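If the initunit utility is used, you must specify the -s (--strong-kml)
option, if you want to operate at greater than 128 bits security strength
(as this will select a 3072 bit DSA KML). See Configuring a client to
communicate with an nShield Connect for details.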
7.3. Application keys algorithms and key sizes
Depending on the application library used, a range of cryptographic algorithms are
available for selection. The algorithm used and key size selected (if applicable) should be
sufficient to protect customer data from threats identified in the deployed environment
for their data. In line with standard security best practice, the security strength, as
described in Security World security strengths, of the Security World ciphersuite will
effectively limit the security strength that can be claimed for any key or algorithm used
by the HSM. As advised in Security World security strengths, a minimum security strength
of 112 bits is considered the industry standard.
The Cryptographic Algorithms appendix in the User Guide for your HSM identifies all
algorithms and key sizes available (both NIST approved and non-approved). NIST SP
800-57 Part 1 Revision 4 has a section on Comparable Algorithm Strengths which
provides guidance on identifying the security strength of different NIST approved
algorithms and key sizes. BlueKrypt Cryptographic Key Length Recommendation could
be a useful reference for determining required key sizes for common cryptographic
functions:
• Symmetric algorithms
• Asymmetric algorithms, based on the following branches of cryptography: Integer
Factorization Cryptography (see NIST SP800-56B), e.g. RSA; Discrete Logarithm
Cryptography (see NIST SP800-56A), e.g. DSA, Diffie-Hellman; Elliptic Curve,
e.g. ECDSA
• Hashes.
The General Key Management Guidance section of NIST SP 800-57 Part 1 Revision 4
provides guidance on the risk factors that should be considered when assessing
cryptoperiods and the selection of algorithms and key sizes.
The nfkmverify command-line utility can be used to identify algorithms and key sizes (in
bits). See the Cryptographic Algorithms appendix in the User Guide for your HSM for
more information.
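The cap described in this section, as an added example (not code from the manual or from the nShield tooling): a key can claim no more than the lower of its own strength and the Security World ciphersuite strength, and the result is checked against the 112-bit minimum. The thresholds follow the Comparable Algorithm Strengths table in NIST SP 800-57 Part 1 Revision 4; the key names, key sizes and the 128-bit world strength are constructed sample values.

```python
# Added example, not vendor code. Thresholds follow the Comparable Algorithm
# Strengths table in NIST SP 800-57 Part 1 Rev. 4.
MIN_STRENGTH = 112  # minimum security strength named in the manual

# (minimum key size in bits, security strength in bits), strongest first.
# DSA/DH entries assume the matching subgroup size for each modulus length.
_MODULUS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
THRESHOLDS = {
    "RSA": _MODULUS,
    "DSA": _MODULUS,
    "DH": _MODULUS,
    "ECDSA": [(512, 256), (384, 192), (256, 128), (224, 112), (160, 80)],
    "AES": [(256, 256), (192, 192), (128, 128)],
}


def algorithm_strength(algorithm, bits):
    """Strength of the key on its own; 0 if it is below every table entry."""
    for min_bits, strength in THRESHOLDS[algorithm.upper()]:
        if bits >= min_bits:
            return strength
    return 0


def claimable_strength(algorithm, bits, world_strength):
    """The Security World ciphersuite caps what any key can claim."""
    return min(algorithm_strength(algorithm, bits), world_strength)


def audit(keys, world_strength):
    """Return {name: (claimable bits, meets the 112-bit minimum)}."""
    report = {}
    for name, algorithm, bits in keys:
        strength = claimable_strength(algorithm, bits, world_strength)
        report[name] = (strength, strength >= MIN_STRENGTH)
    return report


# Constructed sample inventory: (name, algorithm, key size in bits)
SAMPLE_KEYS = [
    ("tls-signing", "RSA", 4096),
    ("legacy-sign", "RSA", 1024),
    ("code-sign", "ECDSA", 521),
    ("db-wrap", "AES", 256),
]

if __name__ == "__main__":
    for name, (bits, ok) in audit(SAMPLE_KEYS, world_strength=128).items():
        print(f"{name:12} {bits:3d} bits  {'ok' if ok else 'BELOW MINIMUM'}")
```

With a 128-bit world strength, the P-521 and AES-256 keys in the sample can only claim 128 bits, and the 1024-bit RSA key falls below the minimum regardless of the world it lives in.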
7.4. Cryptoperiods
A cryptoperiod is the time span during which a specific cryptographic key is authorized
nShield® Security Manual