Home > |
---|
The multitoken utility allows you to specify an operation, and one or more “slots” or HSM Partitions on which to perform that operation. The multitoken utility runs the operations and returns a summary, or progress report, of the results.
CAUTION: To achieve maximum performance with SafeNet Network HSM 5.x and 6.x, client applications must spawn 30+ threads. The 10 threads indicated for legacy SafeNet Network HSM 4.x is not sufficient to stress the current product.
multitoken -mode <mode> -slots <slot list> [-nodestroy] [-key <key size>] [-curve <curve num>] [-blob <blob count>] [-packet <packet size>] [-logfile <logfile name>] [-force] [-help] [-symm] [-password <password>] [-timed <fixed time>] [-nodec] [-parmfile <param file>] [-noverifyr] [-multipartsignatures] [-subprime <subprime size>] [-noverify] [-nslots] [-keychoice <key index>] [-kdfchoice <kdf index>] [-kdfscnt [counter index>] [-sharefile <data file>] [-noenc] [-nosign] [-verbose] [-alarm <secs>] [-template]
Parameter | Shortcut | Description |
---|---|---|
-alarm | -al | Sound periodic alarm (every <secs> seconds) if error occurs. |
-blob | -b | Number of data blobs to be signed during each multisign operation. |
-curv | -crv | ID number of ECC curve. If user-defined (99), then must specify -parmfile. |
-force | -f | Avoid prompts for responses. |
-ped | -ped | Specify ped id (-ped 0 for local, -ped 1 for remote). This applies only to the first HSM slot to be specified using the '-s' option. |
-help | -h | Display help information only. |
-key | -k | Size of key: asymmetric in bits (default = 1024 for RSA, 2048 for DSA). symmetric in bytes (i.e. 16, 24, 32 for AES/ARIA). |
-keychoice | -kc | Select key type to derive/generate - specify choice list index. |
-kdfchoice | -kdf | Select key derivation function - specify choice list index. |
-kdfscnt | -kds | Select key derivation session counter type - specify choice list index. |
-usage | -u | Number of times a key is allowed to be used. |
-logfile | -l | File for results logging. |
-mode | -m | Operating mode. See mode values available below. |
-multipartsig | -msig | Use multipart signatures. |
-nodec | -nod | Decryption operation will not be performed. Only symmetric and asymmetric encryption will be performed and measured. |
-nodestroy | -n | Leaves created objects on the HSM after test completes. |
-noenc | -noe | Perform only one encryption operation. Only symmetric and asymmetric decryption will be performed and measured. |
-nosign | -nos | Perform only one sign operation. Only verify will be performed and measured. |
-noverify | -nov | Verify operation will not be performed. Only sign will be performed and measured. |
-noverifyr | -nvr | Do not verify decryption results. |
-packet | -p | Size of packet used in operation. |
-parmfile | -prm | File for EC curve parameters or OAEP source data (0 = none for OAEP). |
-password | -pwd | Specify password to use for token. |
-prftype | -prf | Specify the type of PRF to use for PRF based key derivation. |
-sharefile | -shf | Shared data file used for operation. |
-slots | -s | List of of slots to use (slot numbers separated by commas). |
-subprme | -sub | Size of the subprime in bits. |
-symm | -sym | Select symmetric key mechanism for symderive/pbegen or key choice for symgen (can also use -kc). |
-timed | -t | Fixed amount of time to run (seconds). |
-nslots | -ns | Slots and threads to be specified as slot number times (x or X)
number of threads, then comma for next pair. Ex. -ns 1x5,2X10
This will create 5 threads on slot 1 and 10 threads on slot 2. |
-verbose | -v | Show all thread performances. Default is only first and last threads. |
-template | -tp | Attaches a generic unwrap template or derive template for the wrapunwrap or symderive mode respectively. |
The following table lists the available operating modes for the multitoken utility. The operating mode is specified using the -mode parameter.
Mode | Description |
---|---|
rsakeygen | RSA key generation |
rsax931keygen | RSA X9.31 key generation |
rsasigver | RSA sign |
sha512rsasigver | SHA1 with RSA sign |
sha224rsasigver | SHA224 with RSA sign |
sha256rsasigver | SHA256 with RSA sign |
sha384rsasigver | SHA384 with RSA sign |
sha512rsasigver | SHA512 with RSA sign |
rsax931sigver | X9.31 RSA sign |
sha1rsax931sigver | SHA1 X9.31 RSA sign |
sha224rsax931sigver | SHA224 X9.31 RSA sign |
sha256rsax931sigver | SHA256 X9.31 RSA sign |
sha384rsax931sigver | SHA384 X9.31 RSA sign |
sha512rsax931sigver | SHA512 X9.31 RSA sign |
sha1rsapsssigver | SHA1 RSA PSS sign |
rsaenc | RSA encrypt |
rsaoaepenc | RSA OAEP encrypt |
dsakeygen | DSA Key Generation |
dsasigver | DSA bare sign |
sha1dsasigver | SHA1 DSA sign |
sha224dsasigver | SHA224 DSA sign |
sha256dsasigver | SHA256 DSA sign |
ecdsakeygen | ECDSA Key Generation |
ecdsasigver | ECDSA sign |
ecdsasha1sigver | SHA1 ECDSA sign |
ecdsasha224sigver | SHA224 ECDSA sign |
ecdsasha256sigver | SHA256 ECDSA sign |
ecdsasha384sigver | SHA384 ECDSA sign |
ecdsasha512sigver | SHA512 ECDSA sign |
kcdsakeygen | KCDSA Key Generation |
kcdsasigver | HAS160 KCDSA 1024-bit sign |
kcdsasha1sigver | SHA51 KCDSA sign |
kcdsasha224sigver | SHA224 KCDSA sign |
kcdsasha256sigver | SHA256 KCDSA sign |
kcdsasha384sigver | SHA384 KCDSA sign |
kcdsasha512sigver | SHA512 KCDSA sign |
pbegen | PBE key generation |
symgen | Symmetric key generation |
symderive | Symmetric key derivation |
rc4enc | RC4 encrypt |
des3enc | DES3 ECB encrypt |
des3enccbc | DES3 CBC encrypt |
des3enccfb8 | DES3 CFB8 encrypt |
des3enccfb64 | DES3 CFB64 encrypt |
des3encofb | DES3 OFB encrypt |
desmac | DES3 MAC sign |
descmac | DES3 CMAC sign |
aesenc | AES ECB encrypt |
aesenccbc | AES CBC encrypt |
aesencfb8 | AES CFB8 encrypt |
aesenccfb128 | AES CFB128 encrypt |
aesencofb | AES OFB encrypt |
aesencgcm | AES GCM encrypt |
aesmac | AES MAC sign |
aescmac | AES CMAC sign |
ariaenc | ARIA ECB encrypt |
ariaenccbc | ARIA CBC encrypt |
ariaenccfb8 | ARIA CFB8 encrypt |
ariaenccfb128 | ARIA CFB128 encrypt |
ariacencofb | ARIA OFB sign |
ariamac | ARIA MAC sign |
ariacmac | ARIA CMAC sign |
seedenc | SEED ECB encrypt |
seedmac | SEED MAC sign |
seedcmac | SEED CMAC sign |
extractinsert | Extract Insert masked objects |
multisignvalue | Multisign w/ masked key |
simextractinsert | SIMExtract Insert masked objects |
simmultisign | SIMMultisign w/ masked key |
sim3extractinsert | SIM3 Extract Insert masked objects |
md5 | MD5 Hashing |
sha1 | SHA-1 Hashing |
sha224 | SHA-224 Hashing |
sha256 | SHA-256 Hashing |
sha384 | SHA-384 Hashing |
sha512 | SHA-512 Hashing |
sha1hmac | SHA1 HMAC sign |
sha224hmac | SHA224 HMAC sign |
sha256hmac | SHA256 HMAC sign |
sha384hmac | SHA384 HMAC sign |
sha512hmac | SHA512 HMAC sign |
ecdhderive | ECDH derive key |
ecdhcderive | ECDH Cofactor derive key |
eciesxorhmacsha1 | ECIES XOR enc/dec with HMAC SHA1 |
eciesxorhmacsha1shared | ECIES XOR enc/dec with HMAC SHA1 and shared data |
eciesdes3hmacsha224 | ECIES DES3 enc/dec with HMAC SHA224 |
eciesdes3hmacsha224shared | ECIES DES3 enc/dec with HMAC SHA224 and shared data |
eciesaes128hmacsha256 | ECIES AES-128 enc/dec with HMAC SHA256 |
eciesaes128hmacsha256shared | ECIES AES-128 enc/dec with HMAC SHA256 and shared data |
eciesaes192hmacsha384 | ECIES AES-192 enc/dec with HMAC SHA384 |
eciesaes192hmacsha384shared | ECIES AES-192 enc/dec with HMAC SHA384 and shared data |
eciesaes256hmacsha512 | ECIES AES-256 enc/dec with HMAC SHA512 |
eciesaes256hmacsha512shared | ECIES AES-256 enc/dec with HMAC SHA512 and shared data |
wrapunwrap | Wrap/unwrap operations |
randgen | Random number generation |
1.If you are performing RSA operations, you have the option of specifying a key size (512, 1024, 2048, 4096, 8192). If no key size is specified, the default key size of 1024 will be used. For example:
multitoken -mode rsasigver -key 512 -slots 1
2.If you are performing wrapunwrap operation, it will perform the following operations:
–Generate RSA key pair and a symmetric DES key.
–Wrap DES key with RSA public key.
–Unwrap wrapped key above with RSA private key.
– Verify the unwrapped key.
3.If you are performing a Multisign operation, you have the option of specifying a key size (512, 1024, 2048, 4096, 8192). If no key size is specified, the default key size of 1024 will be used. You must also specify a blob count, indicating the number of data blobs to be signed during each multisign operation. For example:
multitoken -mode multisignvalue -key 512 -blob 10 -s 1,1,2,2,2
multitoken -mode multisignvalue -blob 10 -s 1,1,2,2,2,2
4.A thread will be spawned to perform tests on each slot specified. A slot can be specified multiple times, in which
case multiple threads will be created for the slot.
5.Options for the followiong modes can be used with the default 1024 bit key size only:
–sha256rsasign - SHA256 with RSA
–sha384rsasign - SHA384 with RSA
–sha512rsasign - SHA512 with RSA
If you specify a keysize on the command line (any of 1024, 2048 or 4096), the result is the 1024 bit benchmark speed, and a file called "1024" or "2048" or "4096" is created - that is the keysize parameter is parsed as a filename to which results are saved.
The SafeNet HSMs employ named and user-defined curves.Multitoken supports this option, as illustrated in the following example:
C:\Program Files\SafeNet\LunaClient>multitoken -mode ecdsasigver -s 1,1,1,1,1,1,1,1
Prime field curves:
[0]secp112r1
[1]secp112r2
[2]secp128r1
[3]secp128r2 [4]secp160k1
[5]secp160r1
[6]secp160r2
[7]secp192k1 [8]secp224k1
[9]secp224r1
[10]secp256k1
[11]secp384r1 [12]secp521r1 [13]X9_62_prime192v1
[14]X9_62_prime192v2
[15]X9_62_prime192v3 [16]X9_62_prime239v1
[17]X9_62_prime239v2
[18]X9_62_prime239v3 [19]X9_62_prime256v1
Characteristic two field curves:
[20]sect113r1
[21]sect113r2
[22]sect131r1
[23]sect131r2 [24]sect163k1
[25]sect163r1
[26]sect163r2
[27]sect193r1 [28]sect193r2
[29]sect233k1
[30]sect233r1
[31]sect239k1 [32]sect283k1
[33]sect283r1
[34]sect409k1
[35]sect409r1 [36]sect571k1
[37]sect571r1 [38]X9_62_c2pnb163v1
[39]X9_62_c2pnb163v2
[40]X9_62_c2pnb163v3
[41]X9_62_c2pnb176v1
[42]X9_62_c2tnb191v1
[43]X9_62_c2tnb191v2 [44]X9_62_c2tnb191v3
[45]X9_62_c2pnb208w1
[46]X9_62_c2tnb239v1 [47]X9_62_c2tnb239v2
[48]X9_62_c2tnb239v3
[49]X9_62_c2pnb272w1 [50]X9_62_c2pnb304w1
[51]X9_62_c2tnb359v1
[52]X9_62_c2pnb368w1 [53]X9_62_c2tnb431r1 [54]Brainpool_P160r1
[55]Brainpool_P160t1
[56]Brainpool_P192r1 [57]Brainpool_P192t1
[58]Brainpool_P224r1
[59]Brainpool_P224t1 [60]Brainpool_P256r1
[61]Brainpool_P256t1
[62]Brainpool_P320r1 [63]Brainpool_P320t1
[64]Brainpool_P384r1
[65]Brainpool_P384t1 [66]Brainpool_P512r1
[67]Brainpool_P512t1
Please pick a curve (0-67) or enter (99) for a user defined curve:99 Please enter the filename for the EC parameters:
Here, you would provide the filepath to the file specifying the Elliptical Curve parameters. The format and content of the parameter file follow industry standards, and are discussed in more detail in Named Curves and User-Defined Parameters