Reference Guide
18 Crypto-C ME Cryptographic Toolkit
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy
Level 1
2.5 Cryptographic Algorithms
To achieve compliance with the FIPS 140-2 standard, only FIPS 140-2-approved or
allowed algorithms can be used in an approved mode of operation.
The following table lists the FIPS 140-2-approved and allowed algorithms supported
by Crypto-C ME with validation certificate numbers.
Table 4 Crypto-C ME FIPS 140-2-approved and allowed Algorithms
Algorithm Type Algorithm
Validation
Certificate
Symmetric Key AES in CBC, CFB 128-bit, ECB, OFB 128-bit, CTR, and CCM
modes (with 128, 192, and 256-bit key sizes)
AES in XTS mode (with 128 and 256-bit key sizes)
AES in GCM mode with automatic Initialization Vector (IV)
generation (with 128, 192, and 256-bit key sizes).
2859
Triple-DES in ECB, CBC, CFB 64-bit, and OFB 64-bit modes.
Note: The use of two-key Triple-DES for encryption is restricted.
For more information, see “Crypto Officer and Crypto User
Guidance” on page 22
1706
Asymmetric Key DSA (2048 to 4096-bit key sizes) 858
ECDSA (224 to 571-bit key sizes)
ECDSA2 Component Test
507
299
RSA (2048 to 4096-bit key size)
RSASP1 Component Test
RSADP Component Test
1499
298
300
Key Agreement
DH (2048 to 4096-bit key size) and ECDH (224 to 571-bit key size)
KASECC_(ECCCDH) Primitive Component Test
Non-approved
(Allowed in FIPS
140-2 mode).
296
Key Derivation
Functions (KDFs)
X9.63 KDF - Component Test 297
TLS Pseudo-random Function (TLS PRF) - Component Test 297
Password-based Key Derivation Function 2 (PBKDF2)
As defined in NIST Special Publication 800-132, PBKDF2 can be
used in FIPS 140-2 mode when used with FIPS 140-2-approved
symmetric key and message digest algorithms. For more information,
see
“Crypto Officer and Crypto User Guidance” on page 22
.
Vendor affirmed
1
Random Number CTR DRBG 507
HMAC DRBG 507
FIPS 186-2 PRNG - Change Notice 1, with and without the mod q step
1282