If the initunit utility is used, you must specify the -s (--strong-kml)
option if you want to operate at greater than 128 bits of security strength
(this option selects a 3072-bit DSA KML). See Configuring a client to
communicate with an nShield Connect for details.
7.3. Application keys algorithms and key sizes
Depending on the application library used, a range of cryptographic algorithms is
available for selection. The algorithm used and the key size selected (where applicable) should be
sufficient to protect customer data from the threats identified in the environment in which
that data is deployed. In line with standard security best practice, the security strength of the
Security World ciphersuite, as described in Security World security strengths, effectively
limits the security strength that can be claimed for any key or algorithm used by the HSM.
As advised in Security World security strengths, a minimum security strength of 112 bits is
considered the industry standard.
The Cryptographic Algorithms appendix in the User Guide for your HSM identifies all
algorithms and key sizes available (both NIST-approved and non-approved). NIST SP
800-57 Part 1 Revision 4 has a section on Comparable Algorithm Strengths which
provides guidance on identifying the security strength of different NIST-approved
algorithms and key sizes. The BlueKrypt Cryptographic Key Length Recommendation can
be a useful reference for determining the required key sizes for common cryptographic
functions:
• Symmetric algorithms
• Asymmetric algorithms, grouped by the branch of cryptography they are based on: integer
factorization (Integer Factorization Cryptography, as in NIST SP 800-56B), e.g. RSA;
discrete logarithm (Discrete Logarithm Cryptography, see NIST SP 800-56A), e.g. DSA,
Diffie-Hellman; elliptic curve, e.g. ECDSA
• Hashes.
The General Key Management Guidance section of NIST SP 800-57 Part 1 Revision 4
provides guidance on the risk factors that should be considered when assessing
cryptoperiods and when selecting algorithms and key sizes.
The nfkmverify command-line utility can be used to identify the algorithms and key sizes (in
bits) of existing keys. See the Cryptographic Algorithms appendix in the User Guide for your
HSM for more information.
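As an added illustration (not code from the nShield manual or its tools), the following Python rates a constructed key inventory against the NIST SP 800-57 Part 1 Revision 4 comparable-strength tables and applies the two rules stated above: the Security World strength caps what can be claimed for any key, and 112 bits is the minimum. Key labels, sizes and the two Security World strengths are constructed for the example.

```python
# NIST SP 800-57 Part 1 Rev 4, Table 2: security strength by algorithm family and size.
# Rows are (minimum size in bits, comparable security strength in bits), ascending.
_FFC_IFC = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]  # RSA modulus; DSA/DH prime p
_ECC = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]           # elliptic-curve order size
_SYMMETRIC = {"2TDEA": 80, "3TDEA": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}
_HASH_SIG = {"SHA-224": 112, "SHA-256": 128, "SHA-384": 192, "SHA-512": 256}  # Table 3, digital signatures

MIN_STRENGTH = 112  # minimum advised in the manual


def _lookup(table, bits):
    """Strength of the largest row whose size does not exceed `bits`; 0 if below the smallest row."""
    strength = 0
    for size, s in table:
        if bits >= size:
            strength = s
    return strength


def key_strength(family, size):
    """Comparable security strength (bits) of one key. `size` is the modulus/prime/curve size in
    bits for asymmetric families, or the algorithm name for SYMMETRIC and HASH."""
    if family in ("RSA", "DSA", "DH"):
        return _lookup(_FFC_IFC, size)
    if family in ("ECDSA", "ECDH"):
        return _lookup(_ECC, size)
    if family == "SYMMETRIC":
        return _SYMMETRIC[size]
    if family == "HASH":
        return _HASH_SIG[size]
    raise ValueError(f"unknown algorithm family: {family}")


def assess_keys(keys, world_strength, minimum=MIN_STRENGTH):
    """Return {label: (claimed_strength, ok)}. The claimed strength is capped by the Security
    World strength, as the manual states, and must reach `minimum` to be acceptable."""
    report = {}
    for label, family, size in keys:
        claimed = min(key_strength(family, size), world_strength)
        report[label] = (claimed, claimed >= minimum)
    return report


# Constructed sample inventory (labels are hypothetical), of the kind nfkmverify would let you compile.
SAMPLE_KEYS = [
    ("tls-server", "RSA", 2048),
    ("code-sign", "ECDSA", 256),
    ("legacy-sig", "DSA", 1024),
    ("db-wrap", "SYMMETRIC", "AES-256"),
    ("sig-digest", "HASH", "SHA-256"),
]

if __name__ == "__main__":
    for world in (128, 256):  # two constructed Security World strengths
        print(f"Security World strength {world} bits:")
        for label, (claimed, ok) in assess_keys(SAMPLE_KEYS, world).items():
            print(f"  {label:12} {claimed:3d} bits  {'OK' if ok else 'BELOW MINIMUM'}")
```

With a 128-bit Security World the AES-256 wrapping key can only be claimed at 128 bits, and the 1024-bit DSA key falls below the 112-bit minimum regardless of the Security World.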
7.4. Cryptoperiods
A cryptoperiod is the time span during which a specific cryptographic key is authorized
nShield® Security Manual 51 of 90