Secret Key Objects

Secret key objects (object class CKO_SECRET_KEY) hold secret keys. This version of Cryptoki recognizes the following types of secret key: generic, RC2, RC4, DES, DES2, DES3, CAST128 (also known as CAST5), IDEA, and AES. The following table defines the attributes common to all secret keys, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes

Table 1: Common Secret Key Attributes
Attribute Data Type Meaning
CKA_SENSITIVE8(see below) CK_BBOOL TRUE, if object is sensitive (default FALSE)
CKA_ENCRYPT8 CK_BBOOL TRUE, if key supports encryption9
CKA_DECRYPT8 CK_BBOOL TRUE, if key supports decryption9
CKA_SIGN8 CK_BBOOL TRUE, if key supports signatures (that is, authentication codes) where the signature is an appendix to the data9
CKA_VERIFY8 CK_BBOOL TRUE, if key supports verification (that is, of authentication codes) where the signature is an appendix to the data9
CKA_WRAP8 CK_BBOOL TRUE, if key supports wrapping (that is, can be used to wrap other keys)9
CKA_UNWRAP8 CK_BBOOL TRUE, if key supports unwrapping (that is, can be used to unwrap other keys)9
CKA_EXTRACTABLE8(see below) CK_BBOOL TRUE, if key is extractable9
CKA_ALWAYS_SENSITIVE2,4,6 CK_BBOOL TRUE if key has always had the CKA_SENSITIVE attribute set to TRUE
CKA_NEVER_EXTRACTABLE2,4,6 CK_BBOOL TRUE, if key has never had the CKA_EXTRACTABLE attribute set to TRUE
CKA_SUBJECT8 Byte array DER-encoding of certificate subject name (default empty)
CKA_EXPORT10 CK_BBOOL TRUE, if the key may be used to wrap Exportable keys. Restrictions apply on who can set this attribute to TRUE.
CKA_EXPORTABLE10 CK_BBOOL TRUE, if key may be wrapped with a key attribute set with CKA_EXPORT.
CKA_IMPORT10 CK_BBOOL If TRUE and CKA_UNWRAP is FALSE supports unwrapping only using CKM_WRAPKEY_DES3_CBC.
CKA_CHECK_VALUE Byte Array A calculated key check value. Fixed size of 3 bytes.

Table 2: Common footnotes for key attribute tables

After an object is created, the CKA_SENSITIVE attribute may be changed, but only to the value TRUE. Similarly, after an object is created, the CKA_EXTRACTABLE attribute may be changed, but only to the value FALSE. Attempts to make other changes to the values of these attributes should return the error code CKR_ATTRIBUTE_READ_ONLY.

If the CKA_SENSITIVE attribute is TRUE, or if the CKA_EXTRACTABLE attribute is FALSE, then certain attributes of the secret key cannot be revealed in plain text outside the token. The attributes that are affected by the sensitive and extractable attributes are specified by the 7-superscript in the attribute table, in the section describing that type of key.

If the CKA_EXTRACTABLE and CKA_EXPORTABLE attribute is FALSE, then the key cannot be wrapped.

Generic Secret Key Objects

Generic secret key objects (object class CKO_SECRET_KEY, key type CKK_GENERIC_SECRET) hold generic secret keys. These keys do not support encryption, decryption, signatures or verification (other than HMAC algorithms); however, other keys can be derived from them.  The following table defines attributes of generic secret key objects, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 2: Generic Secret Key Object Attributes
Attribute Data Type Meaning
CKA_VALUE1,4,6,7 Byte array Key value (arbitrary length)
CKA_VALUE_LEN2,3,6 CK_ULONG Length in bytes of key value

Table 2: Common footnotes for key attribute tables

RC2 Secret Key Objects

RC2 secret key objects (object class CKO_SECRET_KEY, key type CKK_RC2) hold RC2 keys. The following table defines the RC2 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 3: RC2 Secret Key Object Attributes
Attribute Data Type Meaning
CKA_VALUE1,4,6,7 Byte array Key value (1 to 128 bytes)
CKA_VALUE_LEN2,3,6 CK_ULONG Length in bytes of key value

Table 2: Common footnotes for key attribute tables

RC4 Secret Key Objects

RC4 secret key objects (object class CKO_SECRET_KEY, key type CKK_RC4) hold RC4 keys. The following table defines the RC4 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 4: RC4 Secret Key Object Attributes
Attribute Data Type Meaning
CKA_VALUE1,4,6,7 Byte array Key value (1 to 256 bytes)
CKA_VALUE_LEN2,3,6 CK_ULONG Length in bytes of key value

Table 2: Common footnotes for key attribute tables

AES Secret Key Objects

AES secret key objects (object class CKO_SECRET_KEY, key type CKK_AES) hold AES keys. The following table defines the AES secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 5: AES Secret Key Object Attributes
Attribute Data Type Meaning
CKA_VALUE1,4,6,7 Byte array Key value (16 to 32 bytes)
CKA_VALUE_LEN2,3,6 CK_ULONG Length in bytes of key value

Table 2: Common footnotes for key attribute tables

DES Secret Key Objects

DES secret key objects (object class CKO_SECRET_KEY, key type CKK_DES) hold single-length DES keys. The following table defines the DES secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 6: DES Secret Key Object

Attribute

Data Type

Meaning

CKA_VALUE1,4,6,7

Byte array

Key value (always 8 bytes long)

Table 2: Common footnotes for key attribute tables

DES keys should always have their parity bits properly set as described in FIPS PUB 46-2.  However, attempting to create or unwrap a DES key with incorrect parity will not return an error as the key will still function correctly.

DES2 Secret Key Objects

DES2 secret key objects (object class CKO_SECRET_KEY, key type CKK_DES2) hold double-length DES keys.  The following table defines the DES2 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 7: DES2 Secret Key Object Attributes
Attribute Data Type Meaning
CKA_VALUE1,4,6,7 Byte array Key value (always 16 bytes long)

Table 2: Common footnotes for key attribute tables

DES2 keys should have their parity bits properly set as described in FIPS PUB 46-2 (that is, each of the DES keys comprising a DES2 key should have its parity bits properly set).  However, attempting to create or unwrap a DES2 key with incorrect parity will not return an error as the key will still function correctly.

DES3 Secret Key Objects

DES3 secret key objects (object class CKO_SECRET_KEY, key type CKK_DES3) hold triple-length DES keys.  The following table defines the DES3 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 8: DES3 Secret Key Object Attributes
Attribute Data Type Meaning
CKA_VALUE1,4,6,7 Byte array Key value (always 24 bytes long)

Table 2: Common footnotes for key attribute tables

DES3 keys should always have their parity bits properly set as described in FIPS PUB 46-2 (that is, each of the DES keys comprising a DES3 key should have its parity bits properly set). However, attempting to create or unwrap a DES3 key with incorrect parity will not return an error as the key will still function correctly.

CAST128 (CAST5) Secret Key Objects

CAST128 (also known as CAST5) secret key objects (object class CKO_SECRET_KEY, key type CKK_CAST128 or CKK_CAST5) hold CAST128 keys.  The following table defines the CAST128 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 9: CAST128 (CAST5) Secret Key Object Attributes
Attribute Data Type Meaning
CKA_VALUE1,4,6,7 Byte array Key value (1 to 16 bytes)
CKA_VALUE_LEN2,3,6 CK_ULONG Length in bytes of key value

Table 2: Common footnotes for key attribute tables

IDEA Secret Key Objects

IDEA secret key objects (object class CKO_SECRET_KEY, key type CKK_IDEA) hold IDEA keys.  The following table defines the IDEA secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 10: IDEA Secret Key Object
Attribute Data Type Meaning
CKA_VALUE1,4,6,7 Byte array Key value (always 16 bytes long)

Table 2: Common footnotes for key attribute tables

SEED Secret Key Objects

SEED secret key objects (object class CKO_SECRET_KEY, key type CKK_SEED) hold SEED keys.  The following table defines the SEED secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:

Table 11: SEED Secret Key Object
Attribute Data type Meaning
CKA_VALUE1,4,6,7,10 Byte array Key value (always 16 bytes long)

Table 2: Common footnotes for key attribute tables