RSA Mechanism Remap for FIPS Compliance
Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation is no longer approved for operation in a FIPS-compliant HSM.
| Supported Mechanisms | FIPS-mode Allowed Mechanisms |
|---|---|
| PKCS, X9.31, 186-3 with primes, 186-3 with aux primes | 186-3 with primes, 186-3 with aux primes |
Luna HSM Client allows you to automatically remap calls to these old, less-secure mechanisms, to new mechanisms that are FIPS-approved. This remapping can allow you to operate the HSM securely without having to rewrite your applications. With this feature enabled, the following remapping is applied:
>Calls for PKCS key generation using CKM_RSA_PKCS_KEY_PAIR_GEN are remapped to CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN, which uses 186-3 Prime key generation.
>Calls for X9.31 key generation using CKM_RSA_X9_31_KEY_PAIR_GEN are remapped to CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN, which uses 186-3 Aux Prime key generation
Effects of Remapping in FIPS Mode
When the Luna HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to
>CKM_RSA_PKCS_KEY_PAIR_GEN appears in the C_GetMechanismList output.
>C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN returns the default information from the client library.
>CKM_RSA_X9_31_KEY_PAIR_GEN appears in the C_GetMechanismList output.
>C_GetMechanismInfo for CKM_RSA_X9_31_KEY_PAIR_GEN returns the default information from the client library.
