Standards

Symmetric Key

Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple-DES, and Skipjack Algorithms

Currently, there exist four FIPS-approved symmetric key algorithms for encryption: Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple-DES, and Skipjack. AES is the FIPS-Approved symmetric encryption algorithm of choice.

  • FIPS 197, Advanced Encryption Standard (AES), specifies the AES algorithm.
  • Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, NIST Special Publication 800-67, May 2004.
  • Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001. Appendix E references Modes of Triple-DES.
  • Triple Data Encryption Algorithm Modes of Operation, ANSI X9.52-1998. Copies of X9.52-1998 may be obtained from X9, a standards committee for the financial services industry. NIST does NOT have copies of the standard available for distribution.
  • The Skipjack algorithm is referenced in FIPS 185, Escrowed Encryption Standard (EES), and a complete specification is available in SKIPJACK and KEA Algorithm Specifications (Version 2.0, 29 May 1998).

Testing Requirements:

Validation testing for the AES, Triple-DES, DES, and Skipjack algorithms is handled by the Cryptographic Module Validation (CMV) Program's CMT labs.

Validation List:

NIST maintains validation lists for AES, Triple-DES, and Skipjack. These lists identify the algorithm implementations which have been tested as correctly implementing the AES, Triple-DES, and Skipjack algorithms. Points of contact and implementation descriptions are also included.

Other Information:

  • AES Known Answer Test (KAT) Vectors - This file provides an electronic version of the KAT vectors that can be used to informally verify the correctness of an AES algorithm implementation, using the Known Answer Test (KAT) described in The Advanced Encryption Standard Algorithm Validation Suite (AESAVS). However, use of these vectors does not take the place of validation obtained through the Cryptographic Module Validation Program.
  • Triple-DES Sample Vectors - This file provides sample vectors that can be used to informally verify the correctness of a Triple-DES implementation, using the Monte Carlo Tests described in NIST Special Publication 800-20. However, use of these vectors does not take the place of validation obtained through the Cryptographic Module Validation Program.

Asymmetric Key

Digital Signature Standard (DSS) (DSA, RSA, and ECDSA algorithms)

On February 15, 2000, NIST announced the approval of FIPS 186-2 with Change Notice 1 dated October 5, 2001, Digital Signature Standard (DSS), which supersedes FIPS 186-1. This standard specifies three FIPS-approved algorithms for generating and verifying digital signatures:

  • Digital Signature Algorithm (DSA),
  • RSA (as specified in ANSI X9.31), and
  • Elliptic Curve DSA (ECDSA; as specified in ANSI X9.62).

New items in the DSS include:

Copies of the ANSI X9.31 and ANSI X9.62 standards are available from X9, a standards committee accredited by the American National Standards Institute (ANSI). NIST does NOT have copies of these standards available for distribution.

All three digital signature techniques in FIPS 186-2 (with Change Notice 1 dated October 5, 2001) make use of the Secure Hash Algorithms specified in FIPS 180-2 (with Change Notice 1 dated February 25, 2004), Secure Hash Standard (SHS) accessible via the hashing section of this webpage.

DSA, RSA, and ECDSA are currently the only FIPS-approved methods for digital signatures.

Testing Requirements:

CMT labs can test for conformance to the algorithm specifications in FIPS 186-2 (with Change Notice 1 dated October 5, 2001). Algorithm specifications included in this standard are the DSA, the RSA and the ECDSA algorithms. In addition, NIST can test for conformance to two other versions of the RSA algorithm specified in PKCS#1 v2.1: RSA Cryptography Standard, RSA Laboratories, June 2002.

The testing requirements are specified in:

Digital Signature Algorithm Validation System (DSAVS)
Additional testing note: For the Domain Parameter Generation and Verification, and the Signature Generation and Verification functions, the underlying SHA-1 algorithm must be validated as part of the DSA validation. In a future release, the other SHA algorithms will be supported.

RSA Validation System (RSAVS)
Beginning September 28, 2006: Validation testing for RSA algorithm implementations of RSASSA-PKCS1-v1_5, as specified in Public Key Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography Standard-2002, and of the RSA X9.31 algorithms includes additional testing to assure that the encoded message EM and the intermediate integer IR are in the correct formats. This testing verifies that an implementation under test (IUT) does not contain a potential implementation design that could introduce a vulnerability in these algorithms. This testing has been added to the Signature Verification validation test described in the RSAVS document. No modification to this document was necessary to add this feature. Below in the Test Vectors section, there are test vectors available to informally test if this vulnerability exists in an implementation.
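The EM format check described above, for RSASSA-PKCS1-v1_5, as an added example that is not NIST code and does not use CAVP vectors. The page does not name the flawed design, so `lax_em_check` is a hypothetical stand-in for one, and all EM values are constructed; the check operates on EM as recovered by the RSA public-key operation.

```python
import hashlib
import hmac

# DER DigestInfo prefixes from PKCS #1 v2.1, section 9.2 (EMSA-PKCS1-v1_5).
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int, hash_name: str = "sha256") -> bytes:
    """Build the single valid EM: 00 01 PS 00 DigestInfo||H, PS = 0xFF bytes, len(PS) >= 8."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def strict_em_check(em: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Encode-and-compare: every byte of EM is determined, so none is left unchecked."""
    try:
        expected = emsa_pkcs1_v1_5_encode(message, len(em), hash_name)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def lax_em_check(em: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Hypothetical flawed design: parses left to right and stops after the hash."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1                                # padding length is never checked
    if i >= len(em) or em[i] != 0x00:
        return False
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    return em[i + 1 : i + 1 + len(t)] == t    # bytes after the hash are ignored

def constructed_cases(message: bytes = b"constructed sample", em_len: int = 256):
    """Constructed EM values for a 2048-bit modulus (256-byte EM)."""
    good = emsa_pkcs1_v1_5_encode(message, em_len)
    t = good[-(19 + 32):]                     # SHA-256 DigestInfo prefix + digest
    short_ps = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    trailing = short_ps + b"\x00" * (em_len - len(short_ps))  # hash not right-justified
    bad_ps = good[:10] + b"\xfe" + good[11:]  # one non-0xFF padding byte
    return {"good": good, "trailing": trailing, "bad_ps": bad_ps}

def run_checks(message: bytes = b"constructed sample"):
    """Return {case: (strict_result, lax_result)} for the constructed cases."""
    return {name: (strict_em_check(em, message), lax_em_check(em, message))
            for name, em in constructed_cases(message).items()}
```

A verifier passes this kind of test only if it rejects every EM other than the one the encoding operation produces, which is what `strict_em_check` does and `lax_em_check` does not.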

For all validated cryptographic modules that incorporate RSA, the CMVP and CAVP strongly suggest re-testing of the RSA algorithmic implementations to determine if the vulnerability is present.

If new CAVP testing is performed and the vulnerability is determined not to be present, the CMTL can submit the new test results to the CAVP along with a letter indicating that the implementation passed the RSA testing in CAVS5.2 and the vulnerability is not present. The letter should request that a new algorithm certificate be printed to replace the already issued certificate referencing the new version of CAVS. Please indicate the already issued certificate number. This letter should be included in the zip file along with the other files. Note that the certificate number will not change. Only the reference to the version of the CAVS tool and the signatory date will be changed. (Note the validation request will be submitted using already established procedures.)

If CAVP testing is performed and the vulnerability is discovered, the following revalidation process shall be followed:

  • The algorithm implementation is changed to remove the vulnerability, resulting in a different version number.
  • The new test results are submitted to the CAVP for the new version of the implementation. A new algorithm certificate will be issued for the new version of the implementation. The certificate will reference CAVS5.2.

Additional testing note: For the RSA functions, all underlying SHA algorithm(s) supported by the RSA implementation must be validated as part of the RSA validation.

Elliptic Curve Digital Signature Algorithm (ECDSA) Validation System (ECDSAVS)
Additional testing note: For the Signature Generation and Verification functions, the underlying SHA-1 algorithm must be validated as part of the ECDSA validation. In a future release, the other SHA algorithms will be supported.

Validation Listings:

NIST maintains the current DSA, ECDSA, and RSA Validation Lists.


Test Vectors:

These files provide an electronic version of the test vectors that can be used to informally verify the correctness of the algorithm implementation using the associated validation system document (DSAVS, ECDSAVS, or RSAVS). However, use of these vectors does not take the place of validation obtained through the Cryptographic Algorithm Validation Program (CAVP).


Other Information:

Elliptic curves recommended for Federal Government use are specified in Appendix 6 of FIPS 186-2 with Change Notice 1 dated October 5, 2001. They are also listed separately: PDF, Postscript, and Word.



Secure Hash Standard (SHS)

(SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms)

The Secure Hash Algorithms (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512) are specified in FIPS 180-2 with Change Notice 1 dated February 25, 2004, Secure Hash Standard (SHS).

Testing Requirements:

CMT labs can test for conformance to the SHA algorithms in FIPS 180-2. The testing requirements for these algorithms can be found in the document titled The Secure Hash Algorithm Validation System (SHAVS).

Validation List:

NIST maintains the current SHA Validation List.

Test Vectors:

SHA Test Vectors - These files provide an electronic version of the test vectors that can be used to informally verify the correctness of a SHA algorithm implementation using the SHAVS. However, use of these vectors does not take the place of validation obtained through the Cryptographic Algorithm Validation Program (CAVP).


Random Number Generators (RNG)

The algorithms for generating approved random numbers are referenced in FIPS 140-2 Annex C.

Testing Requirements:

CMT labs can test for conformance to the following RNG algorithms that are referenced in FIPS 140-2 Annex C:

The testing requirements for these algorithms can be found in the document titled The Random Number Generator Validation System (RNGVS).

Validation List:

NIST maintains the current RNG Validation List.

Test Vectors:

RNG Test Vectors - These files provide an electronic version of the test vectors that can be used to informally verify the correctness of an RNG algorithm implementation using the RNGVS. However, use of these vectors does not take the place of validation obtained through the Cryptographic Algorithm Validation Program (CAVP).

Deterministic Random Bit Generators (DRBG)

SP 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised March 2007), specifies mechanisms for the generation of random bits using deterministic methods. There are four mechanisms discussed in this Special Publication. These mechanisms are based on either hash functions (Hash_DRBG, HMAC_DRBG), block cipher algorithms using Counter mode (CTR_DRBG) or number theoretic (Dual EC_DRBG) problems.

 

Testing Requirements:

CMT labs can test for conformance to the DRBG algorithms in Special Publication 800-90. The testing requirements for this algorithm can be found in the document titled The DRBG Validation System (DRBGVS). Additional testing note: Each of the mechanisms contains underlying algorithms which must be validated as part of the DRBG validation. For HASH_DRBG, the SHA algorithm(s) must be tested. For HMAC_DRBG, the HMAC algorithm must be tested. For the block cipher algorithms using Counter mode (CTR_DRBG), a NIST-Approved symmetric key algorithm using Counter mode must be validated as part of the CMAC validation. Currently, NIST approves both the AES and TDES algorithms for use with DRBG. For Dual EC_DRBG, the ECDSA Key Generation function and the SHA algorithm must be tested. The ECDSA Key Generation function tests the point multiplication function used in the Dual EC_DRBG.

Validation List:

NIST maintains the current DRBG Validation List.

Test Vectors:

DRBG Test Vectors - These files provide an electronic version of the test vectors that can be used to informally verify the correctness of a DRBG algorithm implementation using the DRBGVS. However, use of these vectors does not take the place of validation obtained through the Cryptographic Algorithm Validation Program (CAVP).

DRBG Test Vectors - In this zip file, there are 3 text files. Hashbased.txt contains test vectors for HASH_DRBG and HMAC_DRBG. Blockcipher.txt contains test vectors for CTR_DRBG. dualec.txt contains test vectors for Dual EC_DRBG.


Message Authentication (MAC)

Block Cipher-based MAC Algorithm (CMAC)

The CMAC algorithm is specified in Special Publication 800-38B dated May 2005, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. CMAC can be considered a mode of operation of the block cipher because it is based on an approved symmetric key block cipher, such as the Advanced Encryption Standard (AES) algorithm currently specified in Federal Information Processing Standard (FIPS) Pub. 197. CMAC is also an approved mode of the Triple Data Encryption Algorithm (TDEA).

Testing Requirements:

CMT labs can test for conformance to the CMAC algorithm in Special Publication 800-38B. The testing requirements for this algorithm can be found in the document titled The CMAC Validation System (CMACVS). Additional testing note: The underlying NIST-Approved symmetric key algorithm must be validated as part of the CMAC validation. Currently, NIST approves both the AES and TDES algorithms for use with CMAC.

Validation List:

NIST maintains the current CMAC Validations. CMAC Validations are included on the validation list of its approved symmetric key block cipher -- therefore it is included on either the AES Validation List or the TDES Validation List.

Test Vectors:

CMAC Test Vectors - These files provide an electronic version of the test vectors that can be used to informally verify the correctness of a CMAC algorithm implementation using the CMACVS. However, use of these vectors does not take the place of validation obtained through the Cryptographic Algorithm Validation Program (CAVP).

Counter with Cipher Block Chaining-Message Authentication Code (CCM)

The Counter with Cipher Block Chaining-Message Authentication Code (CCM) is specified in Special Publication 800-38C dated May 2004, Counter with Cipher Block Chaining-Message Authentication Code (CCM). CCM is based on an approved symmetric key block cipher algorithm whose block size is 128 bits, such as the Advanced Encryption Standard (AES) algorithm currently specified in Federal Information Processing Standard (FIPS) Pub. 197 [2]; thus, CCM cannot be used with the Triple Data Encryption Algorithm [3], whose block size is 64 bits. Currently the only NIST-Approved 128-bit symmetric key algorithm is AES.

Testing Requirements:

CMT labs can test for conformance to the CCM algorithm in Special Publication 800-38C. The testing requirements for this algorithm can be found in the document titled The Counter with Cipher Block Chaining-Message Authentication Code (CCM) Validation System (CCMVS). Additional testing note: The underlying NIST-Approved 128-bit symmetric key algorithm must be validated as part of the CCM validation. Currently, the only 128-bit symmetric key algorithm approved by NIST is AES.

Validation List:

NIST maintains the current CCM Validations. CCM Validations are included on the validation list of its approved symmetric key block cipher whose block size is 128 bits; therefore they are included on the AES Validation List. NIST maintains the original CCM Validation List for historical purposes. The information contained on the CCM Validation List has been duplicated in the AES Validation List.

Test Vectors:

CCM Test Vectors - These files provide an electronic version of the test vectors that can be used to informally verify the correctness of a CCM algorithm implementation using the CCMVS. However, use of these vectors does not take the place of validation obtained through the Cryptographic Algorithm Validation Program (CAVP).


Keyed-Hash Message Authentication Code (HMAC)

The Keyed-Hash Message Authentication Code (HMAC) is specified in FIPS 198 dated March 6, 2002, Keyed-Hash Message Authentication Code (HMAC). This algorithm utilizes the Secure Hash Algorithms as an underlying primitive.

Testing Requirements:

CMT labs can test for conformance to the HMAC algorithm in FIPS 198. The testing requirements for these algorithms can be found in the document titled The Keyed-Hash Message Authentication Code (HMAC) Validation System (HMACVS). Additional testing note: All underlying SHA algorithm(s) supported by the HMAC implementation must be validated as part of the HMAC validation.

Validation List:

NIST maintains the current HMAC Validation List.

Test Vectors:

HMAC Test Vectors - These files provide an electronic version of the test vectors that can be used to informally verify the correctness of an HMAC algorithm implementation using the HMACVS. However, use of these vectors does not take the place of validation obtained through the Cryptographic Algorithm Validation Program (CAVP).

Data (Message) Authentication Code (MAC) and Key Management Using ANSI X9.17

The automated conformance tests for FIPS 113 and 171 are no longer operational. Currently, if a FIPS 140-1 or FIPS 140-2 cryptographic module implements either of these two standards, the CMT testing laboratories perform some testing that these FIPS requirements are implemented correctly in the cryptographic module.

Message Authentication Code (MAC), FIPS 113

The MAC Validation System (MVS) tested for compliance with FIPS 113, Computer Data Authentication. A list of validated products is maintained by the Security Technology Group.

Key Management Using ANSI X9.17, FIPS 171

The Key Management Validation System (KMVS) tested for compliance with FIPS 171, Key Management Using ANSI X9.17. A list of validated products is maintained by the Security Technology Group.