Reference Guide

ManualsBrandsDell ManualsBSAFEBSAFE Crypto-J

Secure Operation of the Module 33

RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1

– For three-key Triple-DES:

• The use of three-key Triple-DES is approved.

• The user is responsible for ensuring the same Triple-DES key has a limit

of:

• 2

64-bit data block encryptions when keys are generated as part of

one of the recognized IETF protocols.

• 2

64-bit data block encryptions otherwise.

For more information about the use of three-key Triple-DES, see

NIST Special Publication 800-67 revision 2: Recommendation for the Triple

Data Encryption Algorithm (TDEA) Block Cipher.

2.3.2 Crypto User Guidance on Obtaining Assurances for

Digital Signature Applications

The module provides support for the FIPS 186-4 standard for digital signatures. The

following gives an overview of the assurances required by FIPS 186-4. NIST Special

Publication 800-89: “Recommendation for Obtaining Assurances for Digital

Signature Applications” provides the methods to obtain these assurances.

The tables below describe the FIPS 186-4 requirements for signatories and verifiers

and the corresponding module capabilities and recommendations.

Table 6 Signatory Requirements

FIPS 186-4 Requirement Module Capabilities and Recommendations

Obtain appropriate DSA and

ECDSA parameters when

using DSA or ECDSA.

The generation of DSA parameters is in accordance with the

FIPS 186-4 standard for the generation of probable primes.

For ECDSA, use the NIST recommended curves as defined

in section

2.3.1.

Obtain assurance of the

validity of those parameters.

The module provides APIs to validate DSA parameters for

probable primes as described in FIPS 186-4.

For ECDSA, use the NIST recommended curves as defined

in section

2.3.1. For the JCM API,

AlgParamGenerator.verify()

Obtain a digital signature key

pair that is generated as

specified for the appropriate

digital signature algorithm.

The module generates the digital signature key pair

according to the required standards.

Choose a FIPS-Approved DRBG like HMAC DRBG to

generate the key pair.

Obtain assurance of the

validity of the public key.

The module provides APIs to explicitly validate the public

key according to SP 800-89. For the JCM API,

PublicKey.isValid(SecureRandom

secureRandom)

Obtain assurance that the

signatory actually possesses

the associated private key.

The module verifies the signature created using the private

key, but all other assurances are outside the scope of the

module.