Cryptographic Token Interface Standard

PKCS#11


ActivIdentity ACTI

ACTI secret key objects (object class CKO_OTP_KEY, key type CKK_ACTI) hold ActivIdentity ACTI secret keys.

For ACTI keys, the CKA_OTP_COUNTER value shall be an 8-byte unsigned integer in big-endian (i.e. network byte order) form. The same holds true for the CK_OTP_COUNTER value in the CK_OTP_PARAM structure.

The CKA_OTP_COUNTER value may be set at key generation; however, some tokens may set it to a fixed initial value. Depending on the token's security policy, this value may not be modified and/or may not be revealed if the object has its CKA_SENSITIVE attribute set to CK_TRUE or its CKA_EXTRACTABLE attribute set to CK_FALSE.

The CKA_OTP_TIME value may be set at key generation; however, some tokens may set it to a fixed initial value. Depending on the token's security policy, this value may not be modified and/or may not be revealed if the object has its CKA_SENSITIVE attribute set to CK_TRUE or its CKA_EXTRACTABLE attribute set to CK_FALSE.

The following is a sample template for creating an ACTI secret key object:

CK_OBJECT_CLASS class = CKO_OTP_KEY;
CK_KEY_TYPE keyType = CKK_ACTI;
CK_UTF8CHAR label[] = "ACTI secret key object";
CK_BYTE keyId[] = {...};
CK_ULONG outputFormat = CK_OTP_FORMAT_DECIMAL;
CK_ULONG outputLength = 6;
CK_DATE endDate = {...};
CK_BYTE counterValue[8] = {0};
CK_BYTE value[] = {...};
CK_BBOOL true = CK_TRUE;
CK_ATTRIBUTE template[] = {
  {CKA_CLASS, &class, sizeof(class)},
  {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
  {CKA_END_DATE, &endDate, sizeof(endDate)},
  {CKA_TOKEN, &true, sizeof(true)},
  {CKA_SENSITIVE, &true, sizeof(true)},
  {CKA_LABEL, label, sizeof(label)-1},
  {CKA_SIGN, &true, sizeof(true)},
  {CKA_VERIFY, &true, sizeof(true)},
  {CKA_ID, keyId, sizeof(keyId)},
  {CKA_OTP_FORMAT, &outputFormat, sizeof(outputFormat)},
  {CKA_OTP_LENGTH, &outputLength, sizeof(outputLength)},
  {CKA_OTP_COUNTER, counterValue, sizeof(counterValue)},
  {CKA_VALUE, value, sizeof(value)}
};
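
The 8-byte big-endian form required for CKA_OTP_COUNTER, as an added example that is not part of the standard text: it fills a buffer like counterValue[8] from a 64-bit counter without depending on host byte order, and rejects a returned attribute value whose length is not 8. The function names are hypothetical, and CK_BYTE is redefined locally as a stand-in for the pkcs11t.h type so the code builds on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the pkcs11t.h typedef (assumption: CK_BYTE is unsigned char). */
typedef unsigned char CK_BYTE;

#define OTP_COUNTER_LEN 8 /* ACTI: CKA_OTP_COUNTER is exactly 8 bytes */

/* Encode a 64-bit counter as 8 big-endian bytes, independent of host order.
 * Shifting avoids the memcpy-of-a-native-integer mistake, which yields
 * little-endian bytes on x86 and only 4 bytes where CK_ULONG is 32-bit. */
void otp_counter_encode(uint64_t counter, CK_BYTE out[OTP_COUNTER_LEN])
{
    for (int i = OTP_COUNTER_LEN - 1; i >= 0; i--) {
        out[i] = (CK_BYTE)(counter & 0xFF);
        counter >>= 8;
    }
}

/* Decode an attribute value (pValue, ulValueLen) into a 64-bit counter.
 * Returns 0 on success, -1 if the buffer is missing or not 8 bytes long. */
int otp_counter_decode(const CK_BYTE *buf, size_t len, uint64_t *counter)
{
    if (buf == NULL || counter == NULL || len != OTP_COUNTER_LEN)
        return -1;
    uint64_t v = 0;
    for (size_t i = 0; i < OTP_COUNTER_LEN; i++)
        v = (v << 8) | buf[i];
    *counter = v;
    return 0;
}

int main(void)
{
    CK_BYTE counterValue[OTP_COUNTER_LEN];
    uint64_t decoded = 0;

    otp_counter_encode(258, counterValue); /* constructed sample value */
    for (size_t i = 0; i < OTP_COUNTER_LEN; i++)
        printf("%02x", counterValue[i]);
    printf("\n");

    if (otp_counter_decode(counterValue, sizeof(counterValue), &decoded) != 0)
        return 1;
    printf("%llu\n", (unsigned long long)decoded);
    return 0;
}
```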

The ACTI key generation mechanism, denoted CKM_ACTI_KEY_GEN, is a key generation mechanism for the ACTI algorithm.

It does not have a parameter.

The mechanism generates ACTI keys with a particular set of attributes as specified in the template for the key.

The mechanism contributes at least the CKA_CLASS, CKA_KEY_TYPE, CKA_VALUE and CKA_VALUE_LEN attributes to the new key. Other attributes supported by the ACTI key type may be specified in the template for the key, or else are assigned default initial values.

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure specify the supported range of ACTI key sizes, in bytes.


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230