CKM_WRAPKEY_AES_KWP
Supported Operations
| Encrypt and Decrypt | No |
| Sign and Verify | No |
| SignRecover and VerifyRecover | No |
| Digest | No |
| Generate Key/Key-Pair | No |
| Wrap and Unwrap | Yes |
| Derive | No |
| Available in FIPS Mode | Yes |
| Restrictions in FIPS Mode | None |
Key Size Range (bytes) and Parameters
| Minimum | 16 |
| FIPS Minimum | 16 |
| Maximum | 32 |
| Parameter | None |
Description
The CKM_WRAPKEY_AES_KWP mechanism is used to wrap a key value plus all of its attributes so that the entire key can be reconstructed without a template at the destination. This mechanism is the same as CKM_WRAPKEY_DES3_CBC, but uses only NIST-approved cryptographic algorithms and key sizes.
Encoding Format
The encoding is a proprietary encoding where fields are identified by their position (no tags). All fields are preceded by an encoding of the length of the content. The length may be zero indicating an empty field but must always be present. Where the length is zero the content is not present (zero bytes). Where the length is non zero the content has the number of bytes equal to the value of the encoded length. The length is encoded as a 32-bit big-endian binary value and can thus take values from 0 to (232 -1) i.e. around 4 gigabytes.
Definitions
| wK | This is the wrapping key under which the subject key is to be wrapped. This key must be valid for the operation Ex. |
| mK | This is a randomly generated 256-bit MAC key using CKM_GENERIC_SECRET_KEY_GEN. This key is used with Mx. |
| cK | This is clear encoding of the subject key. For single part symmetric keys, this is just the key value. For compound (e.g., RSA) keys, it is a BER encoding as per PKCS#1. |
| a | This is the encoded non-sensitive subject key attributes. The attributes are encoded with an attribute header, which is the number of attributes (4 byte), followed by a list of sub encodings which contain the attribute type (4 byte), content length (4 byte), a content presence indicator (1 byte), and the content bytes. The presence indicator allows the content length value to be non-zero, but, where presence indicator = 0, no content bytes are included. If the presence indicator is 1 then the content length must be the number of bytes indicated by the content length field. All numeric values are encoded as big-endian. Note that the sensitive attributes are contained in cK. |
| E x | This is encryption using CKM_AES_KWP with key 'x'. |
| M x | This is MAC generation using CKM_SHA512_HMAC_GENERAL (16 byte MAC result) with key 'x'. |
A wrapped key using CKM_WRAPKEY_AES_KWP is made up of the following fields:
>ecK the encrypted key value, ecK = EwK(cK).
>a the encoded non-sensitive subject key attributes.
>m a MAC of the key value and attributes, m = MmK(cK + a).
>emK the encrypted MAC key value, emK = EwK(mK).
These fields are then encoded as described above.
For a full description of this mechanism, refer to NIST Special Publication 800-38F.
Return to SafeNet ProtectToolkit-C Mechanisms
