PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
List of cipher suites supported on firewalls running PAN-OS® 9.1 in FIPS-CC mode.
The following table lists cipher suites that are supported on firewalls running a PAN-OS® 9.1 release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details regarding the algorithm implementation. No changes were made to the Palo Alto Networks crypto module between PAN-OS 9.0 and PAN-OS 9.1, so all FIPS certificates still apply to this PAN-OS 9.1 release.
If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites Supported in PAN-OS 9.1.
Functions | Standards |
---|---|
Asymmetric key generation | |
FFC key pair generation (key size 2048 bits) | FIPS PUB 186-4 |
ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 |
RSA key generation (2048 bits or greater) | FIPS PUB 186-4 |
Cryptographic Key Generation (for IKE Peer Authentication) | |
RSA key generation (2048 bits or greater) | FIPS PUB 186-4 |
ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 |
Cryptographic Key Establishment | |
ECDSA-based key establishment | NIST SP 800-56A Revision 2 |
FFC-based key establishment | NIST SP 800-56A Revision 2 |
AES Data Encryption/Decryption | |
|
|
Signature Generation and Verification | |
RSA Digital Signature Algorithm (rDSA) (2048 bits or greater) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSA-PKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 |
ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing “NIST curves” P-256, P-384; ISO/IEC 14888-3, Section 6.4 |
Cryptographic hashing | |
SHA-1, SHA-256, SHA-384, and SHA-512 (digest sizes 160, 256, 384, and 512 bits) | ISO/IEC 10118-3:2004, FIPS PUB 180-4 |
Keyed-hash message authentication | |
| ISO/IEC 9797-2:2011, FIPS PUB 198-1 |
Random bit generation | |
CTR_DRBG (AES-256) | ISO/IEC 18031:2011, NIST SP 800-90A |