Cryptographic algorithms on the management module
The management module in FIPS mode supports the following FIPS 140-2-approved cryptographic algorithms:
- Advanced Encryption Standard (AES), including AES-CBC, AES-CTR, and AES-CFB
- AES Key Wrap (KW) RFC 3394
- Cipher-based MAC (CMAC) with AES 128
- Secure Hash Algorithm (SHA) (including all SHA variants the module supports: SHA-1, SHA-256, and SHA-384)
- Key-Based Key Derivation Functions (KBKDF SP800-108)
- Keyed-Hash Message Authentication Code (HMAC-SHA1, HMAC-SHA256)
- Counter-based Deterministic Random Bit Generator (DRBG)
- Rivest Shamir Adleman (RSA) signature algorithm including RSA2, FIPS 186-4 KeyGen, SigGen, SigVer
- Elliptic Curve Digital Signature Algorithm (ECDSA) FIPS 186-4 KeyGen, SigGen, SigVer
- TLS 1.1 and TLS 1.2 KDF SP800-135
- SSH Key exchange algorithm diffie-hellman-group-exchange-sha256
- SNMPv3 (in authPriv security mode) KDF SP800-135
- SSHv2 Key Derivation Function (KDF)
Allowed exceptions include:
- RSA Key Wrapping
- Message Digest 5 (MD5)
- Hash Message Authentication Codes - HMAC-MD5
- Non-Deterministic Random Number Generator (NDRNG)
The device in FIPS mode does not support the following cryptographic algorithms:
- DES
- 3-DES
- HMAC-SHA1-96
- RSA 1024-bit key size
- SSH key exchange algorithm (diffie-hellman-group1-sha1)
- SNMPv1
- SNMPv2C
- SNMPv3 in noAuthNoPriv and authNoPriv security mode