Cryptoki: a cryptographic Token Interface
pkcs11-base-v2.40-cos01

9.8. Secret key objects


Secret key objects (object class CKO_SECRET_KEY) hold secret keys. This version of Cryptoki recognizes the following types of secret key: generic, RC2, RC4, RC5, DES, DES2, DES3, CAST, CAST3, CAST128 (also known as CAST5), IDEA, CDMF, SKIPJACK, BATON, and JUNIPER. The following table defines the attributes common to all secret keys, in addition to the common attributes listed in Table 14 and Table 19:
Table 32, Common Secret Key Attributes

Attribute                        Data type   Meaning
-------------------------------  ----------  -------------------------------------------------------------------------
CKA_SENSITIVE [8] (see below)    CK_BBOOL    TRUE if object is sensitive (default FALSE)
CKA_ENCRYPT [8]                  CK_BBOOL    TRUE if key supports encryption [9]
CKA_DECRYPT [8]                  CK_BBOOL    TRUE if key supports decryption [9]
CKA_SIGN [8]                     CK_BBOOL    TRUE if key supports signatures (i.e., authentication codes) where the signature is an appendix to the data [9]
CKA_VERIFY [8]                   CK_BBOOL    TRUE if key supports verification (i.e., of authentication codes) where the signature is an appendix to the data [9]
CKA_WRAP [8]                     CK_BBOOL    TRUE if key supports wrapping (i.e., can be used to wrap other keys) [9]
CKA_UNWRAP [8]                   CK_BBOOL    TRUE if key supports unwrapping (i.e., can be used to unwrap other keys) [9]
CKA_EXTRACTABLE [8] (see below)  CK_BBOOL    TRUE if key is extractable [9]
CKA_ALWAYS_SENSITIVE [2,4,6]     CK_BBOOL    TRUE if key has always had the CKA_SENSITIVE attribute set to TRUE
CKA_NEVER_EXTRACTABLE [2,4,6]    CK_BBOOL    TRUE if key has never had the CKA_EXTRACTABLE attribute set to TRUE

The bracketed numbers are the specification's common footnotes for object attribute tables, defined earlier in the document.

After an object is created, the CKA_SENSITIVE attribute may be changed, but only to the value TRUE. Similarly, after an object is created, the CKA_EXTRACTABLE attribute may be changed, but only to the value FALSE. Attempts to make other changes to the values of these attributes should return the error code CKR_ATTRIBUTE_READ_ONLY.


If the CKA_SENSITIVE attribute is TRUE, or if the CKA_EXTRACTABLE attribute is FALSE, then certain attributes of the secret key cannot be revealed in plaintext outside the token. Which attributes these are is specified for each type of secret key in the attribute table in the section describing that type of key.
If the CKA_EXTRACTABLE attribute is FALSE, then the key cannot be wrapped.
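The rules above amount to a small state machine on two flags plus two history bits, and it is worth seeing them enforced end to end: a C_SetAttributeValue that only moves CKA_SENSITIVE towards TRUE and CKA_EXTRACTABLE towards FALSE, a C_GetAttributeValue that refuses to hand out CKA_VALUE once either protection is on, a C_WrapKey that refuses a non-extractable key, and an inventory audit that lists which keys on a token can still leave it in plaintext. The Python below is an added illustration written for this page; it is a model of the specification's rules, not code from the specification or from any Cryptoki library. It assumes a token whose CKA_EXTRACTABLE default is TRUE (the spec leaves that default token-specific), uses the standard CKR_* values from pkcs11t.h, stands in a SHAKE-derived mask for a real wrapping mechanism such as CKM_AES_KEY_WRAP, and the audit() helper is hypothetical.

```python
import hashlib

# Standard Cryptoki return codes (numeric values as defined in pkcs11t.h).
CKR_OK = 0x00
CKR_ATTRIBUTE_READ_ONLY = 0x10
CKR_ATTRIBUTE_SENSITIVE = 0x11
CKR_KEY_FUNCTION_NOT_PERMITTED = 0x68
CKR_KEY_UNEXTRACTABLE = 0x6A


class CryptokiError(Exception):
    """Carries the CK_RV that the corresponding C_* call would return."""
    def __init__(self, rv):
        super().__init__(f"CK_RV 0x{rv:02X}")
        self.rv = rv


# Attributes a sensitive or non-extractable key must not reveal. The spec lists
# them per key type; CKA_VALUE is the one every secret key type withholds.
HIDDEN_WHEN_PROTECTED = frozenset({"CKA_VALUE"})
# Attributes no C_SetAttributeValue call may change (class, material, history bits).
TOKEN_MANAGED = frozenset({"CKA_CLASS", "CKA_VALUE", "CKA_ALWAYS_SENSITIVE", "CKA_NEVER_EXTRACTABLE"})


class SecretKey:
    """One CKO_SECRET_KEY object carrying the Table 32 attributes (constructed model)."""

    def __init__(self, label, value, sensitive=False, extractable=True, **usage):
        # CKA_SENSITIVE defaults to FALSE per the spec; CKA_EXTRACTABLE=TRUE is an
        # assumed token default, since the spec leaves it token-specific.
        self.attrs = {
            "CKA_CLASS": "CKO_SECRET_KEY", "CKA_LABEL": label, "CKA_VALUE": bytes(value),
            "CKA_SENSITIVE": bool(sensitive), "CKA_EXTRACTABLE": bool(extractable),
            "CKA_ENCRYPT": False, "CKA_DECRYPT": False, "CKA_SIGN": False,
            "CKA_VERIFY": False, "CKA_WRAP": False, "CKA_UNWRAP": False,
        }
        self.attrs.update(usage)
        # History bits are derived by the token from the creation-time state and are
        # never supplied by the caller.
        self.attrs["CKA_ALWAYS_SENSITIVE"] = self.attrs["CKA_SENSITIVE"]
        self.attrs["CKA_NEVER_EXTRACTABLE"] = not self.attrs["CKA_EXTRACTABLE"]

    def is_protected(self):
        return self.attrs["CKA_SENSITIVE"] or not self.attrs["CKA_EXTRACTABLE"]

    def set_attribute(self, name, value):
        """C_SetAttributeValue: the two security flags only ever tighten."""
        if name in TOKEN_MANAGED:
            raise CryptokiError(CKR_ATTRIBUTE_READ_ONLY)
        if name == "CKA_SENSITIVE" and value is not True:
            raise CryptokiError(CKR_ATTRIBUTE_READ_ONLY)
        if name == "CKA_EXTRACTABLE" and value is not False:
            raise CryptokiError(CKR_ATTRIBUTE_READ_ONLY)
        self.attrs[name] = value
        return CKR_OK

    def get_attribute(self, name):
        """C_GetAttributeValue: plaintext key material stays inside the token."""
        if name in HIDDEN_WHEN_PROTECTED and self.is_protected():
            raise CryptokiError(CKR_ATTRIBUTE_SENSITIVE)
        return self.attrs[name]

    def wrap_with(self, wrapping_key, nonce):
        """C_WrapKey gate: target must be extractable, wrapping key must have CKA_WRAP.
        The SHAKE mask is a stand-in for a real mechanism such as CKM_AES_KEY_WRAP."""
        if not self.attrs["CKA_EXTRACTABLE"]:
            raise CryptokiError(CKR_KEY_UNEXTRACTABLE)
        if not wrapping_key.attrs["CKA_WRAP"]:
            raise CryptokiError(CKR_KEY_FUNCTION_NOT_PERMITTED)
        material = self.attrs["CKA_VALUE"]
        stream = hashlib.shake_256(wrapping_key.attrs["CKA_VALUE"] + nonce).digest(len(material))
        return bytes(a ^ b for a, b in zip(material, stream))


def rv(call, *args):
    """Run a model call and return the CK_RV a Cryptoki caller would see."""
    try:
        call(*args)
        return CKR_OK
    except CryptokiError as e:
        return e.rv


def audit(keys):
    """Per key, the plaintext-export paths still open; what a token key review checks."""
    findings = {}
    for k in keys:
        a, issues = k.attrs, []
        if not k.is_protected():
            issues.append("CKA_VALUE readable via C_GetAttributeValue")
        if a["CKA_EXTRACTABLE"]:
            issues.append("exportable via C_WrapKey")
        if a["CKA_SENSITIVE"] and not a["CKA_ALWAYS_SENSITIVE"]:
            issues.append("was non-sensitive earlier in its life")
        if not a["CKA_EXTRACTABLE"] and not a["CKA_NEVER_EXTRACTABLE"]:
            issues.append("was extractable earlier in its life")
        findings[a["CKA_LABEL"]] = issues
    return findings
```

The history bits are the part practitioners most often overlook: a key that is sensitive and non-extractable today but reports CKA_ALWAYS_SENSITIVE=FALSE or CKA_NEVER_EXTRACTABLE=FALSE may already have been read or wrapped out before the flags were tightened, so a review should treat those keys as potentially exposed rather than as protected.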
