Luna Key Translation
Mechanism Description
CKM_KEY_TRANSLATE
Key Translation function - allows subscriber authentication keys to be securely imported into a 5G authentication platform (UDM).
This is a proprietary Luna mechanism.
This mechanism receives a cryptogram from the client and re-encrypts it using a different key and/or mechanism. The mechanism returns the resulting cryptogram to the client.
The mechanism is used with the C_WrapKey command with the following parameters:
CK_SESSION_HANDLE hSession | current session |
CK_MECHANISM_PTR pMechanism | pointer to a CK_MECHANISM whose pParameter points to a CK_KEY_TRANSLATE_PARAMS structure |
CK_OBJECT_HANDLE hWrappingKey | handle of the output wrapping key |
CK_OBJECT_HANDLE hKey | always set to CK_INVALID_HANDLE for this mechanism |
CK_BYTE_PTR pWrappedKey | address where the new cryptogram is stored (length prediction supported) |
CK_ULONG_PTR pulWrappedKeyLen | address holding the output buffer size on input and the actual/predicted output length on return |
Data size
The maximum allowed data size for this mechanism is 8000 bytes.
Summary
See CKM_KEY_TRANSLATE.
The CK_MECHANISM structure for the CKM_KEY_TRANSLATE mechanism is populated as follows:
typedef struct CK_MECHANISM {
    CK_MECHANISM_TYPE mechanism;   /* CKM_KEY_TRANSLATE */
    CK_VOID_PTR pParameter;        /* pointer to CK_KEY_TRANSLATE_PARAMS */
    CK_ULONG ulParameterLen;       /* sizeof(CK_KEY_TRANSLATE_PARAMS) */
} CK_MECHANISM;
CK_KEY_TRANSLATE_PARAMS is a structure that provides the parameters to the CKM_KEY_TRANSLATE mechanism. The structure is defined as follows:
typedef struct CK_KEY_TRANSLATE_PARAMS {
    CK_FLAGS flags;                /* reserved, must be zero */
    CK_MECHANISM wrapMech;         /* output (re-wrap) mechanism */
    CK_MECHANISM unWrapMech;       /* input (unwrap) mechanism */
    CK_BYTE_PTR pData;             /* cryptogram to translate */
    CK_ULONG ulDataLen;            /* length of pData in bytes */
    CK_OBJECT_HANDLE hUnwrapKey;   /* input unwrap key handle (hA4key) */
} CK_KEY_TRANSLATE_PARAMS;
Notes
The flags field of the mechanism parameter is reserved for future use and must be set to zero.
The wrapMech parameter must be a valid key wrapping mechanism for the key type of hWrappingKey. The key hWrappingKey must have the CKA_WRAP attribute set true.
pData is the wrapped key data, of length ulDataLen, to be translated using the wrap mechanism.
The unWrapMech parameter must be a valid key unwrapping mechanism for the key type of hUnwrapKey. The key hUnwrapKey must have the CKA_UNWRAP attribute set true. Any CKA_UNWRAP_TEMPLATE attribute on the hUnwrapKey is ignored.
If a key is wrapped/unwrapped with a mechanism that does not support content padding, such as CKM_AES_ECB, the key content is implicitly treated as a multiple of the block size (see Handling of wrapping and padding below).
Partition Policy settings that control key import/export such as:
>Enable private key unwrapping,
>Enable secret key unwrapping,
>Enable private key unmasking,
...have no effect on CKM_KEY_TRANSLATE.
These partition policies affect which values for the wrapMech or unWrapMech can be used:
>Enable CBC-PAD (un)wrap keys of any size
Handling of wrapping and padding
Wrapping mechanisms that do not encode a padding length automatically append zeros to the key value if the length of the key being wrapped is not a multiple of the wrapping algorithm's block size.
For example, CKM_AES_ECB has a block size of 16; if it is used to wrap a 24-byte key, 8 zeros are appended to the key before wrapping.
When unwrapping a key that has had such padding applied, the extra zeros are NOT stripped from the key value. Therefore the key value that is re-wrapped includes the extra zeros.
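The following is an added example, not code from this page or from Thales; it shows, for both the parameter structures above and the padding rule just described, how a client would assemble a CKM_KEY_TRANSLATE request, drive C_WrapKey with the length-prediction pattern, and predict the effect of zero padding on the translated key length. It assumes locally declared stand-ins for the PKCS#11 typedefs and for the standard CKM_DES3_CBC, CKM_AES_ECB, CKM_AES_CBC_PAD and CKR_ values (a real build includes the vendor PKCS#11 header instead), an assumed alias CKM_KEY_TRANSLATE for LUNA_MECH_KEY_TRANSLATE, and the hypothetical helper names build_key_translate, key_translate, zero_pad_block and translated_key_len.

```c
/* Added example, not Luna/Thales code: builds a CKM_KEY_TRANSLATE request as the
 * page describes, drives C_WrapKey with the length-prediction pattern, and works
 * out the zero-padding effect of block-oriented wrap mechanisms. Assumption: the
 * CK_* typedefs and CKM_/CKR_ values below stand in for cryptoki.h so the file
 * compiles alone; a real build includes the vendor PKCS#11 header instead. */
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG, CK_FLAGS, CK_MECHANISM_TYPE, CK_OBJECT_HANDLE,
                      CK_SESSION_HANDLE, CK_RV;
typedef unsigned char CK_BYTE, *CK_BYTE_PTR;
typedef CK_ULONG *CK_ULONG_PTR;
typedef void *CK_VOID_PTR;

#define CK_INVALID_HANDLE    0UL
#define CKR_OK               0x000UL
#define CKR_ARGUMENTS_BAD    0x007UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define CKM_DES3_CBC         0x0133UL   /* standard PKCS#11 mechanism values */
#define CKM_AES_ECB          0x1081UL
#define CKM_AES_CBC_PAD      0x1085UL
#define LUNA_MECH_KEY_TRANSLATE 0x80000E10UL            /* Constants section */
#define CKM_KEY_TRANSLATE       LUNA_MECH_KEY_TRANSLATE /* assumed alias     */
#define KEY_TRANSLATE_MAX_DATA  8000UL                  /* Data size section */

typedef struct CK_MECHANISM {
    CK_MECHANISM_TYPE mechanism;
    CK_VOID_PTR       pParameter;
    CK_ULONG          ulParameterLen;
} CK_MECHANISM;

typedef struct CK_KEY_TRANSLATE_PARAMS {
    CK_FLAGS         flags;       /* reserved, must be zero */
    CK_MECHANISM     wrapMech;    /* output mechanism, valid for hWrappingKey */
    CK_MECHANISM     unWrapMech;  /* input mechanism, valid for hUnwrapKey */
    CK_BYTE_PTR      pData;       /* cryptogram to translate */
    CK_ULONG         ulDataLen;
    CK_OBJECT_HANDLE hUnwrapKey;  /* key that unwraps pData */
} CK_KEY_TRANSLATE_PARAMS;

typedef CK_RV (*CK_C_WrapKey)(CK_SESSION_HANDLE, CK_MECHANISM *, CK_OBJECT_HANDLE,
                              CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR);

/* Populate mech/p for one translation. Any mechanism parameter (e.g. an IV for
 * a CBC input mechanism) is carried inside unwrap/wrap and passed through.
 * Rejects what the page forbids: empty or oversized data, no unwrap key. */
CK_RV build_key_translate(CK_MECHANISM *mech, CK_KEY_TRANSLATE_PARAMS *p,
                          const CK_MECHANISM *unwrap, CK_OBJECT_HANDLE hUnwrapKey,
                          const CK_MECHANISM *wrap,
                          CK_BYTE_PTR cryptogram, CK_ULONG len)
{
    if (!mech || !p || !unwrap || !wrap || !cryptogram || len == 0 ||
        len > KEY_TRANSLATE_MAX_DATA || hUnwrapKey == CK_INVALID_HANDLE)
        return CKR_ARGUMENTS_BAD;
    memset(p, 0, sizeof *p);             /* flags = 0 as required */
    p->unWrapMech = *unwrap;
    p->wrapMech   = *wrap;
    p->pData      = cryptogram;
    p->ulDataLen  = len;
    p->hUnwrapKey = hUnwrapKey;
    mech->mechanism      = CKM_KEY_TRANSLATE;
    mech->pParameter     = p;
    mech->ulParameterLen = sizeof *p;
    return CKR_OK;
}

/* Length-prediction pattern: a first call with a NULL buffer returns the needed
 * size, the second writes the cryptogram. hKey is always CK_INVALID_HANDLE. */
CK_RV key_translate(CK_C_WrapKey C_WrapKey, CK_SESSION_HANDLE hSession,
                    CK_OBJECT_HANDLE hWrappingKey, CK_MECHANISM *mech,
                    CK_BYTE_PTR out, CK_ULONG_PTR outLen)
{
    CK_ULONG need = 0;
    CK_RV rv = C_WrapKey(hSession, mech, hWrappingKey, CK_INVALID_HANDLE, NULL, &need);
    if (rv != CKR_OK) return rv;
    if (need > *outLen) { *outLen = need; return CKR_BUFFER_TOO_SMALL; }
    *outLen = need;
    return C_WrapKey(hSession, mech, hWrappingKey, CK_INVALID_HANDLE, out, outLen);
}

/* Block size for mechanisms that do not encode a padding length; 0 when the
 * mechanism carries its own padding (CKM_AES_CBC_PAD) and appends nothing. */
CK_ULONG zero_pad_block(CK_MECHANISM_TYPE wrapType)
{
    return wrapType == CKM_AES_ECB ? 16 : wrapType == CKM_DES3_CBC ? 8 : 0;
}

/* Key length after translation: zeros appended to reach a block multiple are
 * not stripped on unwrap, so they become part of the re-wrapped key value. */
CK_ULONG translated_key_len(CK_ULONG keyLen, CK_MECHANISM_TYPE wrapType)
{
    CK_ULONG b = zero_pad_block(wrapType);
    return (b == 0 || keyLen % b == 0) ? keyLen : keyLen + (b - keyLen % b);
}
```

A caller builds one CK_MECHANISM for the input side and one for the output side (placing any IV in pParameter), passes both to build_key_translate together with the cryptogram and the unwrap key handle, and then hands the resulting mechanism to key_translate with the C_WrapKey pointer from the library's function list. translated_key_len reproduces the page's 24-byte/CKM_AES_ECB case (32 bytes after translation) and shows that a padding-encoding mechanism such as CKM_AES_CBC_PAD leaves the length unchanged.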
Constants
#define LUNA_MECH_KEY_TRANSLATE 0x80000E10
Tooling
CKDemo
See item 69 Translate Key in KEY Menu Functions.
JCPROV:
The JCPROV API supports the mechanism. A program "KeyTranslate" has been added to the JCPROV samples.
In Luna HSM Client 10.5.1 and newer, the sample uses fixed input and output mechanisms (DES3_CBC and AES_KWP respectively); these were chosen because they represent the initial use case.
multitoken:
The multitoken tool has an option to test the performance of the KeyTranslate mechanism.
In Luna HSM Client 10.5.1 and newer, the tool uses fixed input and output mechanisms (DES3_CBC and AES_KWP respectively); these were chosen because they represent the initial use case.