Cryptographic Token Interface Standard

PKCS#11


General block cipher ECB

Cipher <NAME> has an electronic codebook mechanism, "<NAME>-ECB", denoted CKM_<NAME>_ECB. It is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping with <NAME>.

It does not have a parameter.

This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports. For wrapping, the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped, padded on the trailing end with null bytes so that the resulting length is a multiple of <NAME>'s blocksize. The output data is the same length as the padded input data. It does not wrap the key type, key length or any other information about the key; the application must convey these separately.

For unwrapping, the mechanism decrypts the wrapped key and truncates the result according to the CKA_KEY_TYPE attribute of the template and, if the template has one and the key type supports it, the CKA_VALUE_LEN attribute of the template. The mechanism contributes the result as the CKA_VALUE attribute of the new key; other attributes required by the key type must be specified in the template.
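The wrapping and unwrapping transformations described in the two paragraphs above, modeled as an added example that is not part of the standard and makes no PKCS#11 API calls. Assumptions: XTEA (8-byte block, 32 rounds) stands in for <NAME>, and the names ecb_wrap, ecb_unwrap and value_len are hypothetical, with value_len playing the role of the length taken from the template.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLOCK 8  /* XTEA block size in bytes; XTEA is a stand-in for <NAME> */

/* One XTEA block, 32 rounds, in place. enc != 0 encrypts, enc == 0 decrypts. */
static void xtea_block(const uint32_t k[4], uint8_t *b, int enc)
{
    uint32_t v[2], delta = 0x9E3779B9u, sum = enc ? 0 : delta * 32;
    memcpy(v, b, BLOCK);  /* host byte order; sufficient for a local round trip */
    for (int i = 0; i < 32; i++) {
        if (enc) {
            v[0] += (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (sum + k[sum & 3]);
            sum += delta;
            v[1] += (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (sum + k[(sum >> 11) & 3]);
        } else {
            v[1] -= (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (sum + k[(sum >> 11) & 3]);
            sum -= delta;
            v[0] -= (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (sum + k[sum & 3]);
        }
    }
    memcpy(b, v, BLOCK);
}

/* Wrap: pad the key value with trailing null bytes to a block multiple, then
   ECB-encrypt. Returns the wrapped length, or 0 if out is too small. */
size_t ecb_wrap(const uint32_t kek[4], const uint8_t *val, size_t len,
                uint8_t *out, size_t cap)
{
    size_t padded = (len + BLOCK - 1) / BLOCK * BLOCK;
    if (len == 0 || padded > cap) return 0;
    memset(out, 0, padded);
    memcpy(out, val, len);
    for (size_t off = 0; off < padded; off += BLOCK) xtea_block(kek, out + off, 1);
    return padded;
}

/* Unwrap: ECB-decrypt, then truncate to value_len, which the caller takes from
   the template (CKA_VALUE_LEN, or the fixed length implied by CKA_KEY_TYPE). */
size_t ecb_unwrap(const uint32_t kek[4], const uint8_t *in, size_t in_len,
                  size_t value_len, uint8_t *out, size_t cap)
{
    if (in_len % BLOCK || value_len == 0 || value_len > in_len || in_len > cap) return 0;
    memcpy(out, in, in_len);
    for (size_t off = 0; off < in_len; off += BLOCK) xtea_block(kek, out + off, 0);
    memset(out + value_len, 0, in_len - value_len);  /* drop the padding bytes */
    return value_len;
}
```

A 20-byte value and the same value followed by four zero bytes wrap to identical output, so nothing in the wrapped data tells the two apart. The length the unwrapping side supplies in its template is what decides the length of the recovered key.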

Constraints on key types and the length of data are summarized in the following table:

Table 80, General Block Cipher ECB: Key And Data Length

| Function | Key type | Input length | Output length | Comments |
|---|---|---|---|---|
| C_Encrypt | <NAME> | multiple of blocksize | same as input length | no final part |
| C_Decrypt | <NAME> | multiple of blocksize | same as input length | no final part |
| C_WrapKey | <NAME> | any | input length rounded up to multiple of blocksize | |
| C_UnwrapKey | <NAME> | any | determined by type of key being unwrapped or CKA_VALUE_LEN | |


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v210