Embedded FIPS Cryptography
The Allegro Cryptography Engine (ACE) is a platform independent, high performance, resource sensitive, FIPS cryptography engine specifically engineered for the rigors of embedded computing. ACE enables OEM manufacturers to add sophisticated FIPS approved encryption technology to their designs and dramatically speed the development cycle. The ACE cryptography library is designed to meet the requirements needed for FIPS 140-2 validation.
ACE
Embedded systems are appearing in virtually all industries with the capability to communicate independently. The rapid adoption and deployment of modern communication technologies has enabled new applications in healthcare, military applications, energy management, consumer devices and many other areas. With these capabilities, comes the need for embedded device security. Any network-enabled device must be considered as a potential target for malicious intent. Encryption of sensitive data while in motion or at rest is a key component to thwarting malicious attacks and reducing risk.
ACE is a cryptographic library module for embedded computing systems that provides validated software implementations of FIPS approved algorithms for the calculation of message digests, digital signature creation and verification, bulk encryption and decryption, key generation and key exchange. Used stand-alone or pre-integrated with other Allegro toolkits, ACE provides CAVP validated implementations of sophisticated FIPS approved encryption algorithms for use in embedded systems.
In 2005, the National Security Agency (NSA) defined a set of cryptographic algorithms that when used together, are the preferred method for assuring the security and integrity of information passed over public networks such as the Internet. Today, Suite B is globally recognized as an advanced standard for cryptography that defines algorithms and strengths for encryption, hashing, calculating digital signatures and key exchange. ACE includes a platform independent, CAVP validated implementation of the NSA Suite B defined suite of cryptographic algorithms. ACE is delivered as ANSI C source.
ACE can used stand-alone or pre-integrated with Allegro’s suite of embedded device security protocols such as TLS and SSH in addition to the full RomPager suite of Internet software for embedded devices that include Web services using HTTP, XML and SOAP.
ACE – FIPS Mode
Digital Signature Algorithms
- RSA (FIPS 186-3) Key lengths: 2048, 3072
- DSA (FIPS 186-3) Key lengths: 1024, 2048, 3072
- ECDSA (FIPS 186-3) Curves: NIST P-192, P-224, P-256, P-384, P-521
Symmetric Keys
- AES Key lengths: 128, 192, 256
- AES-GCM Key lengths: 128, 192, 256
- AES-CCM Key lengths: 128, 192, 256
- AES-XTS Key lengths: 128, 256
- TripleDES
Hash Functions
- SHA-1
- SHA-224
- SHA-256
- SHA-384
- SHA-512
Message Authentication
- HMAC-SHA-1
- HMAC-SHA-224
- HMAC-SHA-256
- HMAC-SHA-384
- HMAC-SHA-512
- AES-GMAC Keylengths: 128, 192, 256
- AES-CMAC Keylengths: 128, 192, 256
Key Agreement
- DH (NIST SP 800-56A)
- ECDH Curves: NIST P-192, P-224, P-256, P-384, P-521
Random Number Generator
- DRBG (NIST SP 800-90A)
ACE – Non-FIPS Mode
All of the above in addition to the following:
Digital Signature Algorithms
- RSA: arbitrary key lengths 512 to 3072
- DSA: arbitrary key lengths 512 to 3072
Symmetric Keys
- DES
- RC4
Hash Functions
- MD2
- MD4
- MD5
Message Authentication
- HMAC-MD5
CAVP Validation References
AES Validation
http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2314
DSA Validation
http://csrc.nist.gov/groups/STM/cavp/documents/dss/dsaval.htm#728
RSA Validation
http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsaval.html#1197
ECDSA Validation
http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html#379
Triple-DES
http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html#1459
SHA Validation
http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1997
HMAC Validation
http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1430
ECC Component Validations
http://csrc.nist.gov/groups/STM/cavp/documents/components/componentval.html#50
DRBG Validation
http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#286
Features |
Benefits |
|---|---|
|
Small code footprint |
More resources available for application features |
|
ANSI C Source Code Distribution |
Broad processor architecture support, eases porting and support |
|
Processor, RTOS and TCP/IP stack agnostic |
Allegro’s products will work with new or existing hardware and software designs |
|
Flexible Security and External Security support |
Use software encryption or if available make use of hardware cryptography acceleration |
|
Compilation switches for size, feature and speed trade-offs |
Allows the development team to optimize for system resources |
Supported RFCs
- FIPS PUB 140-2, Security Requirements for Cryptographic Modules
- FIPS PUB 180-3, Secure Hash Standard
- FIPS PUB 186-3 Digital Signature Standard (DSS)
- FIPS PUB 197, Specification for the ADVANCED ENCRYPTION STANDARD (AES)
- FIPS PUB 198, The Keyed-Hash Message Authentication Code (HMAC)
- Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
- Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
- Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
- Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Application
- DRBG NIST Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, section 10.1.1 Hash_DRBG.
- RFC2898 – PBKDF PKCS #5: Password-Based Cryptography Specification, Version 2.0
- PKCS #7: Cryptographic Message Syntax Standard
- PKCS #8: Private-Key Information Syntax Standard
- The Advanced Encryption Standard Algorithm Validation Suite (AESAVS)
- The FIPS 186-3 Digital Signature Algorithm Validation System (DSA2VS)
- The FIPS 186-3 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS)
- The 186-3 RSA Validation System (RSA2VS)
- The Secure Hash Algorithm Validation System (SHAVS)
- The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS)
- The Key Agreement Schemes Validation System (KASVS)
- The CMAC Validation System (CMACVS)
- The CCM Validation System (CCMVS)
- The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS)
- The Keyed-Hash Message Authentication Code Validation System (HMACVS)
- Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS):
- NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
System Requirements
- Processor Architecture – Works with any 16-bit, 32-bit or 64-bit processor
- Operating System(OS) – Works with any OS vendor and will function without an OS if needed
- Compiler – ANSI C