ProtectServer 3 HSM and ProtectToolkit 7
Customer release notes
- ProtectToolkit 7 releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 HSM firmware releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 Network HSM Appliance Software releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- Supported ProtectToolkit 7 platforms
- Supported ProtectServer 3 HSM firmware and boot loader versions
- Known and resolved issues
ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration
- ProtectServer 3 PCIe hardware installation
- ProtectServer 3 External installation and configuration
  - ProtectServer 3 External overview
  - ProtectServer 3 External required items
  - Installing the ProtectServer 3 External hardware
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3 External
  - Updating the ProtectServer 3 External appliance software image
- ProtectServer 3+ External installation and configuration
  - ProtectServer 3+ External overview
  - ProtectServer 3+ External required items
  - Installing the ProtectServer 3+ External in a server rack
  - Physical features
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3+ External
  - Updating the ProtectServer 3+ External appliance software image
- ProtectToolkit 7 software installation
  - Installing ProtectToolkit 7 on Windows
  - Installing ProtectToolkit 7 on Unix/Linux
  - Installing ProtectToolkit 7 on Unix/Linux manually
  - Deploying ProtectToolkit 7 in a Docker container on Linux
  - Available ProtectToolkit 7 components
- Configuration items
- Utilities command reference
PSESH command reference
- Using PSESH
- PSESH commands
  - audit
    - audit audit
    - audit log
    - audit service
  - exit
  - files
    - files clear
    - files delete
    - files show
  - help
  - hsm
    - hsm cert
    - hsm factoryreset
    - hsm reset
    - hsm show
    - hsm state
  - network
    - network dns
    - network domain
    - network hostname
    - network interface
    - network iptables
    - network ping
    - network route
    - network show
  - package
    - package list
    - package install
    - package listfile
  - service
    - service list
    - service restart
    - service start
    - service status
    - service stop
  - status
    - status cpu
    - status date
    - status disk
    - status interface
    - status mac
    - status mem
    - status netstat
    - status ps
    - status time
    - status zone
  - sysconf
    - sysconf appliance
    - sysconf etnetcfg
    - sysconf snmp
    - sysconf time
    - sysconf timezone
  - syslog
    - syslog cleanup
    - syslog export
    - syslog period
    - syslog remotehost
    - syslog rotate
    - syslog rotations
    - syslog show
    - syslog tail
    - syslog tarlogs
  - user password
ProtectServer HSM migration
- Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs
- Migrating functionality modules from ProtectServer 2 HSMs to ProtectServer 3 HSMs
ProtectToolkit-C administration
- Introduction
- Cryptoki configuration
  - ProtectToolkit-C model
  - Initial configuration
    - Trust management
    - ProtectServer owner and identity certificates
    - Secure messaging
    - Token replication
  - Changing the Cryptoki provider
  - Work Load Distribution and High Availability
    - WLD system setup
    - Operation in WLD Mode
    - Operation in High Availability Mode
  - Real-time clock
  - ProtectToolkit-C configuration items
- Security policies and user roles
  - Typical security policies
  - Security flags
  - Security policy options
  - User roles
- Audit logging
  - Audit logging overview
  - Configuring and using audit logging
  - Audit log entries and structure
- SNMP monitoring
- Self-tests
- Operational tasks
  - Changing a user or Security Officer PIN
  - Secure key backup and restoration
  - Adding and removing slots
  - Re-initializing a token
  - Multifactor authentication (one-time password)
  - Connecting and removing smart card readers
  - Using Transport Mode to avoid a board removal tamper
  - Adjusting the HSM clock
  - Changing secure messaging mode
  - Using the system event log
  - Updating the HSM firmware or boot loader
  - Installing a functionality module
  - Key entry via PIN pad
  - Resetting the HSM to factory settings
  - Resetting the ProtectServer 3 Network HSM appliance to factory settings
  - Tampering or decommissioning the HSM
  - RMA and shipping back to Thales
- Command-line utilities reference
  - ctcert
  - ctcheck
  - ctconf
  - ctfm
  - ctident
  - ctlimits
  - ctmultitoken
  - ctotp
  - ctkmu
  - ctperf
  - ctstat
  - auditverify
  - ptk7tokmigration
- PKCS#11 attributes
- Sample EC domain parameter files
ProtectToolkit-C programming
- Introduction to PKCS#11
- Environments
- Object classes
  - Creating, modifying, copying, and deleting objects
  - Additional attribute types
  - Common attributes
  - Hardware feature objects
  - Clock objects
  - Monotonic counter objects
  - Storage objects
  - Data objects
  - Certificate objects
  - Key objects
    - Public key objects
    - Private key objects
    - Secret key objects
    - Key parameter objects
- ProtectToolkit-C mechanisms
  - CKM_AES_CBC
  - CKM_AES_CBC_ENCRYPT_DATA
  - CKM_AES_CBC_PAD
  - CKM_AES_CCM
  - CKM_AES_CMAC
  - CKM_AES_CMAC_GENERAL
  - CKM_AES_CTR
  - CKM_AES_ECB
  - CKM_AES_ECB_ENCRYPT_DATA
  - CKM_AES_GCM
  - CKM_AES_GCM_OLD
  - CKM_AES_GMAC
  - CKM_AES_KEY_GEN
  - CKM_AES_KEY_WRAP
  - CKM_AES_KEY_WRAP_PAD
  - CKM_AES_KW
  - CKM_AES_KWP
  - CKM_AES_MAC
  - CKM_AES_MAC_GENERAL
  - CKM_AES_OFB
  - CKM_ARDFP
  - CKM_ARIA_CBC
  - CKM_ARIA_CBC_PAD
  - CKM_ARIA_ECB
  - CKM_ARIA_KEY_GEN
  - CKM_ARIA_MAC
  - CKM_ARIA_MAC_GENERAL
  - CKM_BIP32_CHILD_DERIVE
  - CKM_BIP32_MASTER_DERIVE
  - CKM_CAST128_CBC
  - CKM_CAST128_CBC_PAD
  - CKM_CAST128_ECB
  - CKM_CAST128_ECB_PAD
  - CKM_CAST128_KEY_GEN
  - CKM_CAST128_MAC
  - CKM_CAST128_MAC_GENERAL
  - CKM_CONCATENATE_BASE_AND_DATA
  - CKM_CONCATENATE_BASE_AND_KEY
  - CKM_CONCATENATE_DATA_AND_BASE
  - CKM_DECODE_PKCS_7
  - CKM_DECODE_X_509
  - CKM_DES2_KEY_GEN
  - CKM_DES3_BCF
  - CKM_DES3_CBC
  - CKM_DES3_CBC_ENCRYPT_DATA
  - CKM_DES3_CBC_PAD
  - CKM_DES3_CMAC
  - CKM_DES3_CMAC_GENERAL
  - CKM_DES3_DDD_CBC
  - CKM_DES3_DERIVE_CBC_DEPRECATED
  - CKM_DES3_DERIVE_ECB_DEPRECATED
  - CKM_DES3_ECB
  - CKM_DES3_ECB_ENCRYPT_DATA
  - CKM_DES3_ECB_PAD
  - CKM_DES3_KEY_GEN
  - CKM_DES3_MAC
  - CKM_DES3_MAC_GENERAL
  - CKM_DES3_OFB64
  - CKM_DES3_RETAIL_CFB_MAC
  - CKM_DES3_X919_MAC
  - CKM_DES3_X919_MAC_GENERAL
  - CKM_DES_BCF
  - CKM_DES_CBC
  - CKM_DES_CBC_ENCRYPT_DATA
  - CKM_DES_CBC_PAD
  - CKM_DES_DERIVE_CBC_DEPRECATED
  - CKM_DES_DERIVE_ECB_DEPRECATED
  - CKM_DES_ECB
  - CKM_DES_ECB_ENCRYPT_DATA
  - CKM_DES_ECB_PAD
  - CKM_DES_KEY_GEN
  - CKM_DES_MAC
  - CKM_DES_MAC_GENERAL
  - CKM_DES_MDC_2_PAD1
  - CKM_DES_OFB64
  - CKM_DH_PKCS_DERIVE
  - CKM_DH_PKCS_KEY_PAIR_GEN
  - CKM_DH_PKCS_PARAMETER_GEN
  - CKM_DSA
  - CKM_DSA_KEY_PAIR_GEN
  - CKM_DSA_PARAMETER_GEN
  - CKM_DSA_SHA1
  - CKM_DSA_SHA1_PKCS
  - CKM_DSA_SHA224
  - CKM_DSA_SHA224_PKCS
  - CKM_DSA_SHA256
  - CKM_DSA_SHA256_PKCS
  - CKM_DSA_SHA384
  - CKM_DSA_SHA384_PKCS
  - CKM_DSA_SHA512
  - CKM_DSA_SHA512_PKCS
  - CKM_EC_EDWARDS_KEY_PAIR_GEN
  - CKM_EC_KEY_PAIR_GEN
  - CKM_EC_MONTGOMERY_KEY_PAIR_GEN
  - CKM_ECDH1_DERIVE
  - CKM_ECDSA
  - CKM_ECDSA_GBCS_SHA256
  - CKM_ECDSA_SHA1
  - CKM_ECDSA_SHA224
  - CKM_ECDSA_SHA256
  - CKM_ECDSA_SHA384
  - CKM_ECDSA_SHA3_224
  - CKM_ECDSA_SHA3_256
  - CKM_ECDSA_SHA3_384
  - CKM_ECDSA_SHA3_512
  - CKM_ECDSA_SHA512
  - CKM_ECIES
  - CKM_EDDSA
  - CKM_ENCODE_ATTRIBUTES
  - CKM_ENCODE_PKCS_10
  - CKM_ENCODE_PUBLIC_KEY
  - CKM_ENCODE_X_509
  - CKM_ENCODE_X_509_LOCAL_CERT
  - CKM_EXTRACT_KEY_FROM_KEY
  - CKM_GENERIC_SECRET_KEY_GEN
  - CKM_IDEA_CBC
  - CKM_IDEA_CBC_PAD
  - CKM_IDEA_ECB
  - CKM_IDEA_ECB_PAD
  - CKM_IDEA_KEY_GEN
  - CKM_IDEA_MAC
  - CKM_IDEA_MAC_GENERAL
  - CKM_KECCAK_1600
  - CKM_KEY_TRANSLATION
  - CKM_KEY_WRAP_SET_OAEP
  - CKM_MD2
  - CKM_MD2_HMAC
  - CKM_MD2_HMAC_GENERAL
  - CKM_MD2_KEY_DERIVATION
  - CKM_MD2_RSA_PKCS
  - CKM_MD5
  - CKM_MD5_HMAC
  - CKM_MD5_HMAC_GENERAL
  - CKM_MD5_KEY_DERIVATION
  - CKM_MD5_RSA_PKCS
  - CKM_MILENAGE_DERIVE
  - CKM_MILENAGE_SIGN
  - CKM_NVB
  - CKM_PBA_SHA1_WITH_SHA1_HMAC
  - CKM_PBE_MD2_DES_CBC
  - CKM_PBE_MD5_CAST128_CBC
  - CKM_PBE_MD5_DES_CBC
  - CKM_PBE_SHA1_CAST128_CBC
  - CKM_PBE_SHA1_DES2_EDE_CBC
  - CKM_PBE_SHA1_DES3_EDE_CBC
  - CKM_PBE_SHA1_RC2_128_CBC
  - CKM_PBE_SHA1_RC2_40_CBC
  - CKM_PBE_SHA1_RC4_128
  - CKM_PBE_SHA1_RC4_40
  - CKM_PKCS12_PBE_EXPORT
  - CKM_PKCS12_PBE_IMPORT
  - CKM_PP_LOAD_SECRET
  - CKM_PP_LOAD_SECRET_2
  - CKM_RC2_CBC
  - CKM_RC2_CBC_PAD
  - CKM_RC2_ECB
  - CKM_RC2_ECB_PAD
  - CKM_RC2_KEY_GEN
  - CKM_RC2_MAC
  - CKM_RC2_MAC_GENERAL
  - CKM_RC4
  - CKM_RC4_KEY_GEN
  - CKM_REPLICATE_TOKEN_RSA_AES
  - CKM_RIPEMD128
  - CKM_RIPEMD128_HMAC
  - CKM_RIPEMD128_HMAC_GENERAL
  - CKM_RIPEMD128_RSA_PKCS
  - CKM_RIPEMD160
  - CKM_RIPEMD160_HMAC
  - CKM_RIPEMD160_HMAC_GENERAL
  - CKM_RIPEMD160_RSA_PKCS
  - CKM_RSA_9796
  - CKM_RSA_FIPS_186_4_PRIME_KEY_PAIR_ GEN
  - CKM_RSA_PKCS
  - CKM_RSA_PKCS_KEY_PAIR_GEN
  - CKM_RSA_PKCS_OAEP
  - CKM_RSA_PKCS_PSS
  - CKM_RSA_X9_31_KEY_PAIR_GEN
  - CKM_RSA_X_509
  - CKM_SECRET_RECOVER_WITH_ATTRIBUTES
  - CKM_SECRET_SHARE_WITH_ATTRIBUTES
  - CKM_SEED_CBC
  - CKM_SEED_CBC_PAD
  - CKM_SEED_ECB
  - CKM_SEED_ECB_PAD
  - CKM_SEED_KEY_GEN
  - CKM_SEED_MAC
  - CKM_SEED_MAC_GENERAL
  - CKM_SET_ATTRIBUTES
  - CKM_SHA1
  - CKM_SHA1_EDDSA
  - CKM_SHA1_HMAC
  - CKM_SHA1_HMAC_GENERAL
  - CKM_SHA1_KEY_DERIVATION
  - CKM_SHA1_RSA_PKCS
  - CKM_SHA1_RSA_PKCS_PSS
  - CKM_SHA1_RSA_PKCS_TIMESTAMP
  - CKM_SHA224
  - CKM_SHA224_EDDSA
  - CKM_SHA224_HMAC
  - CKM_SHA224_HMAC_GENERAL
  - CKM_SHA224_KEY_DERIVATION
  - CKM_SHA224_RSA_PKCS
  - CKM_SHA224_RSA_PKCS_PSS
  - CKM_SHA256
  - CKM_SHA256_EDDSA
  - CKM_SHA256_HMAC
  - CKM_SHA256_HMAC_GENERAL
  - CKM_SHA256_KEY_DERIVATION
  - CKM_SHA256_RSA_PKCS
  - CKM_SHA256_RSA_PKCS_PSS
  - CKM_SHA384
  - CKM_SHA384_EDDSA
  - CKM_SHA384_HMAC
  - CKM_SHA384_HMAC_GENERAL
  - CKM_SHA384_KEY_DERIVATION
  - CKM_SHA384_RSA_PKCS
  - CKM_SHA384_RSA_PKCS_PSS
  - CKM_SHA3_224
  - CKM_SHA3_224_EDDSA
  - CKM_SHA3_224_HMAC
  - CKM_SHA3_224_HMAC_GENERAL
  - CKM_SHA3_224_KEY_DERIVE
  - CKM_SHA3_224_RSA_PKCS
  - CKM_SHA3_224_RSA_PKCS_PSS
  - CKM_SHA3_256
  - CKM_SHA3_256_EDDSA
  - CKM_SHA3_256_HMAC
  - CKM_SHA3_256_HMAC_GENERAL
  - CKM_SHA3_256_KEY_DERIVE
  - CKM_SHA3_256_RSA_PKCS
  - CKM_SHA3_256_RSA_PKCS_PSS
  - CKM_SHA3_384
  - CKM_SHA3_384_EDDSA
  - CKM_SHA3_384_HMAC
  - CKM_SHA3_384_HMAC_GENERAL
  - CKM_SHA3_384_KEY_DERIVE
  - CKM_SHA3_384_RSA_PKCS
  - CKM_SHA3_384_RSA_PKCS_PSS
  - CKM_SHA3_512
  - CKM_SHA3_512_EDDSA
  - CKM_SHA3_512_HMAC
  - CKM_SHA3_512_HMAC_GENERAL
  - CKM_SHA3_512_KEY_DERIVE
  - CKM_SHA3_512_RSA_PKCS
  - CKM_SHA3_512_RSA_PKCS_PSS
  - CKM_SHA512
  - CKM_SHA512_EDDSA
  - CKM_SHA512_HMAC
  - CKM_SHA512_HMAC_GENERAL
  - CKM_SHA512_KEY_DERIVATION
  - CKM_SHA512_RSA_PKCS
  - CKM_SHA512_RSA_PKCS_PSS
  - CKM_SSL3_KEY_AND_MAC_DERIVE
  - CKM_SSL3_MASTER_KEY_DERIVE
  - CKM_SSL3_MD5_MAC
  - CKM_SSL3_PRE_MASTER_KEY_GEN
  - CKM_SSL3_SHA1_MAC
  - CKM_TDEA_TKW
  - CKM_TUAK_DERIVE
  - CKM_TUAK_SIGN
  - CKM_UNWRAP_TR31
  - CKM_VISA_CVV
  - CKM_WRAP_TR31_DERIVE
  - CKM_WRAP_TR31_VARIANT
  - CKM_WRAPKEY_AES_CBC
  - CKM_WRAPKEY_AES_KWP
  - CKM_WRAPKEY_DES3_CBC
  - CKM_WRAPKEY_DES3_ECB
  - CKM_WRAPKEYBLOB_AES_CBC
  - CKM_WRAPKEYBLOB_DES3_CBC
  - CKM_X9_42_DH_DERIVE
  - CKM_X9_42_DH_KEY_PAIR_GEN
  - CKM_X9_42_DH_PARAMETER_GEN
  - CKM_XOR_BASE_AND_DATA
  - CKM_XOR_BASE_AND_KEY
  - CKM_ZKA_MDC_2_KEY_DERIVATION
  - PTK-C vendor-defined error codes
- Supported ECC curves
- C sample programs
- Best practice guidelines
  - Application security
  - Application usability
  - Performance
  - Capacity
  - Setup and configuration
  - Maintainability
  - Debugging
  - Interoperability
  - Programming in FIPS Mode
  - Key management
  - Hierarchical deterministic wallets in ProtectToolkit
- ctbrowse - token browser
- API tutorial: development of a sample application
- PKCS#11 logger library
- PKCS#11 command reference
  - General purpose functions
  - Slot and token management functions
  - Session management functions
  - Object management functions
  - Encryption functions
  - Decryption functions
  - Message digesting functions
  - Signing and MACing functions
  - Functions for verifying signatures and MACs
  - Dual-function cryptographic functions
  - Key management functions
  - Random number generation functions
  - Parallel function management functions
  - Extra functions
- ctutil.h functionality reference
- ctextra.h library reference
- hex2bin.h library reference
- hsmadmin.h library reference
- Attribute certificate
ProtectToolkit-C management libraries programming
- KMLIB sample applications
- KMLIB callback prototypes reference
- KMLIB function reference
ProtectToolkit-J reference
- ProtectToolkit-J overview
- JCA/JCE API overview
  - Encryption and decryption
  - Message digests
  - Message authentication code (MAC)
  - Authentication
  - Key management
  - Error handling and exceptions
- Supported ciphers
  - DES
  - DESede
  - AES
  - IDEA
  - CAST128
  - RC2
  - RC4
  - PBE ciphers
  - RSA
- Supported signature algorithms
- Supported MAC algorithms
- Supported message digest algorithms
- Key Management Utility (KMU) reference
  - Compatibility issues
  - Main KMU interface
  - Logging into and out from tokens
  - Creating keys
  - Editing key attributes
  - Deleting a key
  - Display key check value
  - Importing and exporting keys
  - Key backup feature tutorial
- Administration Utility (gCTAdmin) reference
  - Logging in and out
  - Main gCTAdmin Interface
  - Slot and token management
  - HSM management
- KMU key check value (KCV) calculation
- Key generation
- Key management
- Best practice guidelines
- Java sample programs
- JCA/JCE API tutorial
  - Public key cryptography
  - FileCrypt application
  - File encryption
  - File decryption
  - Accessing public keys
  - Main()
- Random number generation
- References
ProtectToolkit-M reference
- Overview
- Setup and configuration
  - User roles
  - Initial configuration: mandatory steps
  - Security mode descriptions
  - Security mode flag descriptions
  - Allocating keyset space
  - Configuration options
  - SafeNet KSP for CNG registration utilities
  - Configuring IIS7 (Win2008) with CNG
- Administrative tasks
  - Changing the device administrator password
  - Allocating keyset space
  - De-allocating keyset space
  - Creating user keysets
  - Deleting a keyset
  - Setting the adapter Transport Mode
  - Correcting clock drift
  - Viewing and purging the HSM event log
  - Checking and upgrading HSM firmware
  - Tampering the HSM
  - Backing up a keyset
  - Restoring a keyset
  - Enabling private key clear export
- User tasks
- Administration and user utilities
  - Administration Utility
  - Keyset Management Utility
  - createcert
- Integration with Microsoft CA
  - Setting up a CA with ProtectToolkit-M
  - Certificate template support for SafeNet CSPs
  - CA replication (key backup and recovery)
  - Private key archiving and recovery
- Integration with IIS
  - Creating a certificate
  - Installing a certificate for use with IIS
- Work Load Distribution
- Registry configuration
FM SDK programming
- Overview
- FM architecture
- FM development
- FM samples
- Building sample FMs in Emulation Mode on Windows
- Configuring WSL 2 for FM development and deployment
- FM deployment
- Utilities reference
- Cipher object
  - FmCreateCipherObject
  - Cipher object functions
  - Algorithm-specific cipher information
- Hash object
  - FmCreateHashObject
  - Hash object functions
- Setting privilege level
- SMFS reference
- FMDEBUG reference
- Message Dispatch API reference
- HSM functions reference
  - HIFACE reply management functions
  - Functionality module dispatch switcher function
  - Serial communication functions
  - High resolution timer functions
  - Cprov function patching helper function
  - Current application ID functions
  - PKCS#11 state management functions
  - Functionality module header definition macro
- USB API reference
ProtectServer 3 HSM and ProtectToolkit 7 troubleshooting
- Installation troubleshooting
- ProtectToolkit-J troubleshooting
- ProtectToolkit-M troubleshooting
Third-Party Software Licenses

CKM_ECDH1_DERIVE

This section provides a summary of CKM_ECDH1_DERIVE.

Supported operations

Operation	Supported
Encrypt and Decrypt	No
Sign and Verify	No
SignRecover and VerifyRecover	No
Digest	No
Generate Key/Key-Pair	No
Wrap and Unwrap	No
Derive	Yes

FIPS Mode support

Available in FIPS Mode	Restrictions in FIPS Mode
Yes	When using 7.03.00 or newer Minimum 224-bit modulus for derive operations.

Key size range (bits) and parameters

Key size minimum/maximum	Value
Minimum	64
FIPS Minimum	When using firmware older than 7.03.00 224 When using 7.03.00 or newer 160
Maximum	571

Key size minimum/maximum

Value

Minimum

FIPS Minimum

When using firmware older than 7.03.00

224

When using 7.03.00 or newer

160

Maximum

571

Parameter

CKM_ECDH1_DERIVE_PARAMS

Mechanism description

The elliptic curve Diffie-Hellman (ECDH) key derivation mechanism, denoted CKM_ECDH1_DERIVE, is a mechanism for key derivation based on the Diffie- Hellman version of the elliptic curve key agreement scheme, as defined in ANSI X9.63, where each party contributes one key pair all using the same EC domain parameters.

This mechanism has a parameter, a CKM_ECDH1_DERIVE_PARAMS structure.

typedef struct CKM_ECDH1_DERIVE_PARAMS {
    CKM_EC_KDF_TYPE kdf;/* key derivation function */
    CKM_ULONG  ulSharedDataLen;/* optional extra shared data */
    CKM_BYTE_PTR pSharedData;
    CKM_ULONG   ulPublicDataLen;/* other party public key value */
    CKM_BYTE_PTR  pPublicData;
} CKM_ECDH1_DERIVE_PARAMS;
typedef struct CK_ECDH1_DERIVE_PARAMS * CKM_ECDH1_DERIVE_PARAMS_PTR;

The fields of the structure have the following meanings:

Field	Description
kdf	This is the key derive function (see below for the description of the possible values of this field).
ulSharedDataLen	This is the length of the optional shared data used by some of the key derive functions. This may be zero if there is no shared data.
pSharedData	This is the address of the optional shared data or NULL if there is no shared data.
ulPublicDataLen	This is the length of the other party public key.
pPublicData	This is the pointer to the other party public key. Only uncompressed format is accepted.

The mechanism calculates an agreed value using the EC Private key referenced by the base object handle and the EC Public key passed to the mechanism through the pPublicData field of the mechanism parameter.

The length of the agreed value is equal to the ‘q’ value of the underlying EC curve.

The agreed value is then processed by the KDF to produce the CKA_VALUE of the new Secret Key object.

Four main types of KDFs are supported:

The NULL KDF performs no additional processing and can be used to obtain the raw agreed value. Basically: Key = Z
The CKF_<hash>_KDF algorithms are based on the algorithm described in section 5.6.3 of ANSI X9.63 2001. Basically: Key = H(Z || counter || OtherInfo)
The CKF_<hash>_SES_KDF algorithms are based on the variant of the x9.63 algorithm specified in Technical Guideline TR-03111 - Elliptic Curve Cryptography (ECC) based on ISO 15946 Version 1.0, Bundesamt Fur Sicherheit in der Informationstechnik (BSI)

Basically: Key = H(Z || counter) where counter is a user specified parameter
The CKF_<hash>_NIST_KDF algorithms are based on the algorithm described in NIST 800-56A Concatenisation Algorithm

Basically: Key = H(counter || Z || OtherInfo)

The CKF_SES_<hash>_KDF algorithms require the value of the counter to be specified. This is done by arithmetically adding the counter value to the CKF value.

The following Counter values are defined in TR-03111:

Counter name	Value	Description
CKD_SES_ENC_CTR	0x00000001	Default encryption key
CKD_SES_AUTH_CTR	0x00000002	Default authentication key
CKD_SES_ALT_ENC_CTR	0x00000003	Alternate encryption key
CKD_SES_ALT_AUTH_CTR	0x00000004	Alternate Authentication key
CKD_SES_MAX_CTR	0x0000FFFF	Maximum counter value

Example

To derive a session key to be used as an Alternate key for Encryption the counter must equal 0x00000003. If the SHA-1 hash algorithm is required then the KDF value would be set like this:

CKM_ECDH1_DERIVE_PARAMS Params;
Params.kdf = CKD_SHA1_SES_KDF + CKD_SES_ALT_ENC_CTR;

The supported KDFs are listed below.

CKD_NULL: The null transformation. The derived key value is produced by taking bytes from the left of the agreed value. The new key size is limited to the size of the agreed value. The Shared Data is not used by this KDF and pSharedData should be NULL.

Note

If you are using ProtectToolkit 7.3.0 or newer with ProtectServer 3 HSM Firmware 7.03.00 or newer, this KDF is not available when the FIPS Algorithms Only security flag is set. For more information, refer to FIPS Algorithms Only.
CKD_SHA1_KDF: This KDF generates secret keys of virtually any length using the algorithm described in X9.63 with the SHA-1 hash algorithm. Shared data can be provided.

Note

If you are using ProtectToolkit 7.1.0 or newer with ProtectServer 3 HSM Firmware 7.01.00 or newer, this KDF is not available when the FIPS Mode security flag is set. For more information, refer to FIPS Mode.
CKD_SHA224_KDF: This KDF generates secret keys of virtually any length using the algorithm described in X9.63 with the SHA-224 hash algorithm.Shared data can be provided.

Note

If you are using ProtectToolkit 7.1.0 or newer with ProtectServer 3 HSM Firmware 7.01.00 or newer, this KDF is not available when the FIPS Mode security flag is set. For more information, refer to FIPS Mode.
CKD_SHA256_KDF: This KDF generates secret keys of virtually any length using the algorithm described in X9.63 with the SHA-256 hash algorithm. Shared data can be provided.

Note

If you are using ProtectToolkit 7.1.0 or newer with ProtectServer 3 HSM Firmware 7.01.00 or newer, this KDF is not available when the FIPS Mode security flag is set. For more information, refer to FIPS Mode.
CKD_SHA384_KDF: This KDF generates secret keys of virtually any length using the algorithm described in X9.63 with the SHA-384 hash algorithm. Shared data can be provided.

Note

If you are using ProtectToolkit 7.1.0 or newer with ProtectServer 3 HSM Firmware 7.01.00 or newer, this KDF is not available when the FIPS Mode security flag is set. For more information, refer to FIPS Mode.
CKD_SHA512_KDF: This KDF generates secret keys of virtually any length using the algorithm described in X9.63 with the SHA-512 hash algorithm. Shared data can be provided.

Note

If you are using ProtectToolkit 7.1.0 or newer with ProtectServer 3 HSM Firmware 7.01.00 or newer, this KDF is not available when the FIPS Mode security flag is set. For more information, refer to FIPS Mode.
CKD_RIPEMD160_KDF: This KDF generates secret keys of virtually any length using the algorithm described in X9.63 with the RIPE MD 160 hash algorithm. Shared data can be provided.

Note

This KDF is not available when the FIPS Algorithms Only security flag is set. For more information, refer to FIPS Algorithms Only.
CKD_SHA1_SES_KDF: This KDF generates session keys. It uses the algorithm described in TR-03111 with the SHA-1 hash algorithm. Shared data can be provided but typically it is not used. The counter value that is a parameter to this KDF must be added to this constant.
CKD_SHA224_SES_KDF: This KDF generates single, double and triple length DES keys that are intended for Encryption operations. It uses the algorithm described in TR-03111 with the SHA-224 hash algorithm. Shared data can be provided but typically it is not used. The counter value that is a parameter to this KDF must be added to this constant.
CKD_SHA256_SES_KDF: This KDF generates single, double and triple length DES keys that are intended for Encryption operations. It uses the algorithm described in TR-03111 with the SHA-256 hash algorithm. Shared data can be provided but typically it is not used. The counter value that is a parameter to this KDF must be added to this constant.
CKD_SHA384_SES_KDF: This KDF generates single, double and triple length DES keys that are intended for Encryption operations. It uses the algorithm described in TR-03111 with the SHA-384 hash algorithm. Shared data can be provided but typically it is not used. The counter value that is a parameter to this KDF must be added to this constant.
CKD_SHA512_SES_KDF: This KDF generates single, double and triple length DES keys that are intended for Encryption operations. It uses the algorithm described in TR-03111 with the SHA-512 hash algorithm. Shared data can be provided but typically it is not used. The counter value that is a parameter to this KDF must be added to this constant.
CKD_RIPEMD160_SES_KDF: This KDF generates single, double and triple length DES keys that are intended for Encryption operations. It uses the algorithm described in TR-03111 with the Ripe MD 160 hash algorithm. Shared data can be provided but typically it is not used. The counter value that is a parameter to this KDF must be added to this constant.

Note

This KDF is not available when the FIPS Algorithms Only security flag is set. For more information, refer to FIPS Algorithms Only.
CKD_SHA1_NIST_KDF: This KDF generates secret keys of virtually any length using the algorithm described in NIST 800-56A with the SHA-1 hash algorithm. Shared data should be formatted according to the standard.
CKD_SHA224_NIST_KDF: This KDF generates secret keys of virtually any length using the algorithm described in NIST 800-56A with the SHA-224 hash algorithm. Shared data should be formatted according to the standard.
CKD_SHA256_NIST_KDF: This KDF generates secret keys of virtually any length using the algorithm described in NIST 800-56A with the SHA-256 hash algorithm. Shared data should be formatted according to the standard.
CKD_SHA384_NIST_KDF: This KDF generates secret keys of virtually any length using the algorithm described in NIST 800-56A with the SHA-384 hash algorithm. Shared data should be formatted according to the standard.
CKD_SHA512_NIST_KDF: This KDF generates secret keys of virtually any length using the algorithm described in NIST 800-56A with the SHA-512 hash algorithm. Shared data should be formatted according to the standard.
CKD_RIPEMD160_NIST_KDF: This KDF generates secret keys of virtually any length using the algorithm described in NIST 800-56A with the RIPE MD 160 hash algorithm. Shared data should be formatted according to the standard.

Note

This KDF is not available when the FIPS Algorithms Only security flag is set. For more information, refer to FIPS Algorithms Only.

This mechanism derives a secret value, and truncates the result according to the CKA_KEY_TYPE attribute of the template and, if it has one and the key type supports it, the CKA_VALUE_LEN attribute of the template. (The truncation removes bytes from the leading end of the secret value.) The mechanism contributes the result as the CKA_VALUE attribute of the new key; other attributes required by the key type must be specified in the template.

The following rules apply to the provided attribute template:

A key type must be provided in the template or else a Template Error is returned.
If no length is provided in the template, that key type must have a well-defined length. If it doesn’t, an error is returned.
If both a key type and a length are provided in the template, the length must be compatible with that key type.
If a DES key is derived with these mechanisms, the parity bits of the key are set properly.
If the requested type of key requires more bytes than the Key Derive Function can provide, an error is generated.

The mechanisms have the following rules about key sensitivity and extractability:

The CKA_SENSITIVE, CKA_EXTRACTABLE and CKA_EXPORTABLE attributes in the template for the new key can both be specified to be either CK_TRUE or CK_FALSE. If omitted, these attributes all take on the default value TRUE.
If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE, then the derived key will as well. If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_TRUE, then the derived key has its CKA_ALWAYS_SENSITIVE attribute set to the same value as its CKA_SENSITIVE attribute.
Similarly, if the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_FALSE, then the derived key will, too. If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_TRUE, then the derived key has its CKA_NEVER_EXTRACTABLE attribute set to the opposite value from its CKA_EXTRACTABLE attribute.

Return to ProtectToolkit-C mechanisms.

Suggest A Change

CKM_ECDH1_DERIVE

Supported operations

FIPS Mode support

Key size range (bits) and parameters

Parameter

Mechanism description

Example

On this page