Key derivation functions are performed in software.

For the SSL-KM and TLS-KM mechanisms, an attribute list is required if encryption keys are to be generated.

For the IKE1PHA1, IKE2PHA1, IKE1PHA2, and IKE2PHA2 mechanisms, the following attribute rules apply to the derived keys:

• Derivation keys will have the following attributes which may not be overridden by other values in the attribute list:
  • CKA_CLASS=CKO_SECRET_KEY
  • CKA_KEY_TYPE=CKK_GENERIC_SECRET
  • CKA_DERIVE=TRUE
  • CKA_VALUE_LEN=as specified in the parms list
• Authentication keys will have the following attributes which may not be overridden by other values in the attribute list:
  • CKA_CLASS=CKO_SECRET_KEY
  • CKA_KEY_TYPE=CKK_GENERIC_SECRET
  • CKA_SIGN=TRUE=TRUE
  • CKA_VERIFY=TRUE=TRUE
  • CKA_VALUE_LEN= as specified in the parms list
• Encryption, GMAC, and GCM keys will be typed according to information found in the attribute list. However, they will have the following attributes which may not be overridden by other values in the attribute list:
  • CKA_CLASS=CKO_SECRET_KEY
  • For key types other than CKK_DES, CKK_DES2, and CKK_DES3, CKA_VALUE_LEN= as specified in the parms list
• All key types will inherit the values of the CKA_SENSITIVE, CKA_ALWAYS_SENSITIVE, CKA_EXTRACTABLE, and CKA_NEVER_EXTRACTABLE attributes from the base key. These may not be overridden by other values in the attribute list. If an additional key is specified, its values will be applied after setting the base key values as follows:
  • If the additional key has CKA_SENSITIVE=TRUE, so will the derived key(s)
  • If the additional key has CKA_EXTRACTABLE=FALSE, so will the derived keys(s)
  • If the additional key has CKA_ALWAYS_SENSITIVE=FALSE, so will the derived keys(s)
  • If the additional key has CKA_NEVER_EXTRACTABLE=FALSE, so will the derived keys(s)
• If encryption, GMAC, or GCM keys are to be derived, an attribute list is required for the key typing information. Otherwise, it is optional. For all keys, other applicable secret key attributes may be specified in the attribute list. Any attribute not specified will be assigned the default value normally assigned to a newly created secret key.

For the IKE1PHA1, IKE1PHA2, and IKE2PHA2 mechanisms, the additional key must be a secret key (CKA_CLASS=CKO_SECRET_KEY) capable of performing key derivation (CKA_DERIVE=TRUE). It must also be contained in the same PKCS #11 token as the base key.

The IKE1PHA1, IKE2PHA1, IKE1PHA2, and IKE2PHA2 mechanisms have the following limitations if the operation is FIPS 140 restricted:

• The MD5 PRF may not be specified.
• The length of the base key must be at least half the length of the output of the PRF function.