Object Usage Count

You may wish to create keys that have a limited number of uses. You can set attributes on a key object to track and limit the number of cryptographic operations that object may perform. The relevant attributes are:

>CKA_USAGE_COUNT: the number of operations that have been performed using the key

>CKA_USAGE_LIMIT: the maximum number of operations allowed for the key.

When the limit set by CKA_USAGE_LIMIT is reached, attempts to use the key for operations like encrypt/decrypt, sign/verify, etc. will return an error (CKR_KEY_NOT_ACTIVE).

Setting CKA_USAGE_LIMIT on a key using CKDEMO

You can use CKDEMO to set this limit for a specific key on the HSM.

To set CKA_USAGE_LIMIT on a key:

1.Navigate to the SafeNet LunaClient directory and run CKDEMO.

2.Select Option 1 (Open Session).

3.Select Option 3 (Login), select the partition where the key is located, and present the Crypto Officer login credential.

4.If you do not know the key's object handle, select Option 27 (Display Object) and enter 0 to view a list of available objects.

5.Select Option 25 (Set Attribute) and enter the key's object handle when prompted.

6.Select Sub-option 1 (Add Attribute), and 53 (CKA_USAGE_LIMIT) from the list of attributes.

7.Enter the desired maximum number of uses in hexadecimal (Allowable range: 1 - FFFFFFFF).

8.Select Option 27 and enter the key's object handle to view the key attributes. When you set CKA_USAGE_LIMIT in step 7, CKA_USAGE_COUNT is also set, with a value of 0:

Enter your choice: 27
 
Enter handle of object to display (0 to list available objects) : 247
Object handle=247
CKA_CLASS=0003 (3)
CKA_TOKEN=01
CKA_PRIVATE=01
CKA_LABEL=Generated RSA Private Key
CKA_KEY_TYPE=0000 (0)
CKA_SUBJECT=
CKA_ID=
CKA_SENSITIVE=01
CKA_DECRYPT=01
CKA_UNWRAP=01
CKA_SIGN=01
CKA_SIGN_RECOVER=00
CKA_DERIVE=00
CKA_START_DATE=
CKA_END_DATE=
CKA_MODULUS=bc613525ae8c5b30ca086c0e688f2f0ed6928805bf007d4fc...
CKA_MODULUS_BITS=0400 (1024)
CKA_PUBLIC_EXPONENT=010001
CKA_LOCAL=01
CKA_MODIFIABLE=01
CKA_EXTRACTABLE=01
CKA_ALWAYS_SENSITIVE=01
CKA_NEVER_EXTRACTABLE=00
CKA_CCM_PRIVATE=00
CKA_FINGERPRINT_SHA1=6beddef34f9f5c8023e3422daecd6bd91c2dc40d
CKA_OUID=b00800000300000d1b030100
CKA_X9_31_GENERATED=00
CKA_EKM_UID=
CKA_USAGE_LIMIT=000e (15)
CKA_USAGE_COUNT=0000 (0)
CKA_GENERIC_1=
CKA_GENERIC_2=
CKA_GENERIC_3=
CKA_FINGERPRINT_SHA256=a8293ea9ddb578bcca644279c9753de4df772958563d259bed28c5d2a2e04e7d
 
Status: Doing great, no errors (CKR_OK)
 

Using this key to perform cryptographic operations will now increment the value of CKA_USAGE_COUNT.

Creating multiple keys with CKA_USAGE_LIMIT using CKDEMO

If you are creating multiple, usage-limited keys in CKDEMO, you can simplify this procedure by changing a CKDEMO setting. You will then have the option to set a usage limit for all new keys created in that session.

To create multiple keys with CKA_USAGE_LIMIT set:

1.Navigate to the SafeNet LunaClient directory and run CKDEMO.

2.Select Option 98 (Options).

3.Select Option 10 (Object Usage Counters).

Note that the option value has changed from "disabled" to "selectable".

4.Enter 0 to exit the (Options) menu.

5.Open a session and begin creating your new keys. In addition to setting the attributes governing key capabilities, you will be prompted to enter a value for CKA_USAGE_LIMIT (in hexadecimal):

Select type of key to generate
[ 1] DES     [ 2] DES2   [ 3] DES3             [ 5]  CAST3
[ 6] Generic [ 7] RSA    [ 8] DSA   [ 9] DH    [10]  CAST5
[11] RC2     [12] RC4    [13] RC5   [14] SSL3  [15]  ECDSA
[16] AES     [17] SEED   [18] KCDSA-1024   [19] KCDSA-2048
[20] DSA Domain Param    [21] KCDSA Domain Param
[22] RSA X9.31           [23] DH X9.42         [24] ARIA
[25] DH PKCS Domain Param [26] RSA 186-3 Aux Primes
[27] RSA 186-3 Primes     [28] DH X9.42 Domain Param
[29] ECDSA with Extra Bits [30] EC Edwards
[31] EC Montgomery
> 7
 
Enter Key Length in bits: 1024
 
Enter Is Token Attribute [0-1]: 1
 
Enter Is Sensitive Attribute [0-1]: 1
 
Enter Is Private Attribute [0-1]: 1
 
Enter Is Modifiable Attribute [0-1]: 1
 
Enter Extractable Attribute [0-1]: 1
 
Enter Encrypt/Decrypt Attribute [0-1]: 1
 
Enter Sign/Verify Attribute [0-1]: 1
 
Enter Wrap/Unwrap Attribute [0-1]: 1
 
Enter Derive Attribute [0-1]: 1
 
Would you like to specify a usage count limit? [0-no, 1-yes]: 1
 
Please enter the limit in HEX: 0E
Generated RSA Public Key:        160 (0x000000a0)
Generated RSA Private Key:        247 (0x000000f7)
 
Status: Doing great, no errors (CKR_OK)