Deprecation Notifications
From time to time, AWS CloudHSM may deprecate functionality in order to remain compliant with the requirements of FIPS 140, PCI-DSS, PCI-PIN, PCI-3DS and SOC2. This page lists the changes that currently apply.
FIPS 140 Compliance: 2024 Mechanism Deprecation
The National Institute of Standards and Technology (NIST)1 advises that support for Triple DES (DESede, 3DES, DES3) encryption and RSA key wrap and unwrap with PKCS#1 v1.5 padding is disallowed after December 31, 2023. Therefore, support for these end on January 1, 2024 in our Federal Information Processing Standard (FIPS) mode clusters. Support for these remain for clusters in non-FIPs mode.
This guidance applies to the following cryptographic operations:
Triple DES key generation
CKM_DES3_KEY_GEN
for the PKCS#11 LibraryDESede
Keygen for the JCE ProvidergenSymKey
with-t=21
for the KMU
-
Encryption with Triple DES keys (note: decrypt operations are allowed)
For the PKCS #11 Library:
CKM_DES3_CBC
encrypt,CKM_DES3_CBC_PAD
encrypt, andCKM_DES3_ECB
encryptFor the JCE Provider:
DESede/CBC/PKCS5Padding
encrypt,DESede/CBC/NoPadding
encrypt,DESede/ECB/Padding
encrypt, andDESede/ECB/NoPadding
encrypt
-
RSA key wrap, unwrap, encrypt, and decrypt with PKCS#1 v1.5 padding
CKM_RSA_PKCS
wrap, unwrap, encrypt, and decrypt for the PKCS#11 SDKRSA/ECB/PKCS1Padding
wrap, unwrap, encrypt, and decrypt for the JCE SDKwrapKey
andunWrapKey
with-m 12
for the KMU (note12
is the value for mechanismRSA_PKCS
)
[1] For details on this change, refer to Table 1 and Table 5 in
Transitioning the Use of Cryptographic Algorithms and Key Lengths