Cryptographic Token Interface Standard | PKCS#11
GOST 28147-89 encryption mode except ECB, denoted CKM_GOST28147, is a mechanism for single- and multiple-part encryption and decryption, key wrapping, and key unwrapping, based on [GOST 28147-89] and on the CFB, counter, and additional CBC modes defined in [RFC 4357] section 2. The encryption parameters are specified by the object identifier in the CKA_GOST28147_PARAMS attribute.
It has a parameter, an 8-byte initialization vector. This parameter may be omitted, in which case a zero initialization vector is used.
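Added example (not part of the PKCS#11 text): a caller-side helper that builds the CK_MECHANISM for CKM_GOST28147 and enforces the parameter rule above, that is, either no parameter or exactly 8 bytes of IV. The helper name gost28147_mech_init, the gost_iv_kind enum and the local type stand-ins are assumptions made for illustration; a real build takes the types and constants from pkcs11.h.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for the pkcs11.h definitions used below (assumption: a real
 * build includes the token vendor's pkcs11.h instead of these). */
typedef unsigned long CK_ULONG, CK_RV, CK_MECHANISM_TYPE;
typedef unsigned char CK_BYTE;
typedef struct {
    CK_MECHANISM_TYPE mechanism;
    void *pParameter;
    CK_ULONG ulParameterLen;
} CK_MECHANISM;
#define CKR_OK                      0x00000000UL
#define CKR_ARGUMENTS_BAD           0x00000007UL
#define CKR_MECHANISM_PARAM_INVALID 0x00000071UL
#define CKM_GOST28147               0x00001222UL
#define GOST28147_IV_LEN            8UL

/* Hypothetical classification for caller-side policy; not part of PKCS#11. */
typedef enum { IV_EXPLICIT, IV_EXPLICIT_ZERO, IV_OMITTED_ZERO } gost_iv_kind;

/* Hypothetical helper: fill *mech for CKM_GOST28147.
 * iv == NULL with iv_len == 0 omits the parameter, so the token uses a zero
 * IV. Any other parameter must be exactly 8 bytes. *kind tells the caller
 * whether the effective IV is all zero, so a policy layer can refuse that
 * for keys that encrypt more than one message. */
CK_RV gost28147_mech_init(CK_MECHANISM *mech, CK_BYTE *iv, CK_ULONG iv_len,
                          gost_iv_kind *kind)
{
    static const CK_BYTE zero_iv[GOST28147_IV_LEN] = {0};

    if (mech == NULL || kind == NULL)
        return CKR_ARGUMENTS_BAD;
    if (iv == NULL && iv_len == 0) {          /* parameter omitted */
        mech->mechanism = CKM_GOST28147;
        mech->pParameter = NULL;
        mech->ulParameterLen = 0;
        *kind = IV_OMITTED_ZERO;
        return CKR_OK;
    }
    if (iv == NULL || iv_len != GOST28147_IV_LEN)
        return CKR_MECHANISM_PARAM_INVALID;   /* wrong length or NULL pointer */
    mech->mechanism = CKM_GOST28147;
    mech->pParameter = iv;                    /* caller keeps iv alive */
    mech->ulParameterLen = iv_len;
    *kind = memcmp(iv, zero_iv, GOST28147_IV_LEN) == 0 ? IV_EXPLICIT_ZERO
                                                        : IV_EXPLICIT;
    return CKR_OK;
}
```

The filled structure is what a caller would pass to C_EncryptInit, C_DecryptInit, C_WrapKey or C_UnwrapKey; the IV buffer must stay valid until that call returns.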
This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports.
For wrapping (C_WrapKey), the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped.
For unwrapping (C_UnwrapKey), the mechanism decrypts the wrapped key, and contributes the result as the CKA_VALUE attribute of the new key.
Constraints on key types and the length of data are summarized in the following table:
Table 25, GOST 28147-89 encryption modes except ECB: Key And Data Length
Function | Key type | Input length |
C_Encrypt | CKK_GOST28147 | |
C_Decrypt | CKK_GOST28147 | |
C_WrapKey | CKK_GOST28147 | |
C_UnwrapKey | CKK_GOST28147 | |
For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.