NIST Security Strength Time Frames

Security strength time frames (SP 800-57 Part 1 Rev. 3, Table 4). The 80- and 112-bit columns are split by whether protection is being applied or protected data is being processed; for 128 bits and above the verdict is the same for both.

| Time frame | 80 bits, applying | 80 bits, processing | 112 bits, applying | 112 bits, processing | 128 bits | 192 bits | 256 bits |
|---|---|---|---|---|---|---|---|
| Through 2010 | acceptable | acceptable | acceptable | acceptable | acceptable | acceptable | acceptable |
| 2011 through 2013 | deprecated | legacy use | acceptable | acceptable | acceptable | acceptable | acceptable |
| 2014 through 2030 | disallowed | legacy use | acceptable | acceptable | acceptable | acceptable | acceptable |
| 2031 and beyond | disallowed | legacy use | disallowed | legacy use | acceptable | acceptable | acceptable |

Comparable algorithm and key-size strengths (SP 800-57 Part 1 Rev. 3, Table 2). For FFC, L is the size of the public key (the modulus p) and N the size of the private key (the subgroup order q); for IFC, k is the size of the RSA modulus n; for ECC, f is the size of the order n of the base point. A size between two rows provides only the strength of the smaller row (RSA-4096 is rated at 128 bits, not 192).

| Security strength | Symmetric algorithms | FFC (e.g., DSA, D-H) | IFC (e.g., RSA) | ECC (e.g., ECDSA) |
|---|---|---|---|---|
| 80 | 2TDEA | L = 1024, N = 160 | k = 1024 | f = 160-223 |
| 112 | 3TDEA | L = 2048, N = 224 | k = 2048 | f = 224-255 |
| 128 | AES-128 | L = 3072, N = 256 | k = 3072 | f = 256-383 |
| 192 | AES-192 | L = 7680, N = 384 | k = 7680 | f = 384-511 |
| 256 | AES-256 | L = 15360, N = 512 | k = 15360 | f = 512+ |

Hash functions that provide at least the given security strength, by use (SP 800-57 Part 1 Rev. 3, Table 3). Collision resistance limits signatures and hash-only uses to half the output length, which is why SHA-1 reaches only 80 bits there but 128 bits for HMAC, key derivation and random number generation.

| Security strength | Digital signatures and hash-only applications | HMAC | Key derivation functions | Random number generation |
|---|---|---|---|---|
| 80 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| 112 | SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| 128 | SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| 192 | SHA-384, SHA-512 | SHA-224, SHA-256, SHA-384, SHA-512 | SHA-224, SHA-256, SHA-384, SHA-512 | SHA-224, SHA-256, SHA-384, SHA-512 |
| 256 | SHA-512 | SHA-256, SHA-384, SHA-512 | SHA-256, SHA-384, SHA-512 | SHA-256, SHA-384, SHA-512 |
Notes (terms as defined in NIST SP 800-57 Part 1, Revision 3):
- "Applying" and "processing" indicate whether cryptographic protection is being applied to data (e.g., signing or encrypting) or whether already-protected data is being processed (e.g., verifying or decrypting).
- "Acceptable" means the algorithm or key length is not known to be insecure.
- "Deprecated" means an algorithm or key length providing the indicated security strength may still be used if the risk is accepted; the use of deprecated algorithms or key lengths may carry restrictions.
- "Disallowed" means an algorithm or key length shall not be used for applying cryptographic protection.
- "Legacy use" means an algorithm or key length may be used only to process data that was protected with it in legacy applications; it is not to be used to apply new protection.
- The security strength of a digital signature is the lesser of the key strength (Table 2) and the hash strength for signatures (Table 3): an RSA-2048 certificate signed with SHA-1 is an 80-bit signature and falls under the 80-bit column, not the 112-bit one.
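The three tables and the applying/processing distinction combine into one check a practitioner usually wants when auditing certificates or key inventories: rate a key (and, for signatures, its hash) at the lesser of the two strengths, then read the verdict for a given year. The following is an added example, not code from NIST or from the page; it uses only the Python standard library, and all function and constant names (`key_strength`, `status`, `check_signature`, and the row tables) are this example's own. Sizes between table rows round down, and the FFC check caps a large L by what N supports, which the table alone does not make explicit.

```python
# Added example (not from NIST or the page): checks key sizes and hash choices
# against the SP 800-57 Part 1 Rev. 3 tables above. Standard library only; all
# function and constant names are this example's own.
from __future__ import annotations

# Table 2 as (minimum size in bits, security strength) rows. IFC uses the RSA
# modulus size k, FFC the field size L (subgroup order N checked separately),
# ECC the order size f.
KEY_ROWS = {
    "rsa": ((1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)),
    "ffc": ((1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)),
    "ecc": ((160, 80), (224, 112), (256, 128), (384, 192), (512, 256)),
}
FFC_N_ROWS = ((160, 80), (224, 112), (256, 128), (384, 192), (512, 256))
SYMMETRIC = {"2TDEA": 80, "3TDEA": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}

# Table 3: the highest security strength each hash supports, per use. The HMAC,
# KDF and RNG columns of Table 3 are identical, so one entry covers all three.
HASH_STRENGTH = {
    "signature": {"SHA-1": 80, "SHA-224": 112, "SHA-256": 128, "SHA-384": 192, "SHA-512": 256},
    "hmac": {"SHA-1": 128, "SHA-224": 192, "SHA-256": 256, "SHA-384": 256, "SHA-512": 256},
}


def _floor_lookup(rows: tuple[tuple[int, int], ...], bits: int) -> int:
    """Strength of the largest row whose minimum size is <= bits (0 below the table)."""
    strength = 0
    for min_bits, s in rows:
        if bits >= min_bits:
            strength = s
    return strength


def key_strength(family: str, bits: int, n_bits: int | None = None) -> int:
    """Security strength of an asymmetric key per Table 2.

    Sizes between rows round down: RSA-4096 counts as 128-bit, not 192. For FFC,
    a large L with a small N (e.g. DSA with L = 2048, N = 160) is capped by N.
    """
    strength = _floor_lookup(KEY_ROWS[family], bits)
    if family == "ffc" and n_bits is not None:
        strength = min(strength, _floor_lookup(FFC_N_ROWS, n_bits))
    return strength


def hash_strength(name: str, use: str = "signature") -> int:
    """Highest strength a hash supports for 'signature' or 'hmac' (HMAC/KDF/RNG)."""
    return HASH_STRENGTH[use][name]


def status(strength: int, year: int, applying: bool = True) -> str:
    """Table 4 verdict for a security strength in a calendar year.

    applying=True is protecting new data (signing, encrypting); applying=False is
    processing already-protected data (verifying, decrypting). Strengths below 80
    bits fall outside the table and are treated as disallowed here (an assumption).
    """
    if strength < 80:
        return "disallowed"
    if year <= 2010 or strength >= 128:
        return "acceptable"
    if strength == 112:
        if year <= 2030:
            return "acceptable"
        return "disallowed" if applying else "legacy use"
    # strength == 80
    if year <= 2013:
        return "deprecated" if applying else "legacy use"
    return "disallowed" if applying else "legacy use"


def check_signature(family: str, bits: int, hash_name: str, year: int,
                    applying: bool = True, n_bits: int | None = None) -> tuple[int, str]:
    """Strength and verdict for a signature scheme.

    SP 800-57 rates a signature at the lesser of its key strength and its hash
    strength, so RSA-2048 with SHA-1 is an 80-bit signature, not a 112-bit one.
    """
    strength = min(key_strength(family, bits, n_bits), hash_strength(hash_name, "signature"))
    return strength, status(strength, year, applying)


if __name__ == "__main__":
    # Constructed inventory: (family, key bits, hash) as pulled from certificates.
    inventory = [("rsa", 2048, "SHA-1"), ("rsa", 2048, "SHA-256"),
                 ("rsa", 4096, "SHA-256"), ("ecc", 256, "SHA-256"), ("ecc", 521, "SHA-512")]
    for family, bits, h in inventory:
        s, signing = check_signature(family, bits, h, 2020)
        _, verifying = check_signature(family, bits, h, 2020, applying=False)
        print(f"{family.upper()}-{bits} with {h}: {s}-bit; sign={signing}, verify={verifying}")
```

Running the inventory for 2020 reports RSA-2048 with SHA-1 as 80-bit, disallowed for signing but legacy use for verifying, which is the split the applying/processing columns encode; the same key with SHA-256 is 112-bit and acceptable until the 2031 cutoff.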