Key algorithms/usages that are unsupported or disallowed by the Enterprise PKCS #11 coprocessors

The following table lists the key algorithms/usages that are not supported by the Enterprise PKCS #11 coprocessors or disallowed due to FIPS restrictions that are always enforced. The results of requesting an unsupported algorithm depend on what is being requested. All these results assume the system is properly configured to use secure PKCS #11; improper configuration would result in different errors. The results are:
  1. Key generation or creation – Explicitly requesting the generation or creation of an unsupported/disallowed secure key type results in CKR_TEMPLATE_INCONSISTENT being returned.
  2. Key derivation – Explicitly requesting the derivation of a secure key using a clear base key results in CKR_TEMPLATE_INCONSISTENT being returned. Attempting key derivation using a secure base key results in CKR_IBM_CLEAR_KEY_REQ being returned.
  3. Standard unwrap key – The target key always has the security of the unwrapping key. Specifying the CKA_IBM_SECURE attribute in the unwrap template results in CKR_ATTRIBUTE_READ_ONLY being returned. Requesting the unwrapping of an unsupported/disallowed key type using a secure unwrapping key results in CKR_IBM_CLEAR_KEY_REQ being returned.
  4. Otherwise, requesting an unsupported/disallowed algorithm using a secure key results in CKR_IBM_CLEAR_KEY_REQ being returned.
Table 1. List of algorithms/uses not supported/disallowed by Enterprise PKCS #11 coprocessors
| Algorithm | PKCS #11 Mechanisms or key types | Comments |
|---|---|---|
| MD2 | CKM_MD2_RSA_PKCS | Secure private key use for signing disallowed |
| MD5 | CKM_MD5_RSA_PKCS, CKM_MD5_HMAC | Secure private or secret key use for signing disallowed |
| SSL3 | CKM_SSL3_MD5_MAC, CKM_SSL3_SHA1_MAC, CKM_SSL3_MASTER_KEY_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_SSL3_KEY_AND_MAC_DERIVE | |
| TLS | CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE_DH, CKM_TLS_KEY_AND_MAC_DERIVE | |
| Diffie Hellman | CKK_DH keys | Prime size less than 1024 bits |
| DSA | CKK_DSA keys | Combinations other than the following are not supported: prime size = 1024 bits, subprime size = 160 bits; prime size = 2048 bits, subprime size = 224 bits or 256 bits |
| Single DES | CKK_DES keys | |
| Triple DES | CKK_DES2 keys | |
| Blowfish | CKK_BLOWFISH keys | |
| RC4 | CKK_RC4 keys | |
| RSA | CKK_RSA | Key sizes less than 1024 bits |
| RSA | CKM_RSA_PKCS_KEY_PAIR_GEN | Key sizes that are less than 1024 bits or not a multiple of 256 bits or public key exponents less than 0x010001 |
| RSA | CKM_RSA_X_509 | Secure private key use for signing/decryption disallowed |
| HMAC | CKK_GENERIC_SECRET | Key sizes less than 10 bytes |
| HMAC | CKM_SHA_1_HMAC, CKM_SHA224_HMAC, CKM_SHA256_HMAC, CKM_SHA384_HMAC, CKM_SHA512_HMAC | Base key sizes less than ½ the output size are not supported. |
| AES GCM | CKM_AES_GCM | |
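
The size rules in Table 1 can be checked before a secure key request is sent to the coprocessor, so a rejected template is caught in application code rather than as a PKCS #11 error. The following is an added example, not IBM code: the type and function names are hypothetical, the RSA public exponent is assumed to fit in an unsigned long, and key types listed with no comment are treated as unsupported outright.

```c
/* Added example, not IBM code: pre-flight check of secure-key requests
 * against the size rules in Table 1. All names here are hypothetical. */
#include <stdbool.h>

typedef enum { REQ_RSA_KEYGEN, REQ_DH, REQ_DSA, REQ_GENERIC_SECRET,
               REQ_DES, REQ_DES2, REQ_BLOWFISH, REQ_RC4 } req_kind;

typedef struct {
    req_kind kind;
    unsigned long size;          /* modulus/prime bits; bytes for generic secret */
    unsigned long subprime_bits; /* DSA only */
    unsigned long pub_exp;       /* RSA only; assumed to fit in unsigned long */
} key_req;

/* Returns true if Table 1 does not rule the request out. Item 1 of the list
 * above gives CKR_TEMPLATE_INCONSISTENT for an explicit secure key
 * generation or creation request of an unsupported/disallowed type. */
bool ep11_table1_allows(const key_req *r)
{
    switch (r->kind) {
    case REQ_RSA_KEYGEN:     /* CKM_RSA_PKCS_KEY_PAIR_GEN row */
        return r->size >= 1024 && r->size % 256 == 0 &&
               r->pub_exp >= 0x010001UL;
    case REQ_DH:             /* prime size less than 1024 bits is listed */
        return r->size >= 1024;
    case REQ_DSA:            /* only three prime/subprime combinations */
        return (r->size == 1024 && r->subprime_bits == 160) ||
               (r->size == 2048 &&
                (r->subprime_bits == 224 || r->subprime_bits == 256));
    case REQ_GENERIC_SECRET: /* key sizes less than 10 bytes are listed */
        return r->size >= 10;
    default:                 /* CKK_DES, CKK_DES2, CKK_BLOWFISH, CKK_RC4:
                                assumed unsupported at any size */
        return false;
    }
}

/* HMAC rows: at least 10 bytes, and at least half the MAC output size. */
bool ep11_hmac_key_ok(unsigned long key_bytes, unsigned long mac_out_bytes)
{
    return key_bytes >= 10 && 2 * key_bytes >= mac_out_bytes;
}

int main(void)
{
    key_req rsa = { REQ_RSA_KEYGEN, 2048, 0, 0x010001UL }; /* constructed sample */
    return ep11_table1_allows(&rsa) ? 0 : 1;
}
```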