Cryptographic Token Interface Standard

PKCS#11


Mechanisms


Sections

RSA
DSA
Elliptic Curve
Diffie-Hellman
Wrapping/unwrapping private keys
Generic secret key
HMAC mechanisms
AES
AES with Counter
AES CBC with Cipher Text Stealing CTS
Additional AES Mechanisms
AES CMAC
AES Key Wrap
Key derivation by data encryption - DES & AES
Double and Triple-length DES
Double and Triple-length DES CMAC
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
PKCS #5 and PKCS #5-style password-based encryption (PBE)
PKCS #12 password-based encryption/authentication mechanisms
SSL
TLS
WTLS
Miscellaneous simple key derivation mechanisms
CMS
Blowfish
Twofish
CAMELLIA
Key derivation by data encryption - Camellia
ARIA
Key derivation by data encryption - ARIA
SEED
Key derivation by data encryption - SEED
OTP
CT-KIP
GOST
GOST 28147-89
GOST R 34.10-2001

Detailed Description

A mechanism specifies precisely how a certain cryptographic process is to be performed.

The following table shows which Cryptoki mechanisms are supported by different cryptographic operations. For any particular token, of course, a particular operation may well support only a subset of the mechanisms listed. There is also no guarantee that a token which supports one mechanism for some operation supports any other mechanism for any other operation (or even supports that same mechanism for any other operation). For example, even if a token is able to create RSA digital signatures with the CKM_RSA_PKCS mechanism, it may or may not be the case that the same token can also perform RSA encryption with CKM_RSA_PKCS.

Each mechanism description shall be preceded by a table, of the following format, mapping mechanisms to API functions.

Table 1, Mechanisms vs. Functions

          | Functions
Mechanism | Encrypt & Decrypt | Sign & Verify | SR & VR (1) | Digest | Gen. Key/Key Pair | Wrap & Unwrap | Derive

1 SR = SignRecover, VR = VerifyRecover.

2 Single-part operations only.

3 Mechanism can only be used for wrapping, not unwrapping.

The remainder of this section will present in detail the mechanisms supported by Cryptoki and the parameters which are supplied to them.

In general, if a mechanism makes no mention of the ulMinKeyLen and ulMaxKeyLen fields of the CK_MECHANISM_INFO structure, then those fields have no meaning for that particular mechanism.
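The per-operation caveat above (a token may sign with CKM_RSA_PKCS yet refuse to encrypt with it) is something an application should check before use. The following is an added example, not part of the standard's text: it tests the operation bits and key-size range of a CK_MECHANISM_INFO and renders the matching Table 1 row. The helper names mech_permits and table_row and the sample token values are constructed for illustration, and the structure's fields are spelled ulMinKeySize and ulMaxKeySize as in the Cryptoki header.

```c
#include <stdio.h>
#include <string.h>
/* Local copies of Cryptoki definitions (values as in pkcs11t.h) so this builds
   without the vendor header; real code fills the struct with C_GetMechanismInfo(). */
typedef unsigned long CK_ULONG, CK_FLAGS;
typedef struct { CK_ULONG ulMinKeySize, ulMaxKeySize; CK_FLAGS flags; } CK_MECHANISM_INFO;
#define CKF_ENCRYPT           0x00000100UL
#define CKF_DECRYPT           0x00000200UL
#define CKF_DIGEST            0x00000400UL
#define CKF_SIGN              0x00000800UL
#define CKF_SIGN_RECOVER      0x00001000UL
#define CKF_VERIFY            0x00002000UL
#define CKF_VERIFY_RECOVER    0x00004000UL
#define CKF_GENERATE          0x00008000UL
#define CKF_GENERATE_KEY_PAIR 0x00010000UL
#define CKF_WRAP              0x00020000UL
#define CKF_UNWRAP            0x00040000UL
#define CKF_DERIVE            0x00080000UL
/* Table 1 columns in order; any=1 means one bit of the mask is enough. */
static const struct { CK_FLAGS mask; int any; } COLS[7] = {
    {CKF_ENCRYPT | CKF_DECRYPT, 0}, {CKF_SIGN | CKF_VERIFY, 0},
    {CKF_SIGN_RECOVER | CKF_VERIFY_RECOVER, 0}, {CKF_DIGEST, 0},
    {CKF_GENERATE | CKF_GENERATE_KEY_PAIR, 1}, {CKF_WRAP | CKF_UNWRAP, 0}, {CKF_DERIVE, 0}};
/* Constructed sample: a token reporting CKM_RSA_PKCS for signing and wrapping only. */
const CK_MECHANISM_INFO SAMPLE_RSA_PKCS = {2048, 4096, CKF_SIGN | CKF_VERIFY | CKF_WRAP};

/* Fail closed: every requested operation bit must be advertised. Pass key_bits = 0
   when the mechanism description does not define the key-size fields. */
int mech_permits(const CK_MECHANISM_INFO *mi, CK_FLAGS op, CK_ULONG key_bits) {
    if (mi == NULL || op == 0 || (mi->flags & op) != op) return 0;
    return key_bits == 0 || (key_bits >= mi->ulMinKeySize && key_bits <= mi->ulMaxKeySize);
}

/* One Table 1 row: 'X' supported, 'p' only half of the pair, '-' not supported. */
void table_row(const CK_MECHANISM_INFO *mi, char row[8]) {
    for (int i = 0; i < 7; i++) {
        CK_FLAGS got = mi->flags & COLS[i].mask;
        row[i] = !got ? '-' : (got == COLS[i].mask || COLS[i].any) ? 'X' : 'p';
    }
    row[7] = '\0';
}

int main(void) {
    char row[8];
    table_row(&SAMPLE_RSA_PKCS, row);
    printf("CKM_RSA_PKCS %s sign=%d encrypt=%d\n", row,
           mech_permits(&SAMPLE_RSA_PKCS, CKF_SIGN, 2048),
           mech_permits(&SAMPLE_RSA_PKCS, CKF_ENCRYPT, 2048));
    return 0;
}
```

In a real application the structure comes from C_GetMechanismInfo for the slot in use, and the check is repeated per slot because another token may advertise different bits for the same mechanism.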


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230mechanism1