Washington, DC - NIST guidelines on approved public key key-establishments schemes are specified in the NIST SP 800-56 series of publications. While legacy key establishment schemes have been programmatically allowed for use by agencies in FIPS 140-validated modules, NIST SP 800-131A Rev. 1, Transitioning the Use of Cryptographic Algorithms and Key Lengths, specifies that only schemes specified in the SP 800-56 series will be allowed after 2017. However, there are widely used key-establishment schemes in protocols and applications that are not included in the current revisions of the SP 800-56 series publications.
These publications are being revised to align with current industry standards and best practices. Compliance with the SP 800-56 series will not be required by the Cryptographic Module Validation Program (CMVP) until these revisions are complete.
NIST recommendations on key establishment schemes using public key cryptography are published in the SP 800-56 series. NIST SP 800-56A Rev. 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves. NIST SP 800-56B Rev. 1 specifies RSA-based schemes.
The Diffie-Hellman and MQV-based schemes in NIST SP 800-56A were originally based on standards developed by American Standards Committee (ASC) X9: American National Standard (ANS) X9.42, Agreement of Symmetric Keys using Discrete Logarithm Cryptography, and ANS X9.63, Key Agreement and Key Transport using Elliptic Curve Cryptography. The groups used for Finite Field Cryptography follow those used for the Digital Signature Algorithm as specified in Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS). However, widely used applications and protocols, including those used in the Internet Engineering Task Force (IETF), instead use so-called “safe-prime” groups. Because such groups are more resilient to certain classes of implementation errors, the next revision of SP 800-56A will allow these groups, and require their use for security strengths above 112 bits. This change will bring SP 800-56A into alignment with current best practices for using Diffie-Hellman. Draft SP 800-56A Rev. 3 was released for comment in August 2017 with these, and other changes; comments are requested on the revision by November 6, 2017. A final publication is expected in early 2018.
In addition, NIST guidelines on Elliptic Curve Cryptography are also being revised to propose the adoption of new elliptic curves specified in the Internet Engineering Task Force (IETF) RFC 7748. The upcoming draft of SP 800-186, which will specify approved elliptic curves, will include the curves currently specified in FIPS 186-4 and two additional curves: Curve25519 and Curve448. Their associated key agreement schemes, X25519 and X448, will be considered for inclusion in a subsequent revision to SP 800-56A. The CMVP does not intend to enforce compliance with SP 800-56A until these revisions are complete.
The transition schedule for key establishment schemes, currently specified in SP 800-131A, will be revised to reflect that CMVP will not require compliance with the SP 800-56 series until the in-process revisions are complete. Additional details on the revised schedule will be released by the CMVP as the relevant standards and guidelines are finalized.