PKCS #11 Coprocessor Access Control Points

The following table lists the Access Control Points that are available on the Enterprise PKCS #11 coprocessors and the PKCS #11 mechanisms or functions that would be disabled for secure keys if the control point is deactivated. A new or a zeroized Enterprise PKCS #11 coprocessor (or domain) comes with an initial set of Access Control Points (ACPs) that are enabled by default. All other ACPs, representing potential future support, are left disabled. When a firmware upgrade is applied to an existing Enterprise PKCS #11 coprocessor, the upgrade may introduce new ACPs. The firmware upgrade does not retroactively enable these ACPs, so they are disabled by default. These ACPs must be enabled via the TKE (or a subsequent zeroize) in order to use the new support they govern.

See the Enabling Access Control Points for PKCS #11 coprocessor firmware section in the Migration topic of the z/OS Cryptographic Services ICSF System Programmer's Guide for the list of default ACPs and those ACPs that need to be enabled via TKE for PKCS #11 coprocessor firmware upgrades.

Table 1. PKCS #11 Access Control Points. The information is presented by Access Control Points name or group.
| Access Control Point name or group | Mechanism/Function requiring enablement | Number |
|---|---|---|
| Control Point Management | | |
| Allow addition (activation) of Control Points | not applicable | 0 |
| Allow removal (deactivation) of Control Points | not applicable | 1 |
| Cryptographic Operations | | |
| Sign with private keys | Sign using CKK_RSA, CKK_DSA, or CKK_ECDSA keys. | 2 |
| Sign with HMAC or CMAC | Sign using CKM_SHA_1_HMAC, CKM_SHA224_HMAC, CKM_SHA256_HMAC, CKM_SHA384_HMAC, or CKM_SHA512_HMAC. | 3 |
| Verify with HMAC or CMAC | Verify using CKM_SHA_1_HMAC, CKM_SHA224_HMAC, CKM_SHA256_HMAC, CKM_SHA384_HMAC, or CKM_SHA512_HMAC. | 4 |
| Encrypt with symmetric keys | Encrypt with CKK_DES3 or CKK_AES keys. Create Object or Copy Object where source is a clear key. | 5 |
| Decrypt with private keys | Decrypt with CKK_RSA keys. | 6 |
| Decrypt with symmetric keys | Decrypt with CKK_DES3 or CKK_AES keys. | 7 |
| Key export with public keys | Wrap Key using a CKK_RSA wrapping key. | 8 |
| Key export with symmetric keys | Wrap Key using a CKK_DES3 or CKK_AES wrapping key. | 9 |
| Key import with private keys | Unwrap Key using a CKK_RSA unwrapping key. | 10 |
| Key import with symmetric keys | Unwrap Key using a CKK_DES3 or CKK_AES unwrapping key. Create Object or Copy Object where source is a clear key. | 11 |
| Generate asymmetric key pairs | Generate Key Pair for CKK_RSA, CKK_DSA, or CKK_ECDSA keys. | 12 |
| Generate symmetric keys | Generate Key for CKK_DES2 or CKK_AES keys. | 13 |
| Allow key derivation | Derive Key using a CKK_DH key. | 47 |
| Cryptographic Algorithms | | |
| RSA private-key use | Generate Key Pair for CKK_RSA. Sign or Decrypt using a CKK_RSA key. | 30 |
| DSA private-key use | Generate Key Pair for CKK_DSA. Sign using a CKK_DSA key. | 31 |
| EC private-key use | Generate Key Pair for CKK_EC. Sign or Derive Key using a CKK_EC key. | 32 |
| DH private-key use | Generate Key Pair for CKK_DH. | 46 |
| Brainpool (E.U.) EC curves | Sign or Verify using the Brainpool curves. | 33 |
| NIST/SECG EC curves | Sign or Verify using the NIST EC curves. | 34 |
| Allow non-BSI algorithms (as of 2009) | not applicable | 21 |
| Allow non-FIPS-approved algorithms (as of 2011) | not applicable | 35 |
| Allow non-BSI algorithms (as of 2011) | not applicable | 36 |
| Key Size | | |
| Allow 80 to 111-bit algorithms | Any use of CKK_GENERIC_SECRET keys smaller than 112 bits, or 160- or 192-bit CKK_ECDSA keys. If in a BSI mode: any use of CKK_DSA keys, or CKK_RSA keys smaller than 2432 bits. If not in a BSI mode: any use of CKK_DSA keys, or CKK_RSA keys smaller than 2048 bits. | 24 |
| Allow 112 to 127-bit algorithms | Any use of 2048-bit CKK_DSA keys, CKK_GENERIC_SECRET keys larger than 111 bits but less than 128 bits, 224-bit CKK_ECDSA keys, or CKK_DES3 keys. If in a BSI mode: any use of CKK_RSA keys larger than 2431 bits but less than 3248 bits. If not in a BSI mode: any use of CKK_RSA keys larger than 2047 bits but less than 3072 bits. | 25 |
| Allow 128 to 191-bit algorithms | Any use of CKK_GENERIC_SECRET keys larger than 127 bits but less than 192 bits, 128-bit CKK_AES keys, or 256-bit CKK_ECDSA keys. If in a BSI mode: any use of CKK_RSA keys larger than 3247 bits. If not in a BSI mode: any use of CKK_RSA keys larger than 3071 bits. | 26 |
| Allow 192 to 255-bit algorithms | Any use of CKK_GENERIC_SECRET keys larger than 191 bits, 192-bit CKK_AES keys, or 384-bit CKK_ECDSA keys. | 27 |
| Allow 256-bit algorithms | Any coprocessor use other than random number generation. | 28 |
| Allow RSA public exponents below 0x10001 | Generate Key or Generate Key Pair for CKK_RSA where the exponent is 3. | 29 |
| Miscellaneous | | |
| Allow backend to save semi-retained keys | not applicable | 14 |
| Allow keywrap without attribute-binding | Wrap Key or Unwrap Key using CKM_RSA_PKCS, CKM_AES_CBC_PAD, or CKM_DES3_CBC_PAD. Create Object or Copy Object where source is a clear key. | 16 |
| Allow changes to key objects (usage flags only) | Set Attribute Value or Copy Object where the key usage flags are modified. | 17 |
| Allow mixing external seed to RNG | not applicable | 18 |
| Allow non-administrators to mark key objects TRUSTED | Set Attribute Value where CKA_TRUSTED is set TRUE. | 37 |
| Do not double-check sign/decrypt operations | not applicable | 38 |
| Allow dual-function keys - key wrapping and data encryption | Generate Key or Generate Key Pair where CKA_WRAP / CKA_UNWRAP and CKA_ENCRYPT / CKA_DECRYPT combinations are requested (or defaulted). Wrap Key, Unwrap Key, Encrypt or Decrypt with a previously created key containing the above combination. Create Object or Copy Object where source is a clear key. | 39 |
| Allow dual-function keys - digital signature and data encryption | Create Object, Generate Key or Generate Key Pair where CKA_SIGN / CKA_VERIFY and CKA_ENCRYPT / CKA_DECRYPT combinations are requested (or defaulted). Sign, Verify, Encrypt or Decrypt with a previously created key containing the above combination. | 40 |
| Allow dual-function keys - key wrapping and digital signature | Create Object, Generate Key or Generate Key Pair where CKA_SIGN / CKA_VERIFY and CKA_WRAP / CKA_UNWRAP combinations are requested (or defaulted). Sign, Verify, Wrap Key or Unwrap Key with a previously created key containing the above combination. | 41 |
| Allow non-administrators to mark public key objects ATTRBOUND | Create Object where CKA_IBM_ATTRBOUND is set TRUE. | 42 |
| Allow clear passphrases for password-based-encryption | Generate Key using CKM_PBE_SHA1_DES3_EDE_CBC. | 43 |
| Allow wrapping of stronger keys by weaker keys | Wrap Key where the to-be-wrapped key is stronger than the wrapping key. | 44 |
| Allow clear public keys as non-attribute bound wrapping keys | Wrap Key where the wrapping key is a CKK_RSA clear public key and the to-be-wrapped key is a secure CKK_DES3, CKK_AES, or CKK_GENERIC_SECRET key. | 45 |
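A single secure-key operation is gated by ACPs from several groups of the table at once (the operation row, the algorithm row, the Key Size row for the key's length and mode, and ACP 28 for any use), and the RSA thresholds move with the BSI mode. As an added example that is not part of the ICSF documentation, the following Python combines those rows into the set of ACPs a domain must have enabled for one operation, so an administrator can see what a TKE change has to cover; it assumes the operation names, treats the table's CKK_ECDSA as the PKCS #11 key type CKK_EC, and leaves out the DSA, DH and HMAC rows.

```python
from typing import Optional, Set

ANY_USE_ACP = 28  # "Allow 256-bit algorithms": any coprocessor use other than RNG

def key_size_acp(key_type: str, bits: int, bsi_mode: bool) -> Optional[int]:
    """Key Size ACP (24-27) that a key of this type and length falls under."""
    if key_type == "CKK_RSA":
        # RSA thresholds differ between a BSI mode and a non-BSI mode
        low, high = (2432, 3248) if bsi_mode else (2048, 3072)
        return 24 if bits < low else 25 if bits < high else 26
    if key_type == "CKK_GENERIC_SECRET":
        return 24 if bits < 112 else 25 if bits < 128 else 26 if bits < 192 else 27
    if key_type == "CKK_EC":  # the Key Size rows call this key type CKK_ECDSA
        return {160: 24, 192: 24, 224: 25, 256: 26, 384: 27}.get(bits)
    if key_type == "CKK_AES":
        return {128: 26, 192: 27}.get(bits)  # 256-bit AES has no Key Size row
    if key_type == "CKK_DES3":
        return 25
    return None

# (operation, key type) -> (Cryptographic Operations ACP, Cryptographic Algorithms ACP)
# Operation names are assumptions for this example, not PKCS #11 function names.
OPERATION_ACPS = {
    ("sign", "CKK_RSA"): (2, 30), ("decrypt", "CKK_RSA"): (6, 30),
    ("generate", "CKK_RSA"): (12, 30), ("sign", "CKK_EC"): (2, 32),
    ("generate", "CKK_EC"): (12, 32), ("encrypt", "CKK_AES"): (5, None),
    ("decrypt", "CKK_AES"): (7, None), ("wrap", "CKK_AES"): (9, None),
    ("unwrap", "CKK_AES"): (11, None), ("generate", "CKK_AES"): (13, None),
    ("encrypt", "CKK_DES3"): (5, None), ("decrypt", "CKK_DES3"): (7, None),
    ("wrap", "CKK_DES3"): (9, None), ("unwrap", "CKK_DES3"): (11, None),
}
EC_CURVE_ACP = {"nist": 34, "brainpool": 33}  # "Sign or Verify using the ... curves"

def required_acps(op: str, key_type: str, bits: int, bsi_mode: bool = False,
                  curve: Optional[str] = None) -> Set[int]:
    """Every ACP that must be enabled for this one secure-key operation."""
    ops_acp, alg_acp = OPERATION_ACPS[(op, key_type)]
    acps = {ops_acp, ANY_USE_ACP}
    if alg_acp is not None:
        acps.add(alg_acp)
    size_acp = key_size_acp(key_type, bits, bsi_mode)
    if size_acp is not None:
        acps.add(size_acp)
    if key_type == "CKK_EC" and curve in EC_CURVE_ACP:
        acps.add(EC_CURVE_ACP[curve])
    return acps

def missing_acps(op: str, key_type: str, bits: int, enabled: Set[int],
                 bsi_mode: bool = False, curve: Optional[str] = None) -> Set[int]:
    """ACPs still to be enabled via TKE before the operation can succeed."""
    return required_acps(op, key_type, bits, bsi_mode, curve) - enabled
```

The same 2048-bit RSA signing key needs ACP 25 outside a BSI mode but ACP 24 (the 80 to 111-bit group) inside one, which is why an otherwise identical domain can fail that operation after a mode change.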