The National Institute of Standards and Technology (NIST) SP 800-131A is a United States standard that provides guidance for protecting data by using cryptographic algorithms that have key strengths of 112 bits.

NIST SP 800-131A defines which cryptographic algorithms are valid and which cryptographic algorithm parameter values are required to achieve a specific security strength in a specific time period. Starting in 2014, a minimum security strength of 112 bits is required when new data is processed or created. Existing data processed with a security strength of 80 bits should remain secure until around 2031, subject to additional NIST standards with guidelines for managing secure data.
In general, storage systems allow the use of 112-bit security strengths if the other unit that is attached to the network connection supports 112-bit security strength. If security levels are set to conform with NIST SP 800-131A guidelines, the DS8880 storage system requires 112-bit security strength on all SSL/TLS connections, other than remote support network connections.

On network connections that use SSL/TLS protocols, 112-bit security has the following requirements:
- The client and server must negotiate the use of TLS 1.2.
- The client and server must negotiate an approved cipher suite that uses cryptographic algorithms with at least 112-bit security strength.
- The client or server must limit hash and signature algorithms to provide at least 112-bit security strength; for example, the client must prevent the use of SHA-1 hashes.
- Certificates that are used by the client or server must have public keys and digital signatures with at least 112-bit security strength, such as RSA-2048 keys with SHA-256 digital signatures.
- Deterministic random bit generators (DRBGs) must use approved algorithms with at least 112-bit security strength and must be provided with entropy sources that have at least 112 bits of entropy.
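As an added illustration (this is example code, not part of the DS8880 documentation or product), the Python audit below maps the parameters of a negotiated TLS session (protocol version, cipher suite, certificate key size, certificate signature hash) to their comparable security strengths from NIST SP 800-57 Part 1 and flags anything below the 112-bit floor the list above describes. The session records are constructed sample data, `audit_session` and `make_client_context` are names chosen here, and the cipher string in `make_client_context` is one defensible OpenSSL configuration rather than the storage system's own setting. DRBG quality is not observable from a session record, so that requirement is not checked.

```python
"""Audit TLS session parameters against the 112-bit minimum in NIST SP 800-131A.

Added example; not IBM DS8880 code. Strength tables follow NIST SP 800-57
Part 1 (comparable security strengths); the session records are constructed.
"""
import ssl

MIN_STRENGTH = 112  # bits; the floor SP 800-131A applies from 2014 onward

# Security strength of a hash used for digital signatures (collision resistance).
HASH_STRENGTH = {"MD5": 64, "SHA1": 80, "SHA224": 112, "SHA256": 128,
                 "SHA384": 192, "SHA512": 256}
# Security strength of the bulk cipher (3-key Triple DES is 112; RC4 and DES fail).
CIPHER_STRENGTH = {"AES128": 128, "AES256": 256, "CHACHA20": 256,
                   "3DES": 112, "DES": 56, "RC4": 0}
# SP 800-57 Part 1: smallest key size that reaches each comparable strength.
RSA_FFC_LADDER = ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80))
ECC_LADDER = ((512, 256), (384, 192), (256, 128), (224, 112), (160, 80))


def key_strength(key_type, bits):
    """Map a public-key size to its comparable symmetric strength.
    RSA/DSA/DH use the modulus ladder; anything else is treated as an EC key."""
    ladder = RSA_FFC_LADDER if key_type in ("RSA", "DSA", "DH") else ECC_LADDER
    for size, strength in ladder:
        if bits >= size:
            return strength
    return 0


def parse_cipher_suite(name):
    """Return (bulk cipher, hash token) from an OpenSSL- or IANA-style suite name,
    e.g. ECDHE-RSA-AES128-GCM-SHA256 or TLS_AES_128_GCM_SHA256.
    The hash token is None for AEAD suites that carry no MAC hash in the name."""
    flat = name.upper().replace("_", "-")
    flat = (flat.replace("DES-CBC3", "3DES")
                .replace("AES-128", "AES128").replace("AES-256", "AES256"))
    tokens = flat.split("-")
    cipher = next((t for t in tokens if t in CIPHER_STRENGTH), None)
    hash_token = next((t for t in tokens if t.startswith("SHA") or t == "MD5"), None)
    if hash_token == "SHA":  # a bare "SHA" suffix means HMAC-SHA-1 in OpenSSL naming
        hash_token = "SHA1"
    return cipher, hash_token


def audit_session(session):
    """Check one negotiated session against the requirements that are visible on
    the wire. Returns (compliant, weakest strength in bits, list of findings)."""
    findings, strengths = [], []

    version = session["protocol"]
    if version not in ("TLSv1.2", "TLSv1.3"):  # TLS 1.2 (or later) must be negotiated
        findings.append(f"protocol {version}: TLS 1.2 must be negotiated")

    cipher, hash_token = parse_cipher_suite(session["cipher_suite"])
    cipher_bits = CIPHER_STRENGTH.get(cipher, 0)
    strengths.append(cipher_bits)
    if cipher_bits < MIN_STRENGTH:
        findings.append(f"cipher {cipher}: {cipher_bits}-bit strength")
    if hash_token is not None:  # SHA-1 MACs fail the page's "no SHA-1 hashes" rule
        hash_bits = HASH_STRENGTH.get(hash_token, 0)
        strengths.append(hash_bits)
        if hash_bits < MIN_STRENGTH:
            findings.append(f"suite hash {hash_token}: {hash_bits}-bit strength")

    key_type, key_size = session["cert_key_type"], session["cert_key_bits"]
    key_bits = key_strength(key_type, key_size)
    strengths.append(key_bits)
    if key_bits < MIN_STRENGTH:
        findings.append(f"certificate key {key_type}-{key_size}: {key_bits}-bit strength")

    sig_hash = session["cert_sig_hash"].upper()
    sig_bits = HASH_STRENGTH.get(sig_hash, 0)
    strengths.append(sig_bits)
    if sig_bits < MIN_STRENGTH:
        findings.append(f"certificate signature hash {sig_hash}: {sig_bits}-bit strength")

    return (not findings), min(strengths), findings


def make_client_context():
    """Build a client ssl.SSLContext that refuses anything below TLS 1.2 and admits
    only forward-secret AEAD suites (no SHA-1 MAC, no 3DES, no RC4, no MD5)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!SHA1:!3DES:!RC4")
    return ctx


def describe_context(ctx):
    """Report the version floor and the TLS 1.2 cipher names a context admits."""
    return {"min_version": ctx.minimum_version.name,
            "ciphers": [c["name"] for c in ctx.get_ciphers()]}


# Constructed sample sessions (not captured from any real system).
SAMPLE_SESSIONS = [
    {"protocol": "TLSv1.2", "cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256",
     "cert_key_type": "RSA", "cert_key_bits": 2048, "cert_sig_hash": "sha256"},
    {"protocol": "TLSv1.1", "cipher_suite": "DES-CBC3-SHA",
     "cert_key_type": "RSA", "cert_key_bits": 1024, "cert_sig_hash": "sha1"},
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s["protocol"], s["cipher_suite"], audit_session(s))
    print(describe_context(make_client_context()))
```

The weakest component decides the session's strength, so a TLS 1.2 session with an AES-128-GCM suite still reports 112 bits when the server certificate is RSA-2048, and drops to 80 bits as soon as a SHA-1 signature or a 1024-bit key appears anywhere in the chain.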
To enable NIST SP 800-131A security conformance in your environment, update the following entities. It might not be feasible to update all of these entities at the same time because of various dependencies. Therefore, you can upgrade them for NIST SP 800-131A security conformance independently of each other.
- Encryption key servers
- Remote authentication servers
- DS Network Interface clients
- DS Network Interface server
- DS8000® Storage Management GUI and DS Service GUI servers
- SMI-S agents
Attention: Before you disable earlier SSL/TLS protocols on the storage systems, you must ensure that all external system networks connected to the DS8880 storage systems are enabled for TLS 1.2 and are NIST SP 800-131A compliant. Otherwise, network connections to these systems will be prohibited.

For information about configuring your environment for NIST SP 800-131A conformance, see security best practices.