IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

Exploring NIST's latest guidance on Transitioning Cryptographic Algorithms and Key Lengths

By GREGG ARQUERO posted Thu March 06, 2025 04:39 PM

  

Authors: Gregg Arquero & John Craig

What's new with NIST SP 800-131A Rev. 3

The National Institute of Standards and Technology (NIST) has recently published an Initial Public Draft for the third revision of its special publication, Transitioning the Use of Cryptographic Algorithms and Key Lengths (NIST SP 800-131A Rev. 3). NIST has consistently updated its guidance through this publication to address the increasing vulnerability of older algorithms to attacks from emerging computing technologies and the evolving techniques used by threat actors.

The draft proposes moving ECB to legacy status as a confidentiality mode of operation, disallowing DSA for digital signature generation, and a timeline for phasing out SHA-1 and the 224-bit hash functions. It also addresses the transition from 112-bit to 128-bit security strength, along with the shift to quantum-resistant algorithms for digital signatures and key establishment.

If the draft is approved as written, December 31, 2030 is the key deadline for the transitions described below.

Acceptable alternatives for affected algorithms

With the ECB block cipher mode of operation being recategorized as legacy, NIST leaves a number of common block cipher modes in acceptable status, including CBC, GCM, and XTS-AES. ECB is singled out because it encrypts every block independently under the same key, so identical plaintext blocks produce identical ciphertext blocks and the ciphertext reveals the structure of the plaintext. The acceptable modes bring their own requirements: CBC needs an unpredictable IV for each message and provides no integrity protection on its own, and GCM provides authenticated encryption but must never reuse a nonce under the same key.

Meanwhile, DSA has been marked as disallowed for the generation of new digital signatures and should only be used to verify existing signatures. ECDSA and RSA remain acceptable replacements for the time being, but both are slated for deprecation by 2030. EdDSA and ML-DSA are the best candidates for replacing DSA; of the two, only ML-DSA is quantum-resistant, so it is the choice for long-term security.

SHA-1, as well as SHA-224 and the other hash functions with 224-bit output (SHA3-224 and SHA-512/224), will be considered deprecated for all functions by 2030. SHA-1 is already collision-broken in practice, and a 224-bit output gives at most 112 bits of collision resistance, which ties these hash functions to the wider 112-bit to 128-bit transition. They should be replaced by SHA-2 or SHA-3 hash functions with 256-, 384-, or 512-bit output, or by the SHA-3 derived functions TupleHash and ParallelHash.

The overall guidance for key establishment is to shift away from Diffie-Hellman key agreement (finite-field and elliptic-curve) and RSA key transport, and towards key encapsulation mechanisms (KEMs), the approach used by the ML-KEM family of post-quantum algorithms.

How to identify affected algorithms in your ICSF environment

The following ICSF services support ECB mode and at least one acceptable mode. Calls to these services should be checked to ensure that updates are made to phase out use of ECB.

  • Cipher Text Translate2 (CSNBCTT2, CSNBCTT3, CSNECTT2, CSNECTT3)

  • Symmetric Algorithm Encipher (CSNBSAE, CSNBSAE1, CSNESAE, CSNESAE1)

  • Secure Messaging for PINs (CSNBSPN and CSNESPN)

  • DK PIN Change (CSNBDPC and CSNEDPC)

  • PKCS #11 Secret Key Encrypt (CSFPSKE and CSFPSKE6)

  • PKCS #11 Secret Key Reencrypt (CSFPSKR and CSFPSKR6)

The following ICSF services support SHA-1 and SHA-224. Calls to these services should be checked to ensure that updates are made to move to at least SHA-256.

  • One-Way Hash Generate (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1)

  • Digital Signature Generate (CSNDDSG and CSNFDSG)

  • PKA Encrypt (CSNDPKE and CSNFPKE)

  • HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1)

  • MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and CSNEMGN3)

  • PKCS #11 Generate Keyed MAC (CSFPHMG and CSFPHMG6)

  • PKCS #11 One-Way Hash, Sign, or Verify (CSFPOWH and CSFPOWH6)

  • PKCS #11 Private Key Sign (CSFPPKS and CSFPPKS6)
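As an added example (not code from the original post or from IBM), the Python script below shows one way to inventory call sites for the two service lists above and read the rule_array keyword each call passes. It assumes that calls appear in program source under the service names listed above, that rule_array values are set as blank-padded 8-byte string literals close to the call, and that the keyword spellings ECB, CBC, GCM, SHA-1, SHA-224 and SHA-256/384/512 are the ones your ICSF release uses; confirm those against the ICSF Application Programmer's Guide. The COBOL-style and C-style source it scans is constructed for the example.

```python
"""Static inventory of ICSF call sites that may still select legacy algorithms.

Added example, not code from the original post or from IBM. ICSF rule_array
elements are 8-byte, blank-padded keywords, so each string literal near a call
is split into 8-character fields and compared with the (assumed) spellings below.
"""
import re
from dataclasses import dataclass
from typing import List

# Services named in the post that accept ECB as well as at least one acceptable mode.
ECB_CAPABLE = frozenset({
    "CSNBCTT2", "CSNBCTT3", "CSNECTT2", "CSNECTT3", "CSNBSAE", "CSNBSAE1",
    "CSNESAE", "CSNESAE1", "CSNBSPN", "CSNESPN", "CSNBDPC", "CSNEDPC",
    "CSFPSKE", "CSFPSKE6", "CSFPSKR", "CSFPSKR6",
})
# Services named in the post that accept SHA-1 and SHA-224.
WEAK_HASH_CAPABLE = frozenset({
    "CSNBOWH", "CSNBOWH1", "CSNEOWH", "CSNEOWH1", "CSNDDSG", "CSNFDSG",
    "CSNDPKE", "CSNFPKE", "CSNBHMG", "CSNBHMG1", "CSNEHMG", "CSNEHMG1",
    "CSNBMGN2", "CSNBMGN3", "CSNEMGN2", "CSNEMGN3", "CSFPHMG", "CSFPHMG6",
    "CSFPOWH", "CSFPOWH6", "CSFPPKS", "CSFPPKS6",
})
# Assumed rule_array keyword spellings; confirm against the ICSF
# Application Programmer's Guide for your release.
MODE_FLAGGED, MODE_OK = {"ECB"}, {"CBC", "GCM"}
HASH_FLAGGED, HASH_OK = {"SHA-1", "SHA-224"}, {"SHA-256", "SHA-384", "SHA-512"}

SERVICE_RE = re.compile(r"\b(CS[NF][A-Z0-9]{4,5})\b")  # CSNB.., CSNE.., CSND.., CSNF.., CSFP..
LITERAL_RE = re.compile(r"'([^'\n]*)'|\"([^\"\n]*)\"")  # single-line string literals


@dataclass
class Finding:
    line: int       # 1-based line of the call
    service: str
    status: str     # "flagged", "acceptable" or "review"
    keyword: str    # keyword that decided the status; "" for "review"


def rule_keywords(text: str):
    """Yield the 8-byte keyword fields of every string literal in text."""
    for m in LITERAL_RE.finditer(text):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        for i in range(0, len(literal), 8):
            field = literal[i:i + 8].strip()
            if field:
                yield field


def scan(source: str, before: int = 6, after: int = 2) -> List[Finding]:
    """Report each listed ICSF call with the rule_array keyword found near it.

    rule_array is normally filled in just before the call, so the window runs
    from the previous listed call (or `before` lines back, whichever is nearer)
    to `after` lines past the call, never into the next call. A window with no
    recognisable keyword is reported for review: the rule array is probably
    built at run time.
    """
    lines = source.splitlines()
    calls = [(idx, m.group(1)) for idx, line in enumerate(lines)
             for m in SERVICE_RE.finditer(line)
             if m.group(1) in ECB_CAPABLE or m.group(1) in WEAK_HASH_CAPABLE]
    findings: List[Finding] = []
    for n, (idx, service) in enumerate(calls):
        flagged_kw, ok_kw = (MODE_FLAGGED, MODE_OK) if service in ECB_CAPABLE \
            else (HASH_FLAGGED, HASH_OK)
        start = max(idx - before, calls[n - 1][0] + 1 if n else 0)
        stop = min(idx + after + 1, calls[n + 1][0] if n + 1 < len(calls) else len(lines))
        seen = set(rule_keywords("\n".join(lines[start:stop])))
        if seen & flagged_kw:
            findings.extend(Finding(idx + 1, service, "flagged", kw)
                            for kw in sorted(seen & flagged_kw))
        elif seen & ok_kw:
            findings.append(Finding(idx + 1, service, "acceptable", sorted(seen & ok_kw)[0]))
        else:
            findings.append(Finding(idx + 1, service, "review", ""))
    return findings


# Constructed sample source (COBOL-style, then C-style); not real application code.
SAMPLE_SOURCE = """\
      * Constructed COBOL-style sample, not real application code.
           MOVE 'AES     ' TO RULE-ARRAY(1).
           MOVE 'ECB     ' TO RULE-ARRAY(2).
           CALL 'CSNBSAE' USING RC RS EXIT-LEN EXIT-DATA
                RULE-COUNT RULE-ARRAY KEY-ID-LEN KEY-ID
      * (remaining parameters omitted)
           MOVE 'SHA-256 ' TO RULE-ARRAY(1).
           CALL 'CSNBOWH' USING RC RS EXIT-LEN EXIT-DATA
                RULE-COUNT RULE-ARRAY TEXT-LEN TEXT CV-LEN CV HASH-LEN HASH.
      /* Constructed C-style sample, not real application code. */
           unsigned char rule_array[8] = "SHA-1   ";
           CSNEOWH(&rc, &rs, &exit_len, exit_data, &rule_count, rule_array,
                   &text_len, text, &cv_len, cv, &hash_len, hash);
           memcpy(rule_array, cfg->hash_keyword, 8);  /* chosen at run time */
           CSNDDSG(&rc, &rs, &exit_len, exit_data, &rule_count, rule_array,
                   &key_len, key, &hash_len, hash, &sig_len, sig);
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.service:<8}  {f.status:<10}  {f.keyword}")
```

Run against the constructed sample, the script flags the CSNBSAE call for ECB and the CSNEOWH call for SHA-1, marks the CSNBOWH call as acceptable because it passes SHA-256, and sends the CSNDDSG call for manual review because its rule array is copied from configuration at run time and no keyword can be read statically. The "review" bucket is the important one in a real code base: a dynamic rule array is exactly where a legacy keyword can survive a source scan, so those call sites need a runtime check (for example, logging the keyword at the call) or a look at the configuration that feeds them.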

ICSF currently supports only the pre-standard versions of ML-KEM and ML-DSA (CRYSTALS-Kyber and CRYSTALS-Dilithium, respectively). ICSF services that support the CRYSTALS algorithms will be enhanced to support the standardized versions in the near future. Note that the standardized ML-KEM and ML-DSA differ from the round-3 CRYSTALS submissions and are not interoperable with them, so plan for a re-keying step rather than an in-place swap when that support arrives.

 
