Home >

Utilities Reference Guide > Multitoken > Using Multitoken

Using Multitoken

The multitoken utility allows you to specify an operation, and one or more “slots” or HSM Partitions on which to perform that operation. The multitoken utility runs the operations and returns a summary, or progress report, of the results.

CAUTION:  To achieve maximum performance with SafeNet Network HSM 5.x and 6.x, client applications must spawn 30+ threads. The 10 threads indicated for legacy SafeNet Network HSM 4.x is not sufficient to stress the current product.

Syntax

multitoken -mode <mode> -slots <slot list> [-nodestroy] [-key <key size>] [-curve <curve num>] [-blob <blob count>] [-packet <packet size>] [-logfile <logfile name>] [-force] [-help] [-symm] [-password <password>] [-timed <fixed time>] [-nodec] [-parmfile <param file>] [-noverifyr] [-multipartsignatures] [-subprime <subprime size>] [-noverify] [-nslots] [-keychoice <key index>] [-kdfchoice <kdf index>] [-kdfscnt [counter index>] [-sharefile <data file>] [-noenc] [-nosign] [-verbose] [-alarm <secs>] [-template]

 

Parameter Shortcut Description
-alarm   -al   Sound periodic alarm (every <secs> seconds) if error occurs.
-blob   -b   Number of data blobs to be signed during each multisign operation.
-curv   -crv   ID number of ECC curve. If user-defined (99), then must specify -parmfile.
-force   -f   Avoid prompts for responses.
-ped   -ped   Specify ped id (-ped 0 for local, -ped 1 for remote). This applies only to the first HSM slot to be specified using the '-s' option.
-help   -h   Display help information only.
-key   -k   Size of key: asymmetric in bits (default = 1024 for RSA, 2048 for DSA). symmetric in bytes (i.e. 16, 24, 32 for AES/ARIA).
-keychoice   -kc   Select key type to derive/generate - specify choice list index.
-kdfchoice   -kdf   Select key derivation function - specify choice list index.
-kdfscnt   -kds   Select key derivation session counter type - specify choice list index.
-usage   -u   Number of times a key is allowed to be used.
-logfile   -l   File for results logging.
-mode   -m   Operating mode. See mode values available below.
-multipartsig   -msig   Use multipart signatures.
-nodec   -nod   Decryption operation will not be performed. Only symmetric and asymmetric encryption will be performed and measured.
-nodestroy   -n   Leaves created objects on the HSM after test completes.
-noenc   -noe   Perform only one encryption operation. Only symmetric and asymmetric decryption will be performed and measured.
-nosign   -nos   Perform only one sign operation. Only verify will be performed and measured.
-noverify   -nov   Verify operation will not be performed. Only sign will be performed and measured.
-noverifyr   -nvr   Do not verify decryption results. 
-packet   -p   Size of packet used in operation. 
-parmfile   -prm   File for EC curve parameters or OAEP source data (0 = none for OAEP). 
-password   -pwd   Specify password to use for token. 
-prftype   -prf Specify the type of PRF to use for PRF based key derivation. 
-sharefile   -shf   Shared data file used for operation.  
-slots   -s   List of of slots to use (slot numbers separated by commas).  
-subprme   -sub   Size of the subprime in bits. 
-symm   -sym   Select symmetric key mechanism for symderive/pbegen or key choice for symgen (can also use -kc).  
-timed   -t   Fixed amount of time to run (seconds). 
-nslots   -ns   Slots and threads to be specified as slot number times (x or X) number of threads, then comma for next pair. Ex. -ns 1x5,2X10
This will create 5 threads on slot 1 and 10 threads on slot 2. 
-verbose   -v   Show all thread performances. Default is only first and last threads.  
-template -tp Attaches a generic unwrap template or derive template for the wrapunwrap or symderive mode respectively.

Operating Modes

The following table lists the available operating modes for the multitoken utility. The operating mode is specified using the -mode parameter.

Mode Description
rsakeygen RSA key generation
rsax931keygen RSA X9.31 key generation
rsasigver RSA sign
sha512rsasigver SHA1 with RSA sign
sha224rsasigver SHA224 with RSA sign
sha256rsasigver SHA256 with RSA sign
sha384rsasigver SHA384 with RSA sign
sha512rsasigver SHA512 with RSA sign
rsax931sigver X9.31 RSA sign
sha1rsax931sigver SHA1 X9.31 RSA sign
sha224rsax931sigver SHA224 X9.31 RSA sign
sha256rsax931sigver SHA256 X9.31 RSA sign
sha384rsax931sigver SHA384 X9.31 RSA sign
sha512rsax931sigver SHA512 X9.31 RSA sign
sha1rsapsssigver SHA1 RSA PSS sign
rsaenc RSA encrypt
rsaoaepenc RSA OAEP encrypt
dsakeygen DSA Key Generation
dsasigver DSA bare sign
sha1dsasigver SHA1 DSA sign
sha224dsasigver SHA224 DSA sign
sha256dsasigver SHA256 DSA sign
ecdsakeygen ECDSA Key Generation
ecdsasigver ECDSA sign
ecdsasha1sigver SHA1 ECDSA sign
ecdsasha224sigver SHA224 ECDSA sign
ecdsasha256sigver SHA256 ECDSA sign
ecdsasha384sigver SHA384 ECDSA sign
ecdsasha512sigver SHA512 ECDSA sign
kcdsakeygen KCDSA Key Generation
kcdsasigver HAS160 KCDSA 1024-bit sign
kcdsasha1sigver SHA51 KCDSA sign
kcdsasha224sigver SHA224 KCDSA sign
kcdsasha256sigver SHA256 KCDSA sign
kcdsasha384sigver SHA384 KCDSA sign
kcdsasha512sigver SHA512 KCDSA sign
pbegen PBE key generation
symgen Symmetric key generation
symderive Symmetric key derivation
rc4enc RC4 encrypt
des3enc DES3 ECB encrypt
des3enccbc DES3 CBC encrypt
des3enccfb8 DES3 CFB8 encrypt
des3enccfb64 DES3 CFB64 encrypt
des3encofb DES3 OFB encrypt
desmac DES3 MAC sign
descmac DES3 CMAC sign
aesenc AES ECB encrypt
aesenccbc AES CBC encrypt
aesencfb8 AES CFB8 encrypt
aesenccfb128 AES CFB128 encrypt
aesencofb AES OFB encrypt
aesencgcm AES GCM encrypt
aesmac AES MAC sign
aescmac AES CMAC sign
ariaenc ARIA ECB encrypt
ariaenccbc ARIA CBC encrypt
ariaenccfb8 ARIA CFB8 encrypt
ariaenccfb128 ARIA CFB128 encrypt
ariacencofb ARIA OFB sign
ariamac ARIA MAC sign
ariacmac ARIA CMAC sign
seedenc SEED ECB encrypt
seedmac SEED MAC sign
seedcmac SEED CMAC sign
extractinsert Extract Insert masked objects
multisignvalue Multisign w/ masked key
simextractinsert SIMExtract Insert masked objects
simmultisign SIMMultisign w/ masked key
sim3extractinsert SIM3 Extract Insert masked objects
md5 MD5 Hashing
sha1 SHA-1 Hashing
sha224 SHA-224 Hashing
sha256 SHA-256 Hashing
sha384 SHA-384 Hashing
sha512 SHA-512 Hashing
sha1hmac SHA1 HMAC sign
sha224hmac SHA224 HMAC sign
sha256hmac SHA256 HMAC sign
sha384hmac SHA384 HMAC sign
sha512hmac SHA512 HMAC sign
ecdhderive ECDH derive key
ecdhcderive ECDH Cofactor derive key
eciesxorhmacsha1 ECIES XOR enc/dec with HMAC SHA1 
eciesxorhmacsha1shared ECIES XOR enc/dec with HMAC SHA1 and shared data 
eciesdes3hmacsha224 ECIES DES3 enc/dec with HMAC SHA224 
eciesdes3hmacsha224shared ECIES DES3 enc/dec with HMAC SHA224 and shared data 
eciesaes128hmacsha256 ECIES AES-128 enc/dec with HMAC SHA256
eciesaes128hmacsha256shared ECIES AES-128 enc/dec with HMAC SHA256 and shared data 
eciesaes192hmacsha384 ECIES AES-192 enc/dec with HMAC SHA384 
eciesaes192hmacsha384shared  ECIES AES-192 enc/dec with HMAC SHA384 and shared data 
eciesaes256hmacsha512 ECIES AES-256 enc/dec with HMAC SHA512
eciesaes256hmacsha512shared ECIES AES-256 enc/dec with HMAC SHA512 and shared data 
wrapunwrap Wrap/unwrap operations
randgen Random number generation

Notes

1.If you are performing RSA operations, you have the option of specifying a key size (512, 1024, 2048, 4096, 8192). If no key size is specified, the default key size of 1024 will be used. For example:

multitoken -mode rsasigver -key 512 -slots 1
 

2.If you are performing wrapunwrap operation, it will perform the following operations:

Generate RSA key pair and a symmetric DES key.

Wrap DES key with RSA public key.

Unwrap wrapped key above with RSA private key.

Verify the unwrapped key.

3.If you are performing a Multisign operation, you have the option of specifying a key size (512, 1024, 2048, 4096, 8192). If no key size is specified, the default key size of 1024 will be used. You must also specify a blob count, indicating the number of data blobs to be signed during each multisign operation. For example:

multitoken -mode multisignvalue -key 512 -blob 10 -s 1,1,2,2,2 
multitoken -mode multisignvalue -blob 10 -s 1,1,2,2,2,2
 

4.A thread will be spawned to perform tests on each slot specified. A slot can be specified multiple times, in which
case multiple threads will be created for the slot.

5.Options for the followiong modes can be used with the default 1024 bit key size only:

sha256rsasign - SHA256 with RSA

sha384rsasign - SHA384 with RSA

sha512rsasign - SHA512 with RSA

If you specify a keysize on the command line (any of 1024, 2048 or 4096), the result is the 1024 bit benchmark speed, and a file called "1024" or "2048" or "4096" is created - that is the keysize parameter is parsed as a filename to which results are saved.

Named and User-defined Curves

The SafeNet HSMs employ named and user-defined curves.Multitoken supports this option, as illustrated in the following example:

C:\Program Files\SafeNet\LunaClient>multitoken -mode ecdsasigver -s 1,1,1,1,1,1,1,1
 
Prime field curves:

[0]secp112r1
[1]secp112r2
[2]secp128r1
[3]secp128r2 [4]secp160k1
[5]secp160r1
[6]secp160r2
[7]secp192k1 [8]secp224k1
[9]secp224r1
[10]secp256k1
[11]secp384r1 [12]secp521r1 [13]X9_62_prime192v1
[14]X9_62_prime192v2
[15]X9_62_prime192v3 [16]X9_62_prime239v1
[17]X9_62_prime239v2
[18]X9_62_prime239v3 [19]X9_62_prime256v1
 
Characteristic two field curves:

[20]sect113r1
[21]sect113r2
[22]sect131r1
[23]sect131r2 [24]sect163k1
[25]sect163r1
[26]sect163r2
[27]sect193r1 [28]sect193r2
[29]sect233k1
[30]sect233r1
[31]sect239k1 [32]sect283k1
[33]sect283r1
[34]sect409k1
[35]sect409r1 [36]sect571k1
[37]sect571r1 [38]X9_62_c2pnb163v1
[39]X9_62_c2pnb163v2
[40]X9_62_c2pnb163v3
[41]X9_62_c2pnb176v1 
[42]X9_62_c2tnb191v1
[43]X9_62_c2tnb191v2 [44]X9_62_c2tnb191v3
[45]X9_62_c2pnb208w1
[46]X9_62_c2tnb239v1 [47]X9_62_c2tnb239v2
[48]X9_62_c2tnb239v3
[49]X9_62_c2pnb272w1 [50]X9_62_c2pnb304w1
[51]X9_62_c2tnb359v1
[52]X9_62_c2pnb368w1 [53]X9_62_c2tnb431r1 [54]Brainpool_P160r1
[55]Brainpool_P160t1
[56]Brainpool_P192r1 [57]Brainpool_P192t1
[58]Brainpool_P224r1
[59]Brainpool_P224t1 [60]Brainpool_P256r1
[61]Brainpool_P256t1
[62]Brainpool_P320r1 [63]Brainpool_P320t1
[64]Brainpool_P384r1
[65]Brainpool_P384t1 [66]Brainpool_P512r1
[67]Brainpool_P512t1
Please pick a curve (0-67) or enter (99) for a user defined curve:99

Please enter the filename for the EC parameters:
 

Here, you would provide the filepath to the file specifying the Elliptical Curve parameters. The format and content of the parameter file follow industry standards, and are discussed in more detail in Named Curves and User-Defined Parameters