000022943 - Do RSA BSAFE FIPS libraries support PKCS#5 and PKCS#12 Password Based Encryption (PBE) and Key Generation?

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022943
Applies ToRSA BSAFE Crypto-C ME 2.1
RSA BSAFE Crypto-J 3.6
RSA BSAFE
IssueDo RSA BSAFE FIPS libraries support PKCS#5 and PKCS#12 Password Based Encryption (PBE) and Key Generation?
Notes

RSA BSAFE FIPS validated libraries do support PKCS#5 and PKCS#12 Password Based Encryption (PBE) and Key Generation.  Unlike the rest of the non-FIPS-approved algorithms, PBE may still be available while in FIPS mode.  Crypto-C ME 2.1 and Crypto-J 3.6, for example, do not disable these features when the library is in FIPS mode even though PBE key generation and encryption are not FIPS approved. 

NIST has determined that PBE keys are not strong enough to be used with FIPS validated encryption algorithms.  The document "Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program" (currently at http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf, linked from http://csrc.nist.gov/groups/STM/cmvp/standards.html), page 60 says:

  Password-Based Key Establishment Methods:  all password-based key establishment methods such as
  PKCS#5 are not to be used in the FIPS mode.  

Future versions of these libraries may disable PBE while in FIPS mode.  PBE key generation and encryption will always be available when the libraries are not in FIPS mode, just like the rest of the supported non-FIPS-approved algorithms.

Legacy Article IDa34484

Attachments

    Outcomes