Mechanisms

Sections
RSA
DSA
Elliptic Curve
Diffie-Hellman
KEA
Wrapping/unwrapping private keys
Generic secret key
HMAC mechanisms
RC2
RC4
RC5
AES
General block cipher
Key derivation by data encryption - DES & AES
Double and Triple-length DES
SKIPJACK
BATON
JUNIPER
MD2
MD5
SHA-1
SHA-256
SHA-384
SHA-512
FASTHASH
PKCS #5 and PKCS #5-style password-based encryption (PBE)
PKCS #12 password-based encryption/authentication mechanisms
RIPE-MD
SET
LYNKS
SSL
TLS
WTLS
Miscellaneous simple key derivation mechanisms
CMS
Blowfish
Twofish

Detailed Description

A mechanism specifies precisely how a certain cryptographic process is to be performed.

The following table shows which Cryptoki mechanisms are supported by different cryptographic operations. For any particular token, of course, a particular operation may well support only a subset of the mechanisms listed. There is also no guarantee that a token which supports one mechanism for some operation supports any other mechanism for any other operation (or even supports that same mechanism for any other operation). For example, even if a token is able to create RSA digital signatures with the CKM_RSA_PKCS mechanism, it may or may not be the case that the same token can also perform RSA encryption with CKM_RSA_PKCS.

Table 34, Mechanisms vs. Functions
Functions

Mechanism Encrypt & Decrypt Sign & Verify SR & VR1 Digest Gen. Key/ Key Pair Wrap & Unwrap Derive

CKM_RSA_PKCS_KEY_PAIR_GEN X

CKM_RSA_X9_31_KEY_PAIR_GEN X

CKM_RSA_PKCS X² X² X X

CKM_RSA_PKCS_OAEP X² X

CKM_RSA_PKCS_PSS X²

CKM_RSA_9796 X² X

CKM_RSA_X_509 X² X² X X

CKM_RSA_X9_31 X²

CKM_MD2_RSA_PKCS X

CKM_MD5_RSA_PKCS X

CKM_SHA1_RSA_PKCS X

CKM_SHA256_RSA_PKCS X

CKM_SHA384_RSA_PKCS X

CKM_SHA512_RSA_PKCS X

CKM_RIPEMD128_RSA_PKCS X

CKM_RIPEMD160_RSA_PKCS X

CKM_SHA1_RSA_PKCS_PSS X

CKM_SHA256_RSA_PKCS_PSS X

CKM_SHA384_RSA_PKCS_PSS X

CKM_SHA512_RSA_PKCS_PSS X

CKM_SHA1_RSA_X9_31 X

CKM_DSA_KEY_PAIR_GEN X

CKM_DSA_PARAMETER_GEN X

CKM_DSA X²

CKM_DSA_SHA1 X

CKM_FORTEZZA_TIMESTAMP X²

CKM_EC_KEY_PAIR_GEN ( CKM_ECDSA_KEY_PAIR_GEN) X

CKM_ECDSA X²

CKM_ECDSA_SHA1 X

CKM_ECDH1_DERIVE X

CKM_ECDH1_COFACTOR_DERIVE X

CKM_ECMQV_DERIVE X

CKM_DH_PKCS_KEY_PAIR_GEN X

CKM_DH_PKCS_PARAMETER_GEN X

CKM_DH_PKCS_DERIVE X

CKM_X9_42_DH_KEY_PAIR_GEN X

CKM_X9_42_DH_PKCS_PARAMETER_GEN X

CKM_X9_42_DH_DERIVE X

CKM_X9_42_DH_HYBRID_DERIVE X

CKM_X9_42_MQV_DERIVE X

CKM_KEA_KEY_PAIR_GEN X

CKM_KEA_KEY_DERIVE X

CKM_GENERIC_SECRET_KEY_GEN X

CKM_RC2_KEY_GEN X

CKM_RC2_ECB X X

CKM_RC2_CBC X X

CKM_RC2_CBC_PAD X X

CKM_RC2_MAC_GENERAL X

CKM_RC2_MAC X

CKM_RC4_KEY_GEN X

CKM_RC4 X

CKM_RC5_KEY_GEN X

CKM_RC5_ECB X X

CKM_RC5_CBC X X

CKM_RC5_CBC_PAD X X

CKM_RC5_MAC_GENERAL X

CKM_RC5_MAC X

CKM_AES_KEY_GEN X

CKM_AES_ECB X X

CKM_AES_CBC X X

CKM_AES_CBC_PAD X X

CKM_AES_MAC_GENERAL X

CKM_AES_MAC X

CKM_DES_KEY_GEN X

CKM_DES_ECB X X

CKM_DES_CBC X X

CKM_DES_CBC_PAD X X

CKM_DES_MAC_GENERAL X

CKM_DES_MAC X

CKM_DES2_KEY_GEN X

CKM_DES3_KEY_GEN X

CKM_DES3_ECB X X

CKM_DES3_CBC X X

CKM_DES3_CBC_PAD X X

CKM_DES3_MAC_GENERAL X

CKM_DES3_MAC X

CKM_CAST_KEY_GEN X

CKM_CAST_ECB X X

CKM_CAST_CBC X X

CKM_CAST_CBC_PAD X X

CKM_CAST_MAC_GENERAL X

CKM_CAST_MAC X

CKM_CAST3_KEY_GEN X

CKM_CAST3_ECB X X

CKM_CAST3_CBC X X

CKM_CAST3_CBC_PAD X X

CKM_CAST3_MAC_GENERAL X

CKM_CAST3_MAC X

CKM_CAST128_KEY_GEN ( CKM_CAST5_KEY_GEN) X

CKM_CAST128_ECB ( CKM_CAST5_ECB) X X

CKM_CAST128_CBC ( CKM_CAST5_CBC) X X

CKM_CAST128_CBC_PAD ( CKM_CAST5_CBC_PAD) X X

CKM_CAST128_MAC_GENERAL ( CKM_CAST5_MAC_GENERAL) X

CKM_CAST128_MAC ( CKM_CAST5_MAC) X

CKM_IDEA_KEY_GEN X

CKM_IDEA_ECB X X

CKM_IDEA_CBC X X

CKM_IDEA_CBC_PAD X X

CKM_IDEA_MAC_GENERAL X

CKM_IDEA_MAC X

CKM_CDMF_KEY_GEN X

CKM_CDMF_ECB X X

CKM_CDMF_CBC X X

CKM_CDMF_CBC_PAD X X

CKM_CDMF_MAC_GENERAL X

CKM_CDMF_MAC X

CKM_DES_ECB_ENCRYPT_DATA X

CKM_DES_CBC_ENCRYPT_DATA X

CKM_DES3_ECB_ENCRYPT_DATA X

CKM_DES3_CBC_ENCRYPT_DATA X

CKM_AES_ECB_ENCRYPT_DATA X

CKM_AES_CBC_ENCRYPT_DATA X

CKM_SKIPJACK_KEY_GEN X

CKM_SKIPJACK_ECB64 X

CKM_SKIPJACK_CBC64 X

CKM_SKIPJACK_OFB64 X

CKM_SKIPJACK_CFB64 X

CKM_SKIPJACK_CFB32 X

CKM_SKIPJACK_CFB16 X

CKM_SKIPJACK_CFB8 X

CKM_SKIPJACK_WRAP X

CKM_SKIPJACK_PRIVATE_WRAP X

CKM_SKIPJACK_RELAYX X³

CKM_BATON_KEY_GEN X

CKM_BATON_ECB128 X

CKM_BATON_ECB96 X

CKM_BATON_CBC128 X

CKM_BATON_COUNTER X

CKM_BATON_SHUFFLE X

CKM_BATON_WRAP X

CKM_JUNIPER_KEY_GEN X

CKM_JUNIPER_ECB128 X

CKM_JUNIPER_CBC128 X

CKM_JUNIPER_COUNTER X

CKM_JUNIPER_SHUFFLE X

CKM_JUNIPER_WRAP X

CKM_MD2 X

CKM_MD2_HMAC_GENERAL X

CKM_MD2_HMAC X

CKM_MD2_KEY_DERIVATION X

CKM_MD5 X

CKM_MD5_HMAC_GENERAL X

CKM_MD5_HMAC X

CKM_MD5_KEY_DERIVATION X

CKM_SHA_1 X

CKM_SHA_1_HMAC_GENERAL X

CKM_SHA_1_HMAC X

CKM_SHA1_KEY_DERIVATION X

CKM_SHA256 X

CKM_SHA256_HMAC_GENERAL X

CKM_SHA256_HMAC X

CKM_SHA256_KEY_DERIVATION X

CKM_SHA384 X

CKM_SHA384_HMAC_GENERAL X

CKM_SHA384_HMAC X

CKM_SHA384_KEY_DERIVATION X

CKM_SHA512 X

CKM_SHA512_HMAC_GENERAL X

CKM_SHA512_HMAC X

CKM_SHA512_KEY_DERIVATION X

CKM_RIPEMD128 X

CKM_RIPEMD128_HMAC_GENERAL X

CKM_RIPEMD128_HMAC X

CKM_RIPEMD160 X

CKM_RIPEMD160_HMAC_GENERAL X

CKM_RIPEMD160_HMAC X

CKM_FASTHASH X

CKM_PBE_MD2_DES_CBC X

CKM_PBE_MD5_DES_CBC X

CKM_PBE_MD5_CAST_CBC X

CKM_PBE_MD5_CAST3_CBC X

CKM_PBE_MD5_CAST128_CBC ( CKM_PBE_MD5_CAST5_CBC) X

CKM_PBE_SHA1_CAST128_CBC ( CKM_PBE_SHA1_CAST5_CBC) X

CKM_PBE_SHA1_RC4_128 X

CKM_PBE_SHA1_RC4_40 X

CKM_PBE_SHA1_DES3_EDE_CBC X

CKM_PBE_SHA1_DES2_EDE_CBC X

CKM_PBE_SHA1_RC2_128_CBC X

CKM_PBE_SHA1_RC2_40_CBC X

CKM_PBA_SHA1_WITH_SHA1_HMAC X

CKM_PKCS5_PBKD2 X

CKM_KEY_WRAP_SET_OAEP X

CKM_KEY_WRAP_LYNKS X

CKM_SSL3_PRE_MASTER_KEY_GEN X

CKM_SSL3_MASTER_KEY_DERIVE X

CKM_SSL3_MASTER_KEY_DERIVE_DH X

CKM_SSL3_KEY_AND_MAC_DERIVE X

CKM_SSL3_MD5_MAC X

CKM_SSL3_SHA1_MAC X

CKM_TLS_PRE_MASTER_KEY_GEN X

CKM_TLS_MASTER_KEY_DERIVE X

CKM_TLS_MASTER_KEY_DERIVE_DH X

CKM_TLS_KEY_AND_MAC_DERIVE X

CKM_TLS_PRF X

CKM_WTLS_PRE_MASTER_KEY_GEN X

CKM_WTLS_MASTER_KEY_DERIVE X

CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC X

CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE X

CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE X

CKM_WTLS_PRF X

CKM_CMS_SIG X X

CKM_CONCATENATE_BASE_AND_KEY X

CKM_CONCATENATE_BASE_AND_DATA X

CKM_CONCATENATE_DATA_AND_BASE X

CKM_XOR_BASE_AND_DATA X

CKM_EXTRACT_KEY_FROM_KEY X

¹ SR = SignRecover, VR = VerifyRecover.

² Single-part operations only.

³ Mechanism can only be used for wrapping, not unwrapping.

The remainder of this section will present in detail the mechanisms supported by Cryptoki and the parameters which are supplied to them.

In general, if a mechanism makes no mention of the ulMinKeyLen and ulMaxKeyLen fields of the CK_MECHANISM_INFO structure, then those fields have no meaning for that particular mechanism.

RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v220

	Functions
Mechanism	Encrypt & Decrypt	Sign & Verify	SR & VR1	Digest	Gen. Key/ Key Pair	Wrap & Unwrap	Derive
CKM_RSA_PKCS_KEY_PAIR_GEN					X
CKM_RSA_X9_31_KEY_PAIR_GEN					X
CKM_RSA_PKCS	X²	X²	X			X
CKM_RSA_PKCS_OAEP	X²					X
CKM_RSA_PKCS_PSS		X²
CKM_RSA_9796		X²	X
CKM_RSA_X_509	X²	X²	X			X
CKM_RSA_X9_31		X²
CKM_MD2_RSA_PKCS		X
CKM_MD5_RSA_PKCS		X
CKM_SHA1_RSA_PKCS		X
CKM_SHA256_RSA_PKCS		X
CKM_SHA384_RSA_PKCS		X
CKM_SHA512_RSA_PKCS		X
CKM_RIPEMD128_RSA_PKCS		X
CKM_RIPEMD160_RSA_PKCS		X
CKM_SHA1_RSA_PKCS_PSS		X
CKM_SHA256_RSA_PKCS_PSS		X
CKM_SHA384_RSA_PKCS_PSS		X
CKM_SHA512_RSA_PKCS_PSS		X
CKM_SHA1_RSA_X9_31		X
CKM_DSA_KEY_PAIR_GEN					X
CKM_DSA_PARAMETER_GEN					X
CKM_DSA		X²
CKM_DSA_SHA1		X
CKM_FORTEZZA_TIMESTAMP		X²
CKM_EC_KEY_PAIR_GEN ( CKM_ECDSA_KEY_PAIR_GEN)					X
CKM_ECDSA		X²
CKM_ECDSA_SHA1		X
CKM_ECDH1_DERIVE							X
CKM_ECDH1_COFACTOR_DERIVE							X
CKM_ECMQV_DERIVE							X
CKM_DH_PKCS_KEY_PAIR_GEN					X
CKM_DH_PKCS_PARAMETER_GEN					X
CKM_DH_PKCS_DERIVE							X
CKM_X9_42_DH_KEY_PAIR_GEN					X
CKM_X9_42_DH_PKCS_PARAMETER_GEN					X
CKM_X9_42_DH_DERIVE							X
CKM_X9_42_DH_HYBRID_DERIVE							X
CKM_X9_42_MQV_DERIVE							X
CKM_KEA_KEY_PAIR_GEN					X
CKM_KEA_KEY_DERIVE							X
CKM_GENERIC_SECRET_KEY_GEN					X
CKM_RC2_KEY_GEN					X
CKM_RC2_ECB	X					X
CKM_RC2_CBC	X					X
CKM_RC2_CBC_PAD	X					X
CKM_RC2_MAC_GENERAL		X
CKM_RC2_MAC		X
CKM_RC4_KEY_GEN					X
CKM_RC4	X
CKM_RC5_KEY_GEN					X
CKM_RC5_ECB	X					X
CKM_RC5_CBC	X					X
CKM_RC5_CBC_PAD	X					X
CKM_RC5_MAC_GENERAL		X
CKM_RC5_MAC		X
CKM_AES_KEY_GEN					X
CKM_AES_ECB	X					X
CKM_AES_CBC	X					X
CKM_AES_CBC_PAD	X					X
CKM_AES_MAC_GENERAL		X
CKM_AES_MAC		X
CKM_DES_KEY_GEN					X
CKM_DES_ECB	X					X
CKM_DES_CBC	X					X
CKM_DES_CBC_PAD	X					X
CKM_DES_MAC_GENERAL		X
CKM_DES_MAC		X
CKM_DES2_KEY_GEN					X
CKM_DES3_KEY_GEN					X
CKM_DES3_ECB	X					X
CKM_DES3_CBC	X					X
CKM_DES3_CBC_PAD	X					X
CKM_DES3_MAC_GENERAL		X
CKM_DES3_MAC		X
CKM_CAST_KEY_GEN					X
CKM_CAST_ECB	X					X
CKM_CAST_CBC	X					X
CKM_CAST_CBC_PAD	X					X
CKM_CAST_MAC_GENERAL		X
CKM_CAST_MAC		X
CKM_CAST3_KEY_GEN					X
CKM_CAST3_ECB	X					X
CKM_CAST3_CBC	X					X
CKM_CAST3_CBC_PAD	X					X
CKM_CAST3_MAC_GENERAL		X
CKM_CAST3_MAC		X
CKM_CAST128_KEY_GEN ( CKM_CAST5_KEY_GEN)					X
CKM_CAST128_ECB ( CKM_CAST5_ECB)	X					X
CKM_CAST128_CBC ( CKM_CAST5_CBC)	X					X
CKM_CAST128_CBC_PAD ( CKM_CAST5_CBC_PAD)	X					X
CKM_CAST128_MAC_GENERAL ( CKM_CAST5_MAC_GENERAL)		X
CKM_CAST128_MAC ( CKM_CAST5_MAC)		X
CKM_IDEA_KEY_GEN					X
CKM_IDEA_ECB	X					X
CKM_IDEA_CBC	X					X
CKM_IDEA_CBC_PAD	X					X
CKM_IDEA_MAC_GENERAL		X
CKM_IDEA_MAC		X
CKM_CDMF_KEY_GEN					X
CKM_CDMF_ECB	X					X
CKM_CDMF_CBC	X					X
CKM_CDMF_CBC_PAD	X					X
CKM_CDMF_MAC_GENERAL		X
CKM_CDMF_MAC		X
CKM_DES_ECB_ENCRYPT_DATA							X
CKM_DES_CBC_ENCRYPT_DATA							X
CKM_DES3_ECB_ENCRYPT_DATA							X
CKM_DES3_CBC_ENCRYPT_DATA							X
CKM_AES_ECB_ENCRYPT_DATA							X
CKM_AES_CBC_ENCRYPT_DATA							X
CKM_SKIPJACK_KEY_GEN					X
CKM_SKIPJACK_ECB64	X
CKM_SKIPJACK_CBC64	X
CKM_SKIPJACK_OFB64	X
CKM_SKIPJACK_CFB64	X
CKM_SKIPJACK_CFB32	X
CKM_SKIPJACK_CFB16	X
CKM_SKIPJACK_CFB8	X
CKM_SKIPJACK_WRAP						X
CKM_SKIPJACK_PRIVATE_WRAP						X
CKM_SKIPJACK_RELAYX						X³
CKM_BATON_KEY_GEN					X
CKM_BATON_ECB128	X
CKM_BATON_ECB96	X
CKM_BATON_CBC128	X
CKM_BATON_COUNTER	X
CKM_BATON_SHUFFLE	X
CKM_BATON_WRAP						X
CKM_JUNIPER_KEY_GEN					X
CKM_JUNIPER_ECB128	X
CKM_JUNIPER_CBC128	X
CKM_JUNIPER_COUNTER	X
CKM_JUNIPER_SHUFFLE	X
CKM_JUNIPER_WRAP						X
CKM_MD2				X
CKM_MD2_HMAC_GENERAL		X
CKM_MD2_HMAC		X
CKM_MD2_KEY_DERIVATION							X
CKM_MD5				X
CKM_MD5_HMAC_GENERAL		X
CKM_MD5_HMAC		X
CKM_MD5_KEY_DERIVATION							X
CKM_SHA_1				X
CKM_SHA_1_HMAC_GENERAL		X
CKM_SHA_1_HMAC		X
CKM_SHA1_KEY_DERIVATION							X
CKM_SHA256				X
CKM_SHA256_HMAC_GENERAL		X
CKM_SHA256_HMAC		X
CKM_SHA256_KEY_DERIVATION							X
CKM_SHA384				X
CKM_SHA384_HMAC_GENERAL		X
CKM_SHA384_HMAC		X
CKM_SHA384_KEY_DERIVATION							X
CKM_SHA512				X
CKM_SHA512_HMAC_GENERAL		X
CKM_SHA512_HMAC		X
CKM_SHA512_KEY_DERIVATION							X
CKM_RIPEMD128				X
CKM_RIPEMD128_HMAC_GENERAL		X
CKM_RIPEMD128_HMAC		X
CKM_RIPEMD160				X
CKM_RIPEMD160_HMAC_GENERAL		X
CKM_RIPEMD160_HMAC		X
CKM_FASTHASH				X
CKM_PBE_MD2_DES_CBC					X
CKM_PBE_MD5_DES_CBC					X
CKM_PBE_MD5_CAST_CBC					X
CKM_PBE_MD5_CAST3_CBC					X
CKM_PBE_MD5_CAST128_CBC ( CKM_PBE_MD5_CAST5_CBC)					X
CKM_PBE_SHA1_CAST128_CBC ( CKM_PBE_SHA1_CAST5_CBC)					X
CKM_PBE_SHA1_RC4_128					X
CKM_PBE_SHA1_RC4_40					X
CKM_PBE_SHA1_DES3_EDE_CBC					X
CKM_PBE_SHA1_DES2_EDE_CBC					X
CKM_PBE_SHA1_RC2_128_CBC					X
CKM_PBE_SHA1_RC2_40_CBC					X
CKM_PBA_SHA1_WITH_SHA1_HMAC					X
CKM_PKCS5_PBKD2					X
CKM_KEY_WRAP_SET_OAEP						X
CKM_KEY_WRAP_LYNKS						X
CKM_SSL3_PRE_MASTER_KEY_GEN					X
CKM_SSL3_MASTER_KEY_DERIVE							X
CKM_SSL3_MASTER_KEY_DERIVE_DH							X
CKM_SSL3_KEY_AND_MAC_DERIVE							X
CKM_SSL3_MD5_MAC		X
CKM_SSL3_SHA1_MAC		X
CKM_TLS_PRE_MASTER_KEY_GEN					X
CKM_TLS_MASTER_KEY_DERIVE							X
CKM_TLS_MASTER_KEY_DERIVE_DH							X
CKM_TLS_KEY_AND_MAC_DERIVE							X
CKM_TLS_PRF							X
CKM_WTLS_PRE_MASTER_KEY_GEN					X
CKM_WTLS_MASTER_KEY_DERIVE							X
CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC							X
CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE							X
CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE							X
CKM_WTLS_PRF							X
CKM_CMS_SIG		X	X
CKM_CONCATENATE_BASE_AND_KEY							X
CKM_CONCATENATE_BASE_AND_DATA							X
CKM_CONCATENATE_DATA_AND_BASE							X
CKM_XOR_BASE_AND_DATA							X
CKM_EXTRACT_KEY_FROM_KEY							X

Mechanisms

Sections

Detailed Description