|Applies To||RSA BSAFE Crypto-C ME 2.1|
RSA BSAFE Crypto-J 3.6
|Issue||Do RSA BSAFE FIPS libraries support PKCS#5 and PKCS#12 Password Based Encryption (PBE) and Key Generation?|
RSA BSAFE FIPS validated libraries do support PKCS#5 and PKCS#12 Password Based Encryption (PBE) and Key Generation. Unlike the rest of the non-FIPS-approved algorithms, PBE may still be available while in FIPS mode. Crypto-C ME 2.1 and Crypto-J 3.6, for example, do not disable these features when the library is in FIPS mode even though PBE key generation and encryption are not FIPS approved.
NIST has determined that PBE keys are not strong enough to be used with FIPS validated encryption algorithms. The document "Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program" (currently at http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf, linked from http://csrc.nist.gov/groups/STM/cmvp/standards.html), page 60 says:
Password-Based Key Establishment Methods: all password-based key establishment methods such as
Future versions of these libraries may disable PBE while in FIPS mode. PBE key generation and encryption will always be available when the libraries are not in FIPS mode, just like the rest of the supported non-FIPS-approved algorithms.
|Legacy Article ID||a34484|