Secret Key Objects
Secret key objects (object class CKO_SECRET_KEY
) hold secret keys. This version of Cryptoki recognizes the following types of secret key: generic, RC2, RC4, DES, DES2, DES3, CAST128 (also known as CAST5), IDEA, and AES. The following table defines the attributes common to all secret keys, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes
Table 2: Common footnotes for key attribute tables
After an object is created, the CKA_SENSITIVE
attribute may be changed, but only to the value TRUE
. Similarly, after an object is created, the CKA_EXTRACTABLE
attribute may be changed, but only to the value FALSE
. Attempts to make other changes to the values of these attributes should return the error code CKR_ATTRIBUTE_READ_ONLY
.
If the CKA_SENSITIVE
attribute is TRUE
, or if the CKA_EXTRACTABLE
attribute is FALSE
, then certain attributes of the secret key cannot be revealed in plain text outside the token. The attributes that are affected by the sensitive and extractable attributes are specified by the 7-superscript in the attribute table, in the section describing that type of key.
If the CKA_EXTRACTABLE
and CKA_EXPORTABLE
attribute is FALSE
, then the key cannot be wrapped.
Generic Secret Key Objects
Generic secret key objects (object class CKO_SECRET_KEY
, key type CKK_GENERIC_SECRET
) hold generic secret keys. These keys do not support encryption, decryption, signatures or verification (other than HMAC algorithms); however, other keys can be derived from them. The following table defines attributes of generic secret key objects, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7
|
Byte array | Key value (arbitrary length) |
CKA_VALUE_LEN 2,3,6
|
CK_ULONG
|
Length in bytes of key value |
Table 2: Common footnotes for key attribute tables
RC2 Secret Key Objects
RC2 secret key objects (object class CKO_SECRET_KEY
, key type CKK_RC2
) hold RC2 keys. The following table defines the RC2 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7
|
Byte array | Key value (1 to 128 bytes) |
CKA_VALUE_LEN 2,3,6
|
CK_ULONG
|
Length in bytes of key value |
Table 2: Common footnotes for key attribute tables
RC4 Secret Key Objects
RC4 secret key objects (object class CKO_SECRET_KEY
, key type CKK_RC4
) hold RC4 keys. The following table defines the RC4 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7
|
Byte array | Key value (1 to 256 bytes) |
CKA_VALUE_LEN 2,3,6
|
CK_ULONG
|
Length in bytes of key value |
Table 2: Common footnotes for key attribute tables
AES Secret Key Objects
AES secret key objects (object class CKO_SECRET_KEY
, key type CKK_AES
) hold AES keys. The following table defines the AES secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7
|
Byte array | Key value (16 to 32 bytes) |
CKA_VALUE_LEN 2,3,6
|
CK_ULONG
|
Length in bytes of key value |
Table 2: Common footnotes for key attribute tables
DES Secret Key Objects
DES secret key objects (object class CKO_SECRET_KEY
, key type CKK_DES
) hold single-length DES keys. The following table defines the DES secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute |
Data Type |
Meaning |
---|---|---|
|
Byte array |
Key value (always 8 bytes long) |
Table 2: Common footnotes for key attribute tables
DES keys should always have their parity bits properly set as described in FIPS PUB 46-2. However, attempting to create or unwrap a DES key with incorrect parity will not return an error as the key will still function correctly.
DES2 Secret Key Objects
DES2 secret key objects (object class CKO_SECRET_KEY
, key type CKK_DES2
) hold double-length DES keys. The following table defines the DES2 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7
|
Byte array | Key value (always 16 bytes long) |
Table 2: Common footnotes for key attribute tables
DES2 keys should have their parity bits properly set as described in FIPS PUB 46-2 (that is, each of the DES keys comprising a DES2 key should have its parity bits properly set). However, attempting to create or unwrap a DES2 key with incorrect parity will not return an error as the key will still function correctly.
DES3 Secret Key Objects
DES3 secret key objects (object class CKO_SECRET_KEY
, key type CKK_DES3
) hold triple-length DES keys. The following table defines the DES3 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7
|
Byte array | Key value (always 24 bytes long) |
Table 2: Common footnotes for key attribute tables
DES3 keys should always have their parity bits properly set as described in FIPS PUB 46-2 (that is, each of the DES keys comprising a DES3 key should have its parity bits properly set). However, attempting to create or unwrap a DES3 key with incorrect parity will not return an error as the key will still function correctly.
CAST128 (CAST5) Secret Key Objects
CAST128 (also known as CAST5) secret key objects (object class CKO_SECRET_KEY
, key type CKK_CAST128
or CKK_CAST5
) hold CAST128 keys. The following table defines the CAST128 secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7
|
Byte array | Key value (1 to 16 bytes) |
CKA_VALUE_LEN 2,3,6
|
CK_ULONG
|
Length in bytes of key value |
Table 2: Common footnotes for key attribute tables
IDEA Secret Key Objects
IDEA secret key objects (object class CKO_SECRET_KEY
, key type CKK_IDEA
) hold IDEA keys. The following table defines the IDEA secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7
|
Byte array | Key value (always 16 bytes long) |
Table 2: Common footnotes for key attribute tables
SEED Secret Key Objects
SEED secret key objects (object class CKO_SECRET_KEY
, key type CKK_SEED
) hold SEED keys. The following table defines the SEED secret key object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, Table 3: Common Key Attributes, and Common Secret Key Attributes:
Attribute | Data type | Meaning |
---|---|---|
CKA_VALUE 1,4,6,7,10
|
Byte array | Key value (always 16 bytes long) |