Table: Attribute values expected for the customer keys

| Key role | HSM storage key | HSM transport key | KEK |
|---|---|---|---|
| Key type | CKK_DES2 or CKK_DES3 or CKK_AES (5) | CKK_DES2 or CKK_DES3 or CKK_AES (5) | CKK_DES2 or CKK_DES3 or CKK_AES (5) |
| Key size | 128 (DES2) or 192 (DES3) or 128 (AES128) or 256 (AES256) | 128 (DES2) or 192 (DES3) or 128 (AES128) or 256 (AES256) | 128 (DES2) or 192 (DES3) or 128 (AES128) or 256 (AES256) |
| Persistent | TRUE | TRUE | TRUE |
| Private (P) | FALSE (3) | FALSE (3) | FALSE |
| Sensitive (T) | TRUE | TRUE | TRUE |
| Modifiable (M) | FALSE | FALSE | FALSE |
| Wrap (W) | TRUE | FALSE | FALSE |
| Unwrap (U) | TRUE | TRUE | FALSE (4) |
| Extractable (X) | FALSE | FALSE | FALSE |
| Export (w) | FALSE | FALSE | TRUE |
| Exportable (x) | FALSE (1) | TRUE | FALSE (1) |
| Import (I) | FALSE | FALSE | FALSE |
| Derive (R) | FALSE | FALSE | FALSE |
| Encrypt (E) | TRUE (2) | TRUE (2) | FALSE |
| Decrypt (D) | FALSE | FALSE | FALSE |
| Sign (S) | FALSE | FALSE | FALSE |
| Verify (V) | FALSE | FALSE | FALSE |
(1): Can be TRUE if key backup should be possible.
(2): Can be FALSE for VACMAN Controller 3.7 and later (Encrypt is no longer mandatory).
(3): Can be TRUE for VACMAN Controller 3.6.11 and later. See Private keys for information about private keys.
(4): Can be TRUE if the KEK must be able to import wrapped keys.
(5): Triple-length 3DES or AES is highly recommended. Double-length 3DES is not supported on a ProtectServer2 HSM that has been configured with the FIPS Algorithm Only flag enabled.
Table: Meaning of key attributes

| Attribute | Meaning |
|---|---|
| Persistent | Indicates whether a key object has been created for all the sessions. If FALSE, the key is only visible for the current session and will be destroyed when the session ends. |
| Private | Indicates whether users need to authenticate to the key's HSM token before they can access the key object. |
| Sensitive | Indicates whether the key object can be extracted from the hardware security module (HSM) in clear. The key object includes the values of all key attributes. |
| Modifiable | Indicates whether a key object can be changed after creation. Changing the key object involves changing the object's attributes. |
| Wrap | Indicates whether the key can encrypt other keys that are in the HSM. |
| Unwrap | Indicates whether the key can decrypt encrypted key material that is in the HSM. |
| Extractable | Indicates whether the key can be extracted from the HSM in encrypted form. The key encrypting key can be controlled by any user of the HSM. It is recommended that you use the Exportable rather than the Extractable property. |
| Export | This attribute is similar to the Wrap attribute in that it specifies that the key may be used to encrypt a second key so that it may be extracted from the HSM in an encrypted form. Unlike the Wrap attribute, however, only the security officer may specify this attribute. |
| Exportable | Indicates whether the key can be exported from the HSM in encrypted form. However, the key encrypting key needs to be controlled by a security officer, not by a standard user. |
| Import | This attribute is similar to the Unwrap attribute. It is used to determine if a given key can be used to unwrap encrypted key material. The important difference is that if Import is set to TRUE and Unwrap is set to FALSE, then the only unwrap mechanism that can be used will be 3DES in CBC mode. |
| Derive | Indicates whether other keys can be derived from the key. |
| Encrypt | Indicates whether the key can be used to encrypt data. |
| Decrypt | Indicates whether the key can be used to decrypt data. |
| Sign | Indicates whether the key can be used to generate digital signatures or message authentication codes (MACs). |
| Verify | Indicates whether the key can be used to verify digital signatures or message authentication codes (MACs). |
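As an added example (not OneSpan's or the HSM vendor's code), the following Python checks a key object's attributes against the expected values for each key role in the first table, honouring the footnoted exceptions. The attribute values are read from a plain dict (a constructed sample is included) rather than from a live PKCS#11 session, and the `fips_only` parameter is an assumption that models footnote (5).

```python
# Expected attribute values per key role, transcribed from the table above.
# Each cell is the set of acceptable values; footnoted cells allow both.
ALWAYS_FALSE = ("Modifiable", "Extractable", "Import", "Derive", "Decrypt", "Sign", "Verify")

def _template(**overrides):
    row = {name: {False} for name in ALWAYS_FALSE}
    row.update({"Persistent": {True}, "Sensitive": {True}}, **overrides)
    return row

EXPECTED = {
    "HSM storage key": _template(Private={False, True}, Wrap={True}, Unwrap={True},
                                 Export={False}, Exportable={False, True}, Encrypt={True, False}),
    "HSM transport key": _template(Private={False, True}, Wrap={False}, Unwrap={True},
                                   Export={False}, Exportable={True}, Encrypt={True, False}),
    "KEK": _template(Private={False}, Wrap={False}, Unwrap={False, True},
                     Export={True}, Exportable={False, True}, Encrypt={False}),
}
# PKCS#11 key type -> key sizes (bits) listed in the "Key size" row.
KEY_SIZES = {"CKK_DES2": {128}, "CKK_DES3": {192}, "CKK_AES": {128, 256}}

def check_key(role, attrs, fips_only=False):
    """Return deviations of `attrs` (key_type, key_size and the table's boolean
    attribute names) from the template for `role`; [] means compliant. The assumed
    `fips_only` flag models footnote (5): double-length 3DES is rejected."""
    problems = []
    ktype, ksize = attrs.get("key_type"), attrs.get("key_size")
    if ktype not in KEY_SIZES:
        problems.append(f"key_type {ktype!r} not one of {sorted(KEY_SIZES)}")
    else:
        if ksize not in KEY_SIZES[ktype]:
            problems.append(f"key_size {ksize} not valid for {ktype}")
        if fips_only and ktype == "CKK_DES2":
            problems.append("CKK_DES2 (double-length 3DES) rejected under FIPS Algorithm Only")
    for name, allowed in EXPECTED[role].items():
        if attrs.get(name) not in allowed:
            problems.append(f"{name}={attrs.get(name)}, expected {sorted(allowed)}")
    return problems

# Constructed sample: a KEK allowed to import wrapped keys (footnote 4) that was
# mistakenly left Modifiable and generated as double-length 3DES.
SAMPLE_KEK = {"key_type": "CKK_DES2", "key_size": 128, "Persistent": True, "Private": False,
              "Sensitive": True, "Modifiable": True, "Wrap": False, "Unwrap": True,
              "Extractable": False, "Export": True, "Exportable": False, "Import": False,
              "Derive": False, "Encrypt": False, "Decrypt": False, "Sign": False, "Verify": False}

if __name__ == "__main__":
    for problem in check_key("KEK", SAMPLE_KEK, fips_only=True):
        print("deviation:", problem)
```

Running the sample reports the Modifiable deviation, and with `fips_only=True` also the double-length 3DES key type; an empty list is the compliance criterion to gate key installation on.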