CKM_DES3_MAC
TIP Some mechanisms in this collection have both a "general" variant and a similarly named variant without "general" in the name. Per the PKCS#11 specification the _GENERAL variant of mechanism accepts a mechanism parameter that is used to define the length of the signature that is returned. The length can typically be any value between 1 and the length of the underlying HASH algorithm.
The variants without _GENERAL do not accept any mechanism parameters and always return a fixed length signature; where the length is defined by the underlying HASH algorithm.
Firmware 7.8.7 and Newer Summary
| FIPS approved? | No |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | N/A |
| Minimum key length (bits) | 128 |
| Minimum key length for FIPS use (bits) | N/A |
| Minimum legacy key length for FIPS use (bits) | N/A |
| Maximum key length (bits) | 192 |
| Block size | 8 |
| Digest size | 0 |
| Key types | DES3 |
| Algorithms | DES3 |
| Modes | MAC |
| Flags | Extractable |
NOTE Using Luna HSM Firmware 7.7.0 and newer, 3DES keys have a usage counter attribute (CKA_BYTES_REMAINING) that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to 0). When the counter runs out, that key can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects.
The CKA_BYTES_REMAINING attribute is available when HSM policy 12: Allow non-FIPS algorithms is set to 0, but cannot be viewed if the policy is set to 1.
The attribute is preserved through backup/restore using a Luna Backup HSM 7; restoring the key restores the counter's setting at the time of backup.
The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring the key resets the counter to the maximum.
Firmware 7.7.0-7.8.4 Summary
| FIPS approved? | Yes |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | Cannot sign |
| Minimum key length (bits) | 128 |
| Minimum key length for FIPS use (bits) | 192 |
| Minimum legacy key length for FIPS use (bits) | 128 |
| Maximum key length (bits) | 192 |
| Block size | 8 |
| Digest size | 0 |
| Key types | DES3 |
| Algorithms | DES3 |
| Modes | MAC |
| Flags | Extractable |
CKM_DES3_MAC is no longer supported for MAC generation when 'HSM Policy (12) Allow Non-FIPS Algorithms' is off.
NOTE To comply with FIPS SP800-131a Rev2 published in March 2019, when the HSM is in FIPS mode, this mechanism is not allowed to sign data.
Firmware 7.4.2 and Older Summary
| FIPS approved? | Yes |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | None |
| Minimum key length (bits) | 128 |
| Minimum key length for FIPS use (bits) | 192 |
| Minimum legacy key length for FIPS use (bits) | 128 |
| Maximum key length (bits) | 192 |
| Block size | 8 |
| Digest size | 0 |
| Key types | DES3 |
| Algorithms | DES3 |
| Modes | MAC |
| Flags | Extractable |
