SP800-131 compliance

SP800-131 (NIST Special Publication 800-131A) requires longer key lengths and stronger cryptographic algorithms than earlier guidance. A transition configuration is also provided so that users can move to strict enforcement of SP800-131 in stages.

The transition configuration also enables users to run with a mixture of settings from both FIPS 140-2 and SP800-131. SP800-131 can be run in two modes, transition and strict. Transition mode exists to give you a setting from which to move your environment to SP800-131 strict mode. In transition mode, using SP800-131 compliant certificates and setting the protocol to the SP800-131 required TLS version is optional; in strict mode, both are enforced.

Strict enforcement of SP800-131 requires all of the following:
  • The Secure Sockets Layer (SSL) context must use the TLS version 1.2 protocol.
  • Certificates must have a key length of at least 2048 bits. An Elliptic Curve (EC) certificate requires a curve of at least 224 bits.
  • Certificates must be signed with a SHA256, SHA384, or SHA512 signature algorithm. The valid signature algorithms are:
    • SHA256 with RSA
    • SHA384 with RSA
    • SHA512 with RSA
    • SHA256 with ECDSA
    • SHA384 with ECDSA
    • SHA512 with ECDSA
  • Only SP800-131 approved cipher suites may be enabled.
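
The following added example (written for this page, not code from the product being documented) makes the strict-mode requirements above concrete with Python's standard-library ssl module: it builds a client SSL context that enforces a TLS 1.2 floor and AEAD-only cipher suites, audits any context against those rules, and checks certificate parameters (key type, key size, signature algorithm) against the key-length and signature-algorithm requirements. The helper names, the cipher string and the sample certificate values are assumptions; real certificate values would come from your keystore tool.

```python
import ssl

# Floors taken from the strict-mode requirements listed above.
MIN_RSA_BITS = 2048
MIN_EC_BITS = 224

# The approved signature algorithms, normalized to upper case with no separators
# (see _normalize_sig_alg for the spellings it accepts).
APPROVED_SIG_ALGS = {
    "SHA256WITHRSA", "SHA384WITHRSA", "SHA512WITHRSA",
    "SHA256WITHECDSA", "SHA384WITHECDSA", "SHA512WITHECDSA",
}

# Assumed cipher selection: forward-secret AES-GCM suites only. AEAD suites carry
# no SHA-1 or MD5 MAC and exist only in TLS 1.2 and later. Your product's
# approved list may differ; this string is an illustration, not a mandate.
STRICT_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"


def _normalize_sig_alg(name):
    """Accept Java-style ('SHA256withRSA'), OpenSSL-style
    ('sha256WithRSAEncryption') and OID-style ('ecdsa-with-SHA256') names."""
    n = name.upper().replace("-", "").replace("_", "").replace("ENCRYPTION", "")
    if n.startswith("ECDSAWITH"):          # 'ECDSAWITHSHA256' -> 'SHA256WITHECDSA'
        n = n[len("ECDSAWITH"):] + "WITHECDSA"
    return n


def certificate_violations(key_type, key_bits, sig_alg):
    """Return the strict-mode rules a certificate breaks (empty list = compliant).
    key_type, key_bits and sig_alg are the values your keystore tool reports."""
    problems = []
    kt = key_type.upper()
    if kt == "EC":
        if key_bits < MIN_EC_BITS:
            problems.append("EC curve %d bits < %d" % (key_bits, MIN_EC_BITS))
    elif kt == "RSA":
        if key_bits < MIN_RSA_BITS:
            problems.append("RSA key %d bits < %d" % (key_bits, MIN_RSA_BITS))
    else:
        problems.append("key type %s is not RSA or EC" % key_type)
    if _normalize_sig_alg(sig_alg) not in APPROVED_SIG_ALGS:
        problems.append("signature algorithm %s is not SHA-256/384/512 with RSA or ECDSA"
                        % sig_alg)
    return problems


def strict_client_context():
    """Build a client SSLContext that meets the strict-mode protocol and
    cipher-suite requirements: TLS 1.2 as the floor, AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers(STRICT_CIPHERS)
    # PROTOCOL_TLS_CLIENT already implies CERT_REQUIRED and hostname checking;
    # set explicitly so the whole policy is visible in one place.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_violations(ctx):
    """Audit an SSLContext against the same requirements: the protocol floor
    and every cipher suite it would still negotiate."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum protocol version is %s, not TLSv1_2"
                        % ctx.minimum_version.name)
    for c in ctx.get_ciphers():
        # AEAD suites report no digest; SHA-1/MD5-MACed suites such as
        # ECDHE-RSA-AES128-SHA are the usual leftovers that fail strict mode.
        if (c["digest"] or "").lower() in ("sha1", "md5"):
            problems.append("%s uses a %s MAC" % (c["name"], c["digest"]))
        if c["strength_bits"] < 128:
            problems.append("%s offers only %d-bit strength" % (c["name"], c["strength_bits"]))
    return problems


if __name__ == "__main__":
    # Constructed sample certificate parameters (not real certificates).
    samples = [
        ("legacy-server", "RSA", 1024, "sha1WithRSAEncryption"),
        ("current-server", "RSA", 2048, "SHA256withRSA"),
        ("ec-server", "EC", 256, "ecdsa-with-SHA384"),
    ]
    for label, kt, bits, alg in samples:
        print(label + ":", certificate_violations(kt, bits, alg) or "OK")
    print("strict context:", context_violations(strict_client_context()) or "OK")
```

Run it as a script to see the legacy sample fail on both key length and signature algorithm while the other two pass. `context_violations` can be pointed at any existing SSLContext in your code base to find the SHA-1 suites or sub-TLS 1.2 floors that transition mode tolerates but strict mode will reject.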

For more information about the SP800-131 standard, see the web site of the National Institute of Standards and Technology (NIST).