| Cryptographic Token Interface Standard |
PKCS#11
|
Elliptic curve Diffie-Hellman key derivation
The elliptic curve Diffie-Hellman (ECDH) key derivation mechanism, denoted CKM_ECDH1_DERIVE, is a mechanism for key derivation based on the Diffie-Hellman version of the elliptic curve key agreement scheme, as defined in the ANSI X9.63 draft, where each party contributes one key pair all using the same EC domain parameters.
It has a parameter, a CK_ECDH1_DERIVE_PARAMS structure.
This mechanism derives a secret value, and truncates the result according to the CKA_KEY_TYPE attribute of the template and, if it has one and the key type supports it, the CKA_VALUE_LEN attribute of the template. (The truncation removes bytes from the leading end of the secret value.) The mechanism contributes the result as the CKA_VALUE attribute of the new key; other attributes required by the key type must be specified in the template.
This mechanism has the following rules about key sensitivity and extractability:
- The CKA_SENSITIVE and CKA_EXTRACTABLE attributes in the template for the new key can both be specified to be either TRUE or FALSE. If omitted, these attributes each take on some default value.
- If the base key has its CKA_ALWAYS_SENSITIVE attribute set to FALSE, then the derived key will as well. If the base key has its CKA_ALWAYS_SENSITIVE attribute set to TRUE, then the derived key has its CKA_ALWAYS_SENSITIVE attribute set to the same value as its CKA_SENSITIVE attribute.
- Similarly, if the base key has its CKA_NEVER_EXTRACTABLE attribute set to FALSE, then the derived key will, too. If the base key has its CKA_NEVER_EXTRACTABLE attribute set to TRUE, then the derived key has its CKA_NEVER_EXTRACTABLE attribute set to the opposite value from its CKA_EXTRACTABLE attribute. For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure specify the minimum and maximum supported number of bits in the field sizes, respectively. For example, if a Cryptoki library supports only EC using a field of characteristic 2 which has between 2200 and 2300 elements, then ulMinKeySize = 201 and ulMaxKeySize = 301 (when written in binary notation, the number 2200 consists of a 1 bit followed by 200 0 bits. It is therefore a 201-bit number. Similarly, 2300 is a 301-bit number).
RSA Security Inc. Public-Key Cryptography Standards -
PKCS#11 - v211