6 Cryptographic Algorithm Specifications

The TA100 device calculates cryptographic digests using SHA-256:

• NIST FIPS Publication 180-4

HMAC calculations are performed with key sizes varying from 16 to 64 bytes. The underlying algorithm is always SHA-256.

• NIST FIPS Publication 198-1

Authorization session establishment uses the HMAC/SHA-256 - counter key derivation function specified in the following document. This KDF is also supported by the KDF command for general purpose use:

• NIST Special Publication 800-108

Symmetric encryption implemented in the devices uses AES-128 per:


• NIST FIPS Publication 197

The AES-CMAC algorithm is implemented according to:

• NIST Special Publication 800-38B

AES encryption/decryption for authorization sessions uses the GCM AEAD mode per:

• NIST Special Publication 800-38D

RSA signatures are generated and/or verified using the RSASSA-PKCS1-V1_5 scheme according to the PKCS#1 procedures documented in the following. The exponent is fixed at 0x10001, except for 3072-bit verify, which optionally supports e = 3:

• IETF RFC8017 PKCS #1 RSA Cryptography Specifications Version 2.2
• NIST FIPS Publication 186-5

The TA100 device can also calculate and verify RSA signatures using the RSASSA-PSS schemes according to the PKCS#1 procedures documented in:

• IETF RFC8017 PKCS #1 RSA Cryptography Specifications Version 2.2
• NIST FIPS Publication 186-5

RSA (RSAES-OAEP) encryption and decryption with an exponent of 0x10001 is supported for 1024-bit and 2048-bit key lengths using the RSAES_OAEP PKCS#1 V2.2 scheme documented in:

• IETF RFC8017 PKCS #1 RSA Cryptography Specifications Version 2.2

Elliptic Curve ECDSA signatures using the NIST curves P224, P256 and P384 are generated/verified according to the following specification. Keys for all three curves can be generated using the RNG.

• ANSI X9.62-2005 http://www.ansi.org/
• NIST FIPS 186-5 specification NIST FIPS Publication 186-5

The TA100 device executes the ECDH key agreement according to NIST Special Publication 800-56A r3 recommendations. All ECDH public and private keys are treated as ephemeral keys with the corresponding key validation. P224, P256 and P384 curves are supported.

• nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf

Elliptic Curve computations for the 256-bit Brainpool curve are supported according to the following document. Sign, verify, key generation and ECDH are all supported. The TA100 device does not support Brainpool curves for X.509 certificate parsing.

• IETF RFC7027 Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)

ECDSA sign and verify operations are supported for the SECP256K1 curve, often used in block chain applications. ECDH is not supported for this curve. It is specified in:

• SECG SEC 2: Recommended Elliptic Curve Domain Parameters v2.0

The TA100 device supports the TLS 1.2 KDF (PRF), as specified in:

• IETF RFC5246 The Transport Layer Security (TLS) Protocol Version 1.2

The TA100 device supports the TLS 1.3 KDF, aka HKDF, as specified in:

• IETF RFC5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF)

The TA100 device can execute the Burmester-Desmedt protocol variation of ECDH described at Eurocrypt ’94. Contact Microchip for more technical details. A version of that paper is available here:

• A Secure and Scalable Group Key Exchange System

The TA100 device is designed to support the cryptographic protocols, as specified in:

• “High-Bandwidth Digital Content Protection System, Interface Independent Adaptation, Rev. 2.2”

Microchip uses various evaluation methods to determine the security of the storage within the device. In this document, the protection level of the private/secret keys uses the vulnerability analysis in the following JIL document:

• JIL-Application-of-Attack-Potential-to-Smartcards-V3-1.pdf