CKM_DES3_MAC
Firmware 7.7.0 and Newer Summary
FIPS approved? | Yes |
Supported functions | Sign | Verify |
Functions restricted from FIPS use | Cannot sign |
Minimum key length (bits) | 128 |
Minimum key length for FIPS use (bits) | 192 |
Minimum legacy key length for FIPS use (bits) | 128 |
Maximum key length (bits) | 192 |
Block size | 8 |
Digest size | 0 |
Key types | DES3 |
Algorithms | DES3 |
Modes | MAC |
Flags | Extractable |
CKM_DES3_MAC is no longer supported for MAC generation when 'HSM Policy (12) Allow Non-FIPS Algorithms' is off.
NOTE For Luna HSM Firmware 7.7.0 and newer, triple-DES keys have a usage counter that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS mode (that is, when the "Allow non-FIPS algorithms" policy [12] is set to 0). When the counter runs out for a key instance, that key instance can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects.
The CKA_BYTES_REMAINING attribute is available when the "Allow non-FIPS algorithms" policy is set to 0, but cannot be viewed if that policy is set to 1.
The attribute is preserved during backup/restore using a Luna Backup HSM 7; restoring puts the counter back to whatever value it had before backup.
The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring sets the counter to like-new state (no usage).
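The following is an added example, not vendor code: a client-side model of the usage counter described above, which an application could keep beside a triple-DES key handle to decide when to rotate the key before the HSM refuses it. The type and function names are hypothetical, and it assumes that a partial block is charged as a full 8-byte block and that an operation exceeding the remaining budget is refused whole.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* From the note above: 2^16 blocks of 8 bytes per key instance in FIPS mode. */
#define DES3_BLOCK_BYTES  8u
#define DES3_BUDGET_BYTES (65536u * DES3_BLOCK_BYTES)

typedef enum { OP_ENCRYPT, OP_WRAP, OP_DERIVE, OP_SIGN,
               OP_DECRYPT, OP_UNWRAP, OP_VERIFY } des3_op;
typedef enum { BACKUP_HSM_7, BACKUP_HSM_G5 } backup_kind;
typedef struct { uint32_t bytes_remaining; } des3_budget; /* hypothetical local mirror */

static void budget_init(des3_budget *b) { b->bytes_remaining = DES3_BUDGET_BYTES; }

/* Assumption: a partial final block is charged as one whole 8-byte block. */
static uint32_t charged_bytes(size_t len) {
    return (uint32_t)((len + DES3_BLOCK_BYTES - 1) / DES3_BLOCK_BYTES) * DES3_BLOCK_BYTES;
}

/* Returns 1 and charges the budget if allowed; 0 means rotate the key first.
   Models the counter only, not the FIPS-mode ban on signing with CKM_DES3_MAC. */
static int budget_use(des3_budget *b, des3_op op, size_t len) {
    if (op == OP_DECRYPT || op == OP_UNWRAP || op == OP_VERIFY)
        return 1;                        /* still permitted after exhaustion */
    if (len > DES3_BUDGET_BYTES)         /* keeps the cast in charged_bytes in range */
        return 0;
    uint32_t cost = charged_bytes(len);
    if (cost > b->bytes_remaining)       /* assumption: refused whole, not truncated */
        return 0;
    b->bytes_remaining -= cost;
    return 1;
}

/* Counter value a restored key instance starts with, per backup HSM type. */
static uint32_t budget_after_restore(const des3_budget *saved, backup_kind kind) {
    return kind == BACKUP_HSM_7 ? saved->bytes_remaining : DES3_BUDGET_BYTES;
}

int main(void) {
    des3_budget b;
    unsigned n = 0;
    budget_init(&b);
    while (budget_use(&b, OP_ENCRYPT, 1500)) n++;  /* constructed 1500-byte records */
    printf("encryptions before rotation: %u, bytes left: %u\n", n, (unsigned)b.bytes_remaining);
    printf("verify still allowed: %d\n", budget_use(&b, OP_VERIFY, 1500));
    return 0;
}
```

Because a restore from a Luna Backup HSM G5 returns the counter to its like-new state, a local mirror like this one must be reset after such a restore, while a restore from a Luna Backup HSM 7 keeps the saved value.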
NOTE To comply with FIPS SP800-131a Rev2, published in March 2019, this mechanism is not allowed to sign data when the HSM is in FIPS mode.
Firmware 7.4.2 and Older Summary
FIPS approved? | Yes |
Supported functions | Sign | Verify |
Functions restricted from FIPS use | None |
Minimum key length (bits) | 128 |
Minimum key length for FIPS use (bits) | 192 |
Minimum legacy key length for FIPS use (bits) | 128 |
Maximum key length (bits) | 192 |
Block size | 8 |
Digest size | 0 |
Key types | DES3 |
Algorithms | DES3 |
Modes | MAC |
Flags | Extractable |