CKM_DES3_DERIVE_ECB
NOTE The CKM_DES3_DERIVE_ECB mechanism is deprecated in this release. Use of CKM_DES3_DERIVE_ECB is no longer recommended.
Supported Operations
Encrypt and Decrypt | No |
Sign and Verify | No |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | No |
Wrap and Unwrap | No |
Derive | Yes |
FIPS-approved | No |
Key Size Range (bytes) and Parameters
Minimum | 0 |
FIPS Minimum | N/A |
Maximum | 0 |
Parameter | Multiple of 8 bytes |
Description
The CKM_DES_DERIVE_ECB and CKM_DES3_DERIVE_ECB mechanisms are used with the C_DeriveKey function to derive a secret key by performing an ECB (no padding) encryption. They create a new secret key whose value is generated by encrypting the provided data with the provided single, double or triple length DES key.
The CKM_DES_DERIVE_ECB and CKM_DES3_DERIVE_ECB mechanisms require the pParameter in the CK_MECHANISM structure to be the pointer to the data that is to be encrypted. The parameterLen is the length of the provided data, which must be a multiple of 8 bytes.
The following rules apply to the provided attribute template:
>If no length or key type is provided in the template, then the key produced by these mechanisms is a generic secret key. Its length is equal to the length of the provided data.
>If no key type is provided in the template, but a length is, then the key produced by these mechanisms is a generic secret key of the specified length, extracted from the left bytes of the cipher text.
>If no length is provided in the template, but a key type is, then that key type must have a well-defined length. If it does, then the key produced by these mechanisms is of the type specified in the template. If it doesn’t, an error is returned.
>If both a key type and a length are provided in the template, the length must be compatible with that key type. The key produced by these mechanisms is of the specified type and length, extracted from the left bytes of the cipher text.
If a DES key is derived with these mechanisms, the parity bits of the key are set properly. If the requested type of key requires more bytes than the length of the provided data, an error is generated.
The mechanisms have the following rules about key sensitivity and extractability:
>If the base key has its CKA_SENSITIVE attribute set to TRUE, so does the derived key. If not, then the derived key’s CKA_SENSITIVE attribute is set either from the supplied template or else it defaults to TRUE.
>Similarly, the derived key’s CKA_EXTRACTABLE attribute is set either from the supplied template or else it defaults to the value of the CKA_EXTRACTABLE of the base key.
>The derived key’s CKA_ALWAYS_SENSITIVE attribute is set to TRUE if and only if the base key has its CKA_ALWAYS_SENSITIVE attribute set to TRUE.
>Similarly, the derived key’s CKA_NEVER_EXTRACTABLE attribute is set to TRUE if and only if the base key has its CKA_NEVER_EXTRACTABLE attribute set to TRUE.
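The template and attribute rules above, modelled as an added Python example; it is not SafeNet code and makes no PKCS#11 call. It assumes the template carries the key type and length as CKA_KEY_TYPE and CKA_VALUE_LEN, treats only the DES-family types as having a well-defined length, and takes the ciphertext as input instead of computing it; `derive`, `odd_parity`, `DeriveError` and the sample bytes are constructed for illustration.

```python
# Model of the template and attribute rules only; no DES encryption is done.
# `ciphertext` stands in for the ECB output the token computes from pParameter.
FIXED_LEN = {"CKK_DES": 8, "CKK_DES2": 16, "CKK_DES3": 24}  # well-defined lengths

class DeriveError(Exception):
    """Raised where the rules above say an error is returned."""

def odd_parity(key: bytes) -> bytes:
    """Force odd parity on every byte by adjusting its low bit (DES keys)."""
    return bytes((b & 0xFE) | (bin(b & 0xFE).count("1") % 2 == 0) for b in key)

def derive(base: dict, ciphertext: bytes, template: dict) -> dict:
    if len(ciphertext) % 8:
        raise DeriveError("data length must be a multiple of 8 bytes")
    ktype = template.get("CKA_KEY_TYPE")
    length = template.get("CKA_VALUE_LEN")
    if ktype is None:                       # no key type: generic secret key
        ktype = "CKK_GENERIC_SECRET"
        length = len(ciphertext) if length is None else length
    elif ktype in FIXED_LEN:                # DES-family type, fixed length
        if length not in (None, FIXED_LEN[ktype]):
            raise DeriveError("length incompatible with key type")
        length = FIXED_LEN[ktype]
    elif length is None:                    # type given, but no well-defined length
        raise DeriveError("key type has no well-defined length")
    if length > len(ciphertext):
        raise DeriveError("requested key needs more bytes than the data provides")
    value = ciphertext[:length]             # left bytes of the cipher text
    if ktype in FIXED_LEN:
        value = odd_parity(value)
    return {
        "CKA_KEY_TYPE": ktype,
        "CKA_VALUE": value,
        # A sensitive base key forces a sensitive derived key; else template or TRUE.
        "CKA_SENSITIVE": base["CKA_SENSITIVE"] or template.get("CKA_SENSITIVE", True),
        "CKA_EXTRACTABLE": template.get("CKA_EXTRACTABLE", base["CKA_EXTRACTABLE"]),
        "CKA_ALWAYS_SENSITIVE": base["CKA_ALWAYS_SENSITIVE"],
        "CKA_NEVER_EXTRACTABLE": base["CKA_NEVER_EXTRACTABLE"],
    }

if __name__ == "__main__":
    base = {"CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True,
            "CKA_ALWAYS_SENSITIVE": False, "CKA_NEVER_EXTRACTABLE": False}
    ct = bytes(range(0x10, 0x28))           # constructed 24-byte stand-in ciphertext
    for tmpl in ({}, {"CKA_VALUE_LEN": 16}, {"CKA_KEY_TYPE": "CKK_DES"}):
        key = derive(base, ct, tmpl)
        print(tmpl, key["CKA_KEY_TYPE"], key["CKA_VALUE"].hex())
```

Note that a base key with CKA_SENSITIVE set to FALSE and an empty template still yields a sensitive derived key, while CKA_EXTRACTABLE is inherited from the base key.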