The Cryptographic specification is the component that defines aspects of your cryptographic module, including its cryptographic purpose and which encryption algorithm to use.

Cryptographic specifications can be tailored to a specified cryptographic purpose, covering both asymmetric and symmetric key-based cryptographic operations. Selection of a cryptographic purpose offers further choices, namely to a set of supported algorithms and key length configurations.

Table 1. Cryptographic purposes, algorithms, and key information
Cryptographic Purpose Algorithm Key Information
Asymmetric Data Decryption RSA Asymmetric – 2048-bit, 3072-bit, and 4096-bit key
Asymmetric Data Encryption RSA Asymmetric – 2048-bit, 3072-bit, and 4096-bit key
Asymmetric Key Unwrapping RSA Asymmetric – 2048-bit, 3072-bit, and 4096-bit key
Asymmetric Key Wrapping RSA Asymmetric – 2048-bit, 3072-bit, and 4096-bit key
Signature Generation RSA Asymmetric – 2048-bit, 3072-bit, and 4096-bit key
Signature Verification RSA Asymmetric – 2048-bit, 3072-bit, and 4096-bit key
Symmetric Authenticity HMAC Symmetric – 256-bit, 384-bit, and 512-bit key
Symmetric Data Encryption/Decryption* AES-CBC * Symmetric – 128-bit, 192-bit, 256-bit key
AES-CFB
AES-OFB
AES-CTR
AES-GCM **
Symmetric Key Wrapping/Unwrapping* AES-CBC * Symmetric – 128-bit, 192-bit, 256-bit key
AES-CFB
AES-OFB
AES-CTR
AES-GCM **

* AES-CBC supports equality-preserving options.  Field Encryption Enterprise utilizes AES-CBC.

** AES-GCM has built-in data integrity.

The configuration of these parameters is covered in Create a cryptographic module.