Enabling access control points for PKCS #11 coprocessor firmware

A new or zeroized Enterprise PKCS #11 coprocessor (or domain) comes with an initial set of Access Control Points (ACPs) that are enabled by default. All other ACPs, which represent potential future support, are left disabled. When a firmware upgrade is applied to an existing Enterprise PKCS #11 coprocessor, the upgrade may introduce new ACPs. The firmware upgrade does not retroactively enable these ACPs, so they remain disabled by default. They must be enabled via the TKE (or by a subsequent zeroize) before the new support they govern can be used. See Table 28. PKCS #11 Access Control Points in Writing PKCS #11 Applications for a complete description of the Access Control Points.

Table 1. Mapping of Enterprise PKCS #11 ACPs to firmware levels

Enterprise PKCS #11 firmware level: Initial release

ACPs supported at this level:
  Control Point Management
    • Allow addition (activation) of Control Points (0)
    • Allow removal (deactivation) of Control Points (1)
  Cryptographic Operations
    • Sign with private keys (2)
    • Sign with HMAC or CMAC (3)
    • Verify with HMAC or CMAC (4)
    • Encrypt with symmetric keys (5)
    • Decrypt with private keys (6)
    • Decrypt with symmetric keys (7)
    • Key export with public keys (8)
    • Key export with symmetric keys (9)
    • Key import with private keys (10)
    • Key import with symmetric keys (11)
    • Generate asymmetric key pairs (12)
    • Generate symmetric keys (13)
  Cryptographic Algorithms
    • RSA private-key use (30)
    • DSA private-key use (31)
    • EC private-key use (32)
    • Brainpool (E.U.) EC curves (33)
    • NIST/SECG EC curves (34)
    • Allow non-BSI algorithms (as of 2009) (21)
    • Allow non-FIPS-approved algorithms (as of 2011) (35)
    • Allow non-BSI algorithms (as of 2011) (36)
  Key Size
    • Allow 80 to 111-bit algorithms (24)
    • Allow 112 to 127-bit algorithms (25)
    • Allow 128 to 191-bit algorithms (26)
    • Allow 192 to 255-bit algorithms (27)
    • Allow 256-bit algorithms (28)
    • Allow RSA public exponents below 0x10001 (29)
  Miscellaneous
    • Allow backend to save semi-retained keys (14) - not applicable
    • Allow keywrap without attribute-binding (16)
    • Allow changes to key objects (usage flags only) (17)
    • Allow mixing external seed to RNG (18) - not applicable
    • Allow non-administrators to mark key objects TRUSTED (37)
    • Do not double-check sign/decrypt operations (38)
    • Allow dual-function keys - key wrapping and data encryption (39)
    • Allow dual-function keys - digital signature and data encryption (40)
    • Allow dual-function keys - key wrapping and digital signature (41)
    • Allow non-administrators to mark public key objects ATTRBOUND (42)
    • Allow clear passphrases for password-based-encryption (43)
    • Allow wrapping of stronger keys by weaker keys (44)
    • Allow clear public keys as non-attribute bound wrapping keys (45)

ACPs that need to be enabled when this code level is obtained via firmware upgrade:
  None - all default ACPs are enabled in the initial release.

Enterprise PKCS #11 firmware level: Version 2, Sept. 2013 or later licensed internal code (LIC)

ACPs supported at this level:
  Set for initial release, plus:
  Cryptographic Operations
    • Allow key derivation (47)
  Cryptographic Algorithms
    • DH Private Key Use (46)

ACPs that need to be enabled when this code level is obtained via firmware upgrade:
  Cryptographic Operations
    • Allow key derivation (47)
  Cryptographic Algorithms
    • DH Private Key Use (46)