NIST Security Strength Time Frames

Security Strength Time Frames of NIST SP 800-57 Part 1
Security Strength80112128192256
applying processing applying processing
through 2010 acceptable acceptable acceptable acceptable acceptable acceptable acceptable
2011 through2013 deprecated legacy use acceptable acceptable acceptable acceptable acceptable
2014 through 2030 disallowed legacy use acceptable acceptable acceptable acceptable acceptable
2031 and Beyond disallowed legacy use disallowed legacy use acceptable acceptable acceptable
Symmetric Algorithms 2TDEA 3TDEA AES-128 AES-192 AES-256
FFC (e.g., DSA, D-H) L = 1024
N = 160 		L = 2048
N = 224 		L = 3072
N = 256 		L = 7680
N = 384 		L = 15360
N = 512
IFC (e.g., RSA) k = 1024 k = 2048 k = 3072 k = 7680 k = 15360
ECC (e.g.,ECDSA) f = 160-223 f = 224-255 f = 256-383 f = 384-511 f = 512+
Digital Signatures and hash-only applications SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-256, SHA-384, SHA-512 SHA-384, SHA-512 SHA-512
HMAC SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-224, SHA-256, SHA-384, SHA-512 SHA-256, SHA-384, SHA-512
Key Derivation Functions SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-224, SHA-256, SHA-384, SHA-512 SHA-256, SHA-384, SHA-512
Random Number Generation SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512 		SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 SHA-224, SHA-256, SHA-384, SHA-512 SHA-256, SHA-384, SHA-512

Note (Reference from NIST SP 800-57 part 1, reversion 3):
  • "applying" and "processing" indicates whether cryptographic protection is being applied to data (e.g., encrypted), or whether cryptographically protected data is being processed (e.g., decrypted).
  • "Acceptable" indicates that the algorithm or key length is not known to be insecure. 
  • "Deprecated" means that the use of an algorithm or key length that provides the indicated security strength may be used if risk is accepted; note that the use deprecated algorithms or key lengths may have restrictions.
  • "Disallowed" means that an algorithm or key length shall not be used for applying cryptographic protection.
  • "Legacy use" means that an algorithm or key length may be used because of its use in legacy applications (i.e., the algorithm or key length can be used to process cryptographically-protected data).

Popular posts from this blog

TLS Server Name Indication Extension and Unrecognized_name

Image
Heavy Pond, Jianfengling National Forest Park, Ledong, Hainan, China It's getting hot that some TLS/HTTPS server failed with "unrecognized_name". For example, the Adobe AIR 3 Code Signing Certificate Problem , the ADT handshake alert , and the jarsigner issue with timestamp.geotrust.com , etc. This entry will discussion some background of the "unrecognized_name" alert, and the TLS Server Name Indication (SNI) extension. Background "Unrecognized_name" is an error alert, define by RFC4366 .  In section 4 of RFC4366 : - "unrecognized_name": this alert is sent by servers that receive a server_name extension request, but do not recognize the server name. This message MAY be fatal. And in section 3.1 of of RFC4366 : If the server understood the client hello extension but does not recognize the server name, it SHOULD send an "unrecognized_name" alert (which MAY be fatal). From above sections, we see that "unrecognized
Read more

Java™ SE 7 Release Security Enhancements - Weak Cryptography Control

Weak cryptographic algorithms can now be disabled in Java SE 7 release. The MD2 Message-Digest Algorithm was disabled by default in Sun PKIX provider and SunJSSE provider. The MD2 algorithm is a cryptographic hash function developed by Ronald Rivest in 1989 , and was published in 1992 as an Informational RFC (RFC 1319) .; RFC 6149 moves RFC 1319/MD2 to historic status, "Since its publication, MD2 has been shown to not be collision-free, albeit successful collision attacks for properly implemented MD2 are not that damaging. Successful pre-image and second pre-image attacks against MD2 have been shown." Although MD2 is no longer considered secure, it remains in use in public key infrastructures as part of certificates generated with MD2 and RSA. An a countermeasure of the vulnerability, Java SE has disabled MD2 algorithm in certification path building and validation. You may wonder, Java SE has disabled MD2 algorithm in certification path building and validation in
Read more

Harness SSL and JSSE: Key Size Control

Image
Aged Bridge, Yulong River, Yangshuo, China Why Key Size Concerns The key size is an important security parameter to determine the strength of cryptography algorithms. For example, RSA keys with fewer than 1024 bits are considered forgeable.  If RSA keys less than 1024 bits are used in X.509 certificates, the private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. On August 14, 2012, Microsoft offered an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length.  As of October 9, 2012, the update is delivered via automatic update through the Microsoft update service.  Microsoft recommends that customers apply the update at the earliest opportunity. Since JDK 7u12,  RSA keys less than 1024 bits in X.509 certificates are disabled.  This is in line with the NI
Read more