PKCS#11
|
| Cryptographic Token Interface Standard |
PKCS#11 |
Data Fields | |
| CK_ULONG | ulWordsize |
| wordsize of RC5 cipher in bytes. More... | |
| CK_ULONG | ulRounds |
| number of rounds of RC5 encipherment. More... | |
| CK_ULONG | ulMacLength |
| length of the MAC produced, in bytes. More... | |
| ulWordsize | wordsize of RC5 cipher in bytes |
| ulRounds | number of rounds of RC5 encipherment |
| ulMacLength | length of the MAC produced, in bytes CK_RC5_MAC_GENERAL_PARAMS_PTR |
CK_RC5_MAC_GENERAL_PARAMS_PTR points to a CK_RC5_MAC_GENERAL_PARAMS structure. It is implementation-dependent.
RC5 mechanisms
RC5 key generation
The RC5 key generation mechanism, denoted CKM_RC5_KEY_GEN, is a key generation mechanism for RSA Data Security's block cipher RC5.
It does not have a parameter.
The mechanism generates RC5 keys with a particular length in bytes, as specified in the CKA_VALUE_LEN attribute of the template for the key.
The mechanism contributes the CKA_CLASS, CKA_KEY_TYPE, and CKA_VALUE attributes to the new key. Other attributes supported by the RC5 key type (specifically, the flags indicating which functions the key supports) may be specified in the template for the key, or else are assigned default initial values.
For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure specify the supported range of RC5 key sizes, in bytes.
RC5-ECB
RC5-ECB, denoted CKM_RC5_ECB, is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping, based on RSA Data Security's block cipher RC5 and electronic codebook mode as defined in FIPS PUB 81.
It has a parameter, a CK_RC5_PARAMS, which indicates the wordsize and number of rounds of encryption to use.
This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports. For wrapping, the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped, padded on the trailing end with null bytes so that the resulting length is a multiple of the cipher blocksize (twice the wordsize). The output data is the same length as the padded input data. It does not wrap the key type, key length, or any other information about the key; the application must convey these separately.
For unwrapping, the mechanism decrypts the wrapped key, and truncates the result according to the CKA_KEY_TYPE attributes of the template and, if it has one, and the key type supports it, the CKA_VALUE_LEN attribute of the template. The mechanism contributes the result as the CKA_VALUE attribute of the new key; other attributes required by the key type must be specified in the template.
Constraints on key types and the length of data are summarized in the following table:
Table 10-17, RC5-ECB: Key And Data Length Constraints
| Function | Key type | Comments | ||
| C_Encrypt | no final part | |||
| C_Decrypt | no final part | |||
| C_WrapKey | ||||
| C_UnwrapKey |
RC5-CBC
RC5-CBC, denoted CKM_RC5_CBC, is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping, based on RSA Data Security's block cipher RC5 and cipher-block chaining mode as defined in FIPS PUB 81.
It has a parameter, a CK_RC5_CBC_PARAMS structure, which specifies the wordsize and number of rounds of encryption to use, as well as the initialization vector for cipher block chaining mode.
This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports. For wrapping, the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped, padded on the trailing end with up to seven null bytes so that the resulting length is a multiple of eight. The output data is the same length as the padded input data. It does not wrap the key type, key length, or any other information about the key; the application must convey these separately.
For unwrapping, the mechanism decrypts the wrapped key, and truncates the result according to the CKA_KEY_TYPE attribute of the template and, if it has one, and the key type supports it, the CKA_VALUE_LEN attribute of the template. The mechanism contributes the result as the CKA_VALUE attribute of the new key; other attributes required by the key type must be specified in the template.
Constraints on key types and the length of data are summarized in the following table:
Table 10-18, RC5-CBC: Key And Data Length Constraints
| Function | Key type | Comments | ||
| C_Encrypt | no final part | |||
| C_Decrypt | no final part | |||
| C_WrapKey | ||||
| C_UnwrapKey |
RC5-CBC with PKCS padding
RC5-CBC with PKCS padding, denoted CKM_RC5_CBC_PAD, is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping, based on RSA Data Security's block cipher RC5; cipher-block chaining mode as defined in FIPS PUB 81; and the block cipher padding method detailed in PKCS #7.
It has a parameter, a CK_RC5_CBC_PARAMS structure, which specifies the wordsize and number of rounds of encryption to use, as well as the initialization vector for cipher block chaining mode.
The PKCS padding in this mechanism allows the length of the plaintext value to be recovered from the ciphertext value. Therefore, when unwrapping keys with this mechanism, no value should be specified for the CKA_VALUE_LEN attribute.
In addition to being able to wrap and unwrap secret keys, this mechanism can wrap and unwrap RSA, Diffie-Hellman, and DSA private keys (see Section for details). The entries in Table 10 -19 for data length constraints when wrapping and unwrapping keys do not apply to wrapping and unwrapping private keys.
Constraints on key types and the length of data are summarized in the following table:
Table 10-19, RC5-CBC with PKCS padding: Key And Data Length Constraints
| Function | Key type | ||
| C_Encrypt | |||
| C_Decrypt | |||
| C_WrapKey | |||
| C_UnwrapKey |
General-length RC5-MAC
General-length RC5-MAC, denoted CKM_RC5_MAC_GENERAL, is a mechanism for single- and multiple-part signatures and verification, based on RSA Data Security's block cipher RC5 and data authentication as defined in FIPS PUB 113.
It has a parameter, a CK_RC5_MAC_GENERAL_PARAMS structure, which specifies the wordsize and number of rounds of encryption to use and the output length desired from the mechanism.
The output bytes from this mechanism are taken from the start of the final RC5 cipher block produced in the MACing process.
Constraints on key types and the length of data are summarized in the following table:
Table 10-20, General-length RC2-MAC: Key And Data Length Constraints
| Function | Key type | ||
| C_Sign | |||
| C_Verify |
RC5-MAC
RC5-MAC, denoted by CKM_RC5_MAC, is a special case of the general-length RC5-MAC mechanism (see Section). Instead of taking a CK_RC5_MAC_GENERAL_PARAMS parameter, it takes a CK_RC5_PARAMS parameter. RC5-MAC always produces and verifies MACs half as large as the RC5 blocksize.
Constraints on key types and the length of data are summarized in the following table:
Table 10-21, RC5-MAC: Key And Data Length Constraints
| Function | Key type | ||
| C_Sign | |||
| C_Verify |
General block cipher mechanism parameters
typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
General block cipher mechanisms
For brevity's sake, the mechanisms for the DES, DES3 (triple-DES), CAST, CAST3, CAST5, IDEA, and CDMF block ciphers will be described together here. Each of these ciphers has the following mechanisms, which will be described in a templatized form:
General block cipher key generation
Cipher <NAME> has a key generation mechanism, "<NAME> key generation", denoted CKM_<NAME>_KEY_GEN.
This mechanism does not have a parameter.
The mechanism contributes the CKA_CLASS, CKA_KEY_TYPE, and CKA_VALUE attributes to the new key. Other attributes supported by the key type (specifically, the flags indicating which functions the key supports) may be specified in the template for the key, or else are assigned default initial values.
When DES keys or CDMF keys are generated, their parity bits are set properly, as specified in FIPS PUB 46-2. Similarly, when a triple-DES key is generated, each of the DES keys comprising it has its parity bits set properly.
When DES or CDMF keys are generated, it is token-dependent whether or not it is possible for "weak" or "semi-weak" keys to be generated. Similarly, when triple-DES keys are generated, it is token dependent whether or not it is possible for any of the component DES keys to be "weak" or "semi-weak" keys.
When CAST, CAST3, or CAST5 keys are generated, the template for the secret key must specify a CKA_VALUE_LEN attribute.
For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure may or may not be used. The CAST, CAST3, and CAST5 ciphers have variable key sizes, and so for the the key generation mechanisms for these ciphers, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure specify the supported range of key sizes, in bytes. For the DES, DES3 (triple-DES), IDEA, and CDMF ciphers, these fields are not used.
General block cipher ECB
Cipher <NAME> has an electronic codebook mechanism, "<NAME>-ECB", denoted CKM_<NAME>_ECB. It is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping with <NAME>.
It does not have a parameter.
This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports. For wrapping, the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped, padded on the trailing end with null bytes so that the resulting length is a multiple of <NAME>'s blocksize. The output data is the same length as the padded input data. It does not wrap the key type, key length or any other information about the key; the application must convey these separately.
For unwrapping, the mechanism decrypts the wrapped key, and truncates the result according to the CKA_KEY_TYPE attribute of the template and, if it has one, and the key type supports it, the CKA_VALUE_LEN attribute of the template. The mechanism contributes the result as the CKA_VALUE attribute of the new key; other attributes required by the key type must be specified in the template.
Constraints on key types and the length of data are summarized in the following table:
Table 10-22, General block cipher ECB: Key And Data Length Constraints
| Function | Key type | Comments | ||
| C_Encrypt | no final part | |||
| C_Decrypt | no final part | |||
| C_WrapKey | ||||
| C_UnwrapKey |
General block cipher CBC
Cipher <NAME> has a cipher-block chaining mode, "<NAME>-CBC", denoted CKM_<NAME>_CBC. It is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping with <NAME>.
It has a parameter, an initialization vector for cipher block chaining mode. The initialization vector has the same length as <NAME>'s blocksize.
Constraints on key types and the length of data are summarized in the following table:
Table 10-23, General block cipher CBC: Key And Data Length Constraints
| Function | Key type | Comments | ||
| C_Encrypt | no final part | |||
| C_Decrypt | no final part | |||
| C_WrapKey | ||||
| C_UnwrapKey |
General block cipher CBC with PKCS padding
Cipher <NAME> has a cipher-block chaining mode with PKCS padding, "<NAME>-CBC with PKCS padding", denoted CKM_<NAME>_CBC_PAD. It is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping with <NAME>. All ciphertext is padded with PKCS padding.
It has a parameter, an initialization vector for cipher block chaining mode. The initialization vector has the same length as <NAME>'s blocksize.
The PKCS padding in this mechanism allows the length of the plaintext value to be recovered from the ciphertext value. Therefore, when unwrapping keys with this mechanism, no value should be specified for the CKA_VALUE_LEN attribute.
In addition to being able to wrap and unwrap secret keys, this mechanism can wrap and unwrap RSA, Diffie-Hellman, and DSA private keys (see Section for details). The entries in Table 10 -24 for data length constraints when wrapping and unwrapping keys do not apply to wrapping and unwrapping private keys.
Constraints on key types and the length of data are summarized in the following table:
Table 10-24, General block cipher CBC with PKCS padding: Key And Data Length Constraints
| Function | Key type | ||
| C_Encrypt | |||
| C_Decrypt | |||
| C_WrapKey | |||
| C_UnwrapKey |
General-length general block cipher MAC
Cipher <NAME> has a general-length MACing mode, "General-length <NAME>-MAC", denoted CKM_<NAME>_MAC_GENERAL. It is a mechanism for single- and multiple-part signatures and verification.
It has a parameter, a CK_MAC_GENERAL_PARAMS, which specifies the size of the output.
The output bytes from this mechanism are taken from the start of the final cipher block produced in the MACing process.
Constraints on key types and the length of input and output data are summarized in the following table:
Table 10-25, General-length general block cipher MAC: Key And Data Length Constraints
| Function | Key type | ||
| C_Sign | |||
| C_Verify |
General block cipher MAC
Cipher <NAME> has a MACing mechanism, "<NAME>-MAC", denoted CKM_<NAME>_MAC. This mechanism is a special case of the CKM_<NAME>_MAC_GENERAL mechanism described in SECTION_ "Section ." It always produces an output of size half as large as <NAME>'s blocksize.
This mechanism has no parameters.
Constraints on key types and the length of data are summarized in the following table:
Table 10-26, General block cipher MAC: Key And Data Length Constraints
| Function | Key type | ||
| C_Sign | |||
| C_Verify |
Double-length DES mechanisms
Double-length DES key generation
The double-length DES key generation mechanism, denoted CKM_DES2_KEY_GEN, is a key generation mechanism for double-length DES keys. The DES keys making up a double-length DES key both have their parity bits set properly, as specified in FIPS PUB 46-2.
It does not have a parameter.
The mechanism contributes the CKA_CLASS, CKA_KEY_TYPE, and CKA_VALUE attributes to the new key. Other attributes supported by the double-length DES key type (specifically, the flags indicating which functions the key supports) may be specified in the template for the key, or else are assigned default initial values.
Double-length DES keys can be used with all the same mechanisms as triple-DES keys: CKM_DES_ECB, CKM_DES_CBC, CKM_DES_CBC_PAD, CKM_DES_MAC_GENERAL, and CKM_DES_MAC (these mechanisms are described in templatized form in Section). Triple-DES encryption with a double-length DES key consists of three steps: encryption with the first DES key; decryption with the second DES key; and encryption with the first DES key.
When double-length DES keys are generated, it is token-dependent whether or not it is possible for either of the component DES keys to be "weak" or "semi-weak" keys.
SKIPJACK mechanism parameters
|
|
wordsize of RC5 cipher in bytes. |
|
|
number of rounds of RC5 encipherment. |
|
|
length of the MAC produced, in bytes. |