KEA key derivation

The KEA key derivation mechanism, denoted CKM_KEA_DERIVE, is a mechanism for key derivation based on KEA, the Key Exchange Algorithm, as defined by NIST's "SKIPJACK and KEA Algorithm Specification Version 2.0", 29 May 1998.

It has a parameter, a CK_KEA_DERIVE_PARAMS structure.

This mechanism derives a secret value, and truncates the result according to the CKA_KEY_TYPE attribute of the template and, if it has one and the key type supports it, the CKA_VALUE_LEN attribute of the template. (The truncation removes bytes from the leading end of the secret value.) The mechanism contributes the result as the CKA_VALUE attribute of the new key; other attributes required by the key type must be specified in the template.

As defined in the Specification, KEA can be used in two different operational modes: full mode and e-mail mode. Full mode is a two-phase key derivation sequence that requires real-time parameter exchange between two parties. E-mail mode is a one-phase key derivation sequence that does not require real-time parameter exchange. By convention, e-mail mode is designated by use of a fixed value of one (1) for the KEA parameter R_b (pRandomB).

The operation of this mechanism depends on two of the values in the supplied CK_KEA_DERIVE_PARAMS structure, as detailed in the table below. Note that, in all cases, the data buffers pointed to by the parameter structure fields pRandomA and pRandomB must be allocated by the caller prior to invoking C_DeriveKey. Also, the values pointed to by pRandomA and pRandomB are represented as Cryptoki "Big integer" data (i.e., a sequence of bytes, most-significant byte first).

Table 69, KEA Parameter Values and Operations
Value of boolean isSender Value of big integer pRandomB Token Action(after checking parameter and template values)

CK_TRUE 0 Compute KEA R_a value, store it in pRandomA, return CKR_OK. No derived key object is created.

CK_TRUE 1 Compute KEA R_a value, store it in pRandomA, derive key value using e-mail mode, create key object, return CKR_OK.

CK_TRUE >1 Compute KEA R_a value, store it in pRandomA, derive key value using full mode, create key object, return CKR_OK.

CK_FALSE 0 Compute KEA R_b value, store it in pRandomB, return CKR_OK. No derived key object is created.

CK_FALSE 1 Derive key value using e-mail mode, create key object, return CKR_OK.

CK_FALSE >1 Derive key value using full mode, create key object, return CKR_OK.

Note that the parameter value pRandomB == 0 is a flag that the KEA mechanism is being invoked to compute the party's public random value (R_a or R_b, for sender or recipient, respectively), not to derive a key. In these cases, any object template supplied as the C_DeriveKey pTemplate argument should be ignored.

This mechanism has the following rules about key sensitivity and extractability

^{Note that the rules regarding the CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, and CKA_NEVER_EXTRACTABLE attributes have changed in version 2.11 to match the policy used by other key derivation mechanisms such as CKM_SSL3_MASTER_KEY_DERIVE.}

The CKA_SENSITIVE and CKA_EXTRACTABLE attributes in the template for the new key can both be specified to be either CK_TRUE or CK_FALSE. If omitted, these attributes each take on some default value.
If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE, then the derived key will as well. If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_TRUE, then the derived key has its CKA_ALWAYS_SENSITIVE attribute set to the same value as its CKA_SENSITIVE attribute.
Similarly, if the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_FALSE, then the derived key will, too. If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_TRUE, then the derived key has its CKA_NEVER_EXTRACTABLE attribute set to the opposite value from its CKA_EXTRACTABLE attribute. For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure specify the supported range of KEA prime sizes, in bits.

RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v220

Value of boolean isSender	Value of big integer pRandomB	Token Action(after checking parameter and template values)
CK_TRUE	0	Compute KEA R_a value, store it in pRandomA, return CKR_OK. No derived key object is created.
CK_TRUE	1	Compute KEA R_a value, store it in pRandomA, derive key value using e-mail mode, create key object, return CKR_OK.
CK_TRUE	>1	Compute KEA R_a value, store it in pRandomA, derive key value using full mode, create key object, return CKR_OK.
CK_FALSE	0	Compute KEA R_b value, store it in pRandomB, return CKR_OK. No derived key object is created.
CK_FALSE	1	Derive key value using e-mail mode, create key object, return CKR_OK.
CK_FALSE	>1	Derive key value using full mode, create key object, return CKR_OK.