Certifications
& Standards

PKI Standards Compliance Summary

This list highlights some of the components of Entrust products and the standards with which these products comply.

Symmetric Encryption Algorithms

  • U.S. Data Encryption Standard (DES) in accordance with U.S. FIPS PUB 46-2 and ANSI X3.92
  • U.S. Advanced Encryption Standard (AES) in accordance with U.S. FIPS PUB 197 (256-bit keys supported) and NIST SP 800-38D section 8.22
  • CAST block cipher in accordance with RFC 2144 (64-bit, 80-bit, and 128-bit variations are supported)
  • Triple-DES in accordance with ANSI X9.52 (3-key variant for an effective key size of 168-bits is supported)
  • RC2® in accordance with RFC 2268 (40-bit and 128-bit variations are supported);
  • IDEA as listed in the ISO/IEC 9979 Register of Cryptographic Algorithms (128-bit supported)
Note: DES, CAST, Triple-DES, RC2 and IDEA encryption all use CBC mode of operation in accordance with U.S. FIPS PUB 81, ANSI X3.106 and ISO/IEC 10116

Digital Signature Algorithms

  • RSA in accordance with Public Key Cryptographic Standards (PKCS) specification PKCS#1 Version 2.1(PKCS1-v1.5 and PKCS-v2 OAEP encryption schemes, RSASSA-PKCS1-v1.5 and RSASSA-PSS signature schemes with EMSA-PKCS1-v1.5 and EMSA-PSS encoding, and I2OSP,OS2IP, RSASP1 and RSAVP primitives), ANSI X9.31, IEEE 1363, ISO/IEC 14888-3 and U.S. FIPS PUB 186-3 (1024-bit, 2048-bit, 3072-bit) and support for 4096-bit and 6144-bit keys.
  • DSA in accordance with the Digital Signature Standard, U.S. FIPS PUB 186-2, ANSI X9.30 Part 1, IEEE P1363 and ISO/IEC 14888-3 (1024-bit supported)
  • ECDSA in accordance with ANSI X9.62, IEEE P1363, ISO/IEC 14888-3 and U.S. FIPS PUB 186-3 (192-bit default)

One-Way Hash Functions

  • SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 in accordance to U.S. FIPS PUB 180-2 and ANSI X9.30 Part 2
  • MD5 Message-Digest algorithm in accordance with RFC 1321
  • MD2 Message-Digest algorithm in accordance with RFC 1319
  • RIPEMD-160 in accordance with ISO/IEC 10118-3:1998

Key Exchange Algorithms

  • RSA key transfer in accordance with RFC 1421 and RFC 1423 (PEM), PKCS#1 Version 2.0, IEEE P1363
  • Elliptic Curve Diffie-Hellman (ECDH) in accordance with NIST SP 800-56A and ANSI X9.63
  • Diffie-Hellman key agreement in accordance with PKCS#3
  • Simple Public-Key GSS-API Mechanism (SPKM) authentication and key agreement in accordance with RFC 2025, ISO/IEC 9798-3 and U.S. FIPS PUB 196
  • SSL v3 and TLS v1 in accordance with RFC 2246

Symmetric Integrity Techniques

  • MAC in accordance with U.S. FIPS PUB 113 (for DES-MAC) and X9.19
  • CMAC in accordance with NIST SP 800-38B
  • HMAC in accordance with RFC 2104

Psuedo Random Number Generator

  • Psuedo random number generator in accordance with ANSI X9.17 (Appendix C) and FIPS 186-3
  • DRBG using SHA512 in accordance with NIST SP 800-90 and FIPS 186-3

Certificate and Certificate Revocation Lists (CRLs)

  • Version 3 public-key certificates and Version 2 CRLs in accordance with ITU-T X.509 Recommendation and ISO/IEC 9594-8 (4th edition, 2000 as well as earlier editions)
  • Version 3 public-key certificate and Version 2 CRL extensions in accordance with RFC 2459 and RFC 3280
  • Version 3 public-key certificate and Version 2 CRL extensions in accordance with U.S. FPKI X.509 Certificate and CRL Extensions Profile
  • Version 3 public-key certificate and Version 2 CRL extensions in accordance with NIST X.509 Certificate and CRL Extensions Profile for the Common Policy
  • Version 3 “Qualified” certificates in accordance with RFC 3039 and ETSI TS 101 862
  • Version 3 public-key certificates and Version 2 CRLs in accordance with de-facto standards for Web browsers and servers
  • WTLS Certificate support in accordance with WAP WTLS Version 1.1. (Entrust.net certificate issuance)
  • RSA algorithm identifiers and public key formats in accordance with RFC 1422 and 1423 (PEM) and PKCS#1

File Envelope Formats

  • Standard file envelope format based on Internet RFC 1421 (PEM)
  • PKCS#7 Version 1.5 based on RFC 2315 and Cryptographic Message Syntax (CMS) based on RFC 3369 and 3370
  • S/MIME Version 2 based on RFC 2311

Secure Session Formats

  • On-line GSS-API public key implementation mechanism using SPKM in accordance with Internet RFC 2025 and SPKM entity authentication in accordance with FIPS 196
  • SSL v3 and TLS v1 in accordance with RFC 2246

Repositories

  • LDAP Version 2 in accordance with RFC 1777 and RFC 2559
  • LDAP Version 3 in accordance with RFC 2251-2256

Private Key Storage

  • Private key storage in accordance with PKCS#5 and PKCS#8

Certificate Management

  • Secure Exchange Protocol (SEP), built using Generic Upper Layers Security (GULS) standards ITU-T Recs. X.830, X.831, X.832 and ISO/IEC 11586-1, 11586-2, 11586-3 (SEP continues to be supported for backward compatibility only)
  • PKIX-CMP in accordance with RFC 2510 and PKIX-CRMF in accordance with RFC 2511
  • PKCS 7/10 (for Web based clients and VPN solutions)
  • Cisco Certificate Enrollment Protocol (CEP) (for VPN solutions)

Application Programming Interfaces (APIs)

  • Hardware cryptographic interface in accordance with PKCS#11
  • Generic Security Services API (GSS-API) in accordance with RFC 1508 and 1509
  • IDUP-GSS-API in accordance with Internet Draft draft-ietf-cat-idup-gss-08.txt