12
Crypto-J Cryptographic Toolkit
RSA BSAFE Crypto-J 4.1 Security Policy
2.5 Cryptographic Key Management
2.5.1 Key Generation
The Crypto-J toolkit supports the generation of the DSA, RSA, and Diffie-Hellman
(DH) and ECC public and private keys. The toolkit also employs a Federal
Information Processing Standard 186-2, Digital Signature Standard (FIPS 186-2)
Approved Random Number Generator, a FIPS Approved HMAC Deterministic
Random Bit Generator (HMAC DRBG SP800-90), as well as a FIPS Approved Dual
Elliptic Curve Deterministic Random Bit Generator (ECDRBG SP 800-90) for
generating asymmetric and symmetric keys used in algorithms such as AES,
Triple-DES, RSA, DSA, DH and ECC.
2.5.2 Key Protection
All key data resides in internally allocated data structures and can only be output using
the Crypto-J API. The operating system and the Java Runtime Environment (JRE)
safeguards memory and process space from unauthorized access.
2.5.3 Key Access
An authorized operator of the module has access to all key data created during
Crypto-J operation.
Note:
The User and Officer roles have equal and complete access to all keys.
The following table lists the different services provided by the toolkit with the type of
access to keys or CSPs.
Table 2
Key and CSP Access
Service
Key or CSP
Type of Access
Encryption and decryption
Symmetric keys (AES, Triple-DES)
Read/Execute
Digital signature and
verification
Asymmetric keys (DSA, RSA, ECDSA)
Read/Execute
Hashing
None
N/A
MAC
HMAC keys
Read/Execute
Random number generation
FIPS 186-2 seed and key
X931Random seed and number of streams
HMAC DRBG entropy, strength, and seed
EC DRBG entropy, strength, and seed
Read/Write/Execute
Key establishment primitives
Asymmetric keys (RSA, DH, ECDH)
Read/Execute