Transition Plans for Key Establishment Schemes using Public Key Cryptography

Summary:

NIST guidelines on approved public-key key-establishment schemes are specified in the NIST SP 800-56 series of publications. While legacy key establishment schemes have been programmatically allowed for use by agencies in FIPS 140-validated modules, NIST SP 800-131A Rev. 1, Transitioning the Use of Cryptographic Algorithms and Key Lengths, specifies that only schemes specified in the SP 800-56 series will be allowed after 2017.  However, there are widely used key-establishment schemes in protocols and applications that are not included in the current revisions of the SP 800-56 series publications.  These publications are being revised to align with current industry standards and best practices.  Compliance with the SP 800-56 series will not be required by the Cryptographic Module Validation Program (CMVP) until these revisions are complete.

Background

NIST recommendations on key establishment schemes using public key cryptography are published in the SP 800-56 series.  NIST SP 800-56A Rev. 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves. NIST SP 800-56B Rev. 1 specifies RSA-based schemes.

The Diffie-Hellman and MQV-based schemes in NIST SP 800-56A were originally based on standards developed by American Standards Committee (ASC) X9: American National Standard (ANS) X9.42, Agreement of Symmetric Keys using Discrete Logarithm Cryptography, and ANS X9.63, Key Agreement and Key Transport using Elliptic Curve Cryptography.  The groups used for Finite Field Cryptography follow those used for the Digital Signature Algorithm as specified in Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS). However, widely used applications and protocols, including those used in the Internet Engineering Task Force (IETF), instead use so-called “safe-prime” groups.  Because such groups are more resilient to certain classes of implementation errors, the next revision of SP 800-56A will allow these groups, and require their use for security strengths above 112 bits.  This change will bring SP 800-56A into alignment with current best practices for using Diffie-Hellman.  Draft SP 800-56A Rev. 3 was released for comment in August 2017 with these and other changes; comments are requested on the revision by November 6, 2017.  A final publication is expected in early 2018.
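The following Python sketch is an added example, not NIST code, showing why a safe-prime group (p = 2q + 1) tolerates a missing subgroup check on a peer's public value better than a group whose p - 1 has small factors. It assumes that the omitted check y^q = 1 (mod p) is the kind of implementation error meant above; the toy primes 23 and 31 and all function names are constructed for this illustration.

```python
# Added illustration; the primes 23 and 31 are constructed toy values, far too
# small for real use. Function names are this example's own.

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (exact for inputs up to 64 bits)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """True when p = 2q + 1 with both p and q prime."""
    return p > 4 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def element_order(y, p):
    """Brute-force order of y mod p (toy sizes only; y must be coprime to p)."""
    k, x = 1, y % p
    while x != 1:
        x, k = (x * y) % p, k + 1
    return k

def orders_passing_range_check(p):
    """Orders of every value accepted by the range check 2 <= y <= p - 2."""
    return sorted({element_order(y, p) for y in range(2, p - 1)})

def validate_public_key(y, p, q=None):
    """Range check always; with q given, also require y^q = 1 (mod p)."""
    if not 2 <= y <= p - 2:
        return False
    return q is None or pow(y, q, p) == 1

if __name__ == "__main__":
    for p in (23, 31):  # 23 = 2*11 + 1 is a safe prime; 31 - 1 = 2*3*5 is not
        print(p, is_safe_prime(p), orders_passing_range_check(p))
    print(validate_public_key(5, 31), validate_public_key(5, 31, q=5))
```

With the safe prime, every value that passes the range check has order q or 2q; with p = 31 the same check admits values of order 3, which only the additional y^q test rejects.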

In addition, NIST guidelines on Elliptic Curve Cryptography are also being revised to propose the adoption of new elliptic curves specified in the Internet Engineering Task Force (IETF) RFC 7748. The upcoming draft of SP 800-186, which will specify approved elliptic curves, will include the curves currently specified in FIPS 186-4 and two additional curves: Curve25519 and Curve448.  Their associated key agreement schemes, X25519 and X448, will be considered for inclusion in a subsequent revision to SP 800-56A.  The CMVP does not intend to enforce compliance with SP 800-56A until these revisions are complete.

Guidelines for the RSA-based schemes in SP 800-56B are based on ANS X9.44, Key Establishment Using Integer Factorization Cryptography, and include RSA-OAEP and RSA-KEM-KWS key-transport schemes.  RSA-OAEP was standardized as an improvement over a common earlier scheme using RSA with PKCS#1 v1.5 padding, which is vulnerable to attacks if implementations do not employ certain countermeasures.  Due to those attacks, NIST sought to encourage implementers to migrate from RSA PKCS#1 v1.5 padding to RSA-OAEP, or to DH/ECDH schemes offering forward security, and did not include PKCS#1 v1.5 padding in SP 800-56B.  However, applications and protocols in common use today, including some common TLS v1.2 cipher suites and S/MIME e-mail encryption, continue to use PKCS#1 v1.5 padding.  Recognizing this widespread use, NIST is soliciting input from implementers, users and security researchers on whether to continue to allow RSA PKCS#1 v1.5 encryption as a deprecated scheme in certain protocols. Comments may be sent to CryptoTransitions@nist.gov by December 15, 2017. This feedback will be considered as part of the upcoming revision of SP 800-56B. NIST expects to release a draft of SP 800-56B Rev. 2 in the summer of 2018.

The transition schedule for key establishment schemes, currently specified in SP 800-131A, will be revised to reflect that CMVP will not require compliance with the SP 800-56 series until the in-process revisions are complete.  Additional details on the revised schedule will be released by the CMVP as the relevant standards and guidelines are finalized.