CKM_RSA_PKCS

NOTE   This mechanism name and RSASSA-PKCS1-v1_5 are referring to the same underlying RSA signature scheme.

Firmware 7.8.4 and Newer Summary

NOTE   Using Luna HSM Firmware 7.8.4 and newer, this mechanism is restricted from all wrap/unwrap/encrypt/decrypt operations in FIPS mode. No exceptions are made for decrypt/unwrap operations using larger key sizes. This limited legacy use was permitted under FIPS 140-2; it is no longer approved under FIPS 140-3.

FIPS approved? Yes
Supported functions Sign | Verify | Encrypt | Decrypt | Wrap | Unwrap
Functions restricted from FIPS use Cannot wrap | Cannot decrypt | Cannot unwrap | Cannot encrypt
Minimum key length (bits) 256
Minimum key length for FIPS use (bits) 2048
Minimum legacy key length for FIPS use (bits) 1024
Maximum key length (bits) 8192
Block size 0
Digest size 0
Key types RSA
Algorithms None
Modes None
Flags None

Firmware 7.7.2-7.8.1 Summary

NOTE   Under Functions restricted from FIPS use, "Cannot legacy decrypt and "Cannot legacy unwrap" means that these operations are restricted with smaller keys (1024-bits, the previous minimum key size for FIPS use), but keys that meet the minimum FIPS size requirement (2048 bits) can still be used for decrypt and unwrap operations.

FIPS approved? Yes
Supported functions Sign | Verify | Encrypt | Decrypt | Wrap | Unwrap
Functions restricted from FIPS use Cannot wrap | Cannot legacy decrypt | Cannot legacy unwrap | Cannot encrypt
Minimum key length (bits) 256
Minimum key length for FIPS use (bits) 2048
Minimum legacy key length for FIPS use (bits) 1024
Maximum key length (bits) 8192
Block size 0
Digest size 0
Key types RSA
Algorithms None
Modes None
Flags None

Firmware 7.7.0-7.7.1 Summary

FIPS approved? Yes
Supported functions Sign | Verify | Encrypt | Decrypt | Wrap | Unwrap
Functions restricted from FIPS use Cannot wrap
Minimum key length (bits) 256
Minimum key length for FIPS use (bits) 2048
Minimum legacy key length for FIPS use (bits) 1024
Maximum key length (bits) 8192
Block size 0
Digest size 0
Key types RSA
Algorithms None
Modes None
Flags None

NOTE   To comply with FIPS SP800-131a Rev2 published in March 2019, when the HSM is in FIPS mode, this mechanism is not allowed to wrap objects.

Firmware 7.4.2 and Older Summary

FIPS approved? Yes
Supported functions Sign | Verify | Encrypt | Decrypt | Wrap | Unwrap
Functions restricted from FIPS use None
Minimum key length (bits) 256
Minimum key length for FIPS use (bits) 2048
Minimum legacy key length for FIPS use (bits) 1024
Maximum key length (bits) 8192
Block size 0
Digest size 0
Key types RSA
Algorithms None
Modes None
Flags None

NOTE   When the HSM is in FIPS mode, this mechanism cannot be used to sign data using less than 224 bits.

This algorithm must be combined with a FIPS-approved hash algorithm to be FIPS compliant.