A new or zeroized Enterprise PKCS #11 coprocessor (or domain)
comes with an initial set of Access Control Points (ACPs) that are
enabled by default. All other ACPs, representing potential future
support, are left disabled. When a firmware upgrade is applied to
an existing Enterprise PKCS #11 coprocessor, the upgrade may introduce
new ACPs. The firmware upgrade does not retroactively enable these
ACPs, so they remain disabled after the upgrade. These ACPs must be
enabled via the TKE (or a subsequent zeroize) in order to utilize the
new support they govern. See "Table 28. PKCS #11 Access Control Points"
in Writing PKCS #11 Applications for a complete description of the
Access Control Points.

Table 1. Mapping of Enterprise PKCS #11 ACPs to firmware levels

Enterprise PKCS #11 firmware level | ACPs supported at this level | ACPs that need to be enabled when this code level is obtained via firmware upgrade |

Initial release |
- Control Point Management
  - Allow addition (activation) of Control Points (0)
  - Allow removal (deactivation) of Control Points (1)
- Cryptographic Operations
  - Sign with private keys (2)
  - Sign with HMAC or CMAC (3)
  - Verify with HMAC or CMAC (4)
  - Encrypt with symmetric keys (5)
  - Decrypt with private keys (6)
  - Decrypt with private keys (7)
  - Key export with public keys (8)
  - Key export with symmetric keys (9)
  - Key import with private keys (10)
  - Key import with symmetric keys (11)
  - Generate asymmetric key pairs (12)
  - Generate symmetric keys (13)
- Cryptographic Algorithms
  - RSA private-key use (30)
  - DSA private-key use (31)
  - EC private-key use (32)
  - Brainpool (E.U.) EC curves (33)
  - NIST/SECG EC curves (34)
  - Allow non-BSI algorithms (as of 2009) (21)
  - Allow non-FIPS-approved algorithms (as of 2011) (35)
  - Allow non-BSI algorithms (as of 2011) (36)
- Key Size
  - Allow 80 to 111-bit algorithms (24)
  - Allow 112 to 127-bit algorithms (25)
  - Allow 128 to 191-bit algorithms (26)
  - Allow 192 to 255-bit algorithms (27)
  - Allow 256-bit algorithms (28)
  - Allow RSA public exponents below 0x10001 (29)
- Miscellaneous
  - Allow backend to save semi-retained keys not applicable (14)
  - Allow keywrap without attribute-binding (16)
  - Allow changes to key objects (usage flags only) (17)
  - Allow mixing external seed to RNG not applicable (18)
  - Allow non-administrators to mark key objects TRUSTED (37)
  - Do not double-check sign/decrypt operations (38)
  - Allow dual-function keys - key wrapping and data encryption (39)
  - Allow dual-function keys - digital signature and data encryption (40)
  - Allow dual-function keys - key wrapping and digital signature (41)
  - Allow non-administrators to mark public key objects ATTRBOUND (42)
  - Allow clear passphrases for password-based-encryption (43)
  - Allow wrapping of stronger keys by weaker keys (44)
  - Allow clear public keys as non-attribute bound wrapping keys (45)
|
None - all default ACPs enabled in the initial release. |

Version 2 Sept. 2013 or later licensed internal code (LIC) |
Set for initial release plus
- Cryptographic Operations
  - Allow key derivation (47)
- Cryptographic Algorithms
  - DH Private Key Use (46)
|
- Cryptographic Operations
  - Allow key derivation (47)
- Cryptographic Algorithms
  - DH Private Key Use (46)
|