The following table lists the Access Control Points (ACPs) that are available on the Enterprise PKCS #11 coprocessors and the PKCS #11 mechanisms or functions that would be disabled for secure keys if the control point is deactivated. A new or a zeroized Enterprise PKCS #11 coprocessor (or domain) comes with an initial set of ACPs that are enabled by default. All other ACPs, representing potential future support, are left disabled. When a firmware upgrade is applied to an existing Enterprise PKCS #11 coprocessor, the upgrade may introduce new ACPs. The firmware upgrade does not retroactively enable these ACPs, so they are disabled by default. These ACPs must be enabled via the TKE (or subsequent zeroize) in order to utilize the new support they govern.
See the Enabling Access Control Points for PKCS #11 coprocessor firmware section in the Migration topic of the z/OS Cryptographic Services ICSF System Programmer's Guide for the list of default ACPs and those ACPs that need to be enabled via TKE for PKCS #11 coprocessor firmware upgrades.
Access Control Point name or group | Mechanism/Function requiring enablement | Number |
---|---|---|
Control Point Management | ||
Allow addition (activation) of Control Points | not applicable | 0 |
Allow removal (deactivation) of Control Points | not applicable | 1 |
Cryptographic Operations | ||
Sign with private keys | Sign using CKK_RSA, CKK_DSA, or CKK_ECDSA keys. | 2 |
Sign with HMAC or CMAC | Sign using CKM_SHA_1_HMAC, | 3 |
Verify with HMAC or CMAC | Verify using CKM_SHA_1_HMAC, | 4 |
Encrypt with symmetric keys | Encrypt with CKK_DES3 or CKK_AES | 5 |
Decrypt with private keys | Decrypt with CKK_RSA keys. | 6 |
Decrypt with symmetric keys | Decrypt with CKK_DES3 or CKK_AES keys. | 7 |
Key export with public keys | Wrap Key using a CKK_RSA wrapping key. | 8 |
Key export with symmetric keys | Wrap Key using a CKK_DES3 or CKK_AES wrapping key. | 9 |
Key import with private keys | Unwrap Key using a CKK_RSA unwrapping key. | 10 |
Key import with symmetric keys | Unwrap Key using a CKK_DES3 or | 11 |
Generate asymmetric key pairs | Generate Key Pair for CKK_RSA, CKK_DSA, or CKK_ECDSA keys | 12 |
Generate symmetric keys | Generate key for CKK_DES2 or CKK_AES keys | 13 |
Allow key derivation | Derive key using a CKK_DH key | 47 |
Cryptographic Algorithms | ||
RSA private-key use | Generate Key Pair for CKK_RSA | 30 |
DSA private-key use | Generate Key Pair for CKK_DSA | 31 |
EC private-key use | Generate Key Pair for CKK_EC | 32 |
DH private-key use | Generate Key Pair for CKK_DH | 46 |
Brainpool (E.U.) EC curves | Sign or Verify using the Brainpool curves | 33 |
NIST/SECG EC curves | Sign or Verify using the NIST EC curves | 34 |
Allow non-BSI algorithms (as of 2009) | not applicable | 21 |
Allow non-FIPS-approved algorithms (as of 2011) | not applicable | 35 |
Allow non-BSI algorithms (as of 2011) | not applicable | 36 |
Key Size | ||
Allow 80 to 111-bit algorithms | Any use of CKK_GENERIC_SECRET keys smaller than 112 bits, or 160 or 192 bit CKK_ECDSA keys | 24 |
Allow 112 to 127-bit algorithms | Any use of 2048 bit CKK_DSA keys, CKK_GENERIC_SECRET keys larger than 111 bits but less than 128 bits, 224 bit CKK_ECDSA keys, or CKK_DES3 keys | 25 |
Allow 128 to 191-bit algorithms | Any use of CKK_GENERIC_SECRET keys larger than 127 bits but less than 192 bits, 128 bit CKK_AES keys, or 256 bit CKK_ECDSA keys | 26 |
Allow 192 to 255-bit algorithms | Any use of CKK_GENERIC_SECRET keys larger than 191 bits, 192 bit CKK_AES keys or 384 bit CKK_ECDSA keys. | 27 |
Allow 256-bit algorithms | Any coprocessor use other than random number generation. | 28 |
Allow RSA public exponents below 0x10001 | Generate Key or Generate Key Pair for CKK_RSA where the exponent is 3. | 29 |
Miscellaneous | ||
Allow backend to save semi-retained keys | not applicable | 14 |
Allow keywrap without attribute-binding | Wrap Key or Unwrap Key using CKM_RSA_PKCS, CKM_AES_CBC_PAD, or CKM_DES3_CBC_PAD. Create Object or Copy Object where source is a clear key. | 16 |
Allow changes to key objects (usage flags only) | Set Attribute Value or Copy Object where the key usage flags are modified | 17 |
Allow mixing external seed to RNG | not applicable | 18 |
Allow non-administrators to mark key objects TRUSTED | Set Attribute Value where CKA_TRUSTED is set TRUE | 37 |
Do not double-check sign/decrypt operations | not applicable | 38 |
Allow dual-function keys - key | Generate Key or Generate Key Pair where CKA_WRAP / CKA_UNWRAP and CKA_ENCRYPT / CKA_DECRYPT combinations are requested (or defaulted). Wrap Key, Unwrap Key, Encrypt or Decrypt with a previously created key containing the above combination. Create Object or Copy Object where source is a clear key. | 39 |
Allow dual-function keys - digital signature and data encryption | Create Object, Generate Key or Generate Key Pair where CKA_SIGN / CKA_VERIFY and CKA_ENCRYPT / CKA_DECRYPT combinations are requested (or defaulted). Sign, Verify, Encrypt or Decrypt with a previously created key containing the above combination. | 40 |
Allow dual-function keys - key wrapping and digital signature | Create Object, Generate Key or Generate Key Pair where CKA_SIGN / CKA_VERIFY and CKA_WRAP / CKA_UNWRAP combinations are requested (or defaulted). Sign, Verify, Wrap Key or Unwrap Key with a previously created key containing the above combination. | 41 |
Allow non-administrators to mark public key objects ATTRBOUND | Create Object where CKA_IBM_ATTRBOUND is set TRUE | 42 |
Allow clear passphrases for password-based-encryption | Generate Key using CKM_PBE_SHA1_DES3_EDE_CBC | 43 |
Allow wrapping of stronger keys by weaker keys | Wrap Key where the to-be-wrapped key is stronger than the wrapping key. | 44 |
Allow clear public keys as non-attribute bound wrapping keys | Wrap Key where the wrapping key is a CKK_RSA clear public key and the to-be-wrapped key is a secure CKK_DES3, CKK_AES, or CKK_GENERIC_SECRET key. | 45 |