Updates for the EP11 token for openCryptoki versions 3.11 up to 3.15
The following enhancements are implemented for the EP11 enablement for openCryptoki version 3.15. For complete exploitation of the listed enhancements, the EP11 host library version 3.0 is required.
- The performance of the EP11 token is improved by the following features:
- For single part sign- and verify-operations, as well as for single part encrypt- or decrypt-operations, the init call is not passed through the EP11 host library as long as there is no corresponding multi-part operation. You must explicitly enable this feature with the new option OPTIMIZE_SINGLE_PART_OPERATIONS in the EP11 token configuration file.
- You can request to increase the performance of hash operations. Setting the new DIGEST_LIBICA option in the EP11 token configuration file causes the EP11 token to load the default libica library on initialization. For required hash operations during processing, the EP11 token then uses the libica SHA-based hash functions. These hash functions perform on the CPACF, thus avoiding hash processing on a cryptographic coprocessor and therefore avoiding I/O operations to the coprocessor.
- You can set the new USE_PRANDOM option in the EP11 token configuration file to control from where the EP11 token reads random data. When you specify USE_PRANDOM, then the token does not read random data from the random number generator of the EP11 cryptographic coprocessor. Instead, random data is read from /dev/prandom, or /dev/urandom if /dev/prandom is not available, .
- With GA2 of the IBM z14®, the
EP11 token provides the following enhancements:
- Support of the bit coin curve secp256k1 is added to the EP11 token.
- Support of the RSA OAEP mechanism CKM_RSA_PKCS_OAEP for encrypt and decrypt, as well as for wrap and unwrap operations.
- Support of a new domain control point (access control point) related to a new BSICC2017 compliance mode. When enabled, this compliance mode disables the RSAPKCS #11 v1.5 mechanisms.
-
With the availability of the IBM z15™ in September 2019, the
EP11 token provides the following new features:
- SHA3 support via a vendor-specific mechanisms.
- Support of CMAC via standard and vendor-specific mechanisms.
- Support of the CKM_ECDH1_DERIVE mechanism according to PKCS #11 v2.4 semantics.
With these enhancements provided as a prerequisite in the EP11 host library version 3.0, you can additionally exploit the following features of the EP11 token with the availability of the IBM z15 in November 2019:
- Support of the RSA OAEP mechanism with SHA2 and SHA3 as hashing algorithms and mask generation function (MGF) algorithm is available.
- New IBM®-specific mechanisms are provided for the support of elliptic curve cryptography (ECC). With these, you can use Edwards Curves ed25519 and ed448 for EdDSA and Montgomery curves curve25519 and curve448 for ECDH.
- New domain (access) control points are implemented to control elliptic curve cryptography, to allow data key generation and import for protected keys, and to enable the use of the post-quantum Dilithium signature algorithm.
- Function C_DigestKey now always returns CKR_FUNCTION_NOT_SUPPORTED since the EP11 library does no longer support it.
- The EP11 token is getting ready for post-quantum
cryptography:
- You can use the quantum safe CRYSTALS-Dilithium Digital Signature Algorithm for generating keys and for signing and verifying digital signatures.
- You can import and transport externally generated Dilithium keys.
- openCryptoki now implements the PKCS #11 version 3.0 Baseline Provider specification. A library implementing PKCS #11 according to the Baseline Provider Clause as described in PKCS #11 Cryptographic Token Interface Profiles Version 3.0 is called a PKCS #11 version 3.0 Baseline Provider. Such a library can be exploited by an application conforming to the Baseline Consumer Clause described in the same document. Such applications are in turn called PKCS #11 version 3.0 Baseline Consumers.
- A new vendor-specific function called C_IBM_ReencryptSingle is introduced into openCryptoki and is supported by all tokens. Data that is already encrypted with a specific key and mechanism can be re-encrypted with this function, using a different key and mechanism. For secure key encryption with an EP11 token or a CCA token, the data is never visible in the clear anywhere outside the cryptographic coprocessor.
- You can use the pkcstok_migrate utility to transform an EP11 token, a CCA token, an ICA token, or a Soft Token created with any version of openCryptoki into a data format that was generated by FIPS compliant operations. This new data format can be used with openCryptoki version 3.12 or later. However, also for version 3.12 or later, the old non-compliant format is the default. Being FIPS compliant, the token data is stored in a format that is better protected against attacks than the previously used data format without FIPS compliance.