CKM_EC_KEY_PAIR_GEN
Supported Operations
Encrypt and Decrypt | No |
Sign and Verify | No |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | Yes |
Wrap and Unwrap | No |
Derive | No |
Available in FIPS Mode | Yes |
Restrictions in FIPS Mode | None |
Key Size Range (bits) and Parameters
Minimum | 64 |
FIPS Minimum | 224 |
Maximum | 571 |
Parameter | None |
Description
The elliptic curve key pair generation mechanism, denoted CKM_EC_KEY_PAIR_GEN
, is a key pair generation mechanism for EC Operation.
This mechanism operates as specified in PKCS#11, with the following adjustments.
The CKA_EC_PARAMS
or CKA_ECDSA_PARAMS
attribute value must be supplied in the Public Key Template. This attribute is known as the “EC domain parameters” and is defined in ANSI X9.62 as a choice of three parameter representation methods with the following syntax:
Parameters ::= CHOICE {
ecParameters ECParameters,
namedCurve CURVES.&id({CurveNames}),
implicitlyCA NULL
}
If the CKA_EC_PARAMS
attribute contains a namedCurve then it must be the of DER OID-encoding of one of the following supported curves:
>{ iso(1) member-body(2) US(840) x9-62(10045) curves(3) characteristicTwo(0) c2tnb191v1(5) }
>{ iso(1) member-body(2) US(840) x9-62(10045) curves(3) prime(1) prime192v1(1) }
>{ iso(1) identified-organization(3) Certicom(132) certicom_ellipticCurve(0) secp224r1(33) }
>{ iso(1) member-body(2) US(840) x9-62(10045) curves(3) prime(1) prime256v1(7) }
>{ iso(1) identified-organization(3) Certicom(132) certicom_ellipticCurve(0) secp384r1(34) }
>{ iso(1) identified-organization(3) Certicom(132) certicom_ellipticCurve(0) secp521r1(35) }
Plus the custom curve with unofficial OID:
>{ iso(1) member-body(2) US(840) x9-62(10045) curves(3) characteristicTwo(0) c2tnb191v1e (15) }
Refer to the CT_DerEncodeNamedCurve function in the CTUTIL library for a convenient way to obtain the encodings of supported namedCurve OIDs.
If the CKA_EC_PARAMS
attribute is in the form of the ECParameters sequence then the domain parameters may be described explicitly. In this way the developer is able to specify the curve parameters for curves that the firmware has no prior knowledge of.
Support for ECParameters sequence is disabled unless the Security Configuration “User Specified ECC Domain Parameters Allowed” is enabled (see ctconf –fE).
Refer to the CT_GetECCDomainParameters function in the CTUTILS library and the KM_EncodeECParamsP and KM_EncodeECParams2M functions from the KMLIB library for convenient methods to obtain ECParameters encodings.
Return to SafeNet ProtectToolkit-C Mechanisms