Supported Cryptographic Operations for CAPI
CADP for C CAPI allows you to implement data privacy, confidentiality, and integrity in a simple, scalable, and secure manner.
The operations supported are as follows:
Security Provided | Algorithm | Functions Supported |
---|---|---|
Data Privacy and Confidentiality (Symmetric) | AES, DES, DESede, AES/GCM, RC4, SEED, ARIA, FPE/AES/CARD10, FPE/AES/CARD26, FPE/AES/CARD62, FPE/AES/UNICODE, FPE/FF1/CARD10, FPE/FF1/CARD26, FPE/FF1/CARD62, FPE/FF1/ASCII, FPE/FF1/UNICODE, FPE/FF1v2/CARD10, FPE/FF1v2/CARD26, FPE/FF1v2/CARD62, FPE/FF1v2/ASCII, FPE/FF1v2/UNICODE, FPE/FF3/CARD10, FPE/FF3/CARD26, FPE/FF3/CARD62, FPE/FF3/ASCII, FPE/FF3/UNICODE | Encrypt/Decrypt |
Data Privacy and Confidentiality (Asymmetric) | RSA, ECIES | Encrypt/Decrypt |
Data Integrity | HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 | MAC/MAC Verify |
Data Signatures | RSA, SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withRSA/PSSPadding, SHA256withRSA/PSSPadding, SHA384withRSA/PSSPadding, SHA512withRSA/PSSPadding | Sign/Sign Verify |
For FPE in remote mode, only FPE/AES/CARD10 is supported. However, in local mode all the cardinalities are supported.
Note
The following algorithms are supported only in local mode:
• FPE/AES
• FPE/FF1
• FPE/FF1v2
• FPE/FF3
For MacVerify, a session cannot be shared between multiple operations in remote mode.
SHA-1 must not be used to hash a message for signature purposes.
To encrypt or decrypt with a block algorithm, it must be possible to divide the plaintext value into full blocks of a specific size. (In the case of AES, the block size is sixteen bytes; in the case of DESede and DES, the block size is eight bytes).
If the plaintext length is not a multiple of the algorithm’s block size, padding is used to fill the remainder of the last block. If the length of the plaintext value is a multiple of the block size, padding is used to fill an additional, trailing block.
This additional block indicates that no padding is present in the preceding blocks. The ciphertext is therefore always larger than the original plaintext, regardless of the algorithm used to encrypt the data.
The following table illustrates this for the AES and SEED algorithms.
Plaintext Size (in bytes) | Ciphertext Size (in bytes) |
---|---|
15 | 16 |
16 | 32 |
17 | 32 |
127 | 128 |
128 | 144 |
As mentioned, DESede and DES use a block size of eight bytes. The following table illustrates how padding affects the length of ciphertexts from the DES and DESede algorithms.
Plaintext Size (in bytes) | Ciphertext Size (in bytes) |
---|---|
7 | 8 |
8 | 16 |
9 | 19 |
95 | 96 |
96 | 104 |
Asymmetric algorithms, such as RSA, can be up to an order of magnitude slower than symmetric algorithms.
When using RSA keys to encrypt data, the ciphertext is always the size of the key: if your RSA key is 2048 bits (256 bytes), then the ciphertext is also 256 bytes. The padding scheme limits how much data a single operation can encrypt. With the default PKCS1Padding the input can be at most 11 bytes smaller than the key, so a 2048-bit RSA key can encrypt at most 245 bytes.
Maximum allowed input size for a crypto operation, by padding scheme
Padding | MaximumAllowedInputSize for Crypto Operation |
---|---|
PKCS1Padding (default) | InputDataLength <= (RSAKeySize/8) - 11 |
PKCS1OAEPPadding | InputDataLength <= (RSAKeySize/8) - 42 |
PKCS1OAEPPaddingSHA256, PKCS1OAEPPaddingSHA384, PKCS1OAEPPaddingSHA512 | InputDataLength <= (RSAKeySize/8) - (2*HashLength/8) - 2, where HashLength is the hash output length in bits |
The speed and size issues make public key cryptography impractical for encrypting data. Therefore, we recommend that you use symmetric key algorithms to encrypt your data.
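As an added illustration (not CADP code; the function names are mine), the sizing rules above can be turned into a small helper that tells a caller how large a ciphertext buffer to allocate under PKCS5Padding, whether an input is acceptable for NoPadding, and the largest message a given RSA key size and padding scheme accept:

```c
#include <stddef.h>
#include <stdio.h>

/* Ciphertext length for a block cipher with PKCS5Padding, following the
 * rule above: the last partial block is padded out, and a plaintext that is
 * already a whole number of blocks gets one extra, all-padding block.
 * block_size is 16 for AES and SEED, 8 for DES and DESede. */
size_t padded_ciphertext_len(size_t plaintext_len, size_t block_size)
{
    return (plaintext_len / block_size + 1) * block_size;
}

/* With NoPadding the caller must do the sizing: the input must already be
 * a non-zero multiple of the block size, for encryption and decryption. */
int nopadding_len_ok(size_t len, size_t block_size)
{
    return len > 0 && len % block_size == 0;
}

/* RSA padding schemes from the table above. */
typedef enum { PKCS1_PADDING, PKCS1_OAEP_PADDING } rsa_padding_t;

/* Largest plaintext one RSA operation can encrypt: key bytes minus the
 * padding overhead (11 for PKCS#1 v1.5; 2*hash + 2 for OAEP). hash_bits is
 * the OAEP hash output length (160 for the SHA-1 default) and is ignored
 * for PKCS1_PADDING. Returns 0 when the key is too small for the padding. */
size_t rsa_max_input_len(unsigned key_bits, rsa_padding_t pad, unsigned hash_bits)
{
    size_t k = key_bits / 8;                       /* modulus length in bytes */
    size_t overhead = (pad == PKCS1_PADDING) ? 11 : 2 * (hash_bits / 8) + 2;
    return k > overhead ? k - overhead : 0;
}

int main(void)
{
    size_t aes_cases[] = { 15, 16, 17, 127, 128 };   /* constructed sample sizes */
    size_t des_cases[] = { 7, 8, 9, 95, 96 };
    size_t i;
    puts("AES/SEED (16-byte block), PKCS5Padding:");
    for (i = 0; i < 5; i++)
        printf("  %3zu -> %3zu\n", aes_cases[i], padded_ciphertext_len(aes_cases[i], 16));
    puts("DES/DESede (8-byte block), PKCS5Padding:");
    for (i = 0; i < 5; i++)
        printf("  %3zu -> %3zu\n", des_cases[i], padded_ciphertext_len(des_cases[i], 8));
    printf("RSA-2048 PKCS1Padding max input: %zu bytes\n",
           rsa_max_input_len(2048, PKCS1_PADDING, 0));
    printf("RSA-2048 OAEP/SHA-256 max input: %zu bytes\n",
           rsa_max_input_len(2048, PKCS1_OAEP_PADDING, 256));
    return 0;
}
```

By the rule stated above, a 9-byte DES or DESede plaintext pads to 16 bytes, and a 512-bit key has no room left under OAEP with SHA-512.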
Modes of Operation
If you are using a block cipher (AES, DESede, or DES), decide whether you want to use the algorithm in Electronic Code Book (ECB) mode or Cipher-Block Chaining (CBC) mode.
In ECB mode, each block is encrypted separately, through the same procedure. Thus, two identical plaintext blocks encrypt to the same ciphertext and any data patterns in the plaintext can be detected in the encrypted data.
In CBC mode, the first block is XORed with an initialization vector before being encrypted. All subsequent plaintext blocks are XORed with the previous ciphertext block before being encrypted. This dependency makes it more difficult for an attacker to swap blocks, because blocks must be decrypted in the same order in which they were encrypted to produce the original plaintext.
When the same key and different IVs are used, identical plaintexts are guaranteed to have different ciphertexts.
It is recommended to use CBC mode, unless you have a compelling reason to use ECB mode.
Initialization Vectors
An initialization vector (IV) is a sequence of random bytes prepended to the plaintext before encryption. Using a unique IV eliminates the possibility that the initial ciphertext block is the same for any two encryption operations of the same plaintext under the same key. In the CipherTrust Manager environment, IVs are used only by block ciphers in CBC mode. The size of the IV depends on the algorithm: AES and SEED use a sixteen-byte IV; DESede and DES use an eight-byte IV. The CipherTrust Manager can generate random IVs, or the user can supply their own.
An eight-byte IV requires sixteen hex characters; likewise, a sixteen-byte IV requires thirty-two. Some examples in this documentation show impractical IVs for the sake of simplicity, for example 112233445566.... Make sure that the IV is sufficiently random, and if you supply your own IV for anything other than data migration, you must retain the IV you supplied.
To ensure unique ciphertexts during data migration, IVs must be applied at the field level, not the column level.
In general, use one of the following symmetric block ciphers to encrypt data in the CipherTrust Manager environment: AES, FPE, or DESede. Of these, AES is recommended because it performs better and is considered more secure than the others. To preserve the format of the data, use an FPE algorithm.
Do not use the TDES/DES algorithms: they are known to be weak and are supported only for backward compatibility. The AES, DES, and DESede algorithms support a default IV.
Whether FPE requires an IV depends on the FPE variant, the cardinality, and its block size. For example, with cardinality 10 FPE requires a 56-byte IV when the data size is > 56 bytes; with cardinality 26, a 40-byte IV when the data size is > 40 bytes; and with cardinality 62, a 32-byte IV when the data size is > 32 bytes.
Supported Content
There are no restrictions on the type of data and content that a CipherTrust Manager can secure. Whether it is a 10-byte string of data, a 10K image, a 1MB text file, a 10MB PDF file, a financial spreadsheet, or a line of code, a CipherTrust Manager can perform all desired cryptographic operations. In short, a CipherTrust Manager can handle any type of data or content.
Supported Algorithms
The CipherTrust Manager supports the following algorithms:
• AES
• AES/GCM
• DES
• DESede
• HMAC-SHA
• HMAC-SHA1
• HMAC-SHA256
• HMAC-SHA384
• HMAC-SHA512
• RC4
• RSA
• SEED
• EC
Supported proprietary algorithms:
• FPE/AES
• FPE/FF1
• FPE/FF1v2
• FPE/FF3
A proprietary format that utilizes the DES algorithm is also supported.
AES
Attribute | Description |
---|---|
Block Size | 16 bytes |
Supported Modes | ECB (default), CBC |
Padding Schemes | PKCS5Padding, None (No Padding). When using AES with no padding, ciphertext must be supplied in multiples of 16 bytes. |
IV | CBC mode requires a 16 byte IV. IV is not allowed in ECB mode. |
Key Size (in bits) | 128 (default), 192, 256 |
Identifier Strings | AES/CBC/NoPadding, AES/CBC/PKCS5Padding, AES/ECB/NoPadding, AES/ECB/PKCS5Padding, AES (equivalent to AES/ECB/PKCS5Padding) |
Additional Notes | When using AES keys with No Padding, you must supply data (both ciphertext for decryption and plaintext for encryption) in multiples of 16 bytes. |
AES/GCM
Attribute | Description |
---|---|
Block Size | 16 bytes |
Supported Modes | GCM |
Padding Schemes | None (No Padding) |
IV (nonce) | 1 to 16 byte IV. 96-bit (12 byte) IVs can be processed more efficiently, so that length is recommended where efficiency is critical. |
Key Size (in bits) | 128, 192, 256 |
Identifier Strings | AES/GCM |
AAD | [Optional] Additional authenticated data: data that is passed to the recipient in plaintext but is authenticated so that tampering is detected. |
TagLen | The authentication tag ensures that the data has not been accidentally altered or maliciously tampered with in transit or in storage. TagLen is between 4 and 16 bytes. |
DES
Attribute | Description |
---|---|
Block Size | 8 bytes |
Supported Modes | ECB (default), CBC |
Padding Schemes | PKCS5Padding (default), None (No Padding) |
IV | CBC mode requires an 8 byte IV. IV is not allowed in ECB mode. |
Key Size | Supported key size is 56 bits. The key contains an extra 8 bits of parity, for a total key size of 64 bits. |
Identifier Strings | DES/CBC/NoPadding (outer CBC mode), DES/CBC/PKCS5Padding (outer CBC mode), DES/ECB/NoPadding, DES/ECB/PKCS5Padding, DES (equivalent to DES/ECB/PKCS5Padding) |
Additional Notes | When using DES keys with NoPadding, you must supply data (both ciphertext for decryption and plaintext for encryption) in multiples of 8 bytes. |
DESede
Attribute | Description |
---|---|
Block Size | 8 bytes |
Supported Modes | ECB (default), CBC |
Padding Schemes | PKCS5Padding (default), None (No Padding) |
IV | CBC mode requires an 8 byte IV. IV is not allowed in ECB mode. |
Key Size | Supported key sizes are 168 (default) and 112 bits. Each key contains an extra 8 bits of parity. Thus, when you create a key of 112 bits, the actual key size is 128 bits; when you create a key of 168 bits, the actual key size is 192 bits. A key size of 112 bits refers to two-key triple DES, whose sequence of operations is: encrypt with Key1, decrypt with Key2, encrypt with Key1. A key size of 168 bits refers to three-key triple DES, whose sequence of operations is: encrypt with Key1, decrypt with Key2, encrypt with Key3. |
Identifier Strings | DESede/CBC/NoPadding (outer CBC mode), DESede/CBC/PKCS5Padding (outer CBC mode), DESede/ECB/NoPadding, DESede/ECB/PKCS5Padding, DESede (equivalent to DESede/ECB/PKCS5Padding) |
Additional Notes | When using DESede keys with NoPadding, you must supply data (both ciphertext for decryption and plaintext for encryption) in multiples of 8 bytes. |
HMAC-SHA
Attribute | Description |
---|---|
Supported Hash Function | SHA-1, SHA-256, SHA-384, SHA-512 |
Padding Schemes | Uses the padding from the SHA-1 algorithm. No additional padding. |
IV | No IV is required. |
Key Size | Keys can be between 128 and 256 bits. A key size of at least 160 bits is recommended, and the default is 160. The HMAC keys you generate should be a multiple of 8 bytes; on some platforms, HMAC keys that are not a multiple of 8 bytes might yield incorrect results when generating MACs. |
Identifier String | HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512 |
Additional Notes | HMAC is a stream cipher. HMAC keys are bitstreams of multiples of 8 bits. |
RC4
Attribute | Description |
---|---|
IV | No IV is required |
Key Size | Supported key sizes are 40 and 128 bits |
Identifier String | RC4 |
Additional Notes | RC4 is a stream cipher with byte–oriented operations, which means that RC4 keys are bitstreams of multiples of 8 bits. |
RSA
Attribute | Description |
---|---|
Padding Schemes | For encryption: PKCS1Padding (default), PKCS1OAEPPadding. For signatures: PSSPadding. |
IV | No IV is required |
Key Size | 512, 1024 (default), 2048, 3072, 4096. RSA-3072 and RSA-4096 are not supported for cryptographic operations on i300 series CipherTrust Manager appliances; keys of these sizes can still be created, imported, and exported on those devices. |
Identifier Strings | For encryption: RSA, RSA/PKCS1Padding, RSA/PKCS1OAEPPadding, RSA/PKCS1OAEPPaddingSHA256, RSA/PKCS1OAEPPaddingSHA384, RSA/PKCS1OAEPPaddingSHA512. For signatures: SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withRSA/PSSPadding, SHA256withRSA/PSSPadding, SHA384withRSA/PSSPadding, SHA512withRSA/PSSPadding. |
Additional Notes | The ciphertext is always the size of the RSA key; if your RSA key is 2048 bits (256 bytes), then the ciphertext is 256 bytes. Because they use PKCS#1 padding, RSA keys can encrypt data up to 11 bytes smaller than the key size; with a 2048-bit RSA key, the maximum data size you can encrypt is 245 bytes. RSA keys cannot be used to perform data migration operations. PKCS1Padding is the default: specifying "RSA" as the algorithm is equivalent to RSA/PKCS1Padding. A 512-bit RSA key does not work with SHA384 and SHA512 in remote mode. |
Note
For RSA encryption/decryption, it is recommended to use the Optimal Asymmetric Encryption Padding (OAEP) method.
SEED
Attribute | Description |
---|---|
Block Size | 16 bytes |
Supported Modes | ECB, CBC |
Padding Schemes | PKCS5Padding, NoPadding |
IV | CBC mode requires a 16 byte IV. IV is not allowed in ECB mode. |
Key Size | Supported key size is 128 bits. |
Additional Notes | Support for the SEED algorithm is only available on devices that are not FIPS compliant, and must be feature-activated. Both server and client must be running version 4.3 or later. |
EC
Attribute | Description |
---|---|
Curve id and Key Size | secp224k1 (225), secp224r1 (224), secp256k1 (256), secp384r1 (384), secp521r1 (521), prime256v1 (256), brainpoolP224r1 (224), brainpoolP224t1 (224), brainpoolP256r1 (256), brainpoolP256t1 (256), brainpoolP384r1 (384), brainpoolP384t1 (384), brainpoolP512r1 (512), brainpoolP512t1 (512) |
Identifier Strings | For signatures: SHA1withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA. For encryption/decryption: ECIESwithSHA1/AES/CBC/PKCS5Padding, ECIESwithSHA224/AES/CBC/PKCS5Padding, ECIESwithSHA256/AES/CBC/PKCS5Padding, ECIESwithSHA384/AES/CBC/PKCS5Padding, ECIESwithSHA512/AES/CBC/PKCS5Padding, ECIESwithSHA1/AES/CBC/NoPadding, ECIESwithSHA224/AES/CBC/NoPadding, ECIESwithSHA256/AES/CBC/NoPadding, ECIESwithSHA384/AES/CBC/NoPadding, ECIESwithSHA512/AES/CBC/NoPadding, ECIESwithSHA1/DESede/CBC/NoPadding, ECIESwithSHA224/DESede/CBC/NoPadding, ECIESwithSHA256/DESede/CBC/NoPadding, ECIESwithSHA384/DESede/CBC/NoPadding, ECIESwithSHA512/DESede/CBC/NoPadding, ECIESwithSHA1/DESede/CBC/PKCS5Padding, ECIESwithSHA224/DESede/CBC/PKCS5Padding, ECIESwithSHA256/DESede/CBC/PKCS5Padding, ECIESwithSHA384/DESede/CBC/PKCS5Padding, ECIESwithSHA512/DESede/CBC/PKCS5Padding |
IV | IV is required for encryption/decryption algorithms but optional for signature algorithms. |
Additional Notes | Prime size may differ from the key size. SEC1 is the default key format for EC key creation and export. EC Sign/Sign Verify is not supported with the I_C_CryptBulk_Enhanced API. Supported operations: Key Creation (use EC as the identifier string), Key Export, Key Import, Sign/Sign Verify, Encryption/Decryption. |
FPE
Attribute | Description |
---|---|
Block Size | MAXb: for CARD10, MAXb = 56 bytes; for CARD26, MAXb = 40 bytes; for CARD62, MAXb = 32 bytes. |
Cardinality | For FPE/AES: CARD10 (local and remote mode), CARD26 (local mode only), CARD62 (local mode only), UNICODE. For FPE/FF1 and FPE/FF1v2: CARD10, CARD26, CARD62, UNICODE, ASCII (all local mode only). For FPE/FF3: CARD10, CARD26, CARD62, UNICODE, ASCII (all local mode only). |
IV | FPE accepts a hex-encoded MAXb integer. If the length of the data exceeds MAXb, an IV must be provided: FPE breaks long data into MAXb-sized blocks and chains them with an algorithm similar to CBC mode. The IV is a 56-byte hex-encoded value for cardinality 10 when the data size is > 56 bytes; a 40-byte hex-encoded value for cardinality 26 when the data size is > 40 bytes; a 32-byte hex-encoded value for cardinality 62 when the data size is > 32 bytes. NOTE: IV is not supported for the FF1, FF1v2, and FF3 algorithms. |
Key Size (in bits) | 128, 192, 256 |
Identifier Strings | FPE/AES/CARD10, FPE/AES/CARD26, FPE/AES/CARD62, FPE/AES/UNICODE, FPE/FF1/CARD10, FPE/FF1/CARD26, FPE/FF1/CARD62, FPE/FF1/ASCII, FPE/FF1/UNICODE, FPE/FF1v2/CARD10, FPE/FF1v2/CARD26, FPE/FF1v2/CARD62, FPE/FF1v2/ASCII, FPE/FF1v2/UNICODE, FPE/FF3/CARD10, FPE/FF3/CARD26, FPE/FF3/CARD62, FPE/FF3/ASCII, FPE/FF3/UNICODE |
Tweak Algorithm | Lets the caller specify a hash algorithm to apply to the tweak data beforehand. Valid values: NONE, SHA1, SHA256. |
Tweak Data | Tweak data is optional but highly recommended. It uses the tweakable cipher concept to protect against statistical attacks due to the potentially small input/output space. It accepts ASCII strings of at most 256 characters. If the tweak algorithm is "NONE" or absent: for AES, the value must be a hex-encoded string representing a 64-bit value (so the hex encoding is 16 characters); for FF1, FF1v2, and FF3, the value can be an ASCII string of length 8 bytes. If a valid tweak algorithm is specified, the tweak data need not be hex encoded and may be any ASCII string. |
Additional Notes | FPE/AES works in both local and remote mode. FF1, FF1v2, and FF3 work in local mode only. The default tweak algorithm is NONE if a null value is provided. For details on FPE, refer to Format Preserving Encryption. |
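The IV rules from the Initialization Vectors section and the per-algorithm tables above (CBC takes exactly one block of IV, ECB and the bare identifiers take none, AES/GCM takes 1 to 16 bytes, FPE/AES needs a MAXb-byte IV only once the data exceeds MAXb, and FF1/FF1v2/FF3 take none) can be checked in the application before the API call is made. This is an added example, not CADP code; check_iv and its status codes are assumed names, and SEED, RC4 and the UNICODE cardinality are deliberately left out.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of checking a caller's IV against the rules above. Hypothetical
 * pre-flight helper, not part of CADP: run it before the real crypt call
 * so a wrong IV fails in the application instead of at the server. */
typedef enum { IV_OK = 0, IV_UNKNOWN_ALGO, IV_NOT_ALLOWED, IV_MISSING, IV_WRONG_LEN } iv_status_t;

/* Block size implied by the cipher name that leads an identifier string:
 * 16 bytes for AES, 8 for DES and DESede, 0 for anything else. */
static size_t block_size_of(const char *id)
{
    if (strncmp(id, "DES", 3) == 0) return 8;        /* also matches DESede */
    if (strncmp(id, "AES", 3) == 0) return 16;
    return 0;
}

/* MAXb for an FPE/AES cardinality (FPE table): 56, 40 or 32 bytes. */
static size_t fpe_maxb(const char *card)
{
    if (strcmp(card, "CARD10") == 0) return 56;
    if (strcmp(card, "CARD26") == 0) return 40;
    if (strcmp(card, "CARD62") == 0) return 32;
    return 0;                                        /* UNICODE: not covered here */
}

/* iv_len is the decoded IV length in bytes (a hex string carries two
 * characters per byte); data_len is the plaintext length in bytes. */
iv_status_t check_iv(const char *id, size_t iv_len, size_t data_len)
{
    size_t bs;
    if (strcmp(id, "AES/GCM") == 0)                  /* nonce of 1..16 bytes */
        return (iv_len >= 1 && iv_len <= 16) ? IV_OK : IV_WRONG_LEN;
    if (strncmp(id, "FPE/AES/", 8) == 0) {           /* IV needed only past MAXb */
        size_t maxb = fpe_maxb(id + 8);
        if (maxb == 0) return IV_UNKNOWN_ALGO;
        if (data_len <= maxb) return IV_OK;
        if (iv_len == 0) return IV_MISSING;
        return iv_len == maxb ? IV_OK : IV_WRONG_LEN;
    }
    if (strncmp(id, "FPE/", 4) == 0)                 /* FF1, FF1v2, FF3: no IV */
        return iv_len == 0 ? IV_OK : IV_NOT_ALLOWED;
    bs = block_size_of(id);
    if (bs == 0) return IV_UNKNOWN_ALGO;
    if (strstr(id, "/CBC/") != NULL) {               /* CBC: exactly one block */
        if (iv_len == 0) return IV_MISSING;
        return iv_len == bs ? IV_OK : IV_WRONG_LEN;
    }
    return iv_len == 0 ? IV_OK : IV_NOT_ALLOWED;     /* ECB, incl. bare "AES"/"DES" */
}
```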