Algorithms and key sizes
When executing in FIPS mode, System SSL continues to take advantage of the CP Assist for
Cryptographic Function (CPACF) when available 
either directly or through ICSF
.
Hardware cryptographic card functions allowed in FIPS mode support clear keys (requires a
cryptographic card to be defined as an accelerator and online prior to the startup of ICSF) and
secure PKCS #11 keys. Secure keys stored in the PKDS are not supported.
Table 1 summarizes the differences between FIPS mode
and non-FIPS mode algorithm support. Hardware availability depends on the processor and CPACF
feature installed. See Using cryptographic features with System SSL for more information about processors,
CPACF algorithm availability, and cryptographic card support.
| Non-FIPS | FIPS | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Algorithm | Sizes | System SSL software | Direct calls to CPACF | Support through ICSF1 | Sizes | System SSL software | Direct calls to CPACF | Support through ICSF (zEC12, zBC12, z13, z13s, z14, z14 ZR1) | |||
| Software | CPACF | CEXnA | CEXnP | ||||||||
| 3DES | 168 | X | X | 168 | X | X | |||||
| AES | 128 and 256 | X | X | 128 and 256 | X | X | |||||
| AES-GCM | 128 and 256 | X | 128 and 256 | X | |||||||
| Brainpool Curves - ECC, ECDH, ECDHE | 160-512 | X | |||||||||
| DES | 56 | X | X | ||||||||
| DH, DHE | 512–2048 | X | 2048 | X | X - Key agreement | ||||||
| DSA | 512–2048 | X | 1024-2048 | X | |||||||
| MD5 | 48 | X | |||||||||
| NIST Curves - ECC, ECDSA, ECDH, ECDHE | 192-521 | X | 192-521 | X | X - ECDSA signature generate, ECDH/ECDHE key agreement | ||||||
| RC2 | 40 and 128 | X | |||||||||
| RC4 | 40 and 128 | X | |||||||||
| RSA | 512–4096 | X | X | 1024–4096 | X | X – Encrypt, Decrypt, Signature Verify | X – Encrypt, Decrypt, Signature Generate | ||||
| RSASSA-PSS |
2048 – 4096 | X | 2048 – 4096 | X | |||||||
| SHA-1 | 160 | X | X | 160 | X | X | |||||
| SHA-2 | 224, 256, 384, and 512 | X | X | 160 | X | X | |||||
Notes:
- 1 For information on usage of ICSF in non-FIPS
mode, see Table 1.
- In FIPS mode, only NIST ECC recommended curves are currently supported. Curves under 224 bits are not recommended. Enforcement is the responsibility of the calling application or the system administrator.
- NIST SP800-131 recommended transition algorithm key sizes of RSA >= 2048, DSA
>=2048, NIST ECC recommended curves >= 224, and the disallowment of SHA-1 for digital
signature generation. Enforcement is the responsibility of the calling application
or the system administrator.
Brainpool ECC curves are not
supported in
FIPS mode.
Table 2 summarizes the differences between FIPS
modes ON and LEVEL1 thru LEVEL3 algorithm support.
Footnotes for Table 2:
| Algorithm | ON or LEVEL1 | LEVEL2 | LEVEL3 |
|---|---|---|---|
| 3DES | 168 | ||
| AES | 128 and 256 | ||
| Digital Signature Generation functions3, 4 | SHA-1 thru SHA-512 | SHA-224 thru SHA-512 | |
| Digital Signature Verification functions3, 4 | SHA-1 thru SHA-512 | SHA-224 thru SHA-512 | |
| HMAC | 80 bits and higher | 112 bits and higher | |
| DSA1 | 1024 thru 2048 | 2048 | |
| DH | 2048 | ||
| ECC | NIST ECC 192 thru 521 | NIST ECC 224 thru 521 | |
| RSA2 | 1024 thru 4096 | 2048-4096 | |
- 1
- For DSA keys, when functioning at GSK_FIPS_STATE_LEVEL2 or GSK_FIPS_STATE_LEVEL3, generating new keys and digital signatures are enforced at the 112 bit security strength. When performing digital signature verification, GSK_FIPS_STATE_ON (GSK_FIPS_STATE_LEVEL1) and GSK_FIPS_STATE_LEVEL2 80 bit security is allowed. Key sizes 1024 or less are associated with 80 bit security strength. Keys sizes 2048 or higher are associated with 112 bit security strength.
- 2
- For RSA keys, when functioning at GSK_FIPS_STATE_LEVEL2 or GSK_FIPS_STATE_LEVEL3, generating new keys and digital signatures are enforced at the 112 bit security strength. When performing digital signature verification, GSK_FIPS_STATE_ON (GSK_FIPS_STATE_LEVEL1) and GSK_FIPS_STATE_LEVEL2 80 bit security is allowed. Key sizes 1024 or less are associated with 80 bit security strength. Keys sizes 2048 or higher are associated with 112 bit security strength.
- 3
- For Digital Signature Generation and Digital Signature Verification using RSASSA-PSS, digest
sizes SHA-1 and SHA-224 are not supported, only digest sizes SHA-256, SHA-384, and SHA-512 are
supported.
- 4
- Digital Signature Generation and Digital Signature Verification using SHA-1 when used by the TLS
protocol is allowed for all settings.
System SSL RSASSA-PSS only supports digest algorithms SHA-256, SHA-384, and
SHA-512. FIPS LEVEL support for RSASSA-PSS signatures:- GSK_FIPS_STATE_LEVEL2 and GSK_FIPS_STATE_LEVEL3 signature generation requires the digest algorithm size to be SHA-256, SHA-384, or SHA-512.
- GSK_FIPS_STATE_LEVEL2 and GSK_FIPS_STATE_LEVEL3 signature verification does not tolerate digest SHA-1 and SHA-224 for already created objects.