Key types and mechanisms supported

ICSF supports the following PKCS #11 key types (CK_KEY_TYPE). All of these key types are supported in software. Whether they are also supported in hardware will depend on the limitations of your cryptographic hardware configuration.

CKK_AES - key lengths 128, 192, and 256 bits
CKK_BLOWFISH - key lengths 8 up to 448 bits (in increments of 8 bits)
CKK_DES
CKK_DES2
CKK_DES3
CKK_DH - key lengths 512 up to 2048 bits (in increments of 64 bits)
CKK_DSA - key lengths 512 up to 2048 bit prime lengths (in increments of 64 bits)
CKK_EC (CKK_ECDSA) - key lengths 160 up to 521 bits
CKK_GENERIC_SECRET - key lengths 8 up to 2048 bits, unless further restricted by the generation mechanism:
- CKM_DH_PKCS_DERIVE - key lengths 512 up to 2048 bits
- CKM_SSL3_MASTER_KEY_DERIVE - 384-bit key lengths
- CKM_SSL3_MASTER_KEY_DERIVE_DH - 384-bit key lengths
- CKM_SSL3_PRE_MASTER_KEY_GEN - 384-bit key lengths
- CKM_TLS_MASTER_KEY_DERIVE - 384-bit key lengths
- CKM_TLS_MASTER_KEY_DERIVE_DH - 384-bit key lengths
- CKM_TLS_PRE_MASTER_KEY_GEN - 384-bit key lengths
CKK_RC4 - key lengths 8 up to 2048 bits
CKK_RSA - key lengths 512 up to 4096 bits

The following table shows the mechanisms supported by different hardware configurations. All the mechanisms are supported in software, and some may be available in hardware. If the mechanism is available in hardware, ICSF will use the hardware mechanism. If the mechanism is not available in hardware, ICSF will use the software mechanism. The following table also shows the flags returned by the C_GetMechanismInfo function in the CK_MECHANISM_INFO structure. Whether or not the CKF_HW flag is returned in the CK_MECHANISM_INFO structure indicates whether or not the mechanism is supported in the hardware.

Table 1. Mechanism information as returned by C_GetMechanismInfo (CK_MECHANISM_INFO)
Type (CK_MECHANISM_TYPE)	Size factor	Flags
CKM_RSA_PKCS_KEY_PAIR_GEN	Bits	[CKF_HW] CKF_GENERATE_KEY_PAIR
CKM_DES_KEY_GEN⁷	not applicable	[CKF_HW] CKF_GENERATE
CKM_DES2_KEY_GEN⁷	not applicable	[CKF_HW] CKF_GENERATE
CKM_DES3_KEY_GEN	not applicable	[CKF_HW] CKF_GENERATE
CKM_RSA_PKCS^{5, 6}	Bits	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT CKF_WRAP CKF_UNWRAP CKF_SIGN CKF_VERIFY CKF_SIGN_RECOVER CKF_VERIFY_RECOVER
CKM_RSA_X_509^{5, 6, 7}	Bits	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT CKF_SIGN CKF_VERIFY CKF_SIGN_RECOVER CKF_VERIFY_RECOVER
CKM_MD2_RSA_PKCS^{5, 6}	Bits	CKF_SIGN CKF_VERIFY
CKM_MD5_RSA_PKCS^{5, 6}	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA1_RSA_PKCS^{5, 6}	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA224_RSA_PKCS^{5, 6}	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA256_RSA_PKCS^{5, 6}	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA384_RSA_PKCS^{5, 6}	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA512_RSA_PKCS^{5, 6}	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_DES_ECB⁷	not applicable	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT
CKM_DES_CBC⁷	not applicable	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT
CKM_DES_CBC_PAD⁷	not applicable	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT CKF_WRAP CKF_UNWRAP
CKM_DES3_ECB³	not applicable	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT
CKM_DES3_CBC³	not applicable	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT
CKM_DES3_CBC_PAD³	not applicable	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT CKF_WRAP CKF_UNWRAP
CKM_SHA_1	not applicable	[CKF_HW] CKF_DIGEST
CKM_SHA224	not applicable	[CKF_HW] CKF_DIGEST
CKM_SHA256	not applicable	[CKF_HW] CKF_DIGEST
CKM_SHA384	not applicable	[CKF_HW] CKF_DIGEST
CKM_SHA512	not applicable	[CKF_HW] CKF_DIGEST
CKM_RIPEMD160	not applicable	CKF_DIGEST
CKM_MD2	not applicable	CKF_DIGEST
CKM_MD5	not applicable	CKF_DIGEST
CKM_AES_KEY_GEN	Bytes	[CKF_HW] CKF_GENERATE
CKM_AES_ECB³	Bytes	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT
CKM_AES_CBC³	Bytes	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT
CKM_AES_CBC_PAD³	Bytes	[CKF_HW] CKF_ENCRYPT CKF_DECRYPT CKF_WRAP CKF_UNWRAP
CKM_AES_GCM^{3, 7}	Bytes	CKF_ENCRYPT CKF_DECRYPT
CKM_DSA_KEY_PAIR_GEN	Bits	[CKF_HW] CKF_GENERATE_KEY_PAIR
CKM_DH_PKCS_KEY_PAIR_GEN	Bits	[CKF_HW] CKF_GENERATE_KEY_PAIR
CKM_EC_KEY_PAIR_GEN	Bits	[CKF_HW] CKF_GENERATE_KEY_PAIR CKF_EC_F_P¹ CKF_EC_NAMEDCURVE² CKF_EC_UNCOMPRESS
CKM_DSA_PARAMETER_GEN	Bits	[CKF_HW] CKF_GENERATE
CKM_DH_PKCS_PARAMETER_GEN	Bits	[CKF_HW] CKF_GENERATE
CKM_BLOWFISH_KEY_GEN⁷	Bytes	[CKF_HW] CKF_GENERATE
CKM_RC4_KEY_GEN⁷	Bits	[CKF_HW] CKF_GENERATE
CKM_SSL3_PRE_MASTER_KEY_GEN⁷	Bytes	[CKF_HW] CKF_GENERATE
CKM_TLS_PRE_MASTER_KEY_GEN⁷	Bytes	[CKF_HW] CKF_GENERATE
CKM_GENERIC_SECRET_KEY_GEN³	Bits	[CKF_HW] CKF_GENERATE
CKM_BLOWFISH_CBC^{4, 7}	Bytes	CKF_ENCRYPT CKF_DECRYPT
CKM_RC4^{4, 7}	Bits	CKF_ENCRYPT CKF_DECRYPT
CKM_DSA_SHA1	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_DSA	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_ECDSA_SHA1	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY CKF_EC_F_P¹ CKF_EC_NAMEDCURVE² CKF_EC_UNCOMPRESS
CKM_ECDSA	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY CKF_EC_F_P¹ CKF_EC_NAMEDCURVE² CKF_EC_UNCOMPRESS
CKM_MD5_HMAC	not applicable	CKF_SIGN CKF_VERIFY
CKM_SHA_1_HMAC	not applicable	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA224_HMAC	not applicable	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA256_HMAC	not applicable	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA384_HMAC	not applicable	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA512_HMAC	not applicable	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SSL3_MD5_MAC⁷	Bits	CKF_SIGN CKF_VERIFY
CKM_SSL3_SHA1_MAC⁷	Bits	CKF_SIGN CKF_VERIFY
CKM_DH_PKCS_DERIVE	Bits	[CKF_HW] CKF_DERIVE
CKM_ECDH1_DERIVE	Bits	[CKF_HW] CKF_DERIVE CKF_EC_F_P¹ CKF_EC_NAMEDCURVE² CKF_EC_UNCOMPRESS
CKM_SSL3_MASTER_KEY_DERIVE⁷	Bytes	CKF_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH⁷	Bytes	CKF_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE⁷	not applicable	CKF_DERIVE
CKM_TLS_MASTER_KEY_DERIVE⁷	Bytes	CKF_DERIVE
CKM_TLS_MASTER_KEY_DERIVE_DH⁷	Bytes	CKF_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE⁷	not applicable	CKF_DERIVE
CKM_TLS_PRF⁷	not applicable	CKF_DERIVE
CKM_IBM_ATTRIBUTEBOUND_WRAP⁸ (vendor specific mechanism - 0x80020004). IBM proprietary wrap/unwrap mechanism that includes the Boolean usage attributes along with the key data. Only supported for secure keys that have the CKA_IBM_ATTRBOUND attribute set TRUE	not applicable	[CKF_HW] CKF_WRAP CKF_UNWRAP
CKM_PBE_SHA1_DES3_EDE_CBC	not applicable	[CKF_HW] CKF_GENERATE
CKM_RSA_PKCS_PSS⁹	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA1_RSA_PKCS_PSS⁹	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA224_RSA_PKCS_PSS⁹	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA256_RSA_PKCS_PSS⁹	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA384_RSA_PKCS_PSS⁹	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY
CKM_SHA512_RSA_PKCS_PSS⁹	Bits	[CKF_HW] CKF_SIGN CKF_VERIFY

Footnotes for Table 1

¹ The PKCS #11 standard designates two ways of implementing Elliptic Curve Cryptography, nicknamed F_p and F₂^m. z/OS PKCS #11 supports the F_p variety only.

² ANSI X9.62 has the following ASN.1 definition for Elliptic Curve domain parameters:

      Parameters ::= CHOICE {
        ecParameters  ECParameters,
        namedCurve    OBJECT IDENTIFIER,
        implicitlyCA  NULL }

z/OS PKCS #11 supports the specification of CKA_EC_PARAMS attribute using the namedCurved CHOICE. The following NIST-recommended named curves are supported:

secp192r1 – { 1 2 840 10045 3 1 1 }
secp224r1 – { 1 3 132 0 33 }
secp256r1 – { 1 2 840 10045 3 1 7 }
secp384r1 – { 1 3 132 0 34 }
secp521r1 – { 1 3 132 0 35 }

The following Brainpool-defined named curves are supported:

brainpoolP160r1 – { 1 3 36 3 3 2 8 1 1 1 }
brainpoolP192r1 – { 1 3 36 3 3 2 8 1 1 3 }
brainpoolP224r1 – { 1 3 36 3 3 2 8 1 1 5 }
brainpoolP256r1 – { 1 3 36 3 3 2 8 1 1 7 }
brainpoolP320r1 – { 1 3 36 3 3 2 8 1 1 9 }
brainpoolP384r1 – { 1 3 36 3 3 2 8 1 1 11 }
brainpoolP512r1 – { 1 3 36 3 3 2 8 1 1 13 }

In addition, z/OS PKCS #11 has limited support for the ecParameters CHOICE. When specified, the DER encoding must contain the optional cofactor field and must not contain the optional Curve.seed field. Also, calls to C_GetAttributeValue to retrieve the CKA_EC_PARAMS attribute will always return the value in the namedCurve form regardless of how the attribute was specified when the object was created. Due to these limitations, the CKF_EC_ECPARAMETERS flag is not turned on for the applicable mechanisms.

³ Mechanism not present on a system that is export controlled.

⁴ Mechanism limited to 56-bit on a system that is export controlled.

⁵ In general, z/OS PKCS #11 expects RSA private keys to be in Chinese Remainder Theorem (CRT) format. However, for Decrypt, Sign, or UnwrapKey (z890, z990 or higher only) where one of the following is true, the shorter Modulus Exponent (ME) is permitted:

There is an accelerator present and the key is less than or equal to 2048 bits in length.
There is a coprocessor present and the key is less than or equal to 1024 bits in length and FIPS restrictions don’t apply.

⁶ RSA public or private keys that have a public exponent greater than 8 bytes in length can only be used when a coprocessor or accelerator is present.

⁷ Mechanism supported for clear keys only.

⁸ Mechanism supported for secure keys only.

⁹ PARAM field restrictions for PSS algorithms:

typedef struct CK_RSA_PKCS_PSS_PARAMS {
CK_MECHANISM_TYPE hashAlg;
CK_RSA_PKCS_MGF_TYPE mgf;
CK_ULONG sLen;
} CK_RSA_PKCS_PSS_PARAMS;

For mechanisms other than CKM_RSA_PKCS_PSS, the hashAlg must match the mechanism specified. For mechanism CKM_RSA_PKCS_PSS, the hashAlg must be a supported SHA algorithm.
mgf must match the algorithm specified by hashAlg
slen must be either 0 or the size of the output of the hashAlg specified.

The following table lists the mechanisms supported by specific cryptographic hardware. When a particular mechanism is not available in hardware, ICSF will use the software implementation of the mechanism.

Table 2. Mechanisms supported by specific cryptographic hardware
Machine type and cryptographic hardware	Mechanisms supported	Notes
z890, z990 - PCIXCC	CKM_DES_KEY_GEN CKM_DES2_KEY_GEN CKM_DES3_KEY_GEN CKM_RSA_PKCS CKM_RSA_X_509 CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES3_CBC CKM_DES3_CBC_PAD CKM_SHA_1 CKM_BLOWFISH_KEY_GEN CKM_RC4_KEY_GEN CKM_AES_KEY_GEN CKM_SSL3_PRE_MASTER_KEY_GEN CKM_TLS_PRE_MASTER_KEY_GEN CKM_GENERIC_SECRET_KEY_GEN CKM_RSA_PKCS_KEY_PAIR_GEN CKM_EC_KEY_PAIR_GEN CKM_DES_ECB CKM_DES3_ECB	This is the base set. RSA private key operations limited to 1024 bits in length (maximum) and no key pair generation capability.
z890, z990 - CEX2C	PCIXCC set plus: CKM_RSA_PKCS_KEY_PAIR_GEN CKM_DES_ECB CKM_DES3_ECB	RSA private key operations limited to 40496 bits in length (maximum).
z9 - CEX2C	PCIXCC set plus: CKM_RSA_PKCS_KEY_PAIR_GEN CKM_DES_ECB CKM_DES3_ECB CKM_SHA224_RSA_PKCS CKM_SHA256_RSA_PKCS CKM_SHA224 CKM_SHA256 CKM_AES_CBC CKM_AES_CBC_PAD CKM_AES_ECB	AES key operations limited to 128 bits in length (maximum).
z10 - CEX2C or CEX3C	z9 CEX2C set plus: CKM_SHA384_RSA_PKCS CKM_SHA512_RSA_PKCS CKM_SHA384 CKM_SHA512	AES key operations limited to 256 bits in length (maximum).
IBM zEnterprise 196 - CEX3C	z9 CEX2C set plus: CKM_SHA384_RSA_PKCS CKM_SHA512_RSA_PKCS CKM_SHA384 CKM_SHA512	AES key operations limited to 256 bits in length (maximum). RSA private key operations limited to 4096 bits in length (maximum).
IBM zEnterprise EC12 or IBM zEnterprise BC12 with an Enterprise PKCS #11 coprocessor	z10 set plus: CKM_IBM_ATTRIBUTEBOUND_WRAP CKM_PBE_SHA1_DES3_EDE_CBC CKM_DSA_PARAMETER_GEN CKM_DH_PKCS_KEY_PAIR_GEN CKM_DH_PKCS_DERIVE CKM_ECDH1_DERIVE CKM_RSA_PKCS_PSS CKM_SHA1_RSA_PKCS_PSS CKM_SHA224_RSA_PKCS_PSS CKM_SHA256_RSA_PKCS_PSS CKM_SHA384_RSA_PKCS_PSS CKM_SHA512_RSA_PKCS_PSS	Requires the Sept. 2013 or later licensed internal code (LIC)
IBM z13	zEC12 and zBC12 set

The following table lists the algorithms and uses (by mechanism) that are not allowed when operating in compliance with FIPS 140-2. For more information about how the z/OS PKCS #11 services can be configured to operate in compliance with the FIPS 140-2 standard, refer to Operating in compliance with FIPS 140-2.

Table 3. Restricted algorithms and uses when running in compliance with FIPS 140-2
Algorithm	Mechanisms	Usage disallowed
RIPEMD	CKM_RIPEMD160	All
MD2	CKM_MD2, CKM_MD2_RSA_PKCS	All
MD5	CKM_MD5, CKM_MD5_RSA_PKCS, CKM_MD5_HMAC	All
SSL3	CKM_SSL3_MD5_MAC, CKM_SSL3_SHA1_MAC, CKM_SSL3_MASTER_KEY_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_SSL3_KEY_AND_MAC_DERIVE	All
TLS	CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE_DH, CKM_TLS_KEY_AND_MAC_DERIVE	Base key sizes less than 10 bytes
Diffie Hellman	CKM_DH_PKCS_DERIVE	Prime size less than 1024 bits
	CKM_DH_PKCS_PARAMETER_GEN	Prime sizes other than 1024 or 2048 bits
DSA	CKM_DSA_SHA1, CKM_DSA	Prime sizes less than 1024 bits
DSA	CKM_DSA_PARAMETER_GEN, CKM_DSA_KEY_PAIR_GEN or Sign	Combinations other than the following: Prime size = 1024 bits, subprime size = 160 bits Prime size = 2048 bits, subprime size = 224 bits, or 256 bits
Single DES	CKM_DES_ECB, CKM_DES_CBC, CKM_DES_CBC_PAD	All
Triple DES	CKM_DES3_ECB, CKM_DES3_CBC, CKM_DES3_CBC_PAD	Two key Triple DES
Blowfish	CKM_BLOWFISH_KEY_GEN, CKM_BLOWFISH_CBC	All
RC4	CKM_RC4	All
RSA	CKM_RSA_X_509	All
RSA	CKM_RSA_PKCS	Key sizes less than 1024 bits
RSA	CKM_RSA_PKCS_KEY_PAIR_GEN or Sign without an active accelerator	Key sizes that are less than 1024 bits or not a multiple of 256 bits or public key exponents less than 0x010001
HMAC	CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512	Base key sizes less than one half the output size
AES GCM	CKM_AES_GCM	GCM encryption or GMAC generation with externally generated initialization vectors. Initialization vector lengths other than 12 bytes. Tag byte sizes 4 and 8