CKM_EC_KEY_PAIR_GEN

Supported Operations

Encrypt and Decrypt

No

Sign and Verify

No

SignRecover and VerifyRecover

No

Digest

No

Generate Key/Key-Pair

Yes

Wrap and Unwrap

No

Derive

No

FIPS-approved

Yes

Key Size Range (bytes) and Parameters

Minimum 64
FIPS Minimum

224

Maximum 571
Parameter None

Description

The elliptic curve key pair generation mechanism, denoted CKM_EC_KEY_PAIR_GEN, is a key pair generation mechanism for EC Operation.

This mechanism operates as specified in PKCS#11, with the following adjustments.

The CKA_EC_PARAMS or CKA_ECDSA_PARAMS attribute value must be supplied in the Public Key Template. This attribute is known as the “EC domain parameters” and is defined in ANSI X9.62 as a choice of three parameter representation methods with the following syntax:

Parameters ::= CHOICE {
ecParameters ECParameters,
namedCurve CURVES.&id({CurveNames}),
implicitlyCA NULL
}

If the CKA_EC_PARAMS attribute contains a namedCurve then it must be the of DER OID-encoding of one of the following supported curves:

>{ iso(1) member-body(2) US(840) x9-62(10045) curves(3) characteristicTwo(0)
c2tnb191v1(5) }

>{ iso(1) member-body(2) US(840) x9-62(10045) curves(3) prime(1) prime192v1(1) }

>{ iso(1) identified-organization(3) Certicom(132) certicom_ellipticCurve(0)
secp224r1(33) }

>{ iso(1) member-body(2) US(840) x9-62(10045) curves(3) prime(1) prime256v1(7) }

>{ iso(1) identified-organization(3) Certicom(132) certicom_ellipticCurve(0)
secp384r1(34) }

>{ iso(1) identified-organization(3) Certicom(132) certicom_ellipticCurve(0)
secp521r1(35) }

Plus the custom curve with unofficial OID:

>{ iso(1) member-body(2) US(840) x9-62(10045) curves(3) characteristicTwo(0) c2tnb191v1e (15) }

Refer to the CT_DerEncodeNamedCurve function in the CTUTIL library for a convenient way to obtain the encodings of supported namedCurve OIDs.

If the CKA_EC_PARAMS attribute is in the form of the ECParameters sequence then the domain parameters may be described explicitly. In this way the developer is able to specify the curve parameters for curves that the firmware has no prior knowledge of.

Support for ECParameters sequence is disabled unless the Security Configuration “User Specified ECC Domain Parameters Allowed”is enabled (see ctconf –fE).

Refer to the CT_GetECCDomainParameters function in the CTUTILS library and the KM_EncodeECParamsP and KM_EncodeECParams2M functions from the KMLIB library for convenient methods to obtain ECParameters encodings.

Return to SafeNet ProtectToolkit-C Mechanisms