Deprecation Notifications - AWS CloudHSM

Deprecation Notifications

From time to time, AWS CloudHSM may deprecate functionality in order to remain compliant with the requirements of FIPS 140, PCI-DSS, PCI-PIN, PCI-3DS and SOC2. This page lists the changes that currently apply.

FIPS 140 Compliance: 2024 Mechanism Deprecation

The National Institute of Standards and Technology (NIST) [1] advises that support for Triple DES (DESede, 3DES, DES3) encryption and RSA key wrap and unwrap with PKCS#1 v1.5 padding is disallowed after December 31, 2023. Support for these mechanisms therefore ends on January 1, 2024 in our Federal Information Processing Standard (FIPS) mode clusters. Support remains for clusters in non-FIPS mode.

This guidance applies to the following cryptographic operations:

  • Triple DES key generation

    • CKM_DES3_KEY_GEN for the PKCS#11 Library

    • DESede Keygen for the JCE Provider

    • genSymKey with -t=21 for the KMU

  • Encryption with Triple DES keys (note: decrypt operations are allowed)

    • For the PKCS#11 Library: CKM_DES3_CBC encrypt, CKM_DES3_CBC_PAD encrypt, and CKM_DES3_ECB encrypt

    • For the JCE Provider: DESede/CBC/PKCS5Padding encrypt, DESede/CBC/NoPadding encrypt, DESede/ECB/Padding encrypt, and DESede/ECB/NoPadding encrypt

  • RSA key wrap, unwrap, encrypt, and decrypt with PKCS#1 v1.5 padding

    • CKM_RSA_PKCS wrap, unwrap, encrypt, and decrypt for the PKCS#11 SDK

    • RSA/ECB/PKCS1Padding wrap, unwrap, encrypt, and decrypt for the JCE SDK

    • wrapKey and unWrapKey with -m 12 for the KMU (note: 12 is the value for the RSA_PKCS mechanism)
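To find callers that stop working in FIPS mode clusters, the following added example (not AWS code) scans source or script text for the mechanism identifiers listed above. The sample input, the handle numbers in it, the `KeyGenerator.getInstance("DESede"` pattern, and the `-t 21` spelling are assumptions made for illustration.

```python
import re

GEN = "3DES key generation"
ENC = "3DES encrypt (decrypt still allowed)"
RSA = "RSA PKCS#1 v1.5 wrap/unwrap/encrypt/decrypt"

# Patterns use only the identifiers listed on this page unless marked otherwise.
RULES = [
    (GEN, re.compile(r"\bCKM_DES3_KEY_GEN\b")),
    # Assumption: JCE keygen is requested via KeyGenerator.getInstance("DESede", ...)
    (GEN, re.compile(r'KeyGenerator\.getInstance\(\s*"DESede"')),
    # KMU: the page shows -t=21; "-t 21" is accepted here as well (assumption).
    (GEN, re.compile(r"\bgenSymKey\b.*?\s-t[=\s]\s*21\b")),
    (ENC, re.compile(r"\bCKM_DES3_(?:CBC_PAD|CBC|ECB)\b")),
    (ENC, re.compile(r"\bDESede/(?:CBC|ECB)/\w+")),
    # The trailing \b keeps longer names such as CKM_RSA_PKCS_OAEP from matching.
    (RSA, re.compile(r"\bCKM_RSA_PKCS\b")),
    (RSA, re.compile(r"\bRSA/ECB/PKCS1Padding\b")),
    (RSA, re.compile(r"\b(?:wrapKey|unWrapKey)\b.*?\s-m[=\s]\s*12\b")),
]

def scan(text):
    """Return (line_number, label, matched_text) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append((lineno, label, m.group(0)))
    return findings

# Constructed sample: Java, C and KMU fragments; lines 2, 4 and 7 must not be flagged.
SAMPLE = '''\
Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding", provider);
Cipher w = Cipher.getInstance("RSA/ECB/OAEPPadding", provider);
CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
CK_MECHANISM ok = { CKM_RSA_PKCS_OAEP, &oaep, sizeof(oaep) };
genSymKey -t=21 -s 24 -l legacy-3des
wrapKey -k 7 -w 6 -m 12 -out wrapped.key
genSymKey -t 31 -s 32 -l aes-key
'''

if __name__ == "__main__":
    for lineno, label, text in scan(SAMPLE):
        print(f"line {lineno}: {label}: {text}")
```

A hit on a Triple DES cipher mechanism needs manual review, because the scanner cannot tell encrypt calls from decrypt calls and decrypt operations remain allowed.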

[1] For details on this change, refer to Table 1 and Table 5 in Transitioning the Use of Cryptographic Algorithms and Key Lengths.