CKM_DES3_CTR

Firmware 7.8.4 and Newer Summary

FIPS approved: Yes
Supported functions: Encrypt | Decrypt | Wrap | Unwrap
Functions restricted from FIPS use: Cannot wrap | Cannot encrypt
Minimum key length (bits): 128
Minimum key length for FIPS use (bits): 192
Minimum legacy key length for FIPS use (bits): 128
Maximum key length (bits): 192
Block size: 8
Digest size: 0
Key types: DES3
Algorithms: DES3
Modes: CTR
Flags: Extractable

NOTE   In this firmware version, "Functions restricted from FIPS use" has changed for this mechanism, to comply with FIPS 140-3 requirements.

Firmware 7.7.0-7.8.2 Summary

FIPS approved: Yes
Supported functions: Encrypt | Decrypt | Wrap | Unwrap
Functions restricted from FIPS use: Cannot wrap
Minimum key length (bits): 128
Minimum key length for FIPS use (bits): 192
Minimum legacy key length for FIPS use (bits): 128
Maximum key length (bits): 192
Block size: 8
Digest size: 0
Key types: DES3
Algorithms: DES3
Modes: CTR
Flags: Extractable

NOTE   With Luna HSM Firmware 7.7.0 and newer, 3DES keys have a usage counter attribute (CKA_BYTES_REMAINING) that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF). When the counter runs out, that key can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects.

The CKA_BYTES_REMAINING attribute is available when HSM policy 12: Allow non-FIPS algorithms is set to OFF, but cannot be viewed if the policy is set to ON.

The attribute is preserved through backup/restore using a Luna Backup HSM 7; restoring the key restores the counter's setting at the time of backup.

The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring the key resets the counter to the maximum.
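
The counter rules in the note above, modelled as a client-side ledger. This is an added example, not Thales code and not an HSM API: the class and method names are hypothetical, and it assumes a partial final block is charged as a whole 8-byte block.

```python
from dataclasses import dataclass

BLOCK = 8                      # DES3 block size in bytes
MAX_BYTES = (2 ** 16) * BLOCK  # 2^16 8-byte blocks per key instance (FIPS mode)
NEEDS_BUDGET = {"encrypt", "wrap", "derive", "sign"}
ALWAYS_ALLOWED = {"decrypt", "unwrap", "verify"}


@dataclass
class Des3KeyLedger:
    """Hypothetical client-side mirror of CKA_BYTES_REMAINING for one key."""
    remaining: int = MAX_BYTES  # what the HSM counter is expected to show
    lifetime: int = 0           # bytes ever encrypted under this key material

    @staticmethod
    def cost(nbytes: int) -> int:
        # Assumption: a partial final block is charged as a whole block.
        return -(-nbytes // BLOCK) * BLOCK

    def can(self, op: str, nbytes: int = 0) -> bool:
        if op in ALWAYS_ALLOWED:
            return True          # still permitted after the counter runs out
        if op not in NEEDS_BUDGET:
            raise ValueError(f"unknown operation: {op}")
        return self.remaining > 0 and self.cost(nbytes) <= self.remaining

    def encrypt(self, nbytes: int) -> int:
        """Record an encryption; return the budget left afterwards."""
        if not self.can("encrypt", nbytes):
            raise PermissionError("3DES budget exhausted; use a new key")
        self.remaining -= self.cost(nbytes)
        self.lifetime += self.cost(nbytes)
        return self.remaining

    def restore(self, saved_remaining: int, backup_hsm: str) -> None:
        """Apply the restore behaviour described for each Backup HSM model."""
        if backup_hsm == "7":
            self.remaining = saved_remaining  # counter as it was at backup
        elif backup_hsm == "G5":
            self.remaining = MAX_BYTES        # counter reset to the maximum
        else:
            raise ValueError(f"unknown backup HSM: {backup_hsm}")

    def over_limit(self) -> bool:
        # True once restores have let total use exceed 2^16 blocks.
        return self.lifetime > MAX_BYTES
```

Because `lifetime` keeps counting across restores, it shows when cumulative use of the key material has passed 2^16 blocks even though the restored counter still has room.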

NOTE   To comply with FIPS SP800-131a Rev2 published in March 2019, when the HSM is in FIPS mode, this mechanism is not allowed to wrap objects.

Firmware 7.2.0-7.4.2 Summary

FIPS approved: Yes
Supported functions: Encrypt | Decrypt | Wrap | Unwrap
Functions restricted from FIPS use: None
Minimum key length (bits): 128
Minimum key length for FIPS use (bits): 192
Minimum legacy key length for FIPS use (bits): 128
Maximum key length (bits): 192
Block size: 8
Digest size: 0
Key types: DES3
Algorithms: DES3
Modes: CTR
Flags: Extractable

Firmware 7.1.0 and Older Summary

FIPS approved: Yes
Supported functions: Encrypt | Decrypt
Minimum key length (bits): 128
Minimum key length for FIPS use (bits): 192
Minimum legacy key length for FIPS use (bits): 128
Maximum key length (bits): 192
Block size: 8
Digest size: 0
Key types: DES3
Algorithms: DES3
Modes: CTR
Flags: Extractable