6 Cryptographic Algorithm Specifications

The following describes the controlling documents for the cryptographic algorithms implemented within the TA101 device.

  1. The RNG function consists of an NRBG and a DRBG component combined according to the rules of NIST SP800-90C, as specified in the following documents:
    1. DRBG: NIST Special Publication 800-90Ar1
    2. NRBG: NIST Special Publication 800-90B
    3. RNG: NIST Special Publication 800-90C second draft
  2. Cryptographic digests using SHA-256, SHA-384, SHA-512:
    1. NIST FIPS Publication 180-4 – Secure Hash Standard (SHS)
  3. HMAC calculations are performed with key sizes varying from 16 to 128 bytes. The underlying algorithm is SHA-256, SHA-384 or SHA-512:
    1. NIST FIPS Publication 198-1 – The Keyed-Hash Message Authentication Code (HMAC)
  4. Authorization session establishment uses the HMAC-SHA256 counter-mode key derivation function (KDF HMAC-Counter), as specified in the following documents:
    1. KDF HMAC-Counter according to specification:

      NIST Special Publication 800-108 – Recommendation for Key Derivation Using Pseudorandom Functions

    2. Support for a SHA-256 one-step KDF, consisting of a single SHA-256 iteration, used in other protocols and specified in the following document:

      NIST Special Publication 800-56Cr2 – Recommendation for Key-Derivation Methods in Key Establishment Schemes

  5. Support for the TLS 1.2 KDF (PRF), as specified in:
    1. IETF RFC5246 – The Transport Layer Security (TLS) Protocol Version 1.2
    2. NIST Special Publication 800-135 – Recommendation for Existing Application-Specific Key Derivation Functions
  6. Support for the TLS 1.3 KDF (HKDF), as specified in:
    1. IETF RFC5869 – HMAC-Based Extract-and-Expand Key Derivation Function (HKDF)
    2. IETF RFC8446 – The TLS Protocol Version 1.3
  7. Symmetric encryption/decryption AES-128 and AES-256 implemented according to:
    1. ECB: NIST FIPS Publication 197 – Advanced Encryption Standard (AES)
  8. The AES-CMAC algorithm is implemented according to:
    1. NIST Special Publication 800-38B – Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
  9. AES encryption/decryption for authorization sessions uses the GCM AEAD mode according to:
    1. NIST Special Publication 800-38D – Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
  10. RSA key generation and signatures are generated and/or verified using the RSASSA-PKCS1-V1_5 scheme according to the specified PKCS#1 procedures. The supported key sizes are 2048, 3072 and 4096. The exponent is fixed at 0x10001, except for the 3072-bit verify, which optionally supports e = 3 (support of the HDCP protocol).
    1. IETF RFC8017 – PKCS #1 RSA Cryptography Specifications Version 2.2
    2. NIST FIPS Publication 186-5 – Digital Signature Standard (DSS)
  11. RSA key generation and signatures are generated and/or verified using the RSASSA-PSS schemes according to the specified PKCS#1 procedures. The supported key sizes are 2048, 3072 and 4096.
    1. IETF RFC8017 – PKCS #1 RSA Cryptography Specifications Version 2.2
    2. NIST FIPS Publication 186-5 – DSS
  12. RSA (RSAES-OAEP) encryption and decryption with an exponent of 0x10001 are supported using the specified RSAES_OAEP PKCS#1 V2.2 scheme. The supported key sizes are 1024, 2048, 3072 and 4096.
    1. IETF RFC8017 – PKCS #1 RSA Cryptography Specifications Version 2.2
  13. Elliptic Curve ECDSA key generation and signatures using the NIST curves P-224, P-256, P-384 and P-521 are generated/verified according to the following specifications. Keys for all curves can be generated using the internal RNG.
    1. ANSI X9.62-2005, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA): www.ansi.org/
    2. NIST FIPS Publication 186-5 – DSS
  14. ECDH key agreement. All ECDH public and private keys are treated as ephemeral keys, with the corresponding key validation. The Ephemeral Unified Model, C(2e, 0s, ECC CDH) scheme (SP 800-56Ar3 Section 6.1.2.2) is used.
    1. P-224, P-256, P-384 and P-521 curves are supported according to this specification:

      NIST Special Publication 800-56Ar3 – Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography

  15. Edwards Curve Support:

    Ed25519/EdDSA key generation and signatures (128-bit security strength) are generated/verified according to the following document.

    1. Ed25519/EdDSA is supported according to this specification:

      IETF RFC8032 – Edwards-Curve Digital Signature Algorithm (EdDSA)

    ECDH X25519 key generation and key agreement (128-bit security strength) are supported according to the following document.

    1. X25519/ECDH is supported according to this specification:

      IETF RFC7748 – Elliptic Curves for Security, Sections 5 and 6

  16. Elliptic curve computations for the 256-bit Brainpool (ECC-256_R1) curve are supported according to the following document. Sign, verify, key generation and ECDH key agreement are all supported. The device does not support Brainpool curves for X.509 certificate parsing.
    1. IETF RFC7027 – Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)
  17. ECDSA sign, verify and key generation operations are supported for the secp256k1 (Bitcoin) curve, often used in blockchain applications. ECDH is not supported for this curve. The curve is specified in:
    1. SECG SEC 2 – Recommended Elliptic Curve Domain Parameters v2.0
  18. The TA101 device can execute the Burmester-Desmedt protocol variation of ECDH (ECBD) described at Eurocrypt ’94. Contact Microchip for more technical details. A version of that paper is available here:
    1. "A Secure and Scalable Group Key Exchange System"
  19. The TA101 device is designed to support the HDCP cryptographic protocols, as specified in:
    1. “High-Bandwidth Digital Content Protection System, Interface Independent Adaptation, Rev. 2.2”
  20. Qi standard point expansion, based upon the compact point representation specified in:
    1. https://tools.ietf.org/id/draft-jivsov-ecc-compact-00.xml – Compact representation of an elliptic curve point
  21. Contact Microchip for CAVP certification status of the appropriate cryptographic algorithms.
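As an added illustration of the two derivation functions named in item 4 (the SP 800-108 counter-mode KDF with HMAC-SHA256 and the SP 800-56Cr2 one-step SHA-256 KDF), the following example code is not part of the TA101 firmware or this datasheet. The Label, Context and shared-secret values are constructed; the device's own fixed-input layout is not given here, so the generic SP 800-108 encoding is assumed, and the one-step KDF is written in its general multi-block form although the page describes a single-iteration variant.

```python
import hashlib
import hmac
import struct


def kdf_counter_hmac_sha256(key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """SP 800-108 KDF in counter mode with PRF = HMAC-SHA256 (item 4.1).

    Each block is HMAC(key, [i]_2 || Label || 0x00 || Context || [L]_2) with a
    32-bit big-endian counter i starting at 1 and L = requested length in bits.
    Assumption: the generic SP 800-108 fixed-input layout; the TA101's own
    Label/Context layout is not stated on the page.
    """
    if not 16 <= len(key) <= 128:            # HMAC key range stated in item 3
        raise ValueError("HMAC key must be 16..128 bytes")
    if length <= 0 or length * 8 > 0xFFFFFFFF:
        raise ValueError("requested length out of range")
    l_bits = struct.pack(">I", length * 8)
    out = b""
    i = 1
    while len(out) < length:
        fixed_input = struct.pack(">I", i) + label + b"\x00" + context + l_bits
        out += hmac.new(key, fixed_input, hashlib.sha256).digest()
        i += 1
    return out[:length]


def kdf_one_step_sha256(shared_secret: bytes, fixed_info: bytes, length: int = 32) -> bytes:
    """SP 800-56Cr2 one-step KDF with auxiliary function H = SHA-256 (item 4.2).

    K(i) = SHA-256([i]_2 || Z || FixedInfo), counter i starting at 1. The page
    describes the device's variant as a single iteration (32 bytes); the loop
    here is the general form and is exercised only when length > 32.
    """
    if length <= 0:
        raise ValueError("requested length out of range")
    out = b""
    i = 1
    while len(out) < length:
        out += hashlib.sha256(struct.pack(">I", i) + shared_secret + fixed_info).digest()
        i += 1
    return out[:length]


if __name__ == "__main__":
    # Constructed sample inputs, not values from any device.
    session_key = kdf_counter_hmac_sha256(bytes(range(32)), b"TA101-session", b"nonce-01", 48)
    one_step = kdf_one_step_sha256(b"\x42" * 32, b"ecdh-fixedinfo")
    print(session_key.hex(), one_step.hex(), sep="\n")
```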