Part 1: General - Computer Security Resource Center - National ...
March, 2007

protection. In addition, the signature must be generated using a hash algorithm of
comparable or greater strength, such as SHA-224 or SHA-256.

5.6.3 Using Algorithm Suites

Algorithm suites that combine non-comparable strength algorithms are generally discouraged.
However, algorithms of different strengths and key sizes may be used together for performance,
availability or interoperability reasons, provided that sufficient protection is provided. In general,
the weakest algorithm and key size used to provide cryptographic protection determines the
strength of the protection. Exceptions to this principle require extensive analysis. Determination
of the strength of protection provided for information includes an analysis not only of the
algorithm(s) and key size(s) used to apply the cryptographic protection(s) to the information, but
also any algorithms and key sizes associated with establishing the key(s) used for information
protection, including those used by communication protocols.

The following is a list of several algorithm combinations and discussions on the security
implications of the combination:

1. When a key establishment scheme is used to establish keying material for use with one or
more algorithms (e.g., TDEA, AES, or HMAC), the strength of the selected combination
is comparable to the weakest algorithm and key size used. For example, if a 160 bit ECC
key is used to establish a 128-bit AES key (as defined in [SP800-56]), only 80 bits of
security are provided for any information protected by that AES key, since the 160 bit
ECC provides only 80 bits of security. If 128 bits of security are required for the
information protected by AES, then either an ECC key size of at least 256 bits, or another
key establishment algorithm of appropriate key size needs to be selected to provide the
required protection.

2. When a hash function and digital signature algorithm are used in combination to compute
a digital signature, the strength of the signature is determined by the weaker of the two
algorithms. For example, SHA-256 used with RSA using a 1024 bit key provides 80 bits
of security because a 1024 bit RSA key provides only 80 bits of security. If 112 bits of
security is required, a 2048 bit RSA key would be appropriate.

3. When a random bit generator is used to generate a key for a cryptographic algorithm that
is intended to provide X bits of security, an Approved random bit generator shall be used
that provides at least X bits of security.
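
The weakest-link rule from items 1 to 3, written out as an added Python example that is not part of the NIST text: it rates each component of a suite and reports which one caps the overall strength. The names `STRENGTH`, `bits_of_security` and `evaluate_suite` are hypothetical, and strength values for sizes not named on this page are taken from the comparable-strengths table of SP 800-57 Part 1.

```python
from bisect import bisect_right

# Security strength by minimum key/output size, in bits. The 160- and 256-bit ECC
# and 1024- and 2048-bit RSA rows are stated in the text above; the remaining rows
# are taken from the comparable-strengths table of SP 800-57 Part 1.
STRENGTH = {
    "ECC": [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)],
    "RSA": [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)],
    "AES": [(128, 128), (192, 192), (256, 256)],
    "SHA-2": [(224, 112), (256, 128), (384, 192), (512, 256)],  # hash used in a signature
}
EXACT_SIZES = {"AES", "SHA-2"}  # families that exist only at the listed sizes


def bits_of_security(family, size):
    """Map one algorithm family and key/output size to its bits of security."""
    if family == "RBG":  # item 3: an RBG is described directly by its strength
        return size
    table = STRENGTH[family]
    sizes = [minimum for minimum, _ in table]
    if family in EXACT_SIZES and size not in sizes:
        raise ValueError(f"{family} has no {size}-bit variant")
    index = bisect_right(sizes, size) - 1
    if index < 0:
        raise ValueError(f"{family}-{size} is below the smallest size in the table")
    return table[index][1]


def evaluate_suite(components, required_bits):
    """components: list of (role, family, size). Returns (effective, weakest roles, ok)."""
    rated = [(role, bits_of_security(family, size)) for role, family, size in components]
    effective = min(bits for _, bits in rated)
    weakest = [role for role, bits in rated if bits == effective]
    return effective, weakest, effective >= required_bits


# Constructed sample suites, mirroring the examples in items 1 and 2.
ITEM_1 = [("key establishment", "ECC", 160), ("encryption", "AES", 128),
          ("key generation", "RBG", 128)]
ITEM_1_FIXED = [("key establishment", "ECC", 256), ("encryption", "AES", 128),
                ("key generation", "RBG", 128)]
ITEM_2 = [("hash", "SHA-2", 256), ("signature", "RSA", 1024)]

if __name__ == "__main__":
    for name, suite, need in [("item 1", ITEM_1, 128), ("item 1 fixed", ITEM_1_FIXED, 128),
                              ("item 2", ITEM_2, 112)]:
        print(name, evaluate_suite(suite, need))
```
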

If it is determined that a specific level of security is required for the protection of data, then an
algorithm and key size suite needs to be selected that would provide that level of security as a
minimum. For example, if 128 bits of security are required for data that is to be communicated
and provided with confidentiality, integrity, authentication and non-repudiation protection, the
following selection of algorithms and key sizes may be appropriate:

a. Confidentiality: Encrypt the information using AES-128. Other AES key sizes would also
be appropriate, but perform a bit slower.

b. Integrity, authentication and non-repudiation: Suppose that only one cryptographic
operation is preferred. Use digital signatures. SHA-256 could be selected for the hash
function. Select an algorithm for digital signatures from what is available to an
application (e.g., ECDSA with at least a 256-bit key). If more than one algorithm and key