys erent - and and the sourceand the the data of .
5 D, - by NIST for the for by NIST protection of UIDELINE FOR
, B G Section 4.1 C integrity about the acceptability of using the using acceptability of the about
may continue processing for tomay be used . D, B- )
many (e.g., broadcast). (e.g., many - unique key needs to be generated for each each for generated to be unique key needs
4.4
1000 entities that wish to with communicate 21 to at least one one at least and relationships, wise - C, A- - ), ), and
B, A- Section ssurance of data of ssurance - for:
. one or one or one there are there - to - data (see confidentiality and each for (e.g.,purpose encryption, for more information more for ) may weaken the security provided by one or both of the the of or both by one security weaken the provided ) may
Section 5.3.2 Section 5.3.5 28 (e.g., both encryption and key encryption wrapping) both (e.g., key algorithm, a key algorithm, ome of these algorithms are no longer approved for applying applying for areapproved no longer these of algorithms ome - , 500 possible pair algorithms have beenalgorithms approved keying relationships is a significant problem; problem; significant a is relationships keying of large number a ) 131A , instead,
- 4.2 for key . If - 29 ash function Each entity must keep all its symmetric keys secret keys symmetric its all keep must entity Each
SP 800 relationship need need wise relationships (A relationships wise that need to communicate using and D) thatneed using C, to(A, B, communicate entitiesthere four are - Section
algorithms are used key algorithms and - -175B
exceptions to this rule have been (seetoapproved However, exceptions this rule have ey wrapping (see The andom bitandom generation (see
be supported to is symmetric . Key derivation (seeKey K R Encryption to provide Authentication to a provide (see protected information (e.g., decryption), providing that the risk of doing so of i thatthe (e.g.,information risk decryption), providing protected
- tive data. However, data. tive s • • • • • A cryptographic relationship exists when two or more parties can communicate using the same key and and key same the using communicate can parties more or two when exists relationship cryptographic A Although only six cryptographic relationships are used in the example, diff example, the in used are relationships cryptographic six only Although
cryptographic protection (e.g., encryption), but (e.g., but encryption), cryptographic protection Technically, the same key can be used for multiple multiple for used be can key the same and keyauthentication wrapping). Technically, ispurposes used, algorithm but the this is when same usually ill and key derivation HMAC (e.g., processes cryptographic different two for key same h same the using processes. sensi already 28 29 57, Part 1 cryptographic algorithms different cryptographic suppose that T different key. using encryption with a encryption, each entities pair of possible pair keys are required 499 are there other, each would be requiredeach more than If relationship. one algorithm for Several compromised) not was key a that to believe reason is there (e.g., acceptable As anAs example the of number keys of required thefor use of symmetric When usingWhen asymmetric purpose needed. be will integrity Symmetric NIST 800 SP for aremethods mitigating in Section this problem discussed algorithm. A relationship may be one be may relationship A algorithm. communications for required be may key different a i.e., direction, communication each for protocols some A. to B from sent communications for used is than B to A from sent
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - S the (see the SP 800 TANDARDS ECHANISMS
S no longer M . The cryptographic cryptographic RYPTO ble to use use ble to i information and information C
NG 3.2.1.4 SI U RYPTOGRAPHIC . However, the DE . However, mode of operation to of mode federal C . also referred to as 3TDEA to also referred or UIDELINE FOR G
information. was Therefore, DES 3.2.1.1 through cipher algorithms have been cipheralgorithms because increased of computing power or Section 3.2.1.5 (i.e., the use of DES is no DES (i.e., thelonger use of approved , some of which no longer be, some may key TDEA ( and specified in a classified document. document. in a classified specified and -
22 overnment overnment 30 the strength of the DES algorithm is thethe no longer of DES strength due to due but times, several It. was reaffirmed Several block Several
. . The SKIPJACK use applying of for to be usedto as aTDEA component function of
s algorithm
algorithm in 2005 algorithm ., decrypt).
as cryptographic primitives cryptographic as cryptographic
Data Encryption Algorithm (TDEA) Algorithm Encryption Data
is commonly as known three . and -175B modes of operation of inmodes discussed are Escrowed Encryption Standard Encryption Escrowed withdrawn as a FIPS. withdrawn
for applyingfor protection cryptographic Triple SKIPJACK Data Encryption Standard (DES) for decrypting information for decrypting
Block Cipher Algorithms Cipher Block approved -
three distinctly different (i.e., mathematically independent) keys is is keys independent) mathematically (i.e., different TDEAof distinctly using three . FIPS 185, 185, FIPS
“cryptographic engine” continue (TDEA), alsoThe TripleData Encryption known Algorithm usesas Triple the DES DES, datacryptographic engine in is to specified transform in three TDEA operations. approved is encryption) is permiss protection(e.g., not , although it algorithm 30 3.2.1.2 in the algorithm. weaknesses 3.2.1.3 SKIPJACK SKIPJACK is no longerconsidered protection of adequate the for withdrawn an approved as cryptographic protection) applying or encryption otherwise for next section) encryptsThe bundle.blocks 64 bits,that define a TDEA in three key data of keys using use approved 3TDES). identical, are the are of keys or three where two TDEA, of Other variations approved in FIPS 185 is referenced SKIPJACK been has 67 , and was the first first and the was July effective in 1977, became Standard (DES) The Data Encryption NIST advances power and speeds,computer in G Federal protect adequately to sufficient approved 3.2.1.1 A block cipher algorithm is used in with block an aA approved single cipher key algorithm and to the encrypt) subsequentlyboth protection(e.g., apply process cryptographic (e.g information protected 3.2.1 NIST 800 SP approved by NIST approved by still theybeprotection.However, neededapproved may for cryptographic applying for be needed may for they (e.g., processing that was previously information protected information). decrypting encrypted previously in Sections are discussed algorithms cipher block The
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: . a be , the
(see (see (see
D TANDARDS ECHANISMS 38 38G S FIPS 197 M - - keys (i.e. keys
efficiently . RYPTO
C
for use with any for use with SP 800 SP 800 107 ), NG -
SI modes for block for modes
). U d in specifie been has RYPTOGRAPHIC and and C
bit keys. SP 800 38E 38C the use of the the of . Guidance use on - - UIDELINE FOR - or 256 G Section 4.2.2.1 series of publications and include publications and include of series Section 5.3.5
. 38 SP 800 SP 800 - FIPS 202 , 192-
(see , (see
key algorithms) use a pair of use algorithms) key or - are mathematically related to each other. other. to each related mathematically are
38B 38A 38F - - -
SP 800 23 that
for new new is for specified inproducts. AES - , using 128 SP 800 FIPS 180 SP 800 operation a block been cipher specified to have use without reducing the security of the process, the without of but reducing the security
of key Algorithms key - of data of
based on the use of a hashof function based on the use
Key Algorithms Key a symmetric key and key a and symmetric with algorithm the cryptographic primitive bit blocks -
, ), and key block cipher algorithm, the same input always the produce block same algorithm, will cipher key block ) - algorithms (often called public (often called algorithms
key algorithm based Symmetric based This algorithm, known as HMAC, has known been as approved HMAC, This algorithm, - key -
- .
hash function specified in specifiedin hash function -175B
Keyed Hash Message Authentication Code (HMAC) Code Authentication Message Hash Keyed
31 performance of AES is significantly better than that of TDEA. TDEA. of that than better significantly is AES of the performance Modes of Operation Modes Advanced Encryption Standard (AES) , , , as specified in wrappingKey as specified , Hash Asymmetric Section 4.1 in Authentication as specified , in as specified , Authenticated encryption Section 4.3 , as specified in SP 800 Encryption as specified , ymmetric • • • •
FIPS 198 FIPS .3
A s FIPS 198 thedetermined based of public on knowledge key. 31 hash functions specified in FIPS 180 for HMAC ishash specifiedin HMAC 180 for functions FIPS provided in 3 3.2.2 approved Even protection. cryptographic its retain to is data the if secret remain must key private cannotkey private the two keys, the between relationship a is though there Furthermore, certain kinds of data kinds data of key Furthermore, is output certain thethe used. block same same when To such plaintext, would bepatterns apparent asthe in ciphertext. repeated in the blocks, properties,counteractthese modes asintegrityconfidentiality such or ton service, provide informatio algorithm an protection. These combine modes a as known initializationvariable to vectors) perform starting values (commonly Approved a message). of the encryption cryptographic service (e.g., for: modes Asymmetric 3.2.1.5 Note that that Note symmetric a With in have the been specified cipheralgorithms key and a private public key key a pair): 3.2.1.4 operatesAES on 128- NIST 800 SP The Advanced Encryption Standard (AES) was developed as a replacement for DES and DES for replacement a as developed (AES) was Standard Encryption The Advanced block cipher algorithm is the preferred be public The publickeymade may
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: . ) and and
and 5.3 Section Section its own TANDARDS ECHANISMS S
M certificate, certificate, (see
Section Section using recall that for for that recall key RYPTO -
and decryption, and C for two different may weaken the weaken may
an entity wants to to wants entity an
) (see authentication authentication NG
SI of fewer initial keys keys initial fewer of pair
U
public key). For those key). For public RYPTOGRAPHIC establishment process, process, establishment
C key algorithms, so arekey not used - UIDELINE FOR distributed to other entities and and entities other to distributed G data integrity data , for a total of 2000 key pairs. A key pairs. 2000 total of a , for
purpose. If there are six entities that that six entities there are If purpose. , the encryption is performed using using is performed , the encryption process establishment
generated for each for generated purposeone (e.g.,
32 cryptographic relationships. key certificate is used, the certificate the certificate is used, certificate key be - and key establishment and usually ing s
when used for key establishment key for used when 24
and key for establishment should
,
the public key, so the burden of key protection by key of burden so the the public key, for eachfor purpose algorithms or key lengths are to be used for either used either for lengths to are or be key algorithms
sed, as the use of the same the key of as the use sed, However, , for a total of twelve key pairs. For 1000 entities, 1000 entities, For 1000 pairs. key twelve of total a , for key advi - - . a public When algorithms fy thatfy keyprotection.The to on theusedepends algorithm unique key needs to be generated for each relationship (see relationship each to for beunique generated key needs
those private keys owned by the those entity keys. private owned Section 4.2) Section digitalsignatures. As an example, supposeexample, that an As key algorithms. key 5.2.3 - of data.of
key algorithms requires thekey establishment algorithms (e.g., (e.g., signaturedigital s
(see (see that combine the use of symmetric and asymmetric algorithms to algorithms asymmetric and symmetric of the use that combine
do not require that all parties have key pairs, so some parties parties some so pairs, key have parties all that require not do schemes establishment - algorithms are used primarily for primarily used are algorithms corresponding corresponding the using key and verified private tend to slower be much than symmetric ; relationship each for not be need generated does to Section Section
Technically, it is sometimes possible to use the same key pair for more more key pair for the same to use possible is sometimes it Technically,
purposes encryption both e.g., functions, multiple of capable are algorithms key methods - key . If multiple public multiple If . - ) a key pair needs to be generated for each for generated be to pair needs a key key algorithms, a algorithms, key -175B
- for asymmetric for ;
s 33 authentication authentication se algorithms e private key is retained by the entity who “owns” the key pair; it must be kept secret secret kept be must pair; the key it “owns” the entity who by is retained key e private Note that some key Note that some Notpublicall ey pair
), there are are ), there cryptographic security or the both of processes. provided by one - asymmetric of use The source source - symmetric of use the than pair unique key only to limited is entity each 33 key generating pair digital and verifying for signatures, a different key key pair and for establishment). than one but purpose, this is ill is key integrity The public protected. and its integrity provides protection for the 32 process, then additionalkey process, pairsthen required. be will Th to process large amount key- generate in signatures and participate digital a key pair in the participate key and - signatures digital generate intend to both key and pairs another six generation, signature digital for needed are pairs key six then establishment key for are needed be needed would each key pairs of symmetric requires accomplished this is a integrity protection; often public by using in as discussed Section 3.2 The 5 keys required of establish for reducethe number K used and the service provided. to be For example, a digital computed using is signature a is the protection (i.e., key the using public verified is signature and the private key, theapplied using encryption of also capable algorithms asymmetric the protection decryption (i.e., performed using private is the key and the the public key, using key and the key). removed is the applied private using public Asymmetric One ofOne the the keys of key pairused cryptographic is to apply protection, and the other key is used to remove or veri NIST 800 SP the generation and verification of of verification and generation the will not need a key pair for key establishment. key for pair key a need not will
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , An the . This certain certain TANDARDS , and the , and ECHANISMS FIPS 186 S FIPS 186 The basic basic The M ing . FIPS 186 186 . FIPS . . s 34 RYPTO used for used to be FIPS 186 by a certificate a certificate by C field and specifies specifies and within within -
, NG X9.62 SI U RYPTOGRAPHIC The Curve Elliptic Digital overnment, as well as as well overnment,
users obtain C
:
rability and security. key pairs
specified in in specified using finite
UIDELINE FOR overnment. Note that the same Note thatthe same overnment. and G
are considerably shorter than those than those shorter are considerably
for those algorithms requiring domain domain requiring algorithms those for ( is dependent on
. Domain parameters h theyparameters will be used Domain .
within the Federal G Federal the within
25 X9.62. X9.62. to be used secure for interoperability, provides domain parameters and parameters domain algorithms algorithms
ANS key
- parameter validity parameter key possession provides confidence that the party that is thatis possession providesconfidence key that the party is that the key lengths - -
key validitykey provides confidence that public appears the key
- . A and the algorithms algorithms the and interoperability secure for n the use of elliptic curves, rather than finite fields finite than rather curves, elliptic of use the n
algorithms use domain parameters, which are additional values values additional are which parameters, domain use algorithms the use of ECDSA usethe of , requiring less storage space and transmission bandwidth transmission and space storage less , requiring of the cryptographic algorithm. These values are mathematically mathematically are values These algorithm. cryptographic the of and to theand keys withwhic specifications the for generation the domain parameters of ECDSA
provides confidence that the domain parameters are mathematically are mathematically parameters the domain that confidence provides key
Public Key Cryptography the for Financial ServicesIndustry specified within American National Standard (ANS) (ANS) Standard National American within specified to be used
includes ,
defines key lengths the
l Signature Algorithm (DSA) is approved is (DSA) Algorithm Signature l recommended elliptic curves to facilitate interope facilitate to curves elliptic recommended -175B
ECDSA Assurance of domain of Assurance ) parameters correct, Assurance of public of Assurance to be a key, suitable and private of Assurance supposedly the really the owner of private the has key. key DSA signature generation and verification.signature generation - X9.62 lengths lengths actually actually • • • ANS X9.62 Signature Algorithm (ECDSA) Algorithm Signature
used DSA and for RSA and DSA isRSA than faster generally the execution of algorithm advantage of usingadvantage ECDS of provides guidance for providing in included also are curves elliptic 34 additional guidance on the use of random bitadditionalthe generators random use guidance on of generate key pairs, to the and by therecommends elliptic use Federal curves for G ANS and key pairs, as well as digital the for algorithms generation verification. signature and FIPS 186 but the that except DSA, for used as those same are the algorithms verification and signature o is based mathematics 3.3.2 approved is (ECDSA) Algorithm Signature Digital Curve Elliptic The algorithm is used to generate and verify signatures digital is and generate usedalgorithm to key digital - asymmetric Some NIST 800 SP use the for necessary related to other each are usually public and are used by a community of users for a substantial period of time. period of a users substantial of community for a usedpublicand are by are usually referenced or within contained are either parameters domain These publiccontaining a key. asymmetric of use secure The assurances: DSA generating for defines methods 3.3.1 Digita The
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - is
and
ose hose RSA , curve - SP 800 TANDARDS ECHANISMS S M lliptic RYPTO , key agreement , key agreement C . For e NG s SI U 6 includes restrictions restrictions 6 includes RYPTOGRAPHIC C is specified in is specified to be different for each each for different to be used to generate ECDSA ECDSA generate to used curve
agreement key for agreement hms
-
establishment algorithms used algorithms establishment . FIPS 18 - Schemes Using Integer Factorization Factorization Integer Using Schemes UIDELINE FOR
36 G for bothfor and key agreement key generation and generation the for as as well ,
it is possible to determine the value value the determine to possible is it , but need and elliptic k, on key establishment
s methods to generate RSA key to pairs generatemethods RSA
, Establishment Schemes Using Discrete Logarithm curve DH and MQV are the same as t are the same MQV and DH curve methods field
- ANS X9.31 26 and using the same s method
35 - Key Wise signature generation and verification, and for verification, and generation signature ). The use of these algorit of use ). The - wise Key Establishmentwise Key - - are two classes of key of classes two are
for the generation and verification of digital thefor andverification of generation signatures
X9.62 38 5.3.3 further information further
PKCS 1 using both finite for
39 3 encryption algorithm thatencryptionalgorithm isprotect used of to the confidentiality Section
5. to be used. secureinteroperability to for and MQV
.
for ECDSA. 56A - Security Strength
). ciphertext without knowledge of the the of key. ciphertext knowledge without from thecover plaintext , with an acceptable amount of wor of amount acceptable an , with (DH)
. This standard has been withdrawn as an ANSI standard. ANSI an as withdrawn been has standard This .
specified in ANS Section Recommendation for Pair Hellman and MQV
Recommendation for Pair Vanstone . . and in specified - ryptography Standard #1. Standard ryptography –
publication specifies approved SP 800
] are block cipher -175B for key key primitivebe usedestablishment for can Qu , the for, the thosemethods generating key pairs parameters and domain domain and . parameters domain and 56A, –
56B,
- - . that that Algorithm RSA Diffie Hellman ; - RSA 37
FIPS 186 SP 800 SP 800 Digital Signatures Using Reversible Public Key Cryptography For The Financial Services Services Financial The For Cryptography Key Public Reversible Using ANS Signatures X9.31, Digital Menezes PublicKey C Industry (RDSA) Industry Cryptography Cryptography .4
39 data is broken if is broken data 36 37 38 35 provided in FIPS 186 3 difficulty attacker's an by is measured algorithm a cryptographic of strength security The as can be defined Breakingalgorithm a cryptographic thein algorithm. breaking For provide. to intended is algorithm that the ction the prote of aspect some defeating a example, itsof to key re or key pairs - elliptic for elliptic curves recommended The specified in specified key pairs parameters and key transport digitalRSA for used The key pairs The RSA algorithm is approved is algorithm RSA The in lengths key the defines The establishment key for use Its signatures. digital of verification 56B (see transport way same the in generated are establishment key 3.3.3 to RSA generateon the signatures digital use of NIST 800 SP Diffie purpose 3.3.4 for key agreement (see agreement key for
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: a
t is Section Section TANDARDS ECHANISMS S ave been been ave r key may may r key M estimates. It It estimates. ince it is no no is it ince RYPTO . S C iding 80 bits of bits iding 80 NG lgorithms lgorithms andkeys SI a U RYPTOGRAPHIC
C
for applying cryptographic applying cryptographic for provides a current estimate estimate a current provides
further in discussed for offor an length application, the
UIDELINE FOR be into taken account so that G approved 57, Part 1 57, Part
- are , and are should
algorithms and key lengths are considered algorithms and key lengths are considered
applications 112, 128, 192 and 256 bits. are
27 prior to the end date of that time frame. I frame. time that of date end the to prior
no longer no strengths
is
and key behandling generation need to and methods approved bits was previously as approved well , cryptographic algorithms; these strengths h strengths these algorithms; cryptographic
assessing the risk for the compromise of the riskthe compromise of organization's assessing the data, for for processing data that was previously protected at that strength protected that strength previously dataat processing that was for
approved that can be that can strengths the security for estimates the current provides
security strengths for federal for strengths security
or cryptanalysis could occur or could cryptanalysis security strength of 80 bits of strength security algorithms and keys prov and However, algorithms data). encrypting (e.g., -175B
57, Part 1 Algorithm Lifetime Algorithm - . approved
.5 often the case that these advances are initially impractical or limited in their threat. It is It is threat. their in limited or impractical initially are advances these that case the often problem this addressing for strategy transition a have organization an that recommended itif occurs, including as algorithm or appropriate. to keyand transitioning length, a new
sed for cryptographic protection need to protection need cryptographic for and keylengths used The algorithms to be secure. – that just are estimates these However, frame. time estimated the within fall is possible that in an the advance technology quantum (e.g., use of and computers algorithms) of the time frames during the frames of time which the Over time, algorithms may be successfully no longer may algorithm algorithms so that theOver attacked time, itself, be algorithm or could be on the attack could desiredprovides The the protection. longe a usethe of latter case, the . In length with a specific key algorithm on the (e.g., decryption). for Appropriate algorithms, key lengths 5.1.4 3 determined with respect to specific key lengths. key to specific respect with determined 80 security of a strength that Note use the adequateof protection, as providing longerconsidered protection used be can strength time. of a period it for delay least or at attack, a successful prevent be used to lengths and key algorithms selecting the When used. and keyis SP 800 lengthsuitable algorithm SP 800 theprovided by The NIST 800 SP security used tothose support actually providing a which for needs protectedtime to the be data
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: non- TANDARDS ECHANISMS tion may may tion S approved M
.
data integrity data and a key are a key and
including RYPTO Section 3.2.1.4
ms as possible. as possible. ms
The ),
C iphertext can be be can iphertext , NG (see SI
U RYPTOGRAPHIC C , and c Section 4.1 ( algorithms. algorithms.
. These services include data data include services These . and as the basis for a random a random basis for as the and Unauthorized recipients of theof recipients Unauthorized ) UIDELINE FOR for different applications and different that for G
, and confidentiality protec, and confidentiality . and source authentication and block cipher
Section 5.3.5 28 key - be provided using as few algorithfew using as be provided encryption and TDEA are: AES . Decryption of theDecryptionof ciphertext using. is performed the ould
authentication authentication : CRYPTOGRAPHIC SERVICES
However, this may not be as practical as it first appears, as as appears, first it as as practical be not may this However,
4 key wrapping( ).
be provide used to confidentiality Figure 2: Encryption Decryption and This section discusses the cryptographic services that can be be can that services the cryptographic discusses section This . ould , respectively) , Section 4.4 Section data integrity data
algorithms for data for algorithms SECTION Section 4.2), ( , Confidentiality The protection and management of the keys used while providing these these providing the usedwhile of keys and management The protection
key provided using symmetric using provided -175B - depicts the encryption and decryption processes. decryption depicts The plaintext and encryption the
Data Section 3.2.1.2
1 . Figure 2 used by the encryption process to th produce e ciphertext. decrypt, To ciphertext the and data plaintext the to recover process decryption the by are used key the same security properties. security provide other but do not have the the know keyciphertext cryptographic algorithm correct should who not be to able decrypt the ciphertext. has However,the who anyone key and the the original and obtain ciphertext decrypt the can easily cryptographic algorithm plaintext. and plaintext. encrypt the to were used and key that algorithm 4 of the data is data. form The unprotected for confidentiality usedEncryptionis to provide the data into transforms called ciphertext plaintext. Encryption authentication authentication (see bit generator are needed that available be also may other algorithms Ideally, w cryptographic services For example, c AES are decryption and encryption Data decryption. plaintext using into backtransformed generally symmetric protection integrity requires information sensitive All NIST 800 SP provided sensitive the for protection of data other than keys be required as well required be confidentiality repudiation. are discussed in Section5 in discussed are cryptographic services
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
, as data third third ource ource TANDARDS ECHANISMS S M some some the data was was data the Cipher Block authentication authentication algorithms , RYPTO
C de is computed on computed is de NG when when SI ECB)
source source U RYPTOGRAPHIC Output Feedback Output Feedback , and C algorithms, they are notalgorithms, , can be used to provide
data integrity and source source and integrity data the source of information. information. of the source and
.2.1 , and computed again when, and computed again rature, this process is called is this process called rature, CTR) 4
lite repudiation, but at a higher UIDELINE FOR
G assurance to one provides to one , which assurance concerned with whether notconcerned or non- (for protecting confidentiality the of
Counter ( ) is , data integrity integrity data Depending used, on the s method that he is receiving data or providing from mode
ison to block cipher
) ). CFB) 29 cryptographic data came from Alice. from came the data
modes operation encryption for of modes are specified . AES Bob In both Bob and both Bob repudiation, whereby it was retrieved and/or received). and/or retrieved it was thewhen time
Alice
s can be useds can to provide , and . and and non- , as discussed in Section as discussed , ) Message Authentication Code (MAC) Code Authentication Message (say, (say,
, high probability. A data integrity co integrity data A probability. high
(say, (say, . , encryption is performed using a block cipher algorithm usingcipheralgorithm is a block , encryption performed
a approved . Source Authentication algorithm , can provide both both , can provide support
functions 2 Cipher Feedback ( Feedback Cipher integrity. integrity. , and supporting as supporting as well ,
key algorithms could also be used to encrypt and decrypt data, but but data, and decrypt to encryptbe usedalso could algorithms key Section 4.2.3 4.2. also also - Section 5 for AES: the- XTS for and AES TDEA: ( the Codebook Electronic Hash
for AES: the FF1 and FF3 modes for Format Preserving for the and AES: FF3 Format . for FF1 modes Encryption
. CBC) authentication rity cannot be guaranteed, the use of data integrity codes provides acodes provides integrity data use of the rity becannot guaranteed, (see (see have somehave that assurance Section 3.2.1.5 38E 38A 38G services
- - could modes, modes, -
(often referred to as simply integrity simply as to referred (often Section Integrity ) are discussed in Section 4.3 are discussed ) es in a communication es -175B used to encrypt and decrypt general used data; to however, they be protect can, OFB) datadevices only) on storage SP 800 Chaining ( ( SP 800 SP 800 cation cation Data i ntegrity • • •
.2 Additional that modes provide confidentiality and both authentication (as in discussed Section 4.2 authentication some assurance of data of assurance some signature Digital services. (or data) data) (or message of assurance to provide used a process is authentication Source authentication identity includes authentication Source the of parti party specific another data to authent Carl) party (say, algorithm, but same the these services not may Cryptography can be used to provide provide all of them in discussed cost performance in: 4 keys, in as discussed normally normally in discussed As and aoperation. Theof mode i Data the time between (e.g., times specified two between changed has transmitted and/or stored created, integ data While transmission or before storage before is created, it data when a provides agree computations these that Verification received. or retrieved is the data integrity. data of of assurance measure Note that asymmetric that Note are compar in slow algorithms these because with changes detect to means NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: are
1 TANDARDS ECHANISMS S M MAC to provide
. Typically, . Typically, secret key to to key secret and RYPTO
C 1
M NG since some pointsince some in SI
). U RYPTOGRAPHIC K C is the case of HMAC, or in or in HMAC, of case the is ; the use of MACs ; use the of
UIDELINE FOR G can provide some assurance of the the of assurance some provide can
, there is no assurance that the data no assurancethere is thatthe data , the same the same share that
) using a key ( ) a key using yptographic checksum on theyptographic data checksum that 1 among a community of users (e.g., two two users a of community (e.g., among
M when when isdata provided by a trusted source,
can be used to provide to assurance used be data of can ., parties parties 30 depends on limiting thedepends knowledge of secret key that that to determine changes that may occur because of a of because occur may that changes determine to . A MAC is a cr MAC A .
algorithm and a cryptographic key are used to generate a a to generate used are cryptographic key and a algorithm
. ) authentication
) on data is computed ( 1 Since a MAC key is shared is key a MAC Since authentication . source source : Message Authentication and Verification and Authentication Figure 3: Message MAC
source source -175B and depicts the use of depicts the of MACs: use then saved or transmitted. transmitted. or saved then A MAC ( Hash Functions AuthenticationMessage Code Algorithms party or parties sharing the key the sharing parties or the party by was computed the MAC and that
, provide assurance that the data has not changed or been altered or been changed not has the data that assurance provide •
Message Authentication Code authenticate information exchanged between exchanged parties those information authenticate data and integrity partiesthose to only parties),or more only parties those sharing can on the compute a MAC key correct given data. MACs are used between two or more two between used are MACs Figure 3 can integrity integrity time 4.2.1 that a hash value togenerate is hash used A function NIST 800 SP degraded transmission medium 4.2.2 A (MAC) code authentication message integrity data which the the over of hash a if hashHowever, value function generated. is as key, a secret the of use (e.g.,is alone without used signatures) with digital theconjunction of generation has not beenaltered by an adversary and the use a hash new Therefore, value computed. unless is recommended protection not providing for integrity alone a hashof function (e.g this scenario of risk low very a is there used is only value hash and the
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - and ) on
2
TANDARDS Mode for for Mode ECHANISMS ). has been been has S
M
the NIST the MAC
for Federal
RYPTO
C generate a MAC MAC generate a is the same as the the same is key block cipher key
NG - 2 MAC, then party B then partyB MAC, SI U M RYPTOGRAPHIC
C authentication a MAC a MAC using cryptographic techniques correctly correctly not detect errors that occur occur that errors detect not ing ated the original MAC, but the hasated MAC, original UIDELINE FOR could could MAC on the modified data. It is on the It data.MAC modified is
G , party A generates the MAC generates A party ,
and computing a MAC ( computing a MAC and s
comput 2 cryptographic mechanism, such as a such as a cryptographic mechanism, , and source
for anyone
received the received verifies orrectly generated the MAC. generated orrectly
share a key share 31
mode AES and TDEA. : ). The verifying party also knows that only a a that only knows also party The verifying ). 2
M , then it can be assumed that assumed it be can then , 2 =
1 AC ). K the GMAC mode for the computation of a MAC using using a MAC computation of the for GMAC mode the the CMAC
) (i.e., M cipher algorithms cipher 1 defines defines defines
41 40 successfully party successfully , and B block- is the same as M same is the Based on Block Cipher Algorithm Cipher Block on Based
38D Recommendation for Block Cipher Modes of Operation: The CMAC The Operation: of Modes Cipher Block for Recommendation 38B 1 -
. three parties share the key (e.g., A, B and B the three. However, if A, key C), party A (e.g., share parties
Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and and (GCM) Mode Galois/Counter Operation: of Modes Cipher Block for Recommendation
00- y’s benefit. The use of an approved The use of y’s benefit. includes modes for the generation of MACs: 38 series publications includes the for of modes of generation - -175B using the same key ( same the using 38B, MAC MACs 2 - 38D,
- . SP 800 Modesconfidentiality providing (i.e., (i.e.,authentication both encryption) and a in defined MAC) (see Section a computing single also 4.3 are operation approved SP 8 AES. M (M data original At a later time, the integrity of the retrieved or received data is checked by by is checked data or received retrieved the of the integrity time, a later At as M data received or retrieved the labeling If c have could key the that shares party party B knows that or knows gener A party B party C either party • • • • • SP 800 SP 800 Authentication GMAC overnment use: MAC algorithms that are on symmetric based
sends it to partysends to it B will the of key knowledge adversary An without key. thewithout cryptographic knowing data and verifiable then a beto generate unablemodify secret. kept be keys MAC that crucial therefore approved been have types algorithms computingTwo for a of MAC hash algorithms functions.that are and MAC on algorithms, based 4.2.2.1 The SP 800 41 40 knows thatknows party generated A the original MAC accomplished the received verifies party successfully and B B, to be sent to party MAC the generates MAC; applications. besome acceptable of no proof which one. for Notethis may that of generation initial the between occur that modifications data to detect are used MACs They doreceived the and the the MAC. MAC of verification generated. is originally MAC the before - using data integrityis non frequently provided of Assurance to an adversary be by altered can codes these However, codes. as known error detection the adversar is integrity by a MAC of provided That is, the assurance problem. this addresses MAC, that likely is not that it assumption the based on G For example, if two parties and two B) if A For (e.g., example, NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: he the
TANDARDS ECHANISMS S is used to M and source and source must guard guard must
cryptographic rocess, digital digital rocess, RYPTO C A digital signature digital A NG
. integrity integrity . SI s U RYPTOGRAPHIC that has access to access has that
C party
. signature aand a private public key key UIDELINE FOR
be used to determine the private determine to used be G signature system is dependent on is dependent on system signature - pair owner); the public key public pair owner); the key algorithms. - be used with an approved
efficiently
32 signers key. Therefore,private signers that uses a cryptographic hash function in in function hash that a cryptographic uses must
The security associated with the use of HMAC is is HMAC of use the with associated security The
repudiation. ). signer’s be performed onlyperformed by thebe (HMAC) . If an adversary does an . If adversary not the know private key, the 4.2.1 . knows theknows public verify signature key the can by employingthe s Algorithm 43 HashMessage Authentication Code (HMAC) that that - 107 written signature that can be verified by anyone with access to t to access with anyone by verified be can that signature written Section - signature can be used to provide assurance of data of assurance to provide used be can signature
nyone possesses a private and public key pair. Signature generation (with generation pair. Signature public key a and a private possesses defines a MAC a MAC defines SP 800 sh Algorithms sh Ha Approved Using Applications for Recommendation The Keyed The
public key. The security adigital public of key. -175B 42 1, MACsBased on Hash Functions - digital generation verification of and depicts the
107, - Digital Signature Digital 4 signer signer Because two keys are required for the generation and verification p verification and the generation for arerequired keys two Because to generate and verify digitalprivate signatures. used key is to The generate signatures FIPS 198 FIPS 800 SP
private key. A associated maintaining the secrecy of the of the secrecy maintaining theiracquisitionof against keys. the private unauthorized signature alternative using by available not is that protection offer signatures Digital is signature digitized A signature. is a digitized such alternative One techniques. a handwritten of aelectronic visual converting to image signaturegenerated an form by its a resembles digitized signature Although (e.g., a into computer). by scanning it digital a as protection same the handwrittenprinted, counterpart when it does provide not other forged andsignature. can tocan be and be duplicated appended Digitized signatures been has information if to determine used be cannot signatures data; digitized electronic message each on computed are however, signatures, tal Digi signed. is it after altered the only Each signed by the different message using signer. by key a known private will message to the changes small Even signature. digital a different have will signer signature different a in result the canadversary a(i.e.,athat valid signature signature be generate cannot verified using signature). to the generate used topublicthat corresponds the key private key Figure Each Each can signature) digital verifiable public key. The andauthentication, to- support non - asymmetric as classified are algorithms signature bits and is electronic an of a computer as a string in is represented digital signature A a hand- analogue of 42 43 : process verification a signature and process generation a signature includes algorithm FIPS198 in discussed 4.2.3 – keys of pair a with used is algorithm signature digital A – only (the key be by the known signer and must for and the methods the algorithm, of design the of Because verify signatures. the cannot public key the generating pairs, key key. 4.2.2.2 withcombination a secret key. HMAC NIST 800 SP hash function (seehash function
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
1 S D
TANDARDS ECHANISMS and
S M 1 are input to input are ) 2 RYPTO
C DS NG in Figure in 4). 1 SI U RYPTOGRAPHIC
e verifies the signature signature the verifies e C ration process, along with a possibility that M UIDELINE FOR and Verification and G and signatur and
). 2 is used in the verification process rather rather process verification in the is used
2 M used in the process used to generation signature because of the the of because
Generation 33 ) is 1 S ) to the is verifier, with provided along the signed 1 ) is hashed using the same hash functionto produce using same the is ) hashed 2 Section 3.1 Section M
(
for signature generation in 4). Figure generation signature for
1 M to generate the digital signature (shown as DS (shown digitaltothe signature generate
). is used rather than D than rather used is 1
2 M S
received thesignaturereceived and ( value hash newly computed Figure 4: Digital Signature Digital 4: Figure D data ( value. hash another The obtain a hash value, theobtain data of which issigned a to version a hash condensed be (i.e., asshown The hash value is then to input the gene signature private key, data The received public key. The the signer’s the with along process, verification the signature valid whethersignatureoutputan of the this process indication oris is not of or ( invalid the for message received A hashA function (see The digital signature (DS signature digital The -175B , and , and o Signature verification: The receiver of the data the of receiver The verification: Signature o as follows: o Signature generation: o o 1 M • • than could have been deliberately or accidentally modified before the verification process process verification the before modified accidentally been or deliberately could have by performed the receiver. NIST 800 SP Note that the details of the signature generation and verification processes are different different are processes verification and generation the signature of details the that Note eachfor approvedAlso, note algorithm. that M
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: a 45 or
. 89 - ), and cipher - Cipher TANDARDS ECHANISMS S M
SP 800 .
RYPTO Block- .3; C 3 a digital signature signature digital a NG SI U
erations (see Sections (see Sections erations RYPTOGRAPHIC , C ) (no such has been mode
Section
and prior to the date that a a that date the to prior and Using such mode. encryption” - either two separate block separate two either UIDELINE FOR
includes three digital signature signature digital three includes G
. Section 3.3.1 FIPS Authentication in a , and
Note that in this discussion, authentication isthat thisNote in authentication discussion, 34 and mode
required using signatures assurances digital when authenticate in a single operation single a in and authenticate both encrypt the hash functions specified specified functions the hash used with in conjunction
If care is not taken in in taken not is care If required. are distinct keys se .
that that Each of these algorithms requires obtaining assurances assurances obtaining requires these algorithms of Each . the CCM ) . when providesguidance establishing on
odes 46 m mode of operation. of mode Confidentiality 102 defines the Galois/Counter mode (GCM). mode Galois/Counter the defines specifies specifies algorithms are algorithms - key) cryptography. The cryptography. key) use FIPS 202 -
48 47
encryption modes have been defined for AES have for been defined modes encryption : -
. cipher -
and 38C 38D
- - SP 800 Modes of Operation: the CCM Mode for Authentication Authentication for Mode CCM the Operation: of Modes Cipher Block for Recommendation 44 ), two ), , respectively RecommendationforSignatureDigital Timeliness specifies methods generatingfor and verifying digital signaturesusing Recommendation for Obtaining Assurances for Digital Signature Applications Signature Digital for Assurances Obtaining for Recommendation -175B Secure Hash Standard (SHS) Standard Hash Secure
4.2 ric (public ric 38C, 38C, 89, 102, - - - requires fewer keys and is generally faster than using two separate operations. separate two using than faster generally is and keys fewer requires SP 800 SP 800 Mode of Operation Combining (see Section (see 3.3.2 (ECDSA) Algorithm Signature Digital Curve The Elliptic RSA (see Section 3.3.3 (see (DSA) Algorithm Signature The Digital
and digital signature signature digital • • • • •
FIPS 180 encryption and authentication are performed performed as andare two separate authenticationencryption op SP 800 FIPS 180, 180, FIPS 800 SP 800 SP andConfidentiality .3
defined TDEA) for ; such a mode is called “authenticated an a mode using key; such a single modes authenticated Two 47 44 45 46 Confidentiality and authentication can be provided using be provided can andConfidentiality authentication order), right the the in operations performing performing (e.g., these operations attacks. allow may that introduced be can vulnerabilities to is alternative An was generated. was 4 about the domain parameters in keys discussedabout used, as theand/or domain the provides obtaining for methods cases,generatedIn important. a For when digital many is was determining signature signed before was a whether document be importantmay to it determine example, algorithms: algorithms: The in two wills of closest was signed e.g., to which certain date, person. died authentication) HMAC for in encryption (e.g., for themode andalgorithms AES CBC FIPS186 asymmet NIST 800 SP in a single block in a single 4.1 used to obtain both an assurance data and of of the integrity source the of data has that been cryptographically protected. If
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: d or
. reliably reliably dom Bit Bit dom TANDARDS ECHANISMS S M can can
echanisms
. RYPTO C
NG SI
U drive seek times. An An times. seek drive RYPTOGRAPHIC - C RBGs are constructed to to constructed are RBGs Deterministic Ran Deterministic -
generate cryptographic keys. 90A and the90A entropy sources UIDELINE FOR G method that depends on an entropy entropy on an method that depends
90A to90A provide a capability an fallback if
90B. 90B. Note that the N se of of algorithms,on thehash basedse u DRBG - 35 to determine thatto the source has entropy not approved . Constructions (RBG) Generator Bit Random cipher algorithms; DRBGs must be initialized from a from initialized be must DRBGs algorithms; cipher - (e.g., an entropysource (e.g., that NRBG) or provides an sufficient
. provides constructions for the design and implementation of design implementationprovides constructions of the for and specifies specifies
discusses some aspects of selecting and testing random an random testing and selecting aspects of some discusses
health tests needed health tests
, which is currently under development, discusses entropy sources, sources, entropy discusses development, currently under is , which
51 49 50 52 the 22 90C
90A
90B - - - - A Statistical Test Suite for Random and Pseudorandom Number Generators f Generators Number Pseudorandom and Random for Suite Test Statistical A ecommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and and (GCM) Mode Galois/Counter Operation: of Modes Cipher Block for Recommendation Random Number GenerationUsing Deterministic RandomBit Generator M For cryptography, random valuesFor cryptography, needed are random to Recommendation for the Entropy Sources Used for Random Bit Generation Bit Random for Used Sources Entropy the for Recommendation for Recommendation -175B 22, - 38D, 90A, 90B, 90C, bit generation:
bits. - - - - . - entropy be supported security by theto the for DRBG. strength(s) SP 800 criteria number pseudorandom some generators.This for document includes randomness source source randomness provide. SP 800 in and the DRBGs SPNRBGs algorithms from 800- 800 SP with accordance in designed functions and blockfunctions and SP 800 including failed and tests to estimate how much entropy that the entropy source entropy entropythat the estimate much testsfailed how to and include algorithm a SP DRBG from 800- notentropy failure is immediately detected. source Random Bit Generation SP 800 (e.g., by being reseeded). operation by being (e.g., tional entropy during • • • •
SP 800 SP 800 SP 800 SP 800 SP 800 SP CryptographicApplications GMAC .4
52 49 50 51 48 4 NIST 800 SP extensive numbers random and andCryptography of security make use applications random The term “entropy” is used to describe the amount of randomness value,the of inamount “entropy” to the a andThe term describe used is hard entropy how of that value. to is guess it amount determines Non (RBGs): bit generators random of classes two are There and generators, bit) number (or random true called sometimes (NRBGs), Generators bit (or called pseudorandom sometimes (DRBGs), Bit Generators Random Deterministic sourceto provide an is entropy of dependent the use RBG on number) Each generators. unpredictable bits that are outside of human control; these bits are acquired from some some from acquired are bits these control; human of outside are that bits unpredictable hard or oscillators ring noise, as thermal such source, physical is output.entropy with initially entropy NRBG every “seeded” source for DRBG A ansource approved using anproduced entropy or by or not receive an the NRBG);source depending application, themay may on (e.g., DRBG addi Several are for been developed or publications currently under have development random NRBG is dependent on the availability of new, unused entropy bits produced by the unused by entropy bits produced new, of the is availability on NRBG dependent
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - - - - and key
, and , single and the TANDARDS ECHANISMS
S M overall
RYPTO C
FIPS 140 NG user environment. user SI - U RYPTOGRAPHIC key cryptography key cryptography more C key algorithms, and the key algorithms, - - (see Sections 5.3.3 Sections (see Also, in a potential post bandwidth transporting for required. key algorithms are forkey algorithms used - raphy is Symmetric speed. the UIDELINE FOR or G key algorithms will not provide will provide algorithms not key , - , entities between shared already keys
symmetric keys key system can be used to establish a to establish used be can system key key cryptog - cryptography. - process transport
large numbers of cryptographic relationships cryptographic of relationships large numbers 36 key - may be be may required be will that keys symmetric - symmetric and necessary, is not cryptography , when
key) cryptography requires keys fewer 90. - using symmetricusing 3.3 key s significantly faster, a hybrid approach iss significantly faster, often used, a hybrid and cient. environments where This secure includes symmetric agreement or key- ncryption), especially those involving the protection of large especially the large ncryption), those protection of involving - 3.2 if memory for storing the be useful whether as astep first in determining generator or not a
key algorithms are used for the generation and verification of verification of thefor and generation are algorithms used key
, after which the symmetric key is used to encrypt files or messages. or messages. files encrypt to is used key the symmetric which after , key (i.e., public . s
iate parts- 800 SP iate of key cryptography i cryptography key -175B - consideration applications, the RBGs must be validated the to compliance RBGs for applications, appropr Symmetric vs. Asymmetric Cryptography characterizing and selecting appropriate generators, discusses statistical testing testing statistical discusses generators, appropriate selecting and characterizing tests. statistical recommended some provides and cryptanalysis to relation its and may These tests is afor particular suitable federal for cryptographic application. However, , respectively) eral, asymmetric cryptography is best suited for an for open, In is general, cryptography suited asymmetric bestmulti 5.3.4 - asymmetric situations, In some alonecryptography is suffi place take can establishment key environments where a single authority knows and manages manages allthe and in keys, and knows environments authority where a single However, the advantageprimary symmetric of 4.5 in Sections discussed As initial number of the required, are NIST 800 SP pairs key public/private of number the than larger significantly key algorithms are generally significantly faster than asymmetric than faster significantly generally are algorithms key user environment keys are shorter in length for the same security strength; the key length may be an length the key may security strength; same the for in length are shorter keys important computational cryptanalysis efficiency advances in and Intheis addition, keys limited. have to tended reduce level the protectionpublic of provided by rapidly than that provided by symmetric by provided that than rapidly quantum world, the currently approved asymmetric world,theapproved quantum currently adequate protection. symmetric - asymmetric whereby key while digital establishment, signatures and for - asymmetric Since symmetric key via a key via key symmetric all other purposes (e.g., e all other purposes (e.g., an asymmetric of data.amounts For example,
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , , TANDARDS ECHANISMS S M 57, which 131A (see131A (i.e., their (i.e., their -
RYPTO C . Allthemselves
NG SP 800 SI U
RYPTOGRAPHIC management guidance, guidance, management management guidance: management C and ), key- be reduced to just protecting to be reduced
5.1.2 ; nd is essential at all phases of a of phases at all essential is nd UIDELINE FOR a G safe provides no security against against security no provides safe data keys using that are properly
that
Section
are also included- in 800 SP (i.e., their to integrity needs be preserved) rovide general key- rovide general encrypt
, , basic contains
;
.
37 EY MANAGEMENT EY ing; . K : 5 an adversary, an
guidance on the management of cryptographic of on the keys: management their guidance (i.e., the appropriate lengths of time that keys are to be be to are keys that time of lengths appropriate the (i.e., ; cryptographic policy General Guidance 5.1.1), FIPS 140 (see , cycle responsibilities cycle - general and
SECTION
Part 1 Part );
countability and audit
Section Section ey life c
57, protection required for keyingThefor protection required material K Key backup, recovery archiving; and Changing keys Cryptoperiods used A - . provides )
. Similarly, poor key management may easily may compromise by management that key Similarly, poor adversary. orithm selection and and selection asuse, topics, alg such and eventualorithm destruction. Related Recommendation for Key Management Key for Recommendation o o o o o o
-175B 53 associated with keys, and the protection afforded to the to keys afforded the protection keys, and associated with 57, 57 (see 57 57 - - SP 800 including: Recommendation for Key Management for Recommendation General Management Key Guidance - ation •
SP 800 SP .1
consists of three parts: of consists appropriate key size, 53 generation, 5.1.1 SP 800 Section 5.1.3 penetr by cryptography protected Ultimately, securityinformation the strong of algorithms. theof keys,directly the mechanisms strength and on the effectiveness of depends protocols The proper management of cryptographic of The proper ismanagement of essential keys effective to use the safe a safe. If a of to combination the analogous Keys are security. for cryptography by known combination becomes NIST 800 SP keys against be protected need to modification algorithms asymmetricsymmetric and used by (i.e., keys private keys and and secret respectively) need to be protected unauthorizedagainst disclosure maintained) toconfidentialityneeds be storage, secure generation, the for foundation providesthe management Key keys, of destruction and distribution/establishment, use key’s a strong is life. If algorithm used to subsequently can that data of protection the then generated, the information keys, the i.e. of security by cryptography on protected directly depends SystemCryptographic Management Key a Therefore, the afforded keys. the protection the keys.(CKMS) ismanaging required for 5 p to developed been have publications Several SP 800
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
TANDARDS ECHANISMS S M
addresses the the addresses , contains: , cryptographic cryptographic
, RYPTO C .
NG management policy management SI
U RYPTOGRAPHIC C
Air Rekeying (OTAR), - the - dance provided therein is no dance is provided therein no
UIDELINE FOR , G
. 38 management information that needs to be to that needs information management be to that needs information management (e.g., by generating new keys) (e.g., new generating by applications of cryptography. of applications Specific Guidance Key Management - and and ; government information government , and will be updated gui the if
nd dates have been projected during which the use of usethe of which during projected have been nd dates , statements practices management for the use of the mechanism in its current form for the for form in its current mechanism the use the of for ion is alsoion required vary. this To has end, established NIST management infrastructure management federal Transport Layer Security protocol (TLS), Secure/Multipart Secure/Multipart (TLS), protocol Security Layer Transport - Application 57, Part 1 for the development of organizational key- organizational of development the for , Best Practices for Key Management Organization Management Key for Practices , Best . nce nce identification of key- of identification , and that cryptography employ ications 131A Part 3 Part - SP 800- n identification of keyn identification- of n
57, Part 2 57, Part A incorporated into general and plans security for major support systems appl A all for documented federal suites and sizes, key algorithm The recommended and/or allowable Recommendations protections of A generic key Guida key- and statements Contingency planningContingency compromise recovery Key compromise - - . These security strengths have been assigned to the approved to assigned been have strengths security These . security strengthssecurity 112, 128, 192 and the information: 256 for protection of 54 SP 800 o o o o o o o o -175B , Kerberos,, Over (S/MIME) Extensions Mail Internet Specific regarding: guidance is provided algorithms and key sizes, a and key sizes, algorithms information, further For secure. to be is anticipated sizes key and these algorithms see cryptographic available currently with associated issues key management Protocol Internet (PKI), infrastructure Key as the Public such mechanisms, the (IPsec), Security Note that that Note no longer adequate security). provides longer(e.g., an algorithm valid SP 800 Agencies need to determine the length timeAgencies thatcryptographicto is of determine need protection security and key appropriate size an the algorithm required with before selecting strength. SP 800 four Federal agencies have a variety of information that they have determined to determined have that they information of a variety have agencies Federal the sensitivity andrequire theof information cryptographic periods protection; the protect the that time of bits NameDomain System Security ExtensionsEncrypted Systems (DNSSEC), File and the (SSH) protocol Shell Secure • • A fifthAsecurity strength (i.e.,bits80 of security) was acceptable for applying cryptographic protection
(e.g.,encryption) prior 2014.to However, strength this is not adeq uate. 54 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - in
state tests; - - TANDARDS ECHANISMS keys that keys that S
M at the time time the at
addressed
RYPTO is using C is available at available is information aboutinformation , NIST provided, NIST NG to protect sensitive sensitive protect to SI on status er U
RYPTOGRAPHIC C A cryptographicA module was developed to provide
57, Part 1 57, Part 131A - UIDELINE FOR - management processes. management G guidance information contained in guidance information - for using TLS. using for key- s SP 800 . SP 800 that use cryptography and techniques products new and evolve,
cryptographic modules systems. information 39
.
. Therefore, include context provided may the management mechanisms and techniques are techniques and mechanisms management agencies agencies
federal key- in operational environment; cryptographic key management; management; key cryptographic environment; operational Cryptographic Algorithms and Key Lengths Cryptographic Key Algorithms and ce/electromagnetic compatibility (EMI/EMC); self (EMI/EMC); compatibility ce/electromagnetic
considerations that may affect the effectiveness of key of effectiveness the affect may that considerations mitigation of attacks. of the mitigation cryptographic computations for a security system protecting sensitive protecting sensitive system a for security computations cryptographic provides provides extensive – that detail to New management techniques and mechanisms are constantly being being are constantly mechanisms and techniques management 55 Requirements for Cryptographic Modules for Cryptographic Requirements
52 mechanisms the processesmanagement cryptographic mechanisms and Security are generated and by those managed are generated -
key- . Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) (TLS) Security Layer Transport of Use and Configuration, Selection, the for Guidelines provides minimum security requirements for that security cryptographic modules providesrequirements minimum o -175B is applicable to all federal to is applicable
52, - 140 and theof validation Transitions New developed, and existing security constantly the refined. being While mechanisms as updated be will Part 3 in the reflected not that are expected be always can specifications technical the document of current version suchstatus asinformation, version numbersor implementati Note that in the case of TLS, a reference is provided to a separate publication – publication separate to a is provided a reference TLS, of the case in that Note revised was last thatthe document Security SP 800 ; physical security; the security; ; physical s SP 800
With the development and publication of of anddevelopment publication the With 55 transitioning to new cryptographic algorithms and key lengths and key algorithms cryptographic to new transitioning recommendations for breaks orbecause the algorithm availability of of more powerful thatcomputers could be used to efficiently search cryptographic for keys. algorithm and service Each transitions. such for guidance specific more information in computer and telecommunications systems. Furth in systems. information computer and telecommunications FIPS http://csrc.nist.gov/groups/STM/cmvp/index.html 5.1.3 FIPS 140 embody or supportembody cryptography actual the actual performs and design secure to the related areas cover requirements security The information. aimplementation of crypto including thegraphic module, module specification; cryptographic ports servicesmodule and interfaces; roles, authentication; and finite NIST 800 SP 5.1.2 FIPS 140 model interferen electromagnetic and assurance; design Implementations
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , e 58 v key -
) and ers, cell ers, cell TANDARDS ECHANISMS S M
5.2.2
. management management , restricted , RYPTO 57
C rein is no longer longer no rein is
. NG Section SI rocedures, procedures, policies,
U
RYPTOGRAPHIC C (see (see
61 , deprecated , 56 includes
UIDELINE FOR 152
- ) G protected information, but there may beprotected information, a but there may - CKMS acceptable SP 800
40 Topics include security policies, cryptographic include policies, security Topics 5.2.1), 130 is intended to assist in:130 isassist intended to -
, or disallowed. one or more documentation requirements that need that need documentation requirements one or more and assessments. and security
59 , s g Cryptographic Key Management Systems Management Key Cryptographic g
). Section . SP 800
(see (see will be updated if the guidance provided the guidance the if provided updated will be
130 specifie 130 - 60 have been developed for the development of key the of development been- for developed have design specification.
consider the factors needed in a comprehensi needed factors the designers to consider CKMS
131A 130 Section 5.2.3 Section - SP 800
, indicating whether, indicating its use is contains topics that should be considered a CKMS designer when by A Framework for Designin for Framework A (CKMS) Systems Management Key Cryptographic Federal S. U. for Profile A
-175B SP- 800 SP 800 publications 131A 130 130, 152, - - - - The definition of the CKMS design by requiring the specification of significant significant the by requiring design specification of the of CKMS The definition capabilities, CKMS Encouraging CKMS, and theirLogically different capabilities, comparing CKMSs implemented specification of the by requiringPerforming security assessments capabilities, and supported CKMS and Cryptographic Management Key Systems Framework Key Management • • • •
Cryptographic Key Management System ( Cryptographic System Management Key The algorithm and key length may be used to process and already The may key length algorithm SP 800 SP 800 SP The use of the algorithm and key length is allowed, but the user must accept some risk. some accept must user the but allowed, is length key and algorithm the of use The use. for required restrictions additional are there and discouraged, is algorithm the of use The Nosecurity knownpresent.risk is at risk in doing so. doing in risk .2
to by the beer addressed design 60 61 57 58 59 56 For each topic, Note that that Note developing a CKMS A 5 Several used asymmetric for Infrastructure the Key to Public relatingdocuments (seecryptography cryptographic and distribute manage protect, to used that are anddevices components or devices all includes CKMS A metadata). (called information associated and keys The devices comput could or its be metadata. a key that access can subsystems or refrigerators. systems, alarm as cars, such devices, smart or other tablets, phones, 5.2.1 SP 800 and testing controls, security transitioning, and metadata, interoperability keys and recovery disaster assurances, system SP 800 algorithm no longervalid(e.g., an provides adequate security). NIST 800 SP allowed only for legacy applications legacyallowed for only systems:
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: required required TANDARDS ECHANISMS 130 (see identifier S M computing computing
the RYPTO C
nstall, configure, configure, nstall, ; key certificates to certificates key NG - associated with the with the associated SI and to otherand
U RYPTOGRAPHIC 62 C
ata s that may be desirable to desirable be may s that he FCKMS metad UIDELINE FOR bind public keys tobind public of t G the
key) cryptography. To achieve this goal, achieve To cryptography. key) - or a third party operating an FCKMS under under an FCKMS operating a third party or selecting
. The Profilebased 800- is on SP . The 41 ,
CKMS that manages the cryptographic keys that keys that cryptographic that manages the CKMS
F agency agency
and keys
agencies and their contractors. contractors. their and agencies that that certificates key public
protocols for protecting sensitive U.S. federal U.S. sensitive protecting for protocols owner of the corresponding private key private corresponding the of owner key (i.e., asymmetric de
- 152 specifies requirements, makes recommendations for federal for recommendations makes requirements, specifies 152 information to be bound, and to the information of the accuracy validating and their contractors their and algorithms
Infrastructure operate, and use an use and operate, velopment of Profiles that specify the specific specific the specify Profiles that of velopment the de the for basis
contains requirements for the design, implementation, procurement, contains requirements design, procurement, the for implementation, organizations and their contractors. and organizations having special security needs and desiring to augment the base security and and security base the to augment desiring and needs security special having
). 800- SP
ing selecting , and selecting -175B 152 - 5.2.1 organizations information after information Assist CKMS designers and implementers in supporting appropriate appropriate implementers Assistin designers supporting and CKMS cryptographic requirements for the CKMS to be used by an to by organization. the be for used requirements CKMS Profile System Key Management keys Form applications and data; protect sensitive and valuable obtained, data and used processed, by U.S. stored, federal Public Key provi and Generate Establish requirements for testing, procurement, installation,configuration, procurement, testing, for requirements Establish and usage operation, administration, maintenance Facilitate an easyFacilitate comparison one an CKMS with of another by analyzing their the meets each how understand to order in implementations and designs andFramework and Profile requirements; i evaluate, to procure, needed what is Assistin understanding administer, the with associated
a Federal CKMS (FCKMS) to be operated by a by operated to be (FCKMS) CKMS a Federal 152 provides for requirements management services, and suggests additional feature additional suggests and services, management • • 1. • • • The identifier could be the true identity of the owner, or could be an alias or a pseudonym used to to used pseudonym a or alias an be could or owner, the of identity true the be could identifier The
62 implement and use. implement contract for one or more federal one orcontract more for Thisis Profile intended to: key- SP design, CKMS a into incorporated torequirements design be providing to In addition 800- be aservicethat may federal provider 5.2.2 SP 800 a CKMS U.S.by and for and use operation of installation,configuration, management, federal Section organizations NIST 800 SP 5.2.3 public and manages that creates infrastructure is a security PKI A facilitate the use of public : basic tasks two to perform needs a PKI represent the owner. owner. the represent
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , a TANDARDS ECHANISMS transport - S M . RYPTO the public keys the public
C this is not not this is , but NG lgorithms algorithms signature SI - U RYPTOGRAPHIC C Certificates that convey convey that Certificates PKI tasks are assigned to to assigned are tasks PKI ).
3.3 may permit users to maintain maintain to users permit may
UIDELINE FOR G is lost (e.g., a key used for key key for a key lost(e.g., used is ies . Each certificate associated with with associated . Each certificate
polic he encrypted data be decrypted. cannot may be of twomay types: those that a provide those that provide akey that, and provide those ) provide provide to used certificates and Their Responsibilities
some some
42 the private key). the key). private further key establishment processes cannot be processes be cannot keyfurther establishment . However to anyone available be can made status information for unexpired for information andstatus revoked ; 5.3.3 RSA (see Section RSA
new key pairs and certificates. certificates. and pairs simply key new generate - arties ownerof the key.
usage bits in a certificate indicate the purpose for purpose the indicate a certificate in bits usage - real key establishment) key ic keys rtificate Section Key
ce . ) publ i.e., ( , , Relying P , Relying
the public keys of one of the three digital theof three one keys of the public
are commonly used: used: are commonly 3.3
key (see (see key an alternative is to is alternative an : DSA, ECDSA or For example, if the key is used to transport a decryption key for key for a decryption transport to is used key the if For example,
Section 5.3.4 public public
ng that key cannot be trusted (e.g., someone other than the true owner of (e.g.,that key be the cannot trusted someone otherthan true ng FIPS 186 maintained under the exclusive control of the owner of that private private that of owner the of control exclusive the under must be maintained establishment key possible for recovery. establishment -175B PKI Components If a private key used for key establishment is compromised, then any transactions transactions any then is compromised, establishment key for used key a private If involvi "secure"transaction supposedly be enter a attempting into to may the key private purpose). illicit some for certificates. aIf privatekey that to is generate used signaturesis digital lost, the owner can no signatures digital generate longer operations of continuity for key private the of backup copies encouraged, so relying compromised, is signatures digital to generate used key private the If key generated that private using signatures no longertrust digital the parties can be using(e.g.,information) to someone may provide false the signature key establishment key a usedIf private for transport key or agreement), then to is needed key the if replaced; or recovered accomplished is key until the can be key the lost unless is that data then the key, by protected recover data recovered. encrypted data,key and is the lost, t then private the backup lost, PKIs often is not data critical to ensure that access To key- Maintain and provide and Maintain key (see (see key for key management key for (i.e., the user that is authorized use user to (i.e.,the that is
agreement agreement 63 • • • • 2. An exception could be some other trusted entity, such as the owner’s organization. In these cases, the the cases, these In organization. owner’s the as such entity, trusted other some be could exception An
63 5.2.3.1 For scalability, PKIs are usually implemented with a set of complementary components, components, complementary with a of set usually implemented For PKIs are scalability, main The process. the PKI of aspects specific on focused each public which the public key is intended to be used. in Section discussed As private key key Two types of certificates of types Two used tothat are verify digital signatures, and to certificates provide the used public keys used provides signatures digital approved in the public to be used keys key for establishment key- NIST 800 SP organization could be considered to be the the be to considered be could organization
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , ,” or
. status . This KI, but KI, TANDARDS ECHANISMS S M key certificate key RYPTO
- . applying for a for applying C either directly either information to be
the owner of the the owner of the NG SI the CA creates a digital a digital creates CA U
RYPTOGRAPHIC C ies of usersof
:
certificate, certificate, t has a public has t ty UIDELINE FOR . G , including the compromise of the the of compromise the , including a warning indicates a compromised a compromised indicates a warning , and 2) verif , and f discontinue operation discontinue tos simply
RA sends the public key and other relevant relevant and other sends public key the RA 43 at a certificate be generated. generated. be a certificate at the other entity’s entity’s other the for for further discussion) riety of reasons riety of 64
After acquiring the certificate, the relying entity entity relying the certificate, the acquiring After When a certificate has been revoked, a system will a system revoked, been has a certificate When of theof applicant
32 - revocation message and perhaps include the reason for for reason the include perhaps and message revocation request a certificate to request (RAs) verify the identi the verify (RAs) ; other components are also used to support the P support the used to also are ;components other -
the public key in the certificate, or certificate, the in key public the
te ty identi an RA repository. the
and and continue operations, or ies g at a predetermined time unless revoked prior to the expiration date. expiration the prior to unless revoked time predetermined a at and authenticate other information to be included in to the be included and certificate authenticate other information , and
65
the signature on the certificate. Assuming that the certificate is “good is certificate the that Assuming the certificate. on signature the
the CA’s can be revoked for a for va revoked can be Introduction to Public Key Technology and the Federal PKI Infrastructure PKI Federal the and Technology Key Public to Introduction -175B the certificate is valid, then the the then valid, is certificate the
32, he relying party to needs obtain - t from verifies information to the CA to request th request to CA the to information the the request RA, receiving from Upon the certificate information entityAn to applies The RA verif . certificate the in inserted inserted be to the inthat by the 2 indicate step information RA theIf made checks in in a the certificate deposits and the RA to certificate the returns certificate, repository. tha entity another with interacts party relying a When certificate’s the with interaction its with safely proceed can party relying the then owner. - certificate and certificates generate (CAs) authorities Certification authorities Registration certificate 4. 1. 2. 3. 5. • • SP 800 SP certificate. a obtain to authorized userwhich deviceforis the a orfor user forbethe certificatecould The owever, be a administrator user obtaining or responsible for may and a installing system
warning must not be lightly. taken warning Ignoring the that means user the is accepting i example, For doing so. associated with the risks 64 65
. Depending on the application implementation and the revocation reason, reason, revocation and the implementation application on the . Depending the revocation couldthe disallow actions, application further or couldthe allow user to whether indicate warnin the ignore to are not discussed here (see SP 800 (see here are discussed not as follows: operates PKI a In general, user. the to transparent is certificate a using with involved interaction the of Most H interact to certificate the uses a browser) (e.g., application an Thereafter, a certificate. with these other usernotthe of may be aware actions. ex entities,ception and An be might be may message case a in which revoked, been or expired has a certificate when status. this indicate to displayed expire Certificates Certificates to corresponding private key the organization. leaving certificate certifica the display quite often the following logicalthe components following NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
; storage
TANDARDS ECHANISMS S M and . Each of the 5 RYPTO set of rules that C NG SI U RYPTOGRAPHIC C named named a “ ey generation Verification Example Verification defines the expectations and is
Figure 5: Basic Certificate Certificate Basic 5: Figure UIDELINE FOR All CA subscribers are provided are provided subscribers CA All CP G users subscribing to CAs different a certificate containing their public their containing certificate a
s , The e
h
If the the If
) obtain
44
(CP) (CP) Policy Certificate Statements Practice Certificate and
and User 3 User and verified, then User verified, User then
, a
User 2 User X.509 such issues as k issues as addresses such CP A
, to verify the contents and source of the signed document. This is the document. source signed verify contents and the of to
n whe exist scenarios complicated User 3 generated the signature the generated 3 User - successfully successfully ains the certificate containing the the containing certificate ains the
to sign the document, i.e., User 1 i.e.,1 User the sign document, to certificate, there is a possibility that someone other than the claimed claimed the than other someone that possibility a is there certificate,
Certificate Verification Process Verification Certificate e cross certified by signing a certificate for each other. each for a certificate signing by that certified cross CAs using have ature ature
who needswho example of howexample this works, suppose that and sends User a 3 signs document it -175B Basic Policies Policies CA Certificate User 1 obt private topublic the that key corresponds key used 3 User Either 3’s certificate. User obtains is certificate the or certificate, that supplies other some t obtained e.g., from source, User 1 verifies User 3’s certificate using the the using certificate 3’s User verifies 1 User CA’s public key. User 1 then employs the public in User key the on signature the verify to certificate 3’s 3. User from received document that 1 knows CA. is signature were modifications and no unauthorized to the made afterdocument the was signature generated. sign Recommendation Recommendation
using that policy. basic
66 and other which is information, signed their by CA. 1. 2. 3. consult with his organization to determine how to respond to this warning. to to respond how this organization toould determine consultwith his International Telecommunication Union. Telecommunication International
requirements of the relying party community that will trust the certificates issued by the by issued certificates the trust will that community party relying the of requirements CAs 66 indicates the applicability of a certificate to a particular community and/or class of of class and/or community particular a to certificate a of applicability the indicates applicationwith common security ” requirements. A PKI consists of at least one CA with its subscribers, as shown in Figure as shown with CA one its subscribers, at least PKI of consists A As a to User 1, 5.2.3.2 1 User (e.g., subscribers key as follows: accomplished to interact need digital digital NIST 800 SP theowner certificate of actuallythe key corresponding private used to public to the key sign data. the data, Depending not on be it may prudent to ignore warning. the A user sh with CA. the the key public of Note that other more by defined As Statement. Practices a Certificate and Policy a Certificate has CA Each ITU 5.2.3.3
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: cross- TANDARDS ECHANISMS is including including
S M consists of consists
be associated associated be .
RYPTO ), bridge C ing overnment withovernment a n about the FPKI, NG ystem management management ystem and use it without SI U ) private key pairs. The The pairs. key private RYPTOGRAPHIC - C or a CPS for a specific a for specific or a CPS agreement scheme (see scheme agreement specific CA issues and CA specific . , stored data 5.3.1 and archiv is designed to be used as ais be used as designedto UIDELINE FOR .
locally locally G , services status ertificate Section
infrastructure . - key
- NISTIR 7924 NISTIR
information) 45 public - and recovery; c and recovery;
generation and generation; and distribution and s 67
) ), , configuration management, , configuration management, certificates. further for within the bridge, thus establishing a trust conduit for s
identifies a baseline set of security controls and practices to practices and controls security of set baseline a identifies
68 ), or Section 5.3.2 Section 5.2.3.4 Section (CPS) describes how a describes how (CPS) Statement Practice key certificates. The CPS is derived from the applicable CP for the the for CP the applicable is from derived CPS The certificates. key -
(see (see
-175B Scenarios for which key establishment could which key establishment Scenarios be performed include for the Public Key Infrastructure Key Public Federal security audit as security such , NISTIR 7924 NISTIR providingtoprotectingit other entities (e.g., for aor key thatis shared more key couldfrom A already two be between derived entities each entity from data) entities could contributionsTwo generate (i.e., a key using a protocol key- usingincorporates an automated that Key EstablishmeKey nt singleA entity generate could a key (see Section 5.3.3
• • •
lowing: Saving a key or information that allows the key to be reconstructed so that the key can be recovered if if recovered be can key the that so reconstructed be to key the allows that information or key a Saving NISTIR7924, ReferenceCertificate Policy (Second Draft) ever needed (e.g., because of being lost or corrupted). or lost being of because (e.g., needed ever overnment .3
A Certification A publicmanages participates. in CA which or the community application Federal the by use for established been has (FPKI) Infrastructure Key Public Federal A G CA. 68 67 Certificate Revocation List (CRL List Revocation Certificate functions community specific a for CP a writing for guide and template 5 and by provided to entities are the which means keys generated establishment isKey the be a person, device or organization, may entity An use them. to authorized thatare process. fol support the secure issuance of secure issuance support the 5.2.3.4 DRAFT G Federal the provides (FPKI) Infrastructure Key Public Federal A public and certificates digital administer to infrastructure common ) “Bridge” the as to referred (commonly FPKI the of portion network the within CA Each agencies. various by designated CAs” “Principal CA other every with certified also may CA Principal Each FPKI. the within CAs all among relationships informatio For more bridge. the of part not are that CAs other with see statement, practices certificate and policy certificate its including http://www.idmanagement.gov/federal certificate generation; key escrow key generation; certificate NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , - -
). shared shared TANDARDS Hellman Hellman ECHANISMS d for thed for - S
approved M references references ). Random Bit Bit Random be generated
in addition toin addition cryptographic cryptographic
, with the key the , with , respectively), RYPTO 5.3.3 C rs for RSA key
must . NG 5.3.4 and5.3.5 5.3.4 shared keys. pre A shared s SI - U RYPTOGRAPHIC C and Section compliant key pai face meeting face shared key), or ashared could be key),
- - ), 5.3.3 to - it to one or more other entities other or more one it to UIDELINE FOR
. G 5.3.3 on a flash drive) or using automated or automated using flash drive) a on in the process generation Section a key directly from ana key directly and RBG, from
interactions. The secret information couldinformation be secret The interactions. 46 agreement scheme (see scheme agreement - 140 FIPS within ated transport scheme (see Section scheme transport - derivation functions that use pre that use derivation functions - gener
yptographic Key Generation be ), eans (e.g., a courier or a face a or courier eans a (e.g., transport schemes (see Sections (see Sections schemes transport ation also be used may - . Any random. Any value required by the module must Typically, the secret information is shared among entities isthe information that shared among Typically, secret
several key several ) discusses the generation of the keys to be used with the with used to be the keys of the generation discusses
module.
. agreement schemes (see schemes agreement
69 specifies the rules for the generation of the generation rules for the specifies specifies the rules for the generation of keys from passwords (see (see passwords from keys of generation the for rules the specifies specifies the rules for the generation of key pairs for Diffie for pairs key of generation the for rules the specifies ). provides methods for the generation of keys from an already- keys from of generation provides the for methods
and
provides rules for the generation of the key pairs to be use to be pairs the key of generation the for rules provides
133
Section 5.3.2 56B when not used as a component another processcomponent (e.g., of nota cryptographic when used as
132 108 56A - - be based directly or indirectly on the output of an approved of thedirectly indirectly output on or be based
- - specifies specifies FIPS 140 by by a manual m secret inform secret
- RecommendationforCr Functions Pseudorandom Using Derivation Key for Recommendation provides guidance on generating 70
-175B SP 800- non (see (see
133, 108,
108 133 - - Key Derivation Key SP 800 key and agreement and SP 800 Section 5.3.6 SP 800 (see key SP 800 key- and MQV FIPS 186 signatures, digital of generation either either as such electronic printedin form, or either key a incorporate that protocols Generation Key A singleA entity could a key and generate provide - - • • • • • • SP 800 SP 800 SP
69 70 SP 800 havesharedcould been key 5.3.2 Key derivationKey is athe key concerned of secret with generation from , information although the information secret subsequent for key same the derive to need (i.e., the already shared between entities a that is pre a key SP 800 theother required generation keys information publications additional for for for of algorithms: specific cryptographic algorithms. cryptographic algorithms. All keys must a cryptographic within 5.3.1 Generator (RBG) modules shared during key that is- secret derived a Cryptographic keys are required by most cryptographic algorithms, the exception being exception being themost cryptographic algorithms, required by are Cryptographickeys hash functions HMAC). NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - - SP 56C 56Aand TANDARDS ECHANISMS S M agreement agreement 56B or56B -
56A and SP and SP 56A . to 800- SP RYPTO
. C entitiesby some
NG SI wise key wise agreement process so so process agreement - U RYPTOGRAPHIC ). 800- SP C 56A, SP 800- SP 56A, agreement scheme (see (see scheme agreement Expansion - pair
5.3.3 800- then e shared secret using a key using secret e shared agreement schemes have two have schemes agreement DerivationFunctions UIDELINE FOR agreement schemes,agreement differingin G
. ) . Section automated automated 73 Specific Key Key Specific face meeting), meeting), face - ). The key- - provide methods for deriving theprovide for keys from methods to
- 47 pair 71 methods g an automated key-
56C 5.3.4 and 5.3.5 - s provide several several provide term key term
- SP 800 56B derivation methods for this purpose, and refer for and this purpose, methods derivation and 56B include variations of key include- variations56B of
-
establishment procedure in which the resultant keying material is is material keying resultant the which in procedure establishment
56B 56C. - - ), or SP 800- specified or approved by reference in SP specified by reference approved or For each scheme, a shared a shared scheme, each For parties. two schemes involving agreement - for additional for approved 72
and SP 800
- Extraction through Derivation Key for Recommendation RecommendationforExisting Application , 135 Agreement - -175B 56A . 56B SPto 800 56C, 135, 56A 800 and SP 56A - - - - Key manual means (e.g., a courier or face or a courier (e.g., means manual Agreed upon by the entities usin Section 5.3.3 key an automated entity using to another and provided one entity Generated by (see Section scheme transport Generated one entity and provided by to one or other more - - 56C - two key specify 56 B SP 800 • • • SP 800 SP - 800 SP in references and specifications KDF the move to progress in is modification a that Note SP 800 SP 800 SP
participating entities: an initiator and a responder. responder. a and initiator an entities: participating 73 71 72 sed and whether the keys are long term keys(i.e., usedor of long and theare term anthe whether ephemeral static) keys number valuea nonce (e.g., or a short 800- SP 800 Key agreement is a key- is agreement Key key i.e., schemes, th from is derived material keying and is generated, secret 800- 5.3.3 a information function by all of contributed participants in key- the SP 800 (see agreement key during generated secrets shared and keying material resulting the the of value predetermine can that no participant is usually agreement Key participants. the other of contributions the of independently using performed protocols. automated SP 800 derivation method NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: and
ion to ion for thefor
TANDARDS 56A ECHANISMS 6 - S M agreement agreement In the example In example the RYPTO C SP 800 ). NG SI U . See See . RYPTOGRAPHIC
C
ic key may be provided to to be provided key may ic ibution to key - the initiator: UIDELINE FOR G , and is in shown , and Figure scheme where the responder uses a a uses responder the where scheme key(s)
48 ation from the responder the from ation term key pair (i.e., key term pair), an ephemeral and agreement agreement - this public key is the responder’s contribut is the this public key
entical. key pair key ephemeral an use could party each or : Key Agreement Example Figure Agreement 6: Key
pair receives key confirm key receives
agreement process. process. agreement for further for information. -175B agreement schemes may use other arrangements of each pairs (e.g., party key use other arrangements may schemes agreement provides an example of a of key- example provides an
56B - The initiator obtainsThe initiator or responder's directly the public a(e.g., CA from key from this scheme, for the responder); the key- a short generates then initiator The . scheme this for process useBoth parties their key pair and public own the other party's generate key to a secret. shared one thenthe orBoth parties to more keys use shared secret derive their copy of id (hopefully) are that sends the ephemeral public key to the responder, retaining the ephemeral private ephemeral retainingthe responder, the public to sendsephemeral key the contr initiator’s the public is key. The ephemeral key 1. 2. 3. 4. SP 800 Key confirmation is an optional, but highly recommended, step that provides assurance thatassurance step provides recommended, highly optional, is confirmation but Key an that have both now the parties same (identical) initiator the case that static scheme, and the key pair during initiator the uses an ephemeral key pair. Notethat other key- key static a use could Figure 6 provided the in figure above, the private the retained responder's key is responder by publ responder's the but key pair), the owner of the(who is toanyone. is the the In provided this example, public key NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
SP
shared shared ols.
TANDARDS ECHANISMS S M
56A and SP and SP 56A Note that the the that Note
schemes using using schemes RYPTO C NG
SP- 800 SI U to generate the generate to RYPTOGRAPHIC agreement discussed in in discussed agreement C s - agreement part of the the of part agreement establishment transaction transaction establishment - agreement agreement , and an , and an schemes transport pair -
key algorithm (e.g., AES) by AES) (e.g., algorithm key agreement process. agreement - agreement scheme. agreement - further information key about key- -
UIDELINE FOR G for
wise key wise agreement part of the transaction, the the the agreement part of transaction, -
wrapping process. Key wrapping is a is process. wrapping a wrapping Key - wrapping key, which is then used as then as is used key, which wrapping - . schemes agreement pair - asymmetric key asymmetric
ection for keying material ection for prot integrity and 49 and
Section 5.3.5 56A Key56A Transport Example
RSAkey cs automated automated . After the key - (see
transport scheme. transport - emati to be sent to the other party (the receiver). (the party other the to sent be to Hellman (DH) and MQV transport method wherebytransport method a key igure 6 - key wrapping key with a symmetric a key with wrapping provide -
a SP 800- e 7: SP
both confidentiality both 56B -
agreement process and a key and process agreement Figur key algorithmkey 56B specifies two56B specifies - shown inshown F 56A Key56A Transport
SP 800 and specifies a key specifies
s as a used key SP 800 -175B
. and SP 800- illustrates the key transport process that follows the key the follows that process transport key the illustrates
- Diffie specifies 56A
56A
- Key Transport - and - a symmetric , provide an analysis of the merits of each key each of merits the also of 56B analysis an provide 56A 800- 5.3.4 and distributes key a generates (the sender) party whereby one a method is transport Key be accomplished transport Key could receiver(s)). (the parties other more or one it to using protoc automated courier) performed or using (e.g., a methods using manual secret Figure 7 Section 5.3.3 key a symmetric share responder and initiator follows: finite field or elliptic curve math curve elliptic or field finite SP 800 transaction i key the in responder the or initiator the either be can sender wrapping) generatedkey- the the during During transaction, key the analysis of the merits of each key each of merits the of analysis 5.3.4.1 aincludes key- both 800- the partysending to wrap SP 800 NIST 800 SP process that provides using
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
. that TANDARDS ECHANISMS (note S receiver obtain the the obtain M
in 800- SP whereby thewhereby
RYPTO C s now have the the have s now l to the receiver. l to receiver. the NG methods SI U RYPTOGRAPHIC C wrapping key, and wrapping wrapping key to ey transport is accomplished is accomplished transport ey . public key, and transport transport
key- , keying materia keying UIDELINE FOR that both parties now have the the have now parties that both
,
G ; although this step is optional, it is it is optional, is step this ; although using the
), , and 50
must have a keykey pair that during- must used a is shown in figure,shown the k to provide assurance to provide assurance that both partie to that both provide assurance
example of one of theexample of key- . ciphertext (i.e., the wrapped key) wrapped tociphertextthe the (i.e., intended very transporting for different methods keys blic to key securely transport In the example a symmetric key to be transported be to key symmetric a obtains) otherwise (or receiver's key using symmetric receiver's the the the ciphertext using his copy of theusingthe of key- his ciphertext copy simplified .
56B Key56B Transport
his private key to decrypt the ciphertext key, thus obtaining the original original the obtaining thus ciphertext key, decrypt the to key private his
: :
: : specifies two two specifies from step 1 from key raps the symmetric nwraps
Uses Uses plaintext key. key Optionally performs confirmation;isit although this optional, is step highly recommended same symmetric key. symmetric same the public key of thepublic intendedreceiver Obtains key of the transported to be key symmetric a Generates Encrypts receiver the key to phertext ci Sends the resulting original plaintext symmetric key symmetric plaintext original U Optionally performs keyOptionally performs confirmation highly recommended key symmetric same could have been either the initiator or the responder in the key- in the or responder the initiator the either been have could the sender transaction the part of agreement Sends the resulting Generates Generates W -175B . SP 800- provides a eceiver
56B 5. 6. 1. 2. 3. 4. - 4. 5. 3. 1. 2. 8 In both the receivermethods, The receiver The r The sender The sender 5.3.4.2 SP 800 sender uses the receiver’s pu receiver’s the uses sender Figure 56B. NIST 800 SP transaction transport as follows
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
SP keys
.
. are also TANDARDS ECHANISMS S M The wrapped . . However, RYPTO detect detect to s used C i that is known by known that is
NG
SI U securely. Unwrapping securely. RYPTOGRAPHIC wrapping key that was key thatwas wrapping C algorithm
wrapping key wrapping UIDELINE FOR - G key for wrapping used be - keyotherfor wrapping, 800 and SP so
74 (i.e., transported) transported) (i.e., algorithm andalgorithm key- key block cipher key
- 38F -
51
that can al can that Based Key Derivation Part 1: Storage Applications Storage 1: Part Derivation Key Based 56B Key56B Transport Example - . Due to the ease of guessing most passwords, passwords, most guessing ease of the to Due . e of the same the same of e Depending on the method or mode, either AES or TDEA can or TDEA AES either mode, or method on the Depending .
38F Figure 800- 8: SP of a Password a Key from
have been specifiedhave SP 800 been in
Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping Key for Methods Operation: of Modes Cipher Block for Recommendation Recommendation for Password for Recommendation in SP 800- SP in -175B specifies a family of functions that can be used to derive keying material from from material keying to derive used be that can functions of a family specifies
75 38F, 132, - - Derivation Key Wrapping methods
132 SP 800 SP 800 SP
the keying material requires the us the requires material keying the wrappingused process.the during original simple wrappingKey encryption that differs from in an the process includes wrapping feature integrity this process, unwrapping the During feature. integrity material. keying wrapped the to modifications intentional or accidental Three keying material can then be stored or transmitted transmitted or stored be then can material keying approved be used. passwords derivedKeys can be from 74 75 800- 38 modes (or combination of modes) that of (ormodes) combination 38 modes 5.3.6 5.3.5 integrityto wrappingKey keys used and is to protection provide confidentiality a method key a symmetric using other information) (and possibly both the sender and receiver, and a symmetric applications for most used to be are suitable not derivedin this manner NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
an for ).
, 56B TANDARDS ECHANISMS S M , Part 1 may need tomay
57 - RYPTO determine what what determine
C
NG and SP 800- SI
U or to decrypt archived RYPTOGRAPHIC
C eys may also need to be be to also need eys may 56A - recovered in an acceptable an acceptable inrecovered Some k SP 800 UIDELINE FOR
G single person can person single can be be can
epends on the type of cryptography to be to epends cryptography type on the of
ations (e.g., when encrypting an (e.g., entire encrypting when disk ations 52 , keys can be established between entities either either entities between established be can keys , In many cases, a hybrid approach is used in which in which used approach is cases, hybrid In a many .
3.4
protect the keys, depending on itsthe depending protect could Keys keys, design. 5.
. resumed operations and
and discuss the considerations that need to be addressed by the by addressed to be need that the considerations discuss
5.3
152
s number of places and protected in a variety of ways. They could ways. They could variety of a in places and protected number of - key backup, key archiving and key key archiving recovery.key backup, d manually distributes one or more keys to other entities, and entities, to other keysone or distributes more manually d electronic applic storage electronic term storageterm because (e.g., legal of requirements
SP 800
vs. Automated Key vs. Automated Establishment can be recovered be can for recovery capability is needed whenever keys are backed up or archived. archived. or up backed are keys whenever needed is capability recovery
- Management Issues and
76 ility needs to be designed so that the keys the so that be designed to ility needs -175B anual the organization could operate a CKMS procured from a organization couldthe procured from operate avendor. CKMS Or 130 organization, including the scalability of the CKMS, and the metadata to be to be metadata the and the CKMS, of scalability the including organization, Storing and ProtectingKeys Selecting Operating and a CKMS Key M -
. crypted or split into key components so that no so key into components or split crypted (i.e., symmetric or asymmetric methods) and be consideredselecting the must when methods) asymmetric or symmetric (i.e., ). A key
Note that this publication considers a passphrase to be a password. a be to passphrase a considers publication this that Note .4
amount of time and only by those entities authorized to do so; seeso; SP 800 toauthorized do and onlyentities time by those of amount This capab This data the key is. These issues need to be addressed for operational keys. keys. operational for addressed to be need issues These is. the key is lost an inadvertently operational need key to up so be that if backed may Certain keys itor modified, archived long for - be en be 76 more information about 5.4.3 a key case, this drive; in as a flash such , media electronic on stored also be federal an entity generates an generates entity an (see keys other to establish used are keys these thereafter keys. the with associated a in stored be can Keys . They could bein a safe presenta validated where only in stored cryptographic be module adequately might itself module the The number of keys to distributedThe number of bed manually manually or using methods automated ormanually used a CKMS. of required capabilities 5.4.2 use organization that will by the could operated CKMS implementedA and be designed, , Or it. a from CKMS organization party that procures couldservices a a procure third the of CKMS e sure that the theto vendor. organization is needsmak Whichever made, choice information. organization’s the requiredthatare for protections provides the thatis used SP 800 a password NIST 800 SP 5 drive) a CKMS. and selecting using to for number of beA issues addressed need 5.4.1 in Section discussed As
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: : the nality nality critical TANDARDS ECHANISMS t require require t validated validated S - M 57, Part 1 57, Part - is available at at is available
RYPTO C NG
SP 800 SI U RYPTOGRAPHIC C
CAVP is available at at is available CAVP
UIDELINE FOR is authorized. For example, a key example, For authorized. is G compromised. Cryptoperiods are usually compromised. Cryptoperiods are usually
nformation about CMVP the nformation
53 for a discussion of the security requirements for for requirements the security a for discussion of
. , while i , while
nformation about the be validated implemented in 140 and FIPS
tiality, Although cryptography integrity, is and authentication. industry, and the public rely on cryptography for the protection thefor protection cryptography rely on public the and industry,
in this document in
. other application areas. At the core of all products offering offering products all of core the At areas. application other
or by the maximum amount of data of of amount timeperiod or maximum by the considered a carefully
-175B Control of Keying Material Material Keying of Control Use Validated Algorithms and Cryptographic Modules Cryptographic Algorithms and Use Validated Cryptoperiods agencies to use only tested and validated products. validatedto tested use agencies and only http://csrc.nist.gov/groups/STM/cavp/ cryptographic algorithms and the cryptographic modules in which they are which they and the in usedcryptographic algorithms cryptographic modules Module and the (CAVP) Cryptographic Program Validation Cryptographic Algorithm . I (CMVP) Program Validation Also, see Section 5.1.2 see Also, cryptographic modules 5.4.6 an only key beThe access should accessibleto by keys to needs be controlled. A it which for purpose the for authorized and only entity, http://csrc.nist.gov/groups/STM/cmvp/ NIST hasNIST toestablishedprograms validate the the implementation of approved private private agencies, Federal used commerce, the in information electronic of and communications render can algorithms weak or design as poor such weaknesses security, provide to used and testing at risk. Adequate sensitive information place highly insecurethe and product cryptographic algorithms its underlying module and the cryptographic of validation assurance. security to provide essential is standards established against 5.4.5 functio as to claim a makes available product IT Every cryptographic modules. modules, which Cryptographic thecryptographicis cryptographic services module. arecontain algorithms, used in cryptographic products to and systems provide security as confiden such services assigned for assigned a cryptoperiod of the determination associatedTradeoffs with theprotected key. by exposure. Section 5.3 consequences of of risks and involvethe provides discussion detailed more of the a need establishing for cryptoperiods, the factors the suggestions for some and cryptoperiod suitable a on deciding consideredto when be lengthtoperiods. cryp of Cryptographic must algorithms and/or security. protecting offered When data, level assurance a sensitive minimum of is also legislative are There is valid. claim stated security a product's that needed tha technology, cryptography, such of as regarding types certain restrictions federal and infrastructure, 5.4.4 NIST 800 SP cryptoperiodA is span the during time which a specific key is authorized use. for A a for keycryptoperiod is aassigned number of reasons, for including limiting the amount exposure encryptedof data of a if single keyis
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
to be
digital they are must TANDARDS
ECHANISMS be made S or control or control M
nientto make Users Users RYPTO operational. A operational. recovery plan.
. - C is signature tal
NG cted compromise of of compromise cted unauthorized SI
ages key key compromise ages U RYPTOGRAPHIC e C s a risk associated with with associated s a risk is useful in determining ed for the generation of of generation ed the for discour l be taken with compromised compromised with taken be l generat
UIDELINE FOR G for discussions. for 57, Part 1
- 54 includes discussions of the effects of a key a key the effects of of discussions includes
be used for the generation or verification of digital digital verification of the or generation be used for keys, user keys, previously generated signatures, signatures, previouslykeys, keys, generated user
zing the likelihood or consequences of a key a key of zing or likelihood consequences the
of responsibilities and liabilities, and eachshould responsibilities user and and liabilities, of
57, Part 1 - aids when in determination of a the compromise could have 1) and Auditing
Users must be able to store their secret and private keys securely, so so securely, keys private and secret their store to able be must Users
); this should be established before the system becomes system the before established be should this );
possibility couldthe that be copy used to recovery plan should address what actions wil address what should recovery plan - -175B
Accountability Compromises Accountability an effective tool tool cryptographic keys effective an throughout their Accountability can lifecycles. be
occurred and what individuals could have what individuals beenoccurred involved, 2) and could detected. because their users know the and 3) accessknown, to key is Accountability involves the identification of those entities that have access to access have that entities those of the identification involves Accountability that no intruder can access them, yet the keys must be readily accessible for legitimate legitimate for accessible readily be must yet the keys them, access can intruder that no use. 5.4.7 In cases, some a key and all the copiesof key should be destroyed the immediately upon a us private For detection example, a key key compromise. of made aware of their unique responsibilities, especially regarding the significance of a key key a of significance the regarding especially responsibilities, unique their of aware made or loss. compromise It isa to plan imperative have handling for compromise or the suspe keys, theusedused particularly those by a and managed at keys CA a site central (e.g., compromise CA hardware, and software system is someone'sIf private secret other must lost or key or compromised, users dataaware this, they a no longerprotectionof of will using the so that initiate assessing without key a compromised with or accept data protected key, compromised theand accepting risk doing so. This of is notification often accomplished using CRLs or SP 800 see (CKLs); Lists Key Compromised publiccorresponding However, the be immediatelydigital destroyed. signatures should need thekey verifying to availablefor that were signatures remain previouslymay Note private that there i key. compromised generated the using signatures. these accepting 5.4.8 of compromises when of impact the and tocompromises reduce to prevent key help compromise, measures for minimi for measures compromise, signatures. is it to often conve be While controlled. also keys needs The proliferation of developinga compromise incompromise, and be considered what should copies keys, these of extra copies to a be If key accounted need for. is compromised, that key and all copies its need may to be destroyed prevent to use. subsequent unauthorized a digi of generation a private the if for For key example, used destroyed, was copy the original after exists still the key of a copy and compromised, then a there is time. a later at signatures bewith providedUsers a list must a key receiving before concerns these acknowledging a statement sign certificates sign encrypted data, SP 800 etc. must not designated key must for transport NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: TANDARDS ECHANISMS S M RYPTO C NG SI U RYPTOGRAPHIC C and recovery from key and recovery from
of
UIDELINE FOR G
55
hanism used for the detection used the for hanism
-175B where the key was used and what data or other keys were protected by a compromised compromised a by protected were keys data or other what and used was key the where key,also and therefore, may be compromised. another mec is Auditing NIST 800 SP compromises. Auditing includes reviewing the actions of humans that use, operate and and thatuse, humans operate actions of compromises.includes Auditing reviewing the lookingmaintain systems, unusual for indicate by actions that may events inappropriate system. management usin or a key processes g the humans
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: bit Part 1 Part TANDARDS ECHANISMS S the lesser the lesser M be used to 57, 256, which - - RYPTO C - with 2048 SA NG SP 800 R
SI U RYPTOGRAPHIC C
impact information,impact and
- After performing a risk risk a performing After algorithm with the lowest the with algorithm 6 of 5.6 of
of at least 112 bits for the the 112 bits for at of least ). for some of the protocols are the protocols of some for rength of 112 bitsrength of − (for TLS). a number of issues need to be be to need issues of a number 53 - UIDELINE FOR 52 For example, For example, , the security , the provided the by - G .
) ISSUES . Section Section SP 800 SP 800 Part 1 Part n policies. eroperability reasons. When algorithms of algorithms When eroperability reasons. t
57, and 56
security strength strength security
OTHER : OTHER to protect data protect to a 6
P 800- P 175A S - requires requires together
trength S information, 128 bitsinformation, Moderate for
152
- SECTION securely, the entities must also have: must entities the securely, cryptography iscryptography used properly. issues to be addressedissuesafter to be is determining cryptography that (for S/MIME) and and 57, PartS/MIME) 3 (for impact - the ability of one entity,the entity with of to ability another communicate whether - ecurity impact information. The required information. securityimpact can then strength SP 800 -
). -175B
tables for selecting appropriate algorithms and key key and sizes. algorithms appropriate selecting for tables Trust that each entity will enforce its ow its enforce will entity each that Trust Interoperability communications same and the communications Internet) A the channel (e.g., and protocol TLS), (e.g., communicate to entities the allow that Policies Required S
FIPS 199 bits for High bits for case for performance, availability and in and availability performance, for case • • •
2 . .1 algorithm and key size to be used. and key sizeto be algorithm the determine the with is the associated strength algorithms combination of 5.6 of (see Section security strength different strengths are used are strengths different 6 192 SHA used with 112 bits, but often is of strength security support a keys can can supporta security 128 bits. strength the of combination toa When generate used is digital signature only the providea signature, can security st algorithms. two strength by the offered suites) Approved (called cipher algorithms combinations of provided in SP 800 is Interoperability must the entities , order to communicate In processes. or devices are people, the entities have: In orderto communicate protection of Lowprotection of provides Ideally, algorithms. cryptographic several different use of the require Many applications be always notthis may but security strength, same the all offer would these algorithms the 6 assessment and determining the sensitivity level of the toassessment of information be and protected determining the level (Low, sensitivity be used, controls the to security Moderate High) and or that ensure to addressed identifies section This required. cryptographyThe use shouldbe of and undertaken a analysis, without not thorough a risk security the and protected be to information the of sensitivity the of determination SP 800 (see used be to controls NIST 800 SP the information of level sensitivity the by determined is strength security minimum The (see
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: is ee key S (see (see
bit bit Section TANDARDS ECHANISMS
algorithm S , M
, and
) RYPTO
In this case, the the case, In this C 5.3.4 , and .
NG SI U RYPTOGRAPHIC C bit RSA key pair and can key pair and can bit RSA tion using AES is 128 bits, is 128 bits, tion AES using to communicate, to communicate, using AES
UIDELINE FOR G for providing adequate protection adequate protection providing for
entities
protected using an approved using protected - information bit AES key and act as the sender in the the in as the sender act and key bit AES - on key transport) on key a discussion for
approved 57
that has been established securely (see (see securely established been has that , used communication for an be correctness of this information is the linchpin on the is linchpin thisinformation of correctness see Section (see transport key RSA bit Longer Approved longer 128 are rated at 128 a security of bits strength
- for additional discussion. additional for The , an RA verifies applying users the of a identity for
; the information for the remainder of its security life. security its of remainder the for information the
a secure and interoperable communication channel that can be interoperable channel that can a secure and communication (see Section (see 5.3.4.2 57, Part 1 bit key for encryptingbit key for - -
bit RSA andbit AES RSA
. transport scheme, and the other entity has a 3072- entity and has the a transport scheme, other . ) -175B ) ppropriate identification is provided by an entity requesting a certificate and a certificate requesting by an entity is ppropriate identification provided establish a 128 Once this information is verified, the the verified, is information this Once is based. certificates using of security he Information Information submitted for inclusion the validity for in certificate (e.g., is checked claimed the of the in possession is key private the valid, and is public key that the owner); and sign used private to the provides the for key The RA adequate protection request. certification A and 3072- establish keys using receiver the act as Registration Authorities (RAs) fully by the checked RA When Algorithms No are One of the entities can generate a 128 generate can the entities of One Each organization has a policythatEach organization a the allows has policies, own its enforce will entity other the that trusts entity Each that c capability a TLS is There using and decrypt information can AESencrypt Each with entity a - 128 key- Section 4 Section in as discussed capabilities cryptographic Interoperable material keying appropriate Share 5.3 • • • • • • • • • • 6.4 in Section 5.2.3.1 discussed As by generated certificate a in included be to information other authenticates and certificate (CA). Authority Certification a which t a signed using generation certificate for CA to is a information submitted appropriate as the deem RA CA e.g., must trustworthy, request.certification The 6.3 then the two entities have entities two the then used to no is algorithm an that case the In For example, if entities A and B are and B entitiesA if inFor two different example, organizations, and to performed be to needs (e.g.,haverisk assessment may been the “broken”), a algorithm determine whether the should information be re protect will that size key and SP 800Section for 5.6.4 NIST 800 SP security strength that can be provided by an encryption opera an by be provided can that security strength since- both 3072 Section 6.1
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: ne CA
referred referred TANDARDS ECHANISMS
). S M RYPTO ificate C certificate NG
SI U RYPTOGRAPHIC in a C UIDELINE FOR G operate in accordance with those those with accordance in operate public key Certification Certification two between relationship trust
58
certificates provide a means to create a chain of trust trust of a chain create to a means provide certificates - and trusts that and CA to with subscribers in other CA domains (e.g., the subscriber in subscriber the (e.g., domains in other CA subscribers with Cross
." he establishment of a of establishment he safely is t other's each of thethrough signing
certificate (CAs)
-175B
acceptable them finds , CrossCertification orities ross certification ross certification C Auth - "cross to as a only beCross performed when certification examines each should the CA otherCA's policies 6.5 NIST 800 SP o in that subscribers so CAs other to multiple CA root trusted, single, a from domain can interact interact can domain andother domain has the assuranceone subscriberin domain of CA identity the the of by hisinformation cert the provided other of the accurateness of assurance policies.
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: . - 1, -
for d
/16]. TANDARDS ECHANISMS /16]. S M 8/18 8 . /1 was desired. desired. was 8 Secure Hash Hash Secure RYPTO of cryptography cryptography of C 4, Digital Signature - [accessed [accessed NG 512/224 and SHA
- Security Security SI 19, 2015] 25, 2001 (updated 4, , [accessed - Escrowed Encryption Encryption Escrowed U
RYPTOGRAPHIC 180 2
C -
186 .
185, 185, , May 140
512, SHA . - 2/fips1402.pdf - UIDELINE FOR
G 4 4 - - ithdrawn October in a key escrow system thatescrow provide in a system key 384, SHA
- References protecting U.S. Government information. Government information. protectingU.S. lawfully authorized.
: 59 telecommunications when access to the the to access when telecommunications an encryption/decryption algorithm an encryption/decryption of use algorithm the A
256, SHA - specifies the requirements that must be met by met be that must requirements the specifies , July 2013. , August 2015. specifies a suite of algorithms that can be used to to used be can that algorithms of suite a specifies 2 4 rmation Processing Standard Processing rmation - 4 specifies seven cryptographic4 specifies hash SHA algorithms: seven - - for the generation of key pairs,forcertain requires key the and of generation Appendix Appendix Information Processing Standard Processing Information
was intendeduse for Law Enforcement Access Field (LEAF) creation method that method creation (LEAF) Field Access Enforcement Law used protecting for devicesand in electronic be implemented . 224, SHA
decryption of were classified. The classified. were creation method LEAF and the algorithm FIPS 186 FIPS 185 specifiedFIPS FIPS 180 FIPS 140 the and a could such telecommunications protectiogovernment when n The LEAF was telecommunications Standard Processing Information Federal Standard (DSS) and This Standard RSA. ECDSA generate a signature: digital DSA, digital of includes generation the for signatures, methods methods and and parameters ECDSA), (for DSA domain thefor of generation methods Federal Federal Standard, February [w 9, 1994 http://csrc.nist.gov/publications/fips/fips185/fips185.pdf cryptographic modules security of levThe standard qualitative provides increasing, els four design the secure to related areas cover requirements security The and a implementation cryptographic module. of ProcessingFederal Standard Information Standard (SHS) http://dx.doi.org/10.6028/NIST.FIPS.180 SHA- Federal Info Federal Requirements for Cryptographic Modules 3,December (Change 2002 Notice 2)) http://csrc.nist.gov/publications/fips/fips140 512/256. http://dx.doi.org/10.6028/NIST.FIPS.180 overnment
-175B
FIPS 186 FIPS 185 FIPS 180 in G the Federal http://csrc.nist.gov/publications at are available publications All FIPS 140 the use Special to (SP) andThe following NIST FIPS use apply the Publications NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - s, key that The -
Hash - TANDARDS ECHANISMS , August August , /16]. S Standard: M [accessed 18
MAC) [accessed
( Keyed 8/ 3 - for all three three all for RYPTO Standards for algorithm. algorithm. - 384 and SHA3
C 1, output functions functions output - - SHA final.pdf - NG
SI [accessed 198 1_final.pdf
199, 199, Advanced Encryption Encryption Advanced U - 199 certain events occur RYPTOGRAPHIC
-
C
202, 202, assurance public of 198
Output FunctionsOutput PUB 197, - -
197.pdf 256, SHA3- - block cipher block , July 2008.
key possession 1/FIPS- . - - UIDELINE FOR individuals.
G
. (HMAC) 224, SHA3- - message authentication code code authentication message
60
, November 26, 2001 defines a defines Based and Extendable Hash establishes securityestablishes categories for both information 1 - assets, fulfillassets, its legal responsibilities,maintain its -
. supports key sizes of 128, 192, andsupports 256 bits keya sizes block of and day functions, and protect
s, February 2004. - jeopardize the information and systems information to - /16]. /16]. FIPS 202 specifies SHA3 202 FIPS 199 FIPS FIPS 198 symmetric key a symmetric 197 specifies FIPS Federal Information ProcessingFederalInformation Standard Permutation themselve not, in which are and (SHAKE128 SHAKE256), considered be hash to functions http://csrc.nist.gov/publications/fips/fips199/FIPS 8/18 and information The systems. security categories are based on the potential on impact an organization if needed organization by accomplish the assigned to mission, its protect its day extendable specifies also two FIPS 512. This validity and assurance of privateof assurance validity and Standard size 128 bits. of Federal Information Processing Standard Message Code Authentication http://csrc.nist.gov/publications/fips/fips198 8/18 key secret with a in conjunction function cryptographicuses hash a the MACs. of verification and the calculation for Federal Information Processing Standard Security of Information Categorization Federal and Information System that 2015. parameter validity (DSA and ECDSA), and ECDSA), and (DSA validity parameter algorithms Standard Processing Information Federal Standard (AES) http://csrc.nist.gov/publications/fips/fips197/fips assurances for using digital signatures: assurance of domain of assurance signatures: digital using for assurances http://dx.doi.org/10.6028/NIST.FIPS.202
-175B
IPS 197 FIPS 202 FIPS 199 FIPS 198 F NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: ., , May May , TANDARDS ECHANISMS akers in akers in S M m - integrity of of integrity
(i.e., AES or or (i.e., AES RYPTO
C NG 2001. SI U RYPTOGRAPHIC , December , December 2001. C for providingfor random
A Statistical Test Suite for for Suite Test A Statistical
, OFB), and Counter (CTR). (CTR). and Counter OFB),
UIDELINE FOR
, February 26, G 38A 22r1a 32 e from truly output.e from random 38B Recommendation for Block Cipher Recommendation forCipher Block Recommendation for Block Cipher Cipher for Recommendation Block Introduction to Public Key Technology Technology to Key Public Introduction
based MAC algorithm, called CMAC, called CMAC, algorithm, MAC based Revision 1a Revision -
underlying block cipher algorithm (i.eunderlying block cipher algorithm specifying modes of operation for block block of operation for modes specifying 38B, 38B, 38A, 38A,
- - 22 32, he CMAC Mode for Authentication Mode he CMAC for -
- 61 Methods and Techniques :
specifies a message authentication code (MAC) (MAC) code authentication a message specifies approved
was developed to assist agency decision agency to assist developed was defines five confidentiality modes of operation defines use five confidentiality modes for discusses some aspects of selecting and testing random random testing and selecting aspects of some discusses
, April 2010.
38B 32 - 22 38A - - - that indistinguishabl are that s . This block cipher - /dx.doi.org/10.6028/NIST.SP.800 des Operation:of t SP 800 SP 800 SP 800 SP 800 2005. basedcipherkey blockalgorithm symmetric on a TDEA) be used the and may to of source provide assurance binary data. http:/ cipherkey algorithm: block with symmetric an underlying Cipher (CBC), Block Chaining Cipher (ECB), Electronic Codebook ( Output Feedback Feedback (CFB), Used with an Special Publication 800 Mo and pseudorandom numberand pseudorandom generators a if determining isPKI their appropriate for agency, PKI and how agency. a Federal within effectively most deployed be can services It PKI intended to is of their provide an overview functions and applications. series publications A of cipher algorithms. Special 800 Publication Modes of Operation and TDEA), theseAES can provide protection modes cryptographic data. sensitive computer for Random andRandom Number Pseudorandom Generators for Cryptographic Applications - http://dx.doi.org/10.6028/NIST.SP.800 number 800 Special Publication and the Infrastructure PKI Federal - http://dx.doi.org/10.6028/NIST.SP.800 Special Publication 800 SpecialPublication - http://dx.doi.org/10.6028/NIST.SP.800
-175B
38B 38 38A 32 22 - - - - - SP 800 SP 800 SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , MAC) - TANDARDS ECHANISMS S M key block key - and the Cipher RYPTO , C ng the techniques techniques ng the . bit block size (i.e., size block bit NG the algorithm AES
38A SI - U symmetric RYPTOGRAPHIC currently for approved for Confidentiality on on Confidentiality for
C
. SP 800 by combini - 128 with a
UIDELINE FOR
, but not approved G AES mode of AES mode - 38E 38C AES Mode Mode AES 38D - - Recommendation for Block Cipher Recommendation forCipher Block 90B Recommendation for Block Cipher Cipher for Block Recommendation Recommendation for Block Cipher Cipher for Recommendation Block -
, specified in
the Galois/Counter Mode (GCM), an Mode (GCM), an the Galois/Counter , subject to one additional requirement, as one, subject additional requirement, to 38E, 38C, 38C, 38D
- - - ot encrypted. GCM and GCM ot are encrypted. GMAC modes he XTS
SP 800 ST.SP.800 62 is n
Message Authentication Code (CBC Authentication Code Message bit bit block size (i.e., AES) specifies defines a mode of operation, called CCM, for a a for of operation, CCM, called mode defines a
(updated 20, 2007) 2004 July , May approves the XTS
. key block cipher algorithm cipher block key specified in specified ) 38D - ( 38C 38E -
- -
with a with 128- . CCM beused may to the provide assurance confidentiality of SP 800 SP 800 SP 800 cipher Special 800 Publication Modes Operation: t of 2010. , January Devices Storage - http://dx.doi.org/10.6028/NIST.SP.800 an option protecting the for data confidentiality of storage on doesdevices. the The mode not of data provideauthentication or its source. AES) data computer of authenticity and the theof Counter mode (CTR) algorithm Special 800 Publication andModesOperation:Galois/Counter Mode GMAC of (GCM) 2007. November with forand associated data, its encryption algorithm authenticated code authentication a message for generating GMAC, specialization, (MAC) on data that to IEEby reference 1619 E Modes of Operation: the CCM Mode for Authentication and Authentication and for Mode Operation: the CCM Modes of Confidentiality http://dx.doi.org/10.6028/NI symmetric Block Chaining- general use SpecialPublication 800 operation anof for underlying, - http://dx.doi.org/10.6028/NIST.SP.800
-175B C 38E 38D 38 - - - SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , - - n ril ril , and , and , Ap TANDARDS ECHANISMS k Cipher k S M
RYPTO C and a process for a processand for NG SI , based cipher suites as as suites cipher based U RYPTOGRAPHIC - preserving encryption, Security and Privacy Privacy and Security C existing methods, this this methods, existing - Preserving Encryption Preserving - (specified in SPs) (specified
4,
Guidelines for the Selection, Selection, the for Guidelines
,
UIDELINE FOR
ision G while making effective use of use effective making while the selection and configuration of configuration of selection and the
38G 52r1 53r4 38F . , Recommendation for Block Cipher Recommendation forCipher Block Recommendation for Bloc for Recommendation
Revision 1 Revision
53 Rev P) mode. An analogous mode with the with the P) analogous mode An mode. - 38F, 38G, 38G, - - configured with FIPS 52
- other recommended extensions.other recommended 63 , April 2014. specifies methods for format for methods specifies
describes cryptographic methods that for methods approved are describes cryptographic
provides a catalog of security and privacy controls for for controls privacy and security of catalog provides a
Padding (KW and FF3. Each of th Eachese and of FF3. operation of methodsmode is of a 38G 53 38F - - - ith ith provides guidance about provides guidance w 52 SP 800 Transport (TLS) provides to Security Layer mechanisms protect SP 800 SP 800 recommended cryptographic algorithms Federal Information ProcessingFederal Standards Information and NIST (FIPS) federal and organizations systems information the minimum appropriate secure transport protocol. This publicatio This protocol. transport secure appropriate minimum the 800 Publication Special Controls Federal for Information Systems and Organizations (including operations organizational protect to controls selecting Implementations SP Internet. the across dissemination electronic during data sensitive 800- protocolTLS implementations 1.1 be TLS requires that . In approving key wrapping additionto Special 800 Publication eration:ModesFormat Methods for of Op March 2016. FF1 called algorithm,the which AES to is construct used a round function encryption. for structure Feistel the within Special 800 Publication (TLS) Security and Use of Layer Transport Configuration, must be support mandatory extensionsalso which TLS for identifies provided identifies and 2013 (updated January 2015) 22, Modes, December Wrapping 2012. Methods for of Key Operation: authenticated deterministic new, two specifies publication asTriplethe (TDEA) EncryptionAlgorithm Data underlying block is also to TKW, applications. supportlegacy cipher,called specified Special Publication 800 SpecialPublication operationencryption of modes the of Advanced EncryptionStandard Key AES and the Key themode (KW) (AES) algorithm: AES Wrap Wrap - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800
-175B
53 38G 52 38F - - - - SP 800 SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - - - - Qu TANDARDS ECHANISMS S M focuses on on focuses It establishment establishment RYPTO C 56B through an through 56B - NG . SI Recommendation for for Recommendation U
RYPTOGRAPHIC , 800
C Recommendation Pair for Recommendation Pair for SP
, , - Menezes and Hellman
-
UIDELINE FOR
s for the derivation of keying keying derivation of the for s Revision 4 Revision G
, January 2016
57pt1r4 56Ar2 56Br1 56C attacks, natural disasters, structural structural disasters, natural attacks,
56A or56A Recommendation for Key Derivation Derivation for Key Recommendation establishment schemes based on the the on based schemes establishment
establishment schemes using integer schemes using establishment Revision 2 Revision 1 Revision - -
(RSA). (RSA). Both key transport key- and Part 1 Part s of Diffie
, 800-
56C, Expansion , November 2011. 57 56B 56A - -
- - - provides general guidance and best practices practices best and guidance general provides 64 establishment schemes. establishment then 57 - - Part 1: General 1: , Part specifies technique specifies expansion procedure. expansion specifies key specifies specifies key specifies -
. , May 2013 , September 2014. Establishment Schemes Using Discrete Logarithm UsingEstablishment DiscreteSchemes Logarithm Establishment Using Integer Factorization Schemes - then - 56C 56A 56B - - - (MQV) key- - including hostile cyberhostile including , Part SP 800 of 1 SP 800 SP 800 SP 800 issues cryptographic management of involving the their keys: such as topics, use,generation, Related and eventual destruction. selection and appropriate key algorithm size, cryptographic policy, selection,areand included. cryptographic also module agreement schemes are specified. schemes agreement through Extraction a key- during established secret a shared from material extraction Special 800 Publication Key Management - http://dx.doi.org/10.6028/NIST.SP.800 Vanstone Special 800 Publication Wise Key Cryptography factorization cryptography Special 800 Publication in SP defined scheme of thecryptographic for keying management material. individuals, otherindividuals, and thea organizations, diverse Nation from set of threats errors. human and failures, Special 800 Publication Wise Key Cryptography - http://dx.doi.org/10.6028/NIST.SP.800 curves, elliptic and fields over finite problem logarithm discrete variation several including mission, functions, image, and reputation), organizational assets, assets, functions, organizational mission, image, and reputation), - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800
-175B 57, Part 1 56B 56C 56A - - - - SP 800 SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: ry 89 - TANDARDS ECHANISMS , Janua S M This part of part of This management management - RYPTO C NG SI management issues issues management Recommendation for for Recommendation - U
RYPTOGRAPHIC , , November 2006. , November C Recommendation the for Specific Key Management Specific Recommendation for Key , - management infrastructure, infrastructure, management
-
UIDELINE FOR ation Revision 1 Revision
G
Recommendation for Obtaining for Recommendation Obtaining 89 57pt3r1 67r1 57p2
Revision 1 Revision management practices statements, an an statements, practices management
89, addresses the key addresses Mail Extensions (S/MIME), Kerberos, Kerberos, (S/MIME), Extensions Mail - 57, Part 2, 57, Part - the Triple Data Encryption Algorithm Algorithm Encryption Data Triple the 67 - provides on policy guidance and security 57, Part 3
- 57 management information thatmanagement information to needs be 65 57 800 ecurity plansecurity general and for support systems 800- ugust 2005. Part 2: Best Practices for Key Management Management Key for Practices Best 2: Part
specifies SP contains a key generic contains , 67 - Air Rekeying (OTAR), Domain Name System Security Security System Name Domain (OTAR), Rekeying Air , January 2015. 57 - - management information that needs to be documented allmanagement for Data Encryption Algorithm BlockData (TDEA) Cipher the - Entities participating in the generation or verification of digital digital of verification or generation the in participating Entities SP 800 Part 3 of of SP of 800- 2 Part ent cryptographic engine, the the engine, ent compon cryptographic its primary including(TDEA), (DEA). Algorithm Encryption Data Special Publication 800 Assurances Digital Signature for Applications - http://dx.doi.org/10.6028/NIST.SP.800 SP 800 process. the of authenticity the on depend signatures valid for necessary assurances the obtaining for methods specifies assurance validity, parameter domain of assurance signatures: digital (IPsec), the Transport Layer Security protocol (TLS), (TLS), protocol Security Layer Transport the (IPsec), Internet Secure/Multipart Over and the Shell Secure Encrypted Systems Extensions File (DNSSEC), protocol. (SSH) Special 800 Publication Triple of key- of Federal cryptography. applications of Special Publication Key Management, 3: Applic Part Guidance - http://dx.doi.org/10.6028/NIST.SP.800 such mechanisms, cryptographic available currently with associated Security Protocol Internet (PKI), infrastructure Key Public the as 2012. Management Organization, A government U.S. agencies. for planningrequirements SP 800 organizational of key development the guidance for key- of identification incorporated into s cryptography,andan identification employ applications that major Special Publication 800 Publication Special policy statements and key- policy statements - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800
-175B
89 67 57, Part 3 57, Part 2 - - - - SP 800 SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
:
and are and are TANDARDS ECHANISMS
S /16]. /16]. M , including , including 8/18 8/18
RYPTO owner actually owner
C DRBGs must be , January. 2016 NG . pair SI
- U [accessed [accessed Recommendation for RYPTOGRAPHIC
C , deterministic random bit bit random deterministic entropyand sources as 90C 90B - - Recommendation for the
ecommendation for Random , ) R
90A , UIDELINE FOR - ) , April 2016. raft G D mechanisms for themechanisms of generation 90Ar1 ( Revision 1 -
Draft ( SP 800 90B 90B 90A - - DRBG 90C 90C . -
66 90B - specifies constructions for the implementation of of implementation the for constructions specifies tion 800 tion specifies specifies specifies the design principles and requirements for for requirements and principles design the specifies
/10.6028/NIST.SP.800 SP 800
90C 90A 90B - - - SP 800 SP 800 SP 800 Special Publica Special ConstructionsBit (RBG) Generator deterministic a be may RBG An (RBGs). generators bit random bitor generator random a non- (DRBG) DRBG consist RBGs generator The constructed of (NRBG). as specified mechanisms in specified initialized from a randomness source that provides sufficient entropy entropy sufficient provides that source a randomness from initialized be supported by the the to for DRBG. strength security 800 Publication Special Bit Generation Entropy Random Used for Sources Bit sources GeneratorstheRandom by entropy used and thattheto entropy source hashealth determine not tests failed entropyvalidationthe sources. of tests for possesses the private key, and assurance of the theidentity of key of assurance and private key, the possesses pair owner. 800 Publication Special Number Bit GenerationRandom Deterministic Random Using , June Generators 2015. bitsrandom using methods. The deterministic methods provided are based on either hash functions or cipher algorithms block strengths security selected support to designed of publicof assurance key validity, that the key http://csrc.nist.gov/publications/PubsSPs.html#800 http://csrc.nist.gov/publications/PubsSPs.html#800 http://dx.doi.org
-175B 90C 90B 90A - - - SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: -
en
be using
TANDARDS ECHANISMS . S M have
od to enhance od to enhance RYPTO may C based KDFs). based NG SI derivation key) U , August 2012. , August Recommendation for RYPTOGRAPHIC - C
ion for Key Derivation Derivation for Key ion , , October 2009. length message digest from from digest message length specifies a specifies meth
UIDELINE FOR derivation key derivation key
provides security guidelines for provides guidelinesfor security (i.e., a key establishment scheme or shared shared or scheme establishment G
- 106 - 106 107r1 108 102 Randomized Hashing for Digital Randomized Digital Hashing for Revision 1 Revision (Revised)
107 Recommendat
Recommendation for Digital Signature DigitalRecommendation Signature for
ovides no assurance that the private key key private that the assurance no ovides (e.g., a manual key distribution) 107 106, SP 800 - - 108, 102, -
. These include functions such as digital digital as suchinclude functions . These - 67
ta that is included in the signed message, the the message, the signed in is included ta that hash Message Authentication Codes (HMACs) (HMACs) Codes Authentication Message hash - FIPS 180 - based(hash Derivation Key Functions cryptographic hash function in the generation and and in generation cryptographic hash the function , February 2009. ength messages are widely used for many purposes in in purposes many for used widely are messages ength 108 specifies techniques for the derivation of additional additional derivation of the 108 specifies techniques for
- supplied da supplied hed- approved digital signature algorithms require the use of an of the require use signature algorithms digital approved material from a secret key a secret from material - can provide some level of assurance about the time that the that the time the about assurance level of some provide can ed in
SP 800 Hash functions that compute a- fixed that compute Hash functions NIST Establishing the time when a digital signature was generated is generated was signature when a digital the time Establishing Special Publication 800 Special Publication Using Pseudorandom Functions keying through other some manner approved UsingApplications Approved Algorithms Hash l arbitrary 800- security.information SP using when strengths security or desired required the achieving hash functions the approved that employ cryptographic applications specifi Keyed signatures, and Has Special Publication 800 Publication Special Signatures - http://dx.doi.org/10.6028/NIST.SP.800 verification of signatures. digital hash used the functions in of cryptographic the security signed. are that the messages randomizing by applications signature Special 800 Publication functions. pseudorandom The key- , September , September 2009. Timeliness the that includes message signed A consideration. a critical often (purported)signing pr time and/or Authority Timestamp a Trusted from timestamps based - verifier signer was signed. message Special Publication 800 SpecialPublication the of the accuracy unless time at that message the to sign used was signature digital of use appropriate the With trusted. be can time key a through established either - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800
-175B 108 106 107 102 - - - - SP 800 SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - a Based Based - TANDARDS ECHANISMS powerful S M
Transitions: Transitions: RYPTO
, C a CKMS designer designer a CKMS NG , or disallowed. SI U 77 RYPTOGRAPHIC
C , December 2010. , December
, August 2013. ts.
Revision 1 Revision provides for recommendations
UIDELINE FOR
G A Framework for Designing for Designing Framework A
131Ar1 132 133 130 protected information, but there may be theremay but protected information,
- Recommendation for Cryptographic Recommendation forRecommendation Password
131A
- , November 2015. , November 130, - 57, Part 1 cryptographic algorithms. - 133, 132, - -
offers more specific guidance for such such for guidance more specific offers 68
131A , December 2012. - Part 1: Storage, Part 1: Applications discusses the generation of the keys to be managed the to be discusses of keys managed generation the specifies techniques for the derivation of master keys keys of master the derivation for techniques specifies 133 132 130 contains topics to be considered by be130 contains considered topics to -
- - SP 800 SP 800 SP 800 Section 5.6.4 of SPSection of 800 5.6.4 SP 800 and used by theand used approved by Key Derivation Key Special 800 Publication Generation Key - http://dx.doi.org/10.6028/NIST.SP.800 and key lengths algorithms totransitioning cryptographic new breaksbecause algorithm of or availability of the more thatcomputers cryptographic for used could to efficiently search be keys. 800 SP in addressed is service and algorithm Each transitions. d, deprecate is use acceptable, its whether indicating 131A, only applications legacy restricted, for allowed Special 800 Publication or data electronic stored protect to passwords or passphrases from keys.data protection Cryptographic Key Management Systems Cryptographic Key Management design include developing awhen Topics CKMS specification. interoperability metadata, and keys cryptographic policies, security assurances, system testing and controls, security transitioning, and assessmen security and recovery, disaster 800 Special Publication of Cryptographic the Transitioning Use Recommendation for LengthsAlgorithmsand Key Special Publication 800 Publication Special - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800 - http://dx.doi.org/10.6028/NIST.SP.800
-175B 133 132 131A 130 - - - - 800
risk in doing so. doing in risk The algorithm and key length may be used to process already process to used be may length key and algorithm The
77
SP SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: TANDARDS ECHANISMS S M ence Security Security ence [accessed RYPTO
C , October 2015. NG 7924 Refer - SI
U Recommendation for RYPTOGRAPHIC IR - C
, raft), D
ederal their organizations and UIDELINE FOR
G A ProfileA S. U. for Federal 175A 152 135r1 Guideline for Using Cryptographic UsingGuideline Cryptographic for Revision 1 Revision
(Second
152, 135 - - provides security requirements for those for requirements provides security 175A, 175A, 7924 -
69
, December December , Functions Derivation Key Specific - 135
used internet security protocols haveused theirsecurity internet own is intended to identify a set of security controls and and controls security of set a identify to intended is sments to determine what needs to be protected and how and protected to what be needs to determine sments specific Key Derivation Functions (KDFs) that are used are used that (KDFs) Functions Derivation Key specific SP 800- SP 175A provides175A determination the guidance on of - 152 contains for requirements the implementation, design, - related documents variousrelated practice (e.g., policy and -
800-
, May 2014. , May es, August 2016. 130. /16]. generate the their cryptographic icrequired cryptograph for keys
overnment’s guidance conduct sensitiveinformation, the regarding NIST 7924 NIST SP SP 800 Many widely- use of ause CKMS by and of f U.S. for risk asses of Policy http://csrc.nist.gov/publications/PubsDrafts.html#NIST 8/18 written It was certificates. of issuance secure the support to practices for format standard a (CP), Policy Certificate a of form the in defining expectations and the requirements the of relying party Certificate its by issued certificates the trust will that community (CAs). Authorities - http://dx.doi.org/10.6028/NIST.SP.800 using for requirements laws cryptography. It of a summary includes Federal theprotection of the and regulations concerning G andrelevant a discussion thebest of to that information, protect security documents). Report Internal NIST - http://dx.doi.org/10.6028/NIST.SP.800 operationprocurement, installation, configuration, and management, The Profile Specialcontractors. ison NIST based Publication SP 800- Special Publication 800 and Mandates Government:Standards the Directives, in Federal Polici Existing Application Existing 2011. application to KDFs. 800 Publication Special (CKMS) Systems Management Key Cryptographic Special Publication 800 SpecialPublication functions. - http://dx.doi.org/10.6028/NIST.SP.800
-175B 175A 152 135 - - -
NISTIR 7924 NISTIR SP 800 SP 800 SP 800 NIST 800 SP
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: - −
will will
3 - .
TANDARDS , ECHANISMS Oriented Oriented 2004. -
S M
. 38A - .
2014 - 38B RYPTO 8: - C , March 2 family of hash of 2 family NG Security techniques techniques Security SP 800 Security techniques Security techniques Security techniques -
SI
. U Security techniques techniques Security − RYPTOGRAPHIC Key Cryptography − − ISO/IEC 10118 ISO/IEC
- C − Part 1: Mechanisms using Part 2: Mechanisms using functions , February 2006.
, 2008
. Public UIDELINE FOR for ) | ISO/IEC 9594 ISO/IEC ) | , 2004. G 1 and the SHA - 2012 . A revision of of revision . A
[web page] [web
Cryptography bit block cipherbit block
May 2011. , May Open Systems Interconnection Interconnection Systems Open 70 Information technology Information Key Key - Information technology Information technology -
certificate attribute and key Information technology technology Information FIPS 180 FIPS function 3:2004, 3:2004, - 1:2011, 2:2011, Standard Specifications For PublicSpecifications Standard Key Cryptography - - , March 2011. Standard Specifications Standard Specifications
. . Based Public - Part 3: Dedicated hash - 3: Dedicated functions − Part October 2008. , October - Key Cryptographic Techniques Based on Hard Problems over over Problems Hard on Based Techniques Cryptographic Key -
T Recommendation X.509 ( Recommendation X.509 T - This standard includes all the modes specified in in specified the modes all includes standard This SHA includes This standard Message − Authentication(MACs) Codes 800- SP in as specified CMAC, includes standard This MessageAuthentication − Codes (MACs) 198 FIPS in as specified HMAC, includes standard This http://standards.ieee.org/about/get/802/802.11.html http://grouper.ieee.org/groups/1363/ frameworks Information technology - Public The Directory: ISO/IEC 10116:2006, Modes n- for of an operation ISO/IEC 10118 − Hash functions specified in ISO/IEC 9797 − ISO/IEC 9797 − Public Lattices Password Standard Cryptographic for Protection on Block of Data . , 2008 Devices Storage ITU a block cipher a dedicated hash - Wireless Local Area Networks Area Local Wireless IEEE P1363: page] [web IEEE P1363a: Techniques 1:Amendment Additional
3
- 1 2 8 - - -
-175B
NIST Publications: NIST - Non NIST 800 SP ISO/IEC 10118 ISO/IEC 10116 ISO/IEC 9797 ISO/IEC 9594 ISO/IEC 9797 IEEE P1363.2 IEEE IEEE P1619 IEEE P1363a P1363.1 IEEE IEEE P1363 IEEE 802.11 IEEE
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: . TANDARDS ECHANISMS
S M and elliptic
s RYPTO C NG Security techniques techniques Security Security techniques Security techniques Security techniques techniques Security techniques Security techniques Security
Trusted Platform
SI .
and AES is specified specified is AES and
− U − − − − December 2010. , December RYPTOGRAPHIC − C 67 August 2015. , August - key derivation key methods . , 2015 for finite field finite for
FIPS 202 Part 2: Integer factorization factorization Integer 2: Part step - SP 800 UIDELINE FOR Part 3: Discretelogarithm based G establishment schemes specified in in specified schemes establishment − bit block ciphers: TDEA, MISTY1, TDEA, ciphers: bit block bit block ciphers: AES, Camellia,AES, and ciphers: block bit , August 2015. . Part 3: Mechanisms using asymmetric asymmetric using Mechanisms 3: Part
, as specified DSA, Information technology 71 Informationtechnology 56B
Information technology Information technology Information technology Information Information technology − Trusted Platform Information technology Information technology − Trusted Platform Information technology − Trusted Platform . - s 6, - 56C - . April 2008. , April 3 functions in specified - 2:2008, 2:2008, 3:2016, 3:2010, 3: 2015, 3: 2015, 4:2015, 1:2015, 2:2015, 3:2015, , as well as the two the as as well , - - - - - 108 and SP 800 , March. 2016 SP 800 . August 2015. - , 56A TDEA is specified in in is specified Note that TDEA 128, HIGHT and 128- 128, HIGHT - FIPS 186 in FIPS - s -- Key management SP 800 Digital signatures with appendix − Digital signatures appendix with FIPS 197 This standard include 64- includes This standard atures, as specified in FIPS 186 as specified signatures, includesThis RSA standard This draft standard will include all key derivation functions specified Thisfunctions derivation draft standard specified include will all key This standard specifies key establishment mechanisms, some of some mechanisms, establishment key specifies standard This Digital appendix with signatures curve Module Supporting Routines − Part Library 4: mechanisms ISO/IEC 18033 − Encryption algorithms − Part 3: ciphers Block CAST SEED. in ISO/IEC 11889- ISO/IEC 14888 − based mechanisms ISO/IEC 14888 − in in specified ISO/IEC 11889 , August 2015. Architecture Module 1: − Part Library ISO/IEC 11889- 2015. , August Module 2: Structures − Part ISO/IEC 11889- Module 3: Commands − Part ISO/IEC 11770 ISO/IEC − techniques key- with instantiated be can which SP 800 ISO/IEC FDIS 11770 derivation 6: Key − Part − Key management include the SHA
3 2 3 3 - - -
- -175B DIS F 6 NIST 800 SP ISO/IEC 18033 ISO/IEC 14888 ISO/IEC 14888 ISO/IEC 11889 ISO/IEC ISO/IEC 11770- ISO/IEC 11770 ISO/IEC
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: , , , - − key - 2001 1998 - - - SP 800 TANDARDS ECHANISMS rsa - logarithm logarithm S M 2 - - ), GCM (as ), GCM
Hellman and Hellman - 1v2 - RYPTO 38C - C . discrete pkcs NG RSA Cryptography Cryptography RSA , specifies schemes schemes specifies , - Diffie SI 3 U parameter generation, generation, parameter Security techniques techniques Security wp RYPTOGRAPHIC
- - C −
domain /16].
pair generation, public pair generation, UIDELINE FOR - G 8/18 1, version 2.2, 1, version 2.2, , 1998 [withdrawn] # dations implementation of the for labs/pkcs/files/h11300 - [accessed
72 , February 2009. ), and Key wrapping (as specified in in specified wrapping (as ), and Key plus/rsa Information technology technology Information - 38D agreement schemes. agreement -
standard.pdf . 31 defined a method for digital signature (signature)signature31 digital for defined a method SP 800 . and verification for the verification for protection financialand of and messages based key- based parameter validation,parameter key - - key cryptography based on the RSA algorithm, covering covering algorithm, thebased RSA cryptography on key - cryptography- [withdrawn]
). ANS ISOANS X9.42, 11770- partially adapted from ANS X9 This standard includes CCM (as specified in SP 800 (as specified CCM includes standard This 1 providesrecommen PKCS http://www.emc.com/emc 2001 validation,shared derivation, and test calculation, value key secret for computation code authentication message message recovery.message public In the for addition, of criteria generation and and the controls procedural theprivate required algorithm keys by were the provided.thealgorithm of required secure use for X9.42 Services Financial for Standard National American Public Key Cryptography for the Financial Services Industry: Using Logarithm Discrete Keys Cryptography ofSymmetric Agreement symmetric of the usingfor agreement keys the It algorithms. covers forMQV methods public with signatureschemes, schemes encryption cryptographic primitives, and for representingfor keys syntax appendix the ASN.1 and schemes. identifying the X9.31 Services Financial for Standard National American for the Cryptography Key Public Reversible Using Signatures Digital (rDSA) Industry Services Financial generation data reversible using public key cryptography systems without problem Authenticated encryptionAuthenticated in specified 38E System Cryptography Public Key Standard. , October 27, 2012 ISO/IEC 19772:2009,ISO/IEC domain
-175B
NIST 800 SP X9.42 X9.31 PKCS 1 ISO/IEC 19772 ISO/IEC
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B
: key - Key Key , TANDARDS ECHANISMS S M agreement agreement 2007 - , 2007. RYPTO C ation of public and public and ation of and Key Transport NG
SI U RYPTOGRAPHIC C Public Key Cryptography he Elliptic Curve Digital Digital Curve Elliptic he , Public Key Cryptography ,
UIDELINE FOR 2011 2005 G - - , 2011. ters that and required are ECDSA by establishment schemes that employ that employ schemes establishment X9.62 , 2005. establishment schemes using public using schemes establishment -
73 Standard X9.63
based Two on the typesinteger of factorization problem. curve domain parame domain curve - transport schemes are specified. arespecified. schemes transport establishment schemes are specified: key transport and key key and transport key are specified: schemes establishment elliptic ANS ANS X9.63 defines key- ANS X9.44 specifies key specifies X9.44 ANS (signature) for signature methods digital X9.62 defines ANS asymmetric cryptographicasymmetric The arithmetic operations techniques. algebraic take place in the the schemes of the operation in involved Both key- curve ana elliptic finite over field. e of structur generation and verification for the protection of and protectionof data messages the andverification for generation This (ECDSA). Algorithm Signature Digital Curve Elliptic the using gener the criteria for and Standard provides methods private that keys are and required the by ECDSA controls procedural with algorithm This the these keys. use the of required secure for generation the for and criteria Standard methods ECDSA provides also of thethe required use the for of algorithm procedural secure controls parameters. domain these with National American Agreement Key Industry: Services Financial for the Using Elliptic Curve Cryptography and key- Establishment Using Integer Cryptography Factorization agreement. Standard National American for the Financial Services Industry:t (ECDSA)Signature Algorithm American National Standard for Financial Services X9.44 Services Financial for Standard National American , cryptography key-
-175B
.44
NIST 800 SP X9.63 X9.62 X9
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-175B