This page describes the algorithms supported by Fortanix Data Security Manager (DSM) in strict FIPS 1402 Level 3 mode.
For more information on Fortanix DSM cryptographic policies, refer to User's Guide: Cryptographic Policy.
Crypto  Primitive Type  Algorithm  Mode/Method  Key Size/Curve  Import/export key format (Private/Public)  Use 

Symmetric  Block cipher  AES  ECB, CBC, CBC (no padding), CFB, CTR, GCM, CCM, OFB, KW, KWP, FF1, CMAC  128, 192, or 256 bits  raw  Data Encryption/Decryption, Key, Wrapping/Unwrapping, MAC, Key Generation, and Key Derivation 
Cryptographic hash functions 
SHA2  SHA224, SHA256, SHA384, SHA512  HMAC key length: between 112 and 8192 bits  (HMAC) raw  Message Digest, MAC, Key Generation  
SHA3  SHA3224, SHA3256, SHA3384, SHA3512  Message Digest and Key Generation  
Asymmetric  Elliptic Curve  ECDSA  standard¹  NIST P224, NIST P256, NIST P384, NIST P521  PKCS#8 DER/SubjectPublicKeyInfo DER (RFC5480/RFC5915)  Digital Signature sign/verify and Key Generation 
RSA  RSA  PKCS#1 v1.5⁵, OAEP⁶, PSS⁶  Between 2048 and 8192 bits  PKCS#8 DER/SubjectPublicKeyInfo DER (RFC5208/RFC5280) 
¹  With hash algorithms: SHA1, RIPEMD160, SHA224, SHA256, SHA384, SHA512, SHA3224, SHA3256, SHA3384, SHA3512, Blake2b* (256, 384, 512), Blake2s256*
⁵  With hash algorithms (sign/verify): SHA1, RIPEMD160, SHA224, SHA256, SHA384, SHA512, SSL3*
⁶  Supported mask generation functions: MGF1 with SHA1, RIPEMD160, SHA224, SHA256, SHA384, SHA512. The MGF hash function must be the same as the data hash function..
*  Hash algorithms not listed as a supported “Cryptographic hash function” on this page can only be used in signature generation/verification with prehashed data.
Additional restrictions in FIPS mode are as follows:
Item 
Restrictions 
AES 

ECDSA 

RSA 

Sign and Verify Operations 

HMAC 
