Cryptographic Token Interface Standard

PKCS#11


GOST 28147-89-ECB

GOST 28147-89-ECB, denoted CKM_GOST28147_ECB, is a mechanism for single and multiple-part encryption and decryption; key wrapping; and key unwrapping, based on GOST 28147-89 and electronic codebook mode.

It does not have a parameter.

This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports.

For wrapping (C_WrapKey), the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped, padded on the trailing end with up to block size so that the resulting length is a multiple of the block size.

For unwrapping (C_UnwrapKey), the mechanism decrypts the wrapped key and truncates the result according to the CKA_KEY_TYPE attribute of the template and, if the template has one and the key type supports it, the CKA_VALUE_LEN attribute of the template. The mechanism contributes the result as the CKA_VALUE attribute of the new key.
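The length handling of the two paragraphs above, modelled as an added example (not part of the standard, and not a PKCS#11 binding): it performs no encryption and only shows what is padded before wrapping and what is truncated after unwrapping. The zero pad byte, the function names and the key-type length table are assumptions of this example.

```python
# Added example: models only the length handling of CKM_GOST28147_ECB
# wrap/unwrap described above; no encryption is performed.
BLOCK_SIZE = 8  # GOST 28147-89 operates on 64-bit blocks

# Fixed CKA_VALUE lengths in bytes; None marks a variable-length key type
# that needs CKA_VALUE_LEN in the unwrap template.
KEY_TYPE_LEN = {
    "CKK_GOST28147": 32,
    "CKK_DES3": 24,
    "CKK_GENERIC_SECRET": None,
}


def pad_for_wrap(key_value: bytes, pad_byte: bytes = b"\x00") -> bytes:
    """Pad CKA_VALUE on the trailing end to a multiple of the block size.

    The zero pad byte is an assumption; the text does not name it.
    """
    shortfall = -len(key_value) % BLOCK_SIZE
    return key_value + pad_byte * shortfall


def truncate_after_unwrap(decrypted: bytes, key_type: str, value_len=None) -> bytes:
    """Apply the truncation C_UnwrapKey performs on the decrypted blob."""
    if not decrypted or len(decrypted) % BLOCK_SIZE:
        raise ValueError("wrapped key must be a non-empty multiple of the block size")
    fixed = KEY_TYPE_LEN[key_type]
    if fixed is not None:
        want = fixed          # length dictated by CKA_KEY_TYPE
    elif value_len is not None:
        want = value_len      # length dictated by CKA_VALUE_LEN
    else:
        raise ValueError(f"{key_type} needs CKA_VALUE_LEN in the template")
    if want > len(decrypted):
        raise ValueError("wrapped blob is shorter than the requested key")
    return decrypted[:want]


if __name__ == "__main__":
    secret = bytes(range(1, 21))           # constructed 20-byte generic secret
    padded = pad_for_wrap(secret)          # 24 bytes go into the ECB encryption
    recovered = truncate_after_unwrap(padded, "CKK_GENERIC_SECRET", 20)
    print(len(padded), recovered == secret)
```

In this model a template that asks for 24 bytes instead of 20 is accepted and the pad bytes become key material, because truncation is the only processing applied after decryption.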

Constraints on key types and the length of data are summarized in the following table:

Table 4, GOST 28147-89-ECB: Key And Data Length
| Function    | Key type      | Input length           | Output length                                     |
|-------------|---------------|------------------------|---------------------------------------------------|
| C_Encrypt   | CKK_GOST28147 | Multiple of block size | Same as input length                              |
| C_Decrypt   | CKK_GOST28147 | Multiple of block size | Same as input length                              |
| C_WrapKey   | CKK_GOST28147 | Any                    | Input length rounded up to multiple of block size |
| C_UnwrapKey | CKK_GOST28147 | Multiple of block size | Determined by type of key being unwrapped         |

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230mechanism1