This tech note describes the configuration that is required in IBM Tivoli Directory Server V220.127.116.11 (and later fix levels) for the transition to NIST SP 800-131A.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A guidelines provide cryptographic key management guidance. These guidelines include:
- Key management procedures.
- How to use cryptographic algorithms.
- Algorithms to use and their minimum strengths.
- Key lengths for secure communications.
Suite B mode is a restrictive subset of the SP 800-131A specification. Suite B defines the cryptographic algorithm policies to use with the Transport Layer Security (TLS) protocol for national security applications.
Government agencies and financial institutions use the NIST SP 800-131A guidelines to ensure that products conform to specified security requirements.
Support for the transition to NIST SP 800-131A
For the transition to NIST SP 800-131A guidelines, IBM Tivoli Directory Server V18.104.22.168 (and later fix levels, including the latest recommended fix level) supports:
- The Transport Layer Security (TLS) 1.2 protocol.
- Disabling protocols other than TLS 1.2.
- Public keys with the following key strengths:
  - RSA keys with a minimum size of 2048 bits.
  - Elliptic curve (EC) keys with a minimum size of 160 bits (curve p160).
- Certificates with RSA keys of 2048 bits or higher, or with EC keys of 160 bits (curve p160) or higher.
- Digital signatures that use at least a SHA-2 hash algorithm.
- Setting the TLS 1.2 signature and hash algorithm restrictions.
- Suite B mode.
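As an added example (not code from the tech note or from IBM), the key-strength and signature rules listed above turned into a check over the text that `openssl x509 -noout -text` prints for a server certificate; the two sample dumps are constructed and show only the lines the check reads.

```python
import re

# Added example, not code from the IBM tech note. It encodes the rules the
# note lists (RSA >= 2048 bits, EC >= 160 bits, SHA-2 signatures) as a check
# over the text that `openssl x509 -noout -text -in server.pem` prints.
RSA_MIN_BITS = 2048
EC_MIN_BITS = 160
SHA2_DIGESTS = ("sha224", "sha256", "sha384", "sha512")

def parse_cert_text(text):
    """Pull the three fields the policy needs out of openssl's text dump."""
    info = {}
    m = re.search(r"Signature Algorithm:\s*(\S+)", text)
    info["sig_alg"] = m.group(1) if m else None
    m = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    info["key_alg"] = m.group(1) if m else None
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    info["key_bits"] = int(m.group(1)) if m else None
    return info

def check_sp800_131a(text):
    """Return the list of policy violations; an empty list means the cert passes."""
    info = parse_cert_text(text)
    alg, bits, sig = info["key_alg"], info["key_bits"], info["sig_alg"]
    problems = []
    if alg == "rsaEncryption":
        if bits is None or bits < RSA_MIN_BITS:
            problems.append(f"RSA key of {bits} bits is below {RSA_MIN_BITS}")
    elif alg == "id-ecPublicKey":
        if bits is None or bits < EC_MIN_BITS:
            problems.append(f"EC key of {bits} bits is below {EC_MIN_BITS}")
    else:
        problems.append(f"public key algorithm {alg!r} is not RSA or EC")
    # Accept e.g. sha256WithRSAEncryption or ecdsa-with-SHA384; reject SHA-1 and MD5.
    if sig is None or not any(d in sig.lower() for d in SHA2_DIGESTS):
        problems.append(f"signature algorithm {sig!r} is not SHA-2 based")
    return problems

# Constructed sample dumps in openssl's text layout (only the relevant lines).
GOOD_RSA_CERT = """        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
WEAK_RSA_CERT = """        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
```

Running `check_sp800_131a` on the weak dump reports both the 1024-bit key and the SHA-1 signature; the 2048-bit SHA-256 certificate returns no violations.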
For more information about how to configure Tivoli Directory Server, version 22.214.171.124 (and later fix levels) to support the transition to NIST SP 800-131A, see the Support for NIST SP 800-131A guide.
16 June 2018