Cryptographic Token Interface Standard

PKCS#11


Secret key objects


Sections

Generic secret key objects
RC2 secret key objects
RC4 secret key objects
RC5 secret key objects
DES secret key objects
DES2 secret key objects
DES3 secret key objects
CAST secret key objects
CAST3 secret key objects
CAST128 (CAST5) secret key objects
IDEA secret key objects
CDMF secret key objects
SKIPJACK secret key objects
BATON secret key objects
JUNIPER secret key objects

Detailed Description

Secret key objects (object class CKO_SECRET_KEY) hold secret keys. This version of Cryptoki recognizes the following types of secret key: generic, RC2, RC4, RC5, DES, DES2, DES3, CAST, CAST3, CAST128 (also known as CAST5), IDEA, CDMF, SKIPJACK, BATON, and JUNIPER. The following table defines the attributes common to all secret keys, in addition to the common attributes listed in Table 14, Table 18 and Table 24:

Table 39, Common Secret Key Attributes

Attribute                            | Data type | Meaning
CKA_SENSITIVE [8] (see below)        | CK_BBOOL  | TRUE if object is sensitive (default FALSE)
CKA_ENCRYPT [8]                      | CK_BBOOL  | TRUE if key supports encryption [9]
CKA_DECRYPT [8]                      | CK_BBOOL  | TRUE if key supports decryption [9]
CKA_SIGN [8]                         | CK_BBOOL  | TRUE if key supports signatures (i.e., authentication codes) where the signature is an appendix to the data [9]
CKA_VERIFY [8]                       | CK_BBOOL  | TRUE if key supports verification (i.e., of authentication codes) where the signature is an appendix to the data [9]
CKA_WRAP [8]                         | CK_BBOOL  | TRUE if key supports wrapping (i.e., can be used to wrap other keys) [9]
CKA_UNWRAP [8]                       | CK_BBOOL  | TRUE if key supports unwrapping (i.e., can be used to unwrap other keys) [9]
CKA_EXTRACTABLE [8] (see below)      | CK_BBOOL  | TRUE if key is extractable [9]
CKA_ALWAYS_SENSITIVE [2,4,6]         | CK_BBOOL  | TRUE if key has always had the CKA_SENSITIVE attribute set to TRUE
CKA_NEVER_EXTRACTABLE [2,4,6]        | CK_BBOOL  | TRUE if key has never had the CKA_EXTRACTABLE attribute set to TRUE

After an object is created, the CKA_SENSITIVE attribute may be changed, but only to the value TRUE. Similarly, after an object is created, the CKA_EXTRACTABLE attribute may be changed, but only to the value FALSE. Attempts to make other changes to the values of these attributes should return the error code CKR_ATTRIBUTE_READ_ONLY.

If the CKA_SENSITIVE attribute is TRUE, or if the CKA_EXTRACTABLE attribute is FALSE, then certain attributes of the secret key cannot be revealed in plaintext outside the token. Which attributes these are is specified for each type of secret key in the attribute table in the section describing that type of key.

If the CKA_EXTRACTABLE attribute is FALSE, then the key cannot be wrapped.
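The rules above, as an added example that is not code from the PKCS#11 standard or from any token implementation: a small C model of what a token must enforce for CKA_SENSITIVE and CKA_EXTRACTABLE on a secret key object, including the derived CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE values. The constant values are those of pkcs11.h; the return codes used for a refused value read and a refused wrap are assumptions, since this page names only CKR_ATTRIBUTE_READ_ONLY.

```c
/* Added example, not from the PKCS#11 text: a minimal model of the CKA_SENSITIVE /
 * CKA_EXTRACTABLE rules a token enforces on secret key objects. Constants follow
 * pkcs11.h; the codes for the read and wrap refusals are assumed here. */
#include <stdio.h>
typedef unsigned long CK_ULONG; typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_SENSITIVE              0x103UL
#define CKA_EXTRACTABLE            0x162UL
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_READ_ONLY    0x10UL
#define CKR_ATTRIBUTE_SENSITIVE    0x11UL /* assumed: value read on a protected key */
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL /* used for attributes this model omits */
#define CKR_KEY_UNEXTRACTABLE      0x6AUL /* assumed: wrap of a non-extractable key */

typedef struct {
    CK_BBOOL sensitive, extractable;
    CK_BBOOL always_sensitive, never_extractable; /* token-maintained, never settable */
} secret_key_t;
/* Creation: the two history attributes are derived from the initial values. */
secret_key_t create_secret_key(CK_BBOOL sensitive, CK_BBOOL extractable) {
    secret_key_t k = { sensitive, extractable, sensitive, !extractable };
    return k;
}
/* C_SetAttributeValue rule: CKA_SENSITIVE may only move to TRUE and CKA_EXTRACTABLE
 * only to FALSE; a request that leaves the value unchanged is not a change. */
CK_ULONG set_attribute(secret_key_t *k, CK_ULONG attr, CK_BBOOL value) {
    CK_BBOOL *cur, only_to;
    if (attr == CKA_SENSITIVE)        { cur = &k->sensitive;   only_to = CK_TRUE;  }
    else if (attr == CKA_EXTRACTABLE) { cur = &k->extractable; only_to = CK_FALSE; }
    else return CKR_ATTRIBUTE_TYPE_INVALID;
    if (value != *cur && value != only_to) return CKR_ATTRIBUTE_READ_ONLY;
    *cur = value; /* always_sensitive / never_extractable stay as set at creation */
    return CKR_OK;
}
/* A sensitive or non-extractable key must not reveal its value in plaintext. */
CK_ULONG reveal_value(const secret_key_t *k) {
    return (k->sensitive || !k->extractable) ? CKR_ATTRIBUTE_SENSITIVE : CKR_OK;
}
/* A non-extractable key cannot be wrapped. */
CK_ULONG wrap_key(const secret_key_t *k) {
    return k->extractable ? CKR_OK : CKR_KEY_UNEXTRACTABLE;
}

int main(void) {
    secret_key_t k = create_secret_key(CK_FALSE, CK_TRUE);
    set_attribute(&k, CKA_SENSITIVE, CK_TRUE); /* allowed: FALSE -> TRUE */
    printf("0x%lx 0x%lx\n", set_attribute(&k, CKA_SENSITIVE, CK_FALSE), reveal_value(&k));
    return 0;
}
```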


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v210