Learn
PKI Standards Compliance Summary
This list highlights some of the components of Entrust products and the standards with which these products comply.
Symmetric Encryption Algorithms
- U.S. Data Encryption Standard (DES) in accordance with U.S. FIPS PUB 46-2 and ANSI X3.92
- U.S. Advanced Encryption Standard (AES) in accordance with U.S. FIPS PUB 197 (256-bit keys supported) and NIST SP 800-38D section 8.22
- CAST block cipher in accordance with RFC 2144 (64-bit, 80-bit, and 128-bit variations are supported)
- Triple-DES in accordance with ANSI X9.52 (3-key variant for an effective key size of 168-bits is supported)
- RC2® in accordance with RFC 2268 (40-bit and 128-bit variations are supported);
- IDEA as listed in the ISO/IEC 9979 Register of Cryptographic Algorithms (128-bit supported)
Note: DES, CAST, Triple-DES, RC2 and IDEA encryption all use CBC mode of operation in accordance with U.S. FIPS PUB 81, ANSI X3.106 and ISO/IEC 10116
Digital Signature Algorithms
- RSA in accordance with Public Key Cryptographic Standards (PKCS) specification PKCS#1 Version 2.1(PKCS1-v1.5 and PKCS-v2 OAEP encryption schemes, RSASSA-PKCS1-v1.5 and RSASSA-PSS signature schemes with EMSA-PKCS1-v1.5 and EMSA-PSS encoding, and I2OSP,OS2IP, RSASP1 and RSAVP primitives), ANSI X9.31, IEEE 1363, ISO/IEC 14888-3 and U.S. FIPS PUB 186-3 (1024-bit, 2048-bit, 3072-bit) and support for 4096-bit and 6144-bit keys.
- DSA in accordance with the Digital Signature Standard, U.S. FIPS PUB 186-2, ANSI X9.30 Part 1, IEEE P1363 and ISO/IEC 14888-3 (1024-bit supported)
- ECDSA in accordance with ANSI X9.62, IEEE P1363, ISO/IEC 14888-3 and U.S. FIPS PUB 186-3 (192-bit default)
One-Way Hash Functions
- SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 in accordance to U.S. FIPS PUB 180-2 and ANSI X9.30 Part 2
- MD5 Message-Digest algorithm in accordance with RFC 1321
- MD2 Message-Digest algorithm in accordance with RFC 1319
- RIPEMD-160 in accordance with ISO/IEC 10118-3:1998
Key Exchange Algorithms
- RSA key transfer in accordance with RFC 1421 and RFC 1423 (PEM), PKCS#1 Version 2.0, IEEE P1363
- Elliptic Curve Diffie-Hellman (ECDH) in accordance with NIST SP 800-56A and ANSI X9.63
- Diffie-Hellman key agreement in accordance with PKCS#3
- Simple Public-Key GSS-API Mechanism (SPKM) authentication and key agreement in accordance with RFC 2025, ISO/IEC 9798-3 and U.S. FIPS PUB 196
- SSL v3 and TLS v1 in accordance with RFC 2246
Symmetric Integrity Techniques
- MAC in accordance with U.S. FIPS PUB 113 (for DES-MAC) and X9.19
- CMAC in accordance with NIST SP 800-38B
- HMAC in accordance with RFC 2104
Psuedo Random Number Generator
- Psuedo random number generator in accordance with ANSI X9.17 (Appendix C) and FIPS 186-3
- DRBG using SHA512 in accordance with NIST SP 800-90 and FIPS 186-3
Certificate Revocation Lists (CRLs)
- Version 3 public-key certificates and Version 2 CRLs in accordance with ITU-T X.509 Recommendation and ISO/IEC 9594-8 (4th edition, 2000 as well as earlier editions)
- Version 3 public-key certificate and Version 2 CRL extensions in accordance with RFC 2459 and RFC 3280
- Version 3 public-key certificate and Version 2 CRL extensions in accordance with U.S. FPKI X.509 Certificate and CRL Extensions Profile
- Version 3 public-key certificate and Version 2 CRL extensions in accordance with NIST X.509 Certificate and CRL Extensions Profile for the Common Policy
- Version 3 “Qualified” certificates in accordance with RFC 3039 and ETSI TS 101 862
- Version 3 public-key certificates and Version 2 CRLs in accordance with de-facto standards for Web browsers and servers
- WTLS Certificate support in accordance with WAP WTLS Version 1.1. (Entrust.net certificate issuance)
- RSA algorithm identifiers and public key formats in accordance with RFC 1422 and 1423 (PEM) and PKCS#1
File Envelope Formats
- Standard file envelope format based on Internet RFC 1421 (PEM)
- PKCS#7 Version 1.5 based on RFC 2315 and Cryptographic Message Syntax (CMS) based on RFC 3369 and 3370
- S/MIME Version 2 based on RFC 2311
Secure Session Formats
- On-line GSS-API public key implementation mechanism using SPKM in accordance with Internet RFC 2025 and SPKM entity authentication in accordance with FIPS 196
- SSL v3 and TLS v1 in accordance with RFC 2246
Repositories
- LDAP Version 2 in accordance with RFC 1777 and RFC 2559
- LDAP Version 3 in accordance with RFC 2251-2256
Private Key Storage
- Private key storage in accordance with PKCS#5 and PKCS#8
Certificate Management
- Secure Exchange Protocol (SEP), built using Generic Upper Layers Security (GULS) standards ITU-T Recs. X.830, X.831, X.832 and ISO/IEC 11586-1, 11586-2, 11586-3 (SEP continues to be supported for backward compatibility only)
- PKIX-CMP in accordance with RFC 2510 and PKIX-CRMF in accordance with RFC 2511
- PKCS 7/10 (for Web based clients and VPN solutions)
- Cisco Certificate Enrollment Protocol (CEP) (for VPN solutions)
Application Programming Interfaces (APIs)
- Hardware cryptographic interface in accordance with PKCS#11
- Generic Security Services API (GSS-API) in accordance with RFC 1508 and 1509
- IDUP-GSS-API in accordance with Internet Draft draft-ietf-cat-idup-gss-08.txt