Mechanism Remap for FIPS Compliance

Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation is no longer approved for operation in a FIPS-compliant HSM.

Supported Mechanisms FIPS-mode Allowed Mechanisms
PKCS, X9.31, 186-3 with primes, 186-3 with aux primes 186-3 with primes, 186-3 with aux primes

Mechanism Remap Configuration Settings

Two configuration settings are available in the Chrystoki.conf (Linux/UNIX) or Crystoki.ini (Windows) configuration file installed with SafeNet Luna PCIe HSM Client, to deal with calls to newer-firmware HSMs for outdated mechanisms, or calls to older-firmware HSMs for newer mechanisms that they do not support. The configuration settings control redirecting or mapping of mechanism calls.

In FIPS mode

When RSAKeyGenMechRemap is enabled:

1.CKM_RSA_PKCS_KEY_PAIR_GEN is inserted into the C_GetMechanismList output by the client library, as the HSM does not return it in FIPS mode.

2.C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN returns the default Mechanism information from the client library. In FIPS mode, the HSM does not return it.

When RSAKeyGenMechRemap is disabled:

1.CKM_RSA_PKCS_KEY_PAIR_GEN is not returned by C_GetMachanismList.

2.C_GetMachanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN results in an Invalid Mechanism Attribute error.