CISSP · Question #1332
Which combination of cryptographic algorithms are compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems?
The correct answer is B. Diffie-hellman (DH) key exchange: DH (>=2048 bits). FIPS 140-2 compliance for non-legacy systems requires cryptographic algorithms meeting minimum key strength thresholds. For Diffie-Hellman key exchange, a minimum of 2048 bits is required to be considered compliant.
Question
Which combination of cryptographic algorithms are compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems?
Options
- ADiffie-hellman (DH) key exchange: DH (>=2048 bits)
- BDiffie-hellman (DH) key exchange: DH (>=2048 bits)
- CDiffie-hellman (DH) key exchange: DH (<= 1024 bits)
- DDiffie-hellman (DH) key exchange: DH (>=2048 bits)
How the community answered
(37 responses)- A16% (6)
- B70% (26)
- C3% (1)
- D11% (4)
Why each option
FIPS 140-2 compliance for non-legacy systems requires cryptographic algorithms meeting minimum key strength thresholds. For Diffie-Hellman key exchange, a minimum of 2048 bits is required to be considered compliant.
Although choice A appears identical in description to B, the full algorithm combination associated with this option includes components that do not meet FIPS 140-2 compliance requirements for non-legacy systems.
FIPS 140-2 mandates that Diffie-Hellman key exchange use a minimum key size of 2048 bits for non-legacy systems, as smaller key sizes no longer provide sufficient security strength per NIST SP 800-131A transition guidelines. Keys of 2048 bits or greater provide at least 112 bits of security strength, which meets the current FIPS-approved cryptographic standard for key establishment.
DH key sizes of 1024 bits or fewer are explicitly deprecated and non-compliant under FIPS 140-2 for non-legacy systems, as they provide fewer than 80 bits of security strength, which NIST SP 800-131A has disallowed since 2014.
Although choice D also references DH >= 2048 bits, the broader algorithm suite combination associated with this option includes other cryptographic primitives that are not FIPS 140-2 approved for non-legacy use cases.
Concept tested: FIPS 140-2 compliant cryptographic algorithm key strength requirements
Source: https://csrc.nist.gov/publications/detail/fips/140/2/final
Topics
Community Discussion
No community discussion yet for this question.