Cryptographic Token Interface Standard

PKCS#11


GOST 28147-89 encryption mode except ECB

GOST 28147-89 encryption mode except ECB, denoted CKM_GOST28147, is a mechanism for single- and multiple-part encryption and decryption, key wrapping, and key unwrapping, based on [GOST 28147-89] and the CFB, counter, and additional CBC modes defined in [RFC 4357] section 2. The encryption parameters are specified by the object identifier in the CKA_GOST28147_PARAMS attribute.

It has a parameter, an 8-byte initialization vector. This parameter may be omitted, in which case a zero initialization vector is used.

This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports.

For wrapping (C_WrapKey), the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped.

For unwrapping (C_UnwrapKey), the mechanism decrypts the wrapped key, and contributes the result as the CKA_VALUE attribute of the new key.

Constraints on key types and the length of data are summarized in the following table:

Table 5, GOST 28147-89 encryption modes except ECB: Key And Data Length
Function      Key type        Input length
C_Encrypt     CKK_GOST28147   Any
C_Decrypt     CKK_GOST28147   Any
C_WrapKey     CKK_GOST28147   Any
C_UnwrapKey   CKK_GOST28147   Any

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.
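
The parameter rule above (an 8-byte initialization vector, or no parameter for a zero IV) can be enforced by the caller before the mechanism reaches the token. The following is an added example, not code from the standard. The helper names, `GOST28147_IV_LEN` and the `require_iv` flag are hypothetical, and the type and constant definitions are stand-ins for `pkcs11t.h`.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the pkcs11t.h definitions so this compiles alone;
   real code includes the token vendor's pkcs11.h instead. */
typedef unsigned char CK_BYTE;
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef struct { CK_ULONG mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
#define CKR_OK                      0x00000000UL
#define CKR_ARGUMENTS_BAD           0x00000007UL
#define CKR_MECHANISM_PARAM_INVALID 0x00000071UL
#define CKM_GOST28147               0x00001222UL
#define GOST28147_IV_LEN            8UL  /* hypothetical name; length from the text */

/* Hypothetical helper: fill *mech for C_EncryptInit, C_DecryptInit, C_WrapKey
   or C_UnwrapKey. iv == NULL with iv_len == 0 means "parameter omitted"
   (the token then uses a zero IV); pass require_iv != 0 to refuse that form. */
CK_RV gost28147_make_mechanism(CK_MECHANISM *mech, CK_BYTE *iv, CK_ULONG iv_len, int require_iv)
{
    if (mech == NULL) return CKR_ARGUMENTS_BAD;
    memset(mech, 0, sizeof *mech);
    mech->mechanism = CKM_GOST28147;
    if (iv == NULL && iv_len == 0)
        return require_iv ? CKR_MECHANISM_PARAM_INVALID : CKR_OK;
    if (iv == NULL || iv_len != GOST28147_IV_LEN) return CKR_MECHANISM_PARAM_INVALID;
    mech->pParameter = iv;
    mech->ulParameterLen = iv_len;
    return CKR_OK;
}

/* Returns 1 when the mechanism selects the zero IV, either by omitting the
   parameter or by passing eight zero bytes explicitly; 0 otherwise. */
int gost28147_iv_is_zero(const CK_MECHANISM *mech)
{
    static const CK_BYTE zero[GOST28147_IV_LEN] = {0};
    if (mech->pParameter == NULL && mech->ulParameterLen == 0) return 1;
    return mech->ulParameterLen == GOST28147_IV_LEN &&
           memcmp(mech->pParameter, zero, GOST28147_IV_LEN) == 0;
}

int main(void)
{
    CK_BYTE iv[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe}; /* constructed sample */
    CK_MECHANISM m;
    CK_RV rv = gost28147_make_mechanism(&m, iv, sizeof iv, 1);
    printf("explicit IV: rv=0x%lx zero_iv=%d\n", rv, gost28147_iv_is_zero(&m));
    return 0;
}
```

The IV buffer must stay valid until the token has consumed the mechanism, because the structure stores a pointer to it rather than a copy.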


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230mechanism1