Reference Guide

ManualsBrandsDell ManualsBSAFEBSAFE Crypto-J

36 Secure Operation of the Module

RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1

with Level 2 Roles, Services and Authentication

2.3.3 Crypto User Guidance on Obtaining Assurances for

Key Agreement Applications

The module provides support for the NIST SP800.56A recommendations for key

agreement. NIST Special Publication 800-56A: “Recommendation for Pair-Wise Key

Establishment Schemes Using Discrete Logarithm Cryptography” provides the

methods to obtain these assurances.

The tables below describe the SP 800-56A recommendations for key establishment

and the corresponding module capabilities and recommendations.

Obtain assurance of the

validity of the public key.

The module provides APIs to explicitly validate the public

key according to SP 800-89. For the JCM API,

PublicKey.isValid(SecureRandom

secureRandom)

Obtain assurance that the

claimed signatory actually

possessed the private key that

was used to generate the

digital signature at the time

that the signature was

generated.

Outside the scope of the module.

Table 12 Key Establishment Recommendations

NIST SP 800-56A

Recommendations

Module Capabilities and Recommendations

Obtain appropriate FFC and

ECC domain parameters.

The generation of FFC parameters is in accordance with the

FIPS 186-4 standard for the generation of probable primes.

For ECC, use the NIST recommended curves as defined in

section

2.3.1.

Obtain assurance of the

validity of those domain

parameters.

The module provides APIs to validate FFC parameters for

probable primes as described in FIPS 186-4.

For ECC, use the NIST recommended curves as defined in

section

2.3.1. For the JCM API,

AlgParamGenerator.verify()

Obtain a key establishment

key pair that is generated as

specified for the appropriate

algorithm.

The module generates the digital signature key pair according

to the required standards.

Choose a FIPS-Approved DRBG like HMAC DRBG to

generate the key pair.

Owner assurance of the

validity of the public key.

The module provides APIs to explicitly validate the public

key according to SP 800-89. For the JCM API,

PublicKey.isValid(SecureRandom secureRandom)

Table 11 Verifier Requirements (continued)

FIPS 186-4 Requirement Module Capabilities and Recommendations