Bits of security | Recommended for managing keys up to | RSA / D-H | Elliptic curve | Hash function or XOF with specified output length (d) | Symmetric encryption |
---|---|---|---|---|---|
112 | RSA2048 secp224r1 |
RSA2048 D-H(2048) |
secp224r1 | SHA224 | |
128 | RSA3072 secp256r1 Ed25519 |
RSA3072 D-H(3072) |
secp256r1 Ed25519/X25519 |
SHA256 SHAKE128(d=256) |
AES-128 |
192 | secp384r1 | secp384r1 | SHA384 | AES-192 | |
224 | Ed448 | Ed448/X448 | |||
256 | secp521r1 | secp521r1 | SHA512 SHAKE256(d=512) |
AES-256 |
Bits of secu- rity |
Recommended for managing keys up to | CMP protection | Key management technique | Key-wrap and symmetric encryption |
---|---|---|---|---|
MSG_SIG_ALG, MSG_MAC_ALG | PROT_ENC_ALG or KM_KA_ALG, KM_KT_ALG, KM_KD_ALG | PROT_SYM_ALG, SYM_PENC_ALG or KM_KW_ALG |
||
112 | RSA2048, secp224r1 |
RSASSA-PSS (2048, SHA224 or SHAKE128), RSAEncryption (2048, SHA224), ECDSA (secp224r1, SHA224 or SHAKE128), PBMAC1 (HMAC-SHA224) |
ESDH (2048), RSAES-OAEP (2048, SHA224), RSAEncryption (2048), ECDH (secp224r1, SHA224), PBKDF2 (HMAC-SHA224) |
|
128 | RSA3072, secp256r1, Ed25519 |
RSASSA-PSS (3072, SHA256 or SHAKE128), RSAEncryption (3072, SHA256), ECDSA (secp256r1, SHA256 or SHAKE128), Ed25519 (SHA512), PBMAC1 (HMAC-SHA256) |
ESDH (3072), RSAES-OAEP (3072, SHA256), RSAEncryption (3072), ECDH (secp256r1, SHA256), ECDH (X25519), PBKDF2 (HMAC-SHA256) |
AES-128 |
192 | secp384r1 | ECDSA (secp384r1, SHA384), PBMAC1 (HMAC-SHA384) |
ECDH (secp384r1, SHA384), PBKDF2 (HMAC-SHA384) |
AES-192 |
224 | Ed448 | Ed448 (SHAKE256) | ECDH (X448) | |
256 | secp521r1 | ECDSA (secp521r1, SHA512 or SHAKE256), PBMAC1 (HMAC-SHA512) |
ECDH (secp521r1, SHA512), PBKDF2 (HMAC-SHA512) |
AES-256 |
Name | Use | Mandatory | Optional | Deprecated |
---|---|---|---|---|
MSG_SIG_ALG | protection of PKI messages using signature | RSA | ECDSA, EdDSA | DSA, combinations with MD5 and SHA-1 |
MSG_MAC_ALG | protection of PKI messages using MACing | PBMAC1 | PasswordBasedMac, HMAC, KMAC | X9.9 |
SYM_PENC_ALG | symmetric encryption of an end entity's private key where symmetric key is distributed out-of-band | AES-wrap | 3-DES(3-key-EDE, CBC Mode), RC5, CAST-128 | |
PROT_ENC_ALG | asymmetric algorithm used for encryption of (symmetric keys for encryption of) private keys transported in PKIMessages | D-H | ECDH, RSA | |
PROT_SYM_ALG | symmetric encryption algorithm used for encryption of private key bits (a key of this type is encrypted using PROT_ENC_ALG) | AES-CBC | 3-DES(3-key-EDE, CBC Mode), RC5, CAST-128 |
Name | Use | Examples |
---|---|---|
MSG_SIG_ALG | protection of PKI messages using signature and for SignedData, e.g., a private key transported in PKIMessages | RSA, ECDSA, EdDSA |
MSG_MAC_ALG | protection of PKI messages using MACing | PasswordBasedMac (see |
KM_KA_ALG | asymmetric key agreement algorithm used for agreement of a symmetric key for use with KM_KW_ALG | D-H, ECDH |
KM_KT_ALG | asymmetric key encryption algorithm used for transport of a symmetric key for PROT_SYM_ALG | RSA |
KM_KD_ALG | symmetric key derivation algorithm used for derivation of a symmetric key for use with KM_KW_ALG | PBKDF2 |
KM_KW_ALG | algorithm to wrap a symmetric key for PROT_SYM_ALG | AES-wrap |
PROT_SYM_ALG | symmetric content encryption algorithm used for encryption of EnvelopedData, e.g., a private key transported in PKIMessages | AES-CBC |