The SafeLogic Blog

NIST Releases Draft of SP 800-131A Rev3 for Upcoming Algorithm Transitions

November 1, 2024 Aryeh Archer

SP 800-131 Rev 3

On October 21, NIST released the initial public draft of the third revision of SP 800-131A. This standard is the primary source of cryptographic algorithm transition guidance for FIPS 140-3 and for FIPS approved cryptography.

This guidance impacts all federal agencies that use cryptography to protect sensitive but unclassified information.

Key Takeaways from the Initial Draft of SP 800-131A Rev3

The primary update is to reflect the upcoming transition from a minimum security strength of 112 bits to a minimum security strength of 128 bits. This transition will occur at the end of 2030, i.e. December 31, 2030.

The FIPS-approved algorithms that currently have less than 128 bits of security strength are all based on either asymmetric cryptography or hash functions. Because a transition to post-quantum cryptography (PQC, or quantum-resistant cryptography) is also pending, the draft guidance specifies that NIST will not enforce a transition to 128 bits of security for asymmetric algorithms. Upcoming guidance from NIST will define the transition from asymmetric cryptography to post-quantum cryptography.

Transitions for algorithms with at least 112 bits of security but less than 128 bits:

  • Hash-based cryptography:

    • To apply cryptographic protection

      • Deprecated when the standard is published

      • Disallowed after 2030

    • To process already protected information

      • Legacy use after 2030

  • Asymmetric-based cryptography:

    • To apply cryptographic protection

      • Deprecated after 2030

    • To process already protected information

      • No impact (still acceptable after 2030)

The draft guidance also includes some transitions for AES:

  • AES ECB will be disallowed for encryption and legacy use for decryption when the standard is published

  • Combinations of separate AES encryption and authentication for key wrapping will be deprecated when the standard is published

Finally, the guidance has been updated to better reflect all available FIPS approved algorithms, including the newly added algorithms for post-quantum cryptography (PQC). For more information on PQC in FIPS 140-3, please see our blog post https://www.safelogic.com/blog/implementing-pqc-in-fips-140-3.

Background

The current version of SP 800-131A is revision 2 (Rev2), which was released in 2019. It defines cryptographic algorithm transitions that have now been completed. These completed transitions include the transitions for Triple-DES (TDES, or TDEA), DSA, RSA ANSI X9.31, and SHA-1. The new draft of the third revision (Rev3) of SP 800-131A outlines upcoming cryptographic algorithm transitions.

SP 800-131A uses several terms to define the approval status of algorithms.

Three statuses are possible for algorithms applying cryptographic protection (e.g. performing encryption):

  • “Acceptable” algorithms can be used

  • “Disallowed” algorithms cannot be used

  • “Deprecated” algorithms may be used, but their use has some security risk. The data owner should assess this risk for the application and determine if the risk is acceptable or if the algorithm should be considered disallowed for that application.

Two statuses are possible for algorithms processing already protected information (e.g. performing decryption):

  • “Acceptable” algorithms can be used

  • “Legacy use” algorithms may be used, but their use has some security risk. The guidance indicates that processed data should be treated as having been unprotected. Legacy algorithms only include algorithms that were acceptable in the past, and typically have lower security strengths than acceptable algorithms.

The terms above are also used to describe the status of algorithms in validated FIPS modules, but note that algorithms in FIPS validations are separated into “approved” and “non-approved” algorithms. FIPS approved algorithms correspond to “acceptable” algorithms above, and to conformant uses of “deprecated” or “legacy use” algorithms. FIPS non-approved algorithms correspond to “disallowed” algorithms above, and to non-conformant uses of “deprecated” or “legacy use” algorithms.

The draft transition guidance focuses on the transition from a minimum security strength of 112 bits to 128 bits. All currently acceptable algorithms already have a security strength of at least 112 bits. Additional NIST guidance on security strengths of various algorithms and recommendations for transitions is provided in section 5.6 of NIST SP 800-57 Part 1 Rev. 5.

The descriptions below outline the algorithms whose statuses will change from “Acceptable” based on this draft guidance. Only the new upcoming transitions are described; previous transitions are not described.

Algorithms Disallowed or Legacy Use When SP 800-131A Rev3 is Published

When the standard is published, the status of AES ECB will be impacted. AES ECB will be disallowed for encrypting secret data. The standard references some applications where AES ECB mode will remain acceptable (where confidentiality is not required). AES ECB will be legacy use for decryption.

For additional context, and a NIST assessment of possible security property failures in block ciphers, we recommend referencing NIST IR 8459.

Algorithms Deprecated When SP 800-131A Rev3 is Published

Key wrapping that combines AES encryption with a separate method for authentication will be deprecated when the standard is published. Additional guidance may be provided for combining these securely. When this additional guidance is available, the secure combinations will no longer be deprecated. There is no scheduled transition to move these combinations to disallowed.

These deprecated combinations are formed by combining acceptable encryption and authentication algorithms:

  • Encryption: AES CBC, AES CFB, AES OFB, AES CTR

  • Authentication: AES CMAC, AES GMAC, HMAC, KMAC, digital signature (RSA, ECDSA, EdDSA, ML-DSA, SLH-DSA, LMS, HSS, XMSS, XMSSMT)

There is no impact to AES KW, AES KWP, AES CCM, or AES GCM because these algorithms include both encryption and authentication.

Hash-based cryptography with less than 128 bits of security strength will be impacted when the guidance is published. Algorithms used to apply cryptographic protection will be deprecated when the guidance is published.

Impacted algorithms are as follows:

  • SHA-1, SHA-224, SHA-512/224, SHA3-224:

    • When used for DRBGs, i.e. HASH_DRBG or HMAC_DRBG

    • When used for key derivation functions, i.e. SP 800-56C KDFs, SP 800-108 KDFs, and SP 800-132 KDFs

    • When used as a hash to apply protection, including for digital signatures

      • Note: SHA-1 is already disallowed for digital signature generation

    • When used for HMAC generation

These hash algorithms will remain deprecated through 2030. In 2031, they will either become disallowed or legacy use.

Algorithms Disallowed or Legacy Use After 2030

The deprecated hash-based cryptography listed above (deprecated when the guidance is published) will become either disallowed or legacy use at the start of 2031. Those algorithms provide hash-based cryptography with less than 128 bits of security strength.

Hash-based algorithms that will be disallowed after 2030, used for applying cryptographic protection:

  • SHA-1, SHA-224, SHA-512/224, SHA3-224:

    • When used for DRBGs, i.e. HASH_DRBG or HMAC_DRBG

    • When used as a hash to apply protection, including for digital signatures

      • Note: SHA-1 is already disallowed for digital signature generation

    • When used for HMAC generation

  • HMAC, KMAC generation:

    • When using a hash with at least 128 bits of security, but a key strength below 128 bits of security

Hash-based algorithms that will be legacy use after 2030, used for processing already protected information:

  • SHA-1, SHA-224, SHA-512/224, SHA3-224:

    • When used for key derivation functions, i.e. SP 800-56C KDFs, SP 800-108 KDFs, and SP 800-132 KDFs

    • When used as a hash to verify protection, including for digital signatures

      • Note: SHA-1 is already legacy use for digital signature verification

    • When used for HMAC verification

  • HMAC, KMAC verification:

    • When using a hash with at least 128 bits of security, but a key strength below 128 bits of security

Algorithms Deprecated After 2030

Asymmetric cryptography can also have a security strength of less than 128 bits. However, the transition to a minimum security strength of 128 bits will not be enforced for asymmetric cryptography in the same way as for hash-based cryptography.

Asymmetric (public-key) cryptography is vulnerable to attacks from quantum computers. NIST guidance is pending to address the transition from asymmetric cryptography to post-quantum cryptography (PQC, or quantum-resistant cryptography). To avoid two separate transitions, NIST plans to only enforce a PQC transition for asymmetric algorithms. For the security strength transition, asymmetric algorithms with less than 128 bits of security will be deprecated in 2030 (instead of being deprecated when the standard is published) and impacted algorithms will not become disallowed or legacy use. NIST also recommends moving to PQC as soon as feasible, and plans to include the PQC transition in the final version of SP 800-131A Rev3.

Impacted asymmetric cryptography (less than 128 bits of security strength, used for cryptographic protection):

  • Digital signature generation:

    • ECDSA with len(n) less than 256

    • RSA with len(n) less than 3072

  • Asymmetric key agreement or key transport:

    • Finite field cryptography for DH or MQV key agreement (SP 800-56Ar3)

      • 186-type domain parameters FB (2048, 224) and FC (2048, 256)

      • Safe-prime groups MODP-2048 and ffdhe2048

    • Elliptic curve cryptography for DH or MQV key agreement (SP 800-56Ar3)

      • P-224, brainpoolP224r1 and brainpoolP224t1

    • RSA (IFC) cryptography for key agreement or key transport (SP 800-56Br2)

      • RSA with len(n) less than 3072

The guidance also notes that no post-quantum transition is planned for AES due to minimal risk anticipated, including from attacks with Grover’s algorithm. AES also already meets the minimum security strength of 128 bits.
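To see how the transitions in the hash-based and asymmetric sections above fit together for an inventory of algorithm uses, here is an added example (not SafeLogic or NIST code) that encodes the draft's status rules summarised in this post and evaluates each use on a given date. The `Use` record, the `draft_status` function and the field names are assumptions chosen for the illustration; the thresholds (RSA len(n) 3072, ECC len(n) 256, the listed FFC groups and curves, the four impacted hash functions, AES ECB) come from the post. Dates before the final standard is published are evaluated as if Rev3 were already in effect.

```python
"""Evaluate algorithm uses against the transition rules in the initial public
draft of NIST SP 800-131A Rev3, as summarised in this post.
Added illustrative example; names below are assumptions, not NIST or SafeLogic
identifiers. Pre-publication dates are treated as if Rev3 were published."""
from dataclasses import dataclass
from datetime import date

END_OF_2030 = date(2030, 12, 31)  # the 112-bit to 128-bit transition date

# Hash functions the draft classifies as below 128 bits of security strength
# for the listed uses (DRBGs, KDFs, hashing for signatures, HMAC).
WEAK_HASHES = frozenset({"SHA-1", "SHA-224", "SHA-512/224", "SHA3-224"})

# Key-agreement parameter sets with less than 128 bits of security (from the post).
WEAK_FFC_GROUPS = frozenset({"FB", "FC", "MODP-2048", "ffdhe2048"})
WEAK_EC_CURVES = frozenset({"P-224", "brainpoolP224r1", "brainpoolP224t1"})


@dataclass(frozen=True)
class Use:
    family: str        # "hash", "mac", "asymmetric" or "aes"
    algorithm: str     # e.g. "SHA-224", "HMAC", "RSA", "ECDSA", "ECC-DH", "AES"
    purpose: str       # "apply" (encrypt/sign/generate) or "process" (decrypt/verify)
    role: str = ""     # hash: "drbg" | "kdf" | "signature" | "hmac"; aes: mode name
    bits: int = 0      # RSA/ECDSA len(n), or HMAC/KMAC key strength in bits
    group: str = ""    # FFC group or EC curve name for key agreement


def _asymmetric_below_128(u: Use) -> bool:
    """True when the asymmetric parameters give less than 128 bits of security."""
    if u.algorithm == "RSA":
        return u.bits < 3072
    if u.algorithm == "ECDSA":
        return u.bits < 256
    if u.algorithm in ("FFC-DH", "FFC-MQV"):
        return u.group in WEAK_FFC_GROUPS
    if u.algorithm in ("ECC-DH", "ECC-MQV"):
        return u.group in WEAK_EC_CURVES
    return False


def draft_status(u: Use, on: date) -> str:
    """Return "acceptable", "deprecated", "disallowed" or "legacy use" for the use on a date."""
    after_2030 = on > END_OF_2030
    applying = u.purpose == "apply"

    if u.family == "aes":
        # AES ECB: disallowed for encryption, legacy use for decryption, at publication.
        if u.role == "ECB":
            return "disallowed" if applying else "legacy use"
        return "acceptable"  # no strength or PQC transition is planned for AES

    if u.family == "hash":
        if u.algorithm not in WEAK_HASHES:
            return "acceptable"
        if u.algorithm == "SHA-1" and u.role == "signature":
            # Already transitioned under Rev2 (see the notes in the post).
            return "disallowed" if applying else "legacy use"
        if applying:
            return "disallowed" if after_2030 else "deprecated"
        return "legacy use" if after_2030 else "acceptable"

    if u.family == "mac":
        # HMAC/KMAC over a hash with >= 128 bits of security but a key below
        # 128-bit strength: listed only in the after-2030 section of the draft.
        if u.bits < 128 and after_2030:
            return "disallowed" if applying else "legacy use"
        return "acceptable"

    if u.family == "asymmetric":
        # Deprecated after 2030 when applying protection; no impact on processing.
        if applying and after_2030 and _asymmetric_below_128(u):
            return "deprecated"
        return "acceptable"

    raise ValueError(f"unknown family {u.family!r}")


def report(inventory, on: date) -> dict:
    """Map a human-readable label for each use to its status on the given date."""
    return {f"{u.algorithm} {u.role or u.group or u.bits} ({u.purpose})": draft_status(u, on)
            for u in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not a real deployment.
    sample = [
        Use("hash", "SHA-224", "apply", role="hmac"),
        Use("hash", "SHA-224", "process", role="kdf"),
        Use("asymmetric", "RSA", "apply", bits=2048),
        Use("asymmetric", "ECC-DH", "apply", group="P-224"),
        Use("aes", "AES", "apply", role="ECB"),
    ]
    for when in (date(2025, 1, 1), date(2031, 1, 1)):
        print(when, report(sample, when))
```

Running the module prints the sample inventory's status at the start of 2025 and again at the start of 2031, which is the comparison a module vendor or data owner would use to decide what must change before the transition date.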

Next Steps

The guidance in SP 800-131A Rev3 is currently in draft. NIST is accepting comments on this draft until December 4, 2024. If you have questions or concerns, this is a great opportunity to directly influence the upcoming standard!

Comments can be emailed directly to sp800-131a_comments@nist.gov. Or reach out to fips@safelogic.com if you would like us to include your comments in our submission.

As mentioned above, NIST also plans to release guidance soon for the transition for post-quantum cryptography. Stay tuned!

To learn more about SafeLogic’s FIPS modules and find a solution for your company to meet the current and upcoming cryptography requirements, please reach out to sales@safelogic.com!

Aryeh Archer

Aryeh is Safelogic's Director, Operations and Compliance.
