Cryptographic Token Interface Standard

PKCS#11


Mechanisms


Sections

RSA mechanisms
DSA mechanisms
About ECDSA
ECDSA mechanisms
Diffie-Hellman mechanisms
KEA mechanism parameters
KEA mechanisms
Generic secret key mechanisms
Wrapping/unwrapping private keys (RSA, Diffie-Hellman, and DSA)
About RC2
RC2 mechanism parameters
RC2 mechanisms
RC4 mechanisms
About RC5
RC5 mechanism parameters
RC5 mechanisms
General block cipher mechanism parameters
General block cipher mechanisms
Double and Triple-length DES mechanisms
SKIPJACK mechanism parameters
SKIPJACK mechanisms
BATON mechanisms
JUNIPER mechanisms
MD2 mechanisms
MD5 mechanisms
SHA-1 mechanisms
FASTHASH mechanisms
Password-based encryption/authentication mechanism parameters
PKCS #5 and PKCS #5-style password-based encryption mechanisms
PKCS #12 password-based encryption/authentication mechanisms
SET mechanism parameters
SET mechanisms
LYNKS mechanisms
SSL mechanism parameters
SSL mechanisms
Parameters for miscellaneous simple key derivation mechanisms
Miscellaneous simple key derivation mechanisms
RIPE-MD 128 mechanisms
RIPE-MD 160 mechanisms

Detailed Description

A mechanism specifies precisely how a certain cryptographic process is to be performed.

The following table shows which Cryptoki mechanisms are supported by different cryptographic operations. For any particular token, of course, a particular operation may well support only a subset of the mechanisms listed. There is also no guarantee that a token which supports one mechanism for some operation supports any other mechanism for any other operation (or even supports that same mechanism for any other operation). For example, even if a token is able to create RSA digital signatures with the CKM_RSA_PKCS mechanism, it may or may not be the case that the same token can also perform RSA encryption with CKM_RSA_PKCS.

Table 55, Mechanisms vs. Functions
 
Functions
           
Mechanism
Encrypt
&
Decrypt
Sign
&
Verify
SR
&
VR1
Digest
Gen.
Key/
Key
Pair
Wrap
&
Unwrap
Derive
CKM_RSA_PKCS_KEY_PAIR_GEN        
X
   
CKM_RSA_PKCS
X2
X2
X
   
X
 
CKM_RSA_PKCS_OAEP
X2
       
X
 
CKM_RSA_9796  
X2
X
       
CKM_RSA_X_509
X2
X2
X
   
X
 
CKM_MD2_RSA_PKCS  
X
         
CKM_MD5_RSA_PKCS  
X
         
CKM_SHA1_RSA_PKCS  
X
         
CKM_RIPEMD128_RSA_PKCS  
X
         
CKM_RIPEMD160_RSA_PKCS  
X
         
CKM_DSA_KEY_PAIR_GEN        
X
   
CKM_DSA  
X2
         
CKM_DSA_SHA1  
X
         
CKM_FORTEZZA_TIMESTAMP  
X2
         
CKM_ECDSA_KEY_PAIR_GEN        
X
   
CKM_ECDSA  
X2
         
CKM_ECDSA_SHA1  
X
         
CKM_DH_PKCS_KEY_PAIR_GEN        
X
   
CKM_DH_PKCS_DERIVE            
X
CKM_KEA_KEY_PAIR_GEN        
X
   
CKM_KEA_KEY_DERIVE            
X
CKM_GENERIC_SECRET_KEY_GEN        
X
   
CKM_RC2_KEY_GEN        
X
   
CKM_RC2_ECB
X
       
X
 
CKM_RC2_CBC
X
       
X
 
CKM_RC2_CBC_PAD
X
       
X
 
CKM_RC2_MAC_GENERAL  
X
         
CKM_RC2_MAC  
X
         
CKM_RC4_KEY_GEN        
X
   
CKM_RC4
X
           
CKM_RC5_KEY_GEN        
X
   
CKM_RC5_ECB
X
       
X
 
CKM_RC5_CBC
X
       
X
 
CKM_RC5_CBC_PAD
X
       
X
 
CKM_RC5_MAC_GENERAL  
X
         
CKM_RC5_MAC  
X
         
CKM_DES_KEY_GEN        
X
   
CKM_DES_ECB
X
       
X
 
CKM_DES_CBC
X
       
X
 
CKM_DES_CBC_PAD
X
       
X
 
CKM_DES_MAC_GENERAL  
X
         
CKM_DES_MAC  
X
         
CKM_DES2_KEY_GEN        
X
   
CKM_DES3_KEY_GEN        
X
   
CKM_DES3_ECB
X
       
X
 
CKM_DES3_CBC
X
       
X
 
CKM_DES3_CBC_PAD
X
       
X
 
CKM_DES3_MAC_GENERAL  
X
         
CKM_DES3_MAC  
X
         
CKM_CAST_KEY_GEN        
X
   
CKM_CAST_ECB
X
       
X
 
CKM_CAST_CBC
X
       
X
 
CKM_CAST_CBC_PAD
X
       
X
 
CKM_CAST_MAC_GENERAL  
X
         
CKM_CAST_MAC  
X
         
CKM_CAST3_KEY_GEN        
X
   
CKM_CAST3_ECB
X
       
X
 
CKM_CAST3_CBC
X
       
X
 
CKM_CAST3_CBC_PAD
X
       
X
 
CKM_CAST3_MAC_GENERAL  
X
         
CKM_CAST3_MAC  
X
         
CKM_CAST128_KEY_GEN ( CKM_CAST5_KEY_GEN)        
X
   
CKM_CAST128_ECB ( CKM_CAST5_ECB)
X
       
X
 
CKM_CAST128_CBC ( CKM_CAST5_CBC)
X
       
X
 
CKM_CAST128_CBC_PAD ( CKM_CAST5_CBC_PAD)
X
       
X
 
CKM_CAST128_MAC_GENERAL ( CKM_CAST5_MAC_GENERAL)  
X
         
CKM_CAST128_MAC ( CKM_CAST5_MAC)  
X
         
CKM_IDEA_KEY_GEN        
X
   
CKM_IDEA_ECB
X
       
X
 
CKM_IDEA_CBC
X
       
X
 
CKM_IDEA_CBC_PAD
X
       
X
 
CKM_IDEA_MAC_GENERAL  
X
         
CKM_IDEA_MAC  
X
         
CKM_CDMF_KEY_GEN        
X
   
CKM_CDMF_ECB
X
       
X
 
CKM_CDMF_CBC
X
       
X
 
CKM_CDMF_CBC_PAD
X
       
X
 
CKM_CDMF_MAC_GENERAL  
X
         
CKM_CDMF_MAC  
X
         
CKM_SKIPJACK_KEY_GEN        
X
   
CKM_SKIPJACK_ECB64
X
           
CKM_SKIPJACK_CBC64
X
           
CKM_SKIPJACK_OFB64
X
           
CKM_SKIPJACK_CFB64
X
           
CKM_SKIPJACK_CFB32
X
           
CKM_SKIPJACK_CFB16
X
           
CKM_SKIPJACK_CFB8
X
           
CKM_SKIPJACK_WRAP          
X
 
CKM_SKIPJACK_PRIVATE_WRAP          
X
 
CKM_SKIPJACK_RELAYX          
X3
 
CKM_BATON_KEY_GEN        
X
   
CKM_BATON_ECB128
X
           
CKM_BATON_ECB96
X
           
CKM_BATON_CBC128
X
           
CKM_BATON_COUNTER
X
           
CKM_BATON_SHUFFLE
X
           
CKM_BATON_WRAP          
X
 
CKM_JUNIPER_KEY_GEN        
X
   
CKM_JUNIPER_ECB128
X
           
CKM_JUNIPER_CBC128
X
           
CKM_JUNIPER_COUNTER
X
           
CKM_JUNIPER_SHUFFLE
X
           
CKM_JUNIPER_WRAP          
X
 
CKM_MD2      
X
     
CKM_MD2_HMAC_GENERAL  
X
         
CKM_MD2_HMAC  
X
         
CKM_MD2_KEY_DERIVATION            
X
CKM_MD5      
X
     
CKM_MD5_HMAC_GENERAL  
X
         
CKM_MD5_HMAC  
X
         
CKM_MD5_KEY_DERIVATION            
X
CKM_SHA_1      
X
     
CKM_SHA_1_HMAC_GENERAL  
X
         
CKM_SHA_1_HMAC  
X
         
CKM_SHA1_KEY_DERIVATION            
X
CKM_RIPEMD128      
X
     
CKM_RIPEMD128_HMAC_GENERAL  
X
         
CKM_RIPEMD128_HMAC  
X
         
CKM_RIPEMD160      
X
     
CKM_RIPEMD160_HMAC_GENERAL  
X
         
CKM_RIPEMD160_HMAC  
X
         
CKM_FASTHASH      
X
     
CKM_PBE_MD2_DES_CBC        
X
   
CKM_PBE_MD5_DES_CBC        
X
   
CKM_PBE_MD5_CAST_CBC        
X
   
CKM_PBE_MD5_CAST3_CBC        
X
   
CKM_PBE_MD5_CAST128_CBC ( CKM_PBE_MD5_CAST5_CBC)        
X
   
CKM_PBE_SHA1_CAST128_CBC ( CKM_PBE_SHA1_CAST5_CBC)        
X
   
CKM_PBE_SHA1_RC4_128        
X
   
CKM_PBE_SHA1_RC4_40        
X
   
CKM_PBE_SHA1_DES3_EDE_CBC        
X
   
CKM_PBE_SHA1_DES2_EDE_CBC        
X
   
CKM_PBE_SHA1_RC2_128_CBC        
X
   
CKM_PBE_SHA1_RC2_40_CBC        
X
   
CKM_PBA_SHA1_WITH_SHA1_HMAC        
X
   
CKM_PKCS5_PBKD2        
X
   
CKM_KEY_WRAP_SET_OAEP          
X
 
CKM_KEY_WRAP_LYNKS          
X
 
CKM_SSL3_PRE_MASTER_KEY_GEN        
X
   
CKM_SSL3_MASTER_KEY_DERIVE            
X
CKM_SSL3_KEY_AND_MAC_DERIVE            
X
CKM_SSL3_MD5_MAC  
X
         
CKM_SSL3_SHA1_MAC  
X
         
CKM_CONCATENATE_BASE_AND_KEY            
X
CKM_CONCATENATE_BASE_AND_DATA            
X
CKM_CONCATENATE_DATA_AND_BASE            
X
CKM_XOR_BASE_AND_DATA            
X
CKM_EXTRACT_KEY_FROM_KEY            
X

1 SR = SignRecover, VR = VerifyRecover.

2 Single-part operations only.

3 Mechanism can only be used for wrapping, not unwrapping.

The remainder of Section 11.17.2 will present in detail the mechanisms supported by Cryptoki Version 2.1 and the parameters which are supplied to them.

In general, if a mechanism makes no mention of the ulMinKeyLen and ulMaxKeyLen fields of the CK_MECHANISM_INFO structure, then those fields have no meaning for that particular mechanism.


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v210