SP 800-131a

Special Publication 800-131a (SP 800-131a) is an information security standard of the National Institute of Standards and Technology (NIST). SP 800-131a requires longer key lengths and stronger cryptography than other standards.

We can run SP 800-131a in two modes: transition and strict. Use the transition mode to move gradually towards a strict enforcement of SP 800-131a. The transition mode allows the use of weaker keys and algorithms than strict enforcement allows. The transition mode also allows the use of Transport Layer Security (TLS) v1.0 and v1.1. A strict enforcement of SP 800-131a of the ISAM Base components requires the following configuration:

• TLS v1.2 protocol for the Secure Sockets Layer (SSL) context
• Certificates must have a minimum length of 2048
• Elliptical Curve (EC) certificates must have a minimum size of 244-bit curves
• Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signature algorithms include:
  • SHA256withRSA
  • SHA384withRSA
  • SHA512withRSA
  • SHA256withECDSA
  • SHA384withECDSA
  • SHA512withECDSA

• SP 800-131a approved cipher suites

The Security Verify Access Base component communication uses certificates generated by the policy server. The policy server uses the same key strength and algorithms to create certificates for both the transition and strict versions of the SP 800-131a security mode. As a result, we can convert between the transition and strict modes without completely regenerating all SVA certificates.

The SP 800-131a certificates are not compatible with previous releases of Security Verify Access. Previous release Security Verify Access clients cannot communicate with the policy server of previous releases of the ISAM in SP 800-131a mode.

For information about SP 800-131a, see http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf.

Parent topic: Security standards configurations (compliance types)