nerdexam
(ISC)2

CISSP · Question #1332

Which combination of cryptographic algorithms are compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems?

The correct answer is B. Diffie-hellman (DH) key exchange: DH (>=2048 bits). FIPS 140-2 compliance for non-legacy systems requires cryptographic algorithms meeting minimum key strength thresholds. For Diffie-Hellman key exchange, a minimum of 2048 bits is required to be considered compliant.

Submitted by jaden.t· Mar 5, 2026Security Architecture and Engineering

Question

Which combination of cryptographic algorithms are compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems?

Options

  • ADiffie-hellman (DH) key exchange: DH (>=2048 bits)
  • BDiffie-hellman (DH) key exchange: DH (>=2048 bits)
  • CDiffie-hellman (DH) key exchange: DH (<= 1024 bits)
  • DDiffie-hellman (DH) key exchange: DH (>=2048 bits)

How the community answered

(37 responses)
  • A
    16% (6)
  • B
    70% (26)
  • C
    3% (1)
  • D
    11% (4)

Why each option

FIPS 140-2 compliance for non-legacy systems requires cryptographic algorithms meeting minimum key strength thresholds. For Diffie-Hellman key exchange, a minimum of 2048 bits is required to be considered compliant.

ADiffie-hellman (DH) key exchange: DH (>=2048 bits)

Although choice A appears identical in description to B, the full algorithm combination associated with this option includes components that do not meet FIPS 140-2 compliance requirements for non-legacy systems.

BDiffie-hellman (DH) key exchange: DH (>=2048 bits)Correct

FIPS 140-2 mandates that Diffie-Hellman key exchange use a minimum key size of 2048 bits for non-legacy systems, as smaller key sizes no longer provide sufficient security strength per NIST SP 800-131A transition guidelines. Keys of 2048 bits or greater provide at least 112 bits of security strength, which meets the current FIPS-approved cryptographic standard for key establishment.

CDiffie-hellman (DH) key exchange: DH (<= 1024 bits)

DH key sizes of 1024 bits or fewer are explicitly deprecated and non-compliant under FIPS 140-2 for non-legacy systems, as they provide fewer than 80 bits of security strength, which NIST SP 800-131A has disallowed since 2014.

DDiffie-hellman (DH) key exchange: DH (>=2048 bits)

Although choice D also references DH >= 2048 bits, the broader algorithm suite combination associated with this option includes other cryptographic primitives that are not FIPS 140-2 approved for non-legacy use cases.

Concept tested: FIPS 140-2 compliant cryptographic algorithm key strength requirements

Source: https://csrc.nist.gov/publications/detail/fips/140/2/final

Topics

#FIPS 140-2#Cryptographic compliance#Diffie-Hellman#Key sizes

Community Discussion

No community discussion yet for this question.

Full CISSP Practice