Supported Cryptographic Operations for PKCS#11
CADP for C PKCS#11 allows you to implement data privacy, confidentiality, and integrity in a simple, scalable, and secure manner.
The operations supported are as follows:
Security Provided | Algorithm | Functions Supported |
---|---|---|
Data Privacy and Confidentiality (Symmetric) | AES, AES/GCM, FPE (Charset Required), FF1 (Charset Required) | Encrypt/Decrypt |
Data Privacy and Confidentiality (Asymmetric) | RSA | Encrypt/Decrypt |
Data Integrity | HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 | MAC/MAC Verify |
Data Signatures | RSA: SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA | Sign/Sign Verify |
Note
FPE and FF1 algorithms are supported in local mode.
To encrypt or decrypt with a block algorithm, it must be possible to divide the plaintext into full blocks of a fixed size (for AES, the block size is sixteen bytes).
If the plaintext length is not a multiple of the algorithm's block size, padding fills the remainder of the last block. If the plaintext length is an exact multiple of the block size, padding fills an additional, trailing block.
This additional block signals that no padding is present in the preceding blocks. As a result, the ciphertext is always larger than the original plaintext, regardless of the algorithm used to encrypt the data.
The following table shows the resulting sizes for AES.
Plaintext Size (in bytes) | Ciphertext Size (in bytes) |
---|---|
15 | 16 |
16 | 32 |
17 | 32 |
127 | 128 |
128 | 144 |
Asymmetric algorithms, such as RSA, can be up to an order of magnitude slower than symmetric algorithms.
When RSA keys are used to encrypt data, the ciphertext is always the size of the key: with a 2048-bit (256-byte) RSA key, the ciphertext is 256 bytes. The plaintext that can be encrypted in one operation is smaller than the key size, because part of the block is taken up by padding; for a 2048-bit RSA key, the maximum data size is 245 bytes.
These speed and size constraints make public key cryptography impractical for encrypting data in general, so it is recommended to use symmetric key algorithms to encrypt your data.
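The size limits described above can be checked directly. The following is an added example in Go (not CADP or CipherTrust code; Go's standard library stands in for the PKCS#11 calls), assuming PKCS#1 v1.5 padding, which is what produces the 245-byte limit for a 2048-bit key quoted in the text:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// pkcs1v15Limits gives, for an RSA key of the stated bit size, the ciphertext
// length (always the key length k in bytes) and the largest plaintext that
// PKCS#1 v1.5 encryption accepts: k minus 11 bytes of mandatory padding.
func pkcs1v15Limits(bits int) (ciphertextLen, maxPlaintext int) {
	k := (bits + 7) / 8
	return k, k - 11
}

// encryptRSA returns the ciphertext, or an error when msg exceeds the limit.
func encryptRSA(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptPKCS1v15(rand.Reader, pub, msg)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // demo key generated on the fly
	if err != nil {
		panic(err)
	}
	ctLen, maxPlain := pkcs1v15Limits(2048)
	fmt.Printf("2048-bit key: ciphertext %d bytes, plaintext limit %d bytes\n", ctLen, maxPlain)
	ct, err := encryptRSA(&priv.PublicKey, make([]byte, maxPlain)) // largest accepted input
	fmt.Println("245-byte input ->", len(ct), "byte ciphertext, err:", err)
	_, err = encryptRSA(&priv.PublicKey, make([]byte, maxPlain+1)) // one byte too many
	fmt.Println("246-byte input -> err:", err)
}
```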
Modes of Operation
If you are using AES as a block cipher, decide whether to use it in Electronic Code Book (ECB) mode or Cipher-Block Chaining (CBC) mode.
In ECB mode, each block is encrypted separately through the same procedure. Two identical plaintext blocks therefore encrypt to the same ciphertext block, and any data patterns in the plaintext remain detectable in the encrypted data.
In CBC mode, the first block is XORed with an initialization vector before being encrypted, and every subsequent plaintext block is XORed with the previous ciphertext block before being encrypted. This dependency makes it harder for an attacker to swap blocks, because blocks must be decrypted in the same order in which they were encrypted to recover the original plaintext.
When the same key and different IVs are used, identical plaintexts are guaranteed to have different ciphertexts.
It is recommended to use CBC mode, unless you have a compelling reason to use ECB mode.
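To see the padding rule behind the ciphertext-size table and the ECB/CBC difference described in this section in working code, here is an added example in Go (not CADP or CipherTrust code; Go's standard library supplies AES, and the key and IV are constructed demo values):

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

func mustCipher(key []byte) cipher.Block {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	return block
}

// pkcs5Pad appends n bytes of value n (1..16); a full final block gets a whole extra block of 0x10.
func pkcs5Pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC is AES/CBC/PKCS5Padding; iv is 16 bytes and each block is chained to the previous ciphertext block.
func encryptCBC(key, iv, plaintext []byte) []byte {
	padded := pkcs5Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(mustCipher(key), iv).CryptBlocks(out, padded)
	return out
}

// encryptECB is AES/ECB/NoPadding (whole blocks only); identical plaintext blocks give identical ciphertext blocks.
func encryptECB(key, padded []byte) []byte {
	block, out := mustCipher(key), make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out
}

func main() {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed demo key and IV
	for _, n := range []int{15, 16, 17, 127, 128} {
		fmt.Printf("plaintext %3d bytes -> ciphertext %3d bytes\n", n, len(encryptCBC(key, iv, make([]byte, n))))
	}
	two := bytes.Repeat([]byte("sixteen byte blk"), 2) // two identical plaintext blocks
	ecb, cbc := encryptECB(key, two), encryptCBC(key, iv, two)
	fmt.Println("ECB repeats:", bytes.Equal(ecb[:16], ecb[16:]), "CBC repeats:", bytes.Equal(cbc[:16], cbc[16:32]))
}
```

Use a fresh random IV for every CBC message in practice; the fixed IV here only keeps the demonstration reproducible.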
Initialization Vectors
An initialization vector (IV) is a sequence of random bytes prepended to the plaintext before encryption. Using a unique IV eliminates the possibility that the initial ciphertext block is the same for any two encryptions of the same plaintext under the same key. In the CipherTrust Manager environment, IVs are used only by block ciphers in CBC mode. The size of the IV depends on the algorithm; AES uses a sixteen byte IV. The CipherTrust Manager can generate random IVs, or the user can supply their own.
Written as hexadecimal, an eight byte IV requires sixteen characters and a sixteen byte IV requires thirty-two characters. Some examples in this documentation show impractical IVs for the sake of simplicity, for example 112233445566.... Make sure that the IV you use is sufficiently random, and if you supply your own IV for anything other than data migration, it is crucial to keep a record of the IV, because the same IV is needed to decrypt the data.
To ensure unique ciphertext during data migration, IVs must be applied at the field level, not the column level.
In general, it is recommended to encrypt data in the CipherTrust Manager environment with one of the symmetric block ciphers, AES or FPE. Of the two, AES is preferred because it performs better and is considered more secure. Use the FPE algorithm when the format of the data must be preserved.
Supported Algorithms
The supported algorithms are:
AES
AES/GCM
HMAC-SHA
RSA
FPE
FF1
AES
Attribute | Description |
---|---|
Block Size | 16 bytes |
Supported Modes | ECB, CBC, CTR |
Padding Schemes | PKCS5Padding; None (no padding). When using AES with no padding, the ciphertext supplied must be a multiple of 16 bytes. |
IV | CBC mode requires a 16 byte IV. An IV is not allowed in ECB mode. |
Key Size (in bits) | 128 (default), 192, 256 |
Identifier Strings | AES/CBC/NoPadding, AES/CBC/PKCS5Padding, AES/ECB/NoPadding, AES/CTR/NoPadding |
Additional Notes | When using AES keys with no padding, you must supply data (both ciphertext for decryption and plaintext for encryption) in multiples of 16 bytes. |
AES/GCM
Attribute | Description |
---|---|
Block Size | 16 bytes |
Supported Modes | GCM |
IV (nonce) | 1 to 16 bytes. A 96-bit (12 byte) IV can be processed more efficiently, so that length is recommended where efficiency is critical. |
Key Size (in bits) | 128, 192, 256 |
Identifier Strings | AES/GCM |
AAD | [Optional] Data that is passed to the recipient in plaintext but must be authenticated so that tampering is detected. |
TagLen | The tag ensures that the data has not been accidentally altered or maliciously tampered with during transmission or storage. TagLen is between 4 and 16 bytes. |
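The AAD and tag behaviour from the table above, as an added example in Go (not CADP or CipherTrust code; Go's standard library stands in for the PKCS#11 calls). Go's GCM accepts tag lengths of 12 to 16 bytes only, narrower than the 4 to 16 byte range in the table, and the key and AAD are constructed demo values:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES/GCM with the requested tag length; Go accepts 12..16 byte tags only.
func newGCM(key []byte, tagLen int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, tagLen)
}

// sealGCM encrypts plaintext and authenticates aad under a fresh random 12-byte nonce; output is nonce || ciphertext || tag.
func sealGCM(key, aad, plaintext []byte, tagLen int) ([]byte, error) {
	g, err := newGCM(key, tagLen)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM checks the tag over ciphertext and aad; any change to either is rejected.
func openGCM(key, aad, sealed []byte, tagLen int) ([]byte, error) {
	g, err := newGCM(key, tagLen)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize()+tagLen {
		return nil, fmt.Errorf("sealed message too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

func main() {
	key, aad := []byte("0123456789abcdef"), []byte("record-id=42") // constructed demo key and AAD
	sealed, _ := sealGCM(key, aad, []byte("card data"), 16)
	fmt.Println("sealed bytes:", len(sealed)) // 12 nonce + 9 data + 16 tag = 37
	_, err := openGCM(key, []byte("record-id=43"), sealed, 16)
	fmt.Println("altered AAD rejected:", err != nil)
}
```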
HMAC-SHA
Attribute | Description |
---|---|
Supported Hash Function | SHA-1, SHA-256, SHA-384, SHA-512 |
IV | No IV is required. |
Key Size | Keys can be between 128 and 256 bits. It is recommended that the key size be at least 160 bits; the default is 160. The HMAC keys you generate should be a multiple of 8 bytes, because on some platforms HMAC keys that are not a multiple of 8 bytes might yield incorrect MACs. |
Identifier String | HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512 |
Additional Notes | HMAC is a stream cipher. HMAC keys are bitstreams of multiples of 8 bits. |
RSA
Attribute | Description |
---|---|
IV | No IV is required |
Key Size | 512, 1024 (default), 2048, 3072, 4096. RSA-3072 and RSA-4096 are not supported for cryptographic operations on i300 series CipherTrust Manager appliances; keys of these sizes can still be created, imported, and exported on those devices. |
Identifier Strings | For encryption: RSA. For signatures: SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA |
FPE
Attribute | Description |
---|---|
Cardinality | For FPE: ASCII (local mode only), UNICODE (local mode only). For FF1: ASCII (local mode only), UNICODE (local mode only) |
Key Size (in bits) | 128, 192, 256 |
Tweak Algorithm | Lets the caller specify a hashing algorithm that is applied to the tweak data beforehand. Valid values: NONE, SHA1, SHA256 |
Tweak Data | Tweak data is optional but highly recommended. It applies the tweakable cipher concept to protect against statistical attacks made possible by a potentially small input/output space. |