Secret Key Objects

Secret key objects (object class CKO_SECRET_KEY) hold secret keys. This version of Cryptoki recognizes the following types of secret key: generic, RC2, RC4, DES, DES2, DES3, CAST128 (also known as CAST5), IDEA, and AES. The following table defines the attributes common to all secret keys, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes and Common Key Attributes. Footnote numbers are given in square brackets.

Table 1: Common Secret Key Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_SENSITIVE [8] (see below) | CK_BBOOL | TRUE, if object is sensitive (default FALSE) |
| CKA_ENCRYPT [8] | CK_BBOOL | TRUE, if key supports encryption [9] |
| CKA_DECRYPT [8] | CK_BBOOL | TRUE, if key supports decryption [9] |
| CKA_SIGN [8] | CK_BBOOL | TRUE, if key supports signatures (that is, authentication codes) where the signature is an appendix to the data [9] |
| CKA_VERIFY [8] | CK_BBOOL | TRUE, if key supports verification (that is, of authentication codes) where the signature is an appendix to the data [9] |
| CKA_WRAP [8] | CK_BBOOL | TRUE, if key supports wrapping (that is, can be used to wrap other keys) [9] |
| CKA_UNWRAP [8] | CK_BBOOL | TRUE, if key supports unwrapping (that is, can be used to unwrap other keys) [9] |
| CKA_EXTRACTABLE [8] (see below) | CK_BBOOL | TRUE, if key is extractable [9] |
| CKA_ALWAYS_SENSITIVE [2,4,6] | CK_BBOOL | TRUE, if key has always had the CKA_SENSITIVE attribute set to TRUE |
| CKA_NEVER_EXTRACTABLE [2,4,6] | CK_BBOOL | TRUE, if key has never had the CKA_EXTRACTABLE attribute set to TRUE |
| CKA_SUBJECT [8] | Byte array | DER-encoding of certificate subject name (default empty) |
| CKA_EXPORT [10] | CK_BBOOL | TRUE, if the key may be used to wrap Exportable keys. Restrictions apply on who can set this attribute to TRUE. |
| CKA_EXPORTABLE [10] | CK_BBOOL | TRUE, if the key may be wrapped with a key whose CKA_EXPORT attribute is TRUE. |
| CKA_IMPORT [10] | CK_BBOOL | If TRUE while CKA_UNWRAP is FALSE, the key supports unwrapping only with the CKM_WRAPKEY_DES3_CBC mechanism. |
| CKA_CHECK_VALUE | Byte array | A calculated key check value. Fixed size of 3 bytes. |

Common footnotes for key attribute tables

After an object is created, the CKA_SENSITIVE attribute may be changed, but only to the value TRUE. Similarly, after an object is created, the CKA_EXTRACTABLE attribute may be changed, but only to the value FALSE. Attempts to make other changes to the values of these attributes should return the error code CKR_ATTRIBUTE_READ_ONLY.

If the CKA_SENSITIVE attribute is TRUE, or if the CKA_EXTRACTABLE attribute is FALSE, then certain attributes of the secret key cannot be revealed in plain text outside the token. The attributes affected by the sensitive and extractable attributes are those marked with footnote 7 in the attribute table of the section describing that type of key.

If both the CKA_EXTRACTABLE and the CKA_EXPORTABLE attribute are FALSE, the key cannot be wrapped.
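The rules above are easiest to see as the state machine a token has to enforce for each secret key object. The following C program is an added illustration, not code from this documentation or from any Cryptoki implementation: it models the one-way transitions of CKA_SENSITIVE and CKA_EXTRACTABLE, the derived CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE history flags, the plaintext-readability rule for the key value, and the wrap check against CKA_EXTRACTABLE/CKA_EXPORTABLE. The struct and function names are hypothetical; the type definitions and numeric constants mirror the standard pkcs11.h values so that the example compiles without the header.

```c
#include <stdio.h>

/* Local mirror of the PKCS#11 types and constants this example needs. A real
 * application includes pkcs11.h instead; the numeric values below are the
 * ones defined by the standard header. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_RV;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_SENSITIVE              0x00000103UL
#define CKA_EXTRACTABLE            0x00000162UL
#define CKA_NEVER_EXTRACTABLE      0x00000164UL
#define CKA_ALWAYS_SENSITIVE       0x00000165UL
#define CKR_OK                     0x00000000UL
#define CKR_ATTRIBUTE_READ_ONLY    0x00000010UL
#define CKR_ATTRIBUTE_SENSITIVE    0x00000011UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012UL

/* Hypothetical model of the flags a token keeps for one secret key object.
 * CKA_EXPORTABLE is the vendor attribute from Table 1; no numeric value is
 * assumed for it, so it is held as a plain field rather than set by type. */
typedef struct {
    CK_BBOOL sensitive;
    CK_BBOOL extractable;
    CK_BBOOL exportable;
    CK_BBOOL always_sensitive;   /* derived: history of CKA_SENSITIVE */
    CK_BBOOL never_extractable;  /* derived: history of CKA_EXTRACTABLE */
} secret_key_state;

/* Set the flags at creation time and derive the two history attributes. */
void secret_key_init(secret_key_state *k, CK_BBOOL sensitive,
                     CK_BBOOL extractable, CK_BBOOL exportable)
{
    k->sensitive = sensitive;
    k->extractable = extractable;
    k->exportable = exportable;
    k->always_sensitive = sensitive;                          /* TRUE only if created TRUE  */
    k->never_extractable = extractable ? CK_FALSE : CK_TRUE;  /* TRUE only if created FALSE */
}

/* Apply the one-way rules: CKA_SENSITIVE may only move to TRUE and
 * CKA_EXTRACTABLE only to FALSE; any other change to these attributes, and
 * any write to the derived attributes, fails with CKR_ATTRIBUTE_READ_ONLY. */
CK_RV secret_key_set_bool(secret_key_state *k, CK_ATTRIBUTE_TYPE type, CK_BBOOL value)
{
    switch (type) {
    case CKA_SENSITIVE:
        if (value != CK_TRUE) return CKR_ATTRIBUTE_READ_ONLY;
        k->sensitive = CK_TRUE;
        return CKR_OK;
    case CKA_EXTRACTABLE:
        if (value != CK_FALSE) return CKR_ATTRIBUTE_READ_ONLY;
        k->extractable = CK_FALSE;
        return CKR_OK;
    case CKA_ALWAYS_SENSITIVE:
    case CKA_NEVER_EXTRACTABLE:
        return CKR_ATTRIBUTE_READ_ONLY;
    default:
        return CKR_ATTRIBUTE_TYPE_INVALID;  /* other attributes are out of scope here */
    }
}

/* The key material (CKA_VALUE, footnote 7) may leave the token in plain text
 * only while the key is neither sensitive nor unextractable. */
CK_RV secret_key_value_readable(const secret_key_state *k)
{
    if (k->sensitive == CK_TRUE || k->extractable == CK_FALSE)
        return CKR_ATTRIBUTE_SENSITIVE;
    return CKR_OK;
}

/* A key can be wrapped only if it is extractable or exportable. */
int secret_key_may_be_wrapped(const secret_key_state *k)
{
    return k->extractable == CK_TRUE || k->exportable == CK_TRUE;
}

int main(void)
{
    secret_key_state k;
    secret_key_init(&k, CK_FALSE, CK_TRUE, CK_FALSE);   /* created readable and wrappable */
    printf("value readable at creation: %s\n",
           secret_key_value_readable(&k) == CKR_OK ? "yes" : "no");
    printf("set CKA_SENSITIVE=TRUE    -> 0x%02lx\n", secret_key_set_bool(&k, CKA_SENSITIVE, CK_TRUE));
    printf("set CKA_SENSITIVE=FALSE   -> 0x%02lx\n", secret_key_set_bool(&k, CKA_SENSITIVE, CK_FALSE));
    printf("set CKA_EXTRACTABLE=FALSE -> 0x%02lx\n", secret_key_set_bool(&k, CKA_EXTRACTABLE, CK_FALSE));
    printf("may be wrapped now: %s\n", secret_key_may_be_wrapped(&k) ? "yes" : "no");
    return 0;
}
```

Note that the history flags are fixed at creation: a key created with CKA_SENSITIVE FALSE and later tightened to TRUE still reports CKA_ALWAYS_SENSITIVE FALSE, which is exactly what lets an auditor distinguish keys that were never exposed from keys that were merely locked down afterwards.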

Generic Secret Key Objects

Generic secret key objects (object class CKO_SECRET_KEY, key type CKK_GENERIC_SECRET) hold generic secret keys. These keys do not support encryption, decryption, signatures or verification (other than HMAC algorithms); however, other keys can be derived from them. The following table defines the attributes of generic secret key objects, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 2: Generic Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (arbitrary length) |
| CKA_VALUE_LEN [2,3,6] | CK_ULONG | Length in bytes of key value |

Common footnotes for key attribute tables

RC2 Secret Key Objects

RC2 secret key objects (object class CKO_SECRET_KEY, key type CKK_RC2) hold RC2 keys. The following table defines the RC2 secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 3: RC2 Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (1 to 128 bytes) |
| CKA_VALUE_LEN [2,3,6] | CK_ULONG | Length in bytes of key value |

Common footnotes for key attribute tables

RC4 Secret Key Objects

RC4 secret key objects (object class CKO_SECRET_KEY, key type CKK_RC4) hold RC4 keys. The following table defines the RC4 secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 4: RC4 Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (1 to 256 bytes) |
| CKA_VALUE_LEN [2,3,6] | CK_ULONG | Length in bytes of key value |

Common footnotes for key attribute tables

AES Secret Key Objects

AES secret key objects (object class CKO_SECRET_KEY, key type CKK_AES) hold AES keys. The following table defines the AES secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 5: AES Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (16 to 32 bytes) |
| CKA_VALUE_LEN [2,3,6] | CK_ULONG | Length in bytes of key value |

Common footnotes for key attribute tables

DES Secret Key Objects

DES secret key objects (object class CKO_SECRET_KEY, key type CKK_DES) hold single-length DES keys. The following table defines the DES secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 6: DES Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (always 8 bytes long) |

Common footnotes for key attribute tables

DES keys should always have their parity bits properly set as described in FIPS PUB 46-2.  However, attempting to create or unwrap a DES key with incorrect parity will not return an error as the key will still function correctly.

DES2 Secret Key Objects

DES2 secret key objects (object class CKO_SECRET_KEY, key type CKK_DES2) hold double-length DES keys. The following table defines the DES2 secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 7: DES2 Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (always 16 bytes long) |

Common footnotes for key attribute tables

DES2 keys should have their parity bits properly set as described in FIPS PUB 46-2 (that is, each of the DES keys comprising a DES2 key should have its parity bits properly set).  However, attempting to create or unwrap a DES2 key with incorrect parity will not return an error as the key will still function correctly.

DES3 Secret Key Objects

DES3 secret key objects (object class CKO_SECRET_KEY, key type CKK_DES3) hold triple-length DES keys. The following table defines the DES3 secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 8: DES3 Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (always 24 bytes long) |

Common footnotes for key attribute tables

DES3 keys should always have their parity bits properly set as described in FIPS PUB 46-2 (that is, each of the DES keys comprising a DES3 key should have its parity bits properly set). However, attempting to create or unwrap a DES3 key with incorrect parity will not return an error as the key will still function correctly.
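Because the token accepts DES, DES2 and DES3 key material with incorrect parity rather than rejecting it, a caller who wants the FIPS PUB 46-2 property has to check it before creating or unwrapping the key. The following C code is an added example, not part of this documentation or of any Cryptoki library: it counts the key bytes whose parity is wrong (each DES key byte must have odd parity, with the least significant bit acting as the parity bit) and offers a repair that only touches that bit, so the 56 effective key bits per DES component are unchanged. The function names are hypothetical and the key bytes are constructed test values.

```c
#include <stddef.h>
#include <stdio.h>

/* Return 1 if byte b contains an odd number of set bits, 0 otherwise. */
static int odd_parity(unsigned char b)
{
    b ^= (unsigned char)(b >> 4);
    b ^= (unsigned char)(b >> 2);
    b ^= (unsigned char)(b >> 1);
    return b & 1;
}

/* Count the key bytes whose parity is not odd. A result of 0 means the key
 * is well-formed under FIPS PUB 46-2. Accepts 8-byte (DES), 16-byte (DES2)
 * and 24-byte (DES3) keys; any other length returns -1. */
int des_key_parity_errors(const unsigned char *key, size_t len)
{
    if (len != 8 && len != 16 && len != 24) return -1;
    int bad = 0;
    for (size_t i = 0; i < len; i++)
        if (!odd_parity(key[i])) bad++;
    return bad;
}

/* Repair the parity in place by flipping the least significant bit of every
 * byte with even parity. DES ignores that bit when scheduling the key, so
 * the repaired key encrypts exactly as the original did. */
void des_key_set_odd_parity(unsigned char *key, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!odd_parity(key[i])) key[i] ^= 0x01;
}

int main(void)
{
    /* Constructed DES2 key: the first component is parity-correct, the
     * second has four bytes with even parity. */
    unsigned char key[16] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
                             0x01, 0x23, 0x45, 0x67, 0x88, 0xAA, 0xCC, 0xEE};
    printf("parity errors before repair: %d\n", des_key_parity_errors(key, sizeof key));
    des_key_set_odd_parity(key, sizeof key);
    printf("parity errors after repair:  %d\n", des_key_parity_errors(key, sizeof key));
    return 0;
}
```

A non-zero count on a key that is about to be imported is worth logging even when the application decides to proceed: it indicates key material that was generated or transported by something that does not follow FIPS PUB 46-2, which is a useful signal in a key-management audit trail.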

CAST128 (CAST5) Secret Key Objects

CAST128 (also known as CAST5) secret key objects (object class CKO_SECRET_KEY, key type CKK_CAST128 or CKK_CAST5) hold CAST128 keys. The following table defines the CAST128 secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 9: CAST128 (CAST5) Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (1 to 16 bytes) |
| CKA_VALUE_LEN [2,3,6] | CK_ULONG | Length in bytes of key value |

Common footnotes for key attribute tables

IDEA Secret Key Objects

IDEA secret key objects (object class CKO_SECRET_KEY, key type CKK_IDEA) hold IDEA keys. The following table defines the IDEA secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 10: IDEA Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7] | Byte array | Key value (always 16 bytes long) |

Common footnotes for key attribute tables

SEED Secret Key Objects

SEED secret key objects (object class CKO_SECRET_KEY, key type CKK_SEED) hold SEED keys. The following table defines the SEED secret key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Secret Key Attributes:

Table 11: SEED Secret Key Object Attributes

| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_VALUE [1,4,6,7,10] | Byte array | Key value (always 16 bytes long) |

Common footnotes for key attribute tables