Algorithms and key sizes
When executing in FIPS mode, System SSL continues to take advantage of the CP Assist for Cryptographic Function (CPACF) when available either directly or through ICSF. Hardware cryptographic card functions allowed in FIPS mode support clear keys (requires a cryptographic card to be defined as an accelerator and online prior to the startup of ICSF) and secure PKCS #11 keys. Secure keys stored in the PKDS are not supported.
Table 1 summarizes the differences between
FIPS mode and non-FIPS mode algorithm support. Hardware availability depends on the processor and
CPACF feature installed. See Using cryptographic features with System SSL for more information about
processors, CPACF algorithm availability, and cryptographic card support.
| Non-FIPS | FIPS | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Algorithm | Sizes | System SSL software | Direct calls to CPACF | Support through ICSF1 | Sizes | System SSL software | Direct calls to CPACF | Support through ICSF (IBM z14, IBM z15, IBM z16) | |||
| Software | CPACF | CEXnA | CEXnP | ||||||||
| 3DES | 168 | X | X | 168 | X | X | |||||
| AES | 128 and 256 | X | X | 128 and 256 | X | X | |||||
| AES-GCM | 128 and 256 | X | 128 and 256 | X | |||||||
| Brainpool Curves - ECC, ECDH, ECDHE | 160-512 | X | |||||||||
| DES | 56 | X | X | ||||||||
| DH, DHE | 512–2048 | X | 2048 | X | X - Key agreement | ||||||
| DSA | 512–2048 | X | 1024-2048 | X | |||||||
| MD5 | 48 | X | |||||||||
| NIST Curves - ECC, ECDSA, ECDH, ECDHE | 192-521 | X | 192-521 | X | X - ECDSA signature generate, ECDH/ECDHE key agreement | ||||||
| RC2 | 40 and 128 | X | |||||||||
| RC4 | 40 and 128 | X | |||||||||
| RSA | 512–4096 | X | X | 1024–4096 | X | X – Encrypt, Decrypt,  Signature
Generate, Signature Verify |
X – Encrypt, Decrypt, Signature Generate | ||||
| RSASSA-PSS | 2048 – 4096 | X | 2048 – 4096 | X | |||||||
| SHA-1 | 160 | X | X | 160 | X | X | |||||
| SHA-2 | 224, 256, 384, and 512 | X | X | 160 | X | X | |||||
Notes:
- 1 For information on usage of ICSF in non-FIPS mode, see Table 1.
- In FIPS mode, only NIST ECC recommended curves are currently supported. Curves under 224 bits are not recommended. Enforcement is the responsibility of the calling application or the system administrator.
- NIST SP800-131 recommended transition algorithm key sizes of RSA >= 2048, DSA >=2048, NIST
ECC recommended curves >= 224, and the disallowment of SHA-1 for digital signature generation.
Enforcement is the responsibility of the calling application or the system
administrator.
Brainpool ECC curves are not supported in FIPS mode.
Table 2 summarizes the differences between FIPS
modes ON and LEVEL1 thru LEVEL3 algorithm support.
Footnotes for Table 2:
| Algorithm | ON or LEVEL1 | LEVEL2 | LEVEL3 |
|---|---|---|---|
| 3DES | 168 | ||
| AES | 128 and 256 | ||
| Digital Signature Generation functions3, 4 | SHA-1 thru SHA-512 | SHA-224 thru SHA-512 | |
| Digital Signature Verification functions3, 4 | SHA-1 thru SHA-512 | SHA-224 thru SHA-512 | |
| HMAC | 80 bits and higher | 112 bits and higher | |
| DSA1 | 1024 thru 2048 | 2048 | |
| DH | 2048 | ||
| ECC | NIST ECC 192 thru 521 | NIST ECC 224 thru 521 | |
| RSA2 | 1024 thru 4096 | 2048-4096 | |
- 1
- For DSA keys, when functioning at GSK_FIPS_STATE_LEVEL2 or GSK_FIPS_STATE_LEVEL3, generating new keys and digital signatures are enforced at the 112 bit security strength. When performing digital signature verification, GSK_FIPS_STATE_ON (GSK_FIPS_STATE_LEVEL1) and GSK_FIPS_STATE_LEVEL2 80 bit security is allowed. Key sizes 1024 or less are associated with 80 bit security strength. Keys sizes 2048 or higher are associated with 112 bit security strength.
- 2
- For RSA keys, when functioning at GSK_FIPS_STATE_LEVEL2 or GSK_FIPS_STATE_LEVEL3, generating new keys and digital signatures are enforced at the 112 bit security strength. When performing digital signature verification, GSK_FIPS_STATE_ON (GSK_FIPS_STATE_LEVEL1) and GSK_FIPS_STATE_LEVEL2 80 bit security is allowed. Key sizes 1024 or less are associated with 80 bit security strength. Keys sizes 2048 or higher are associated with 112 bit security strength.
- 3
- For Digital Signature Generation and Digital Signature Verification using RSASSA-PSS, digest sizes SHA-1 and SHA-224 are not supported, only digest sizes SHA-256, SHA-384, and SHA-512 are supported.
- 4
- Digital Signature Generation and Digital Signature Verification using SHA-1 when used by the TLS protocol is allowed for all settings.
System SSL RSASSA-PSS only supports digest algorithms SHA-256, SHA-384, and
SHA-512. FIPS LEVEL support for RSASSA-PSS signatures:
- GSK_FIPS_STATE_LEVEL2 and GSK_FIPS_STATE_LEVEL3 signature generation requires the digest algorithm size to be SHA-256, SHA-384, or SHA-512.
- GSK_FIPS_STATE_LEVEL2 and GSK_FIPS_STATE_LEVEL3 signature verification does not tolerate digest SHA-1 and SHA-224 for already created objects.