This article provides information about the attributes for the customer keys.
Expected values
Table: Attribute values expected for the customer keys | Key role | HSM storage key | HSM transport key | KEK |
|---|
| Key type | CKK_DES2 or
CKK_DES3 or
CKK_AES(5) | CKK_DES2 or
CKK_DES3 or
CKK_AES(5) | CKK_DES2 or
CKK_DES3 or
CKK_AES(5) |
| Key size | 128(DES2) or
192(DES3) or
128(AES128) or
256(AES256) | 128(DES2) or
192(DES3) or
128(AES128) or
256(AES256) | 128(DES2) or
192(DES3) or
128(AES128) or
256(AES256) |
| Persistent | TRUE | TRUE | TRUE |
| Private (P) | FALSE (3) | FALSE (3) | FALSE |
| Sensitive (T) | TRUE | TRUE | TRUE |
| Modifiable (M) | FALSE | FALSE | FALSE |
| Wrap (W) | TRUE | FALSE | FALSE |
| Unwrap (U) | TRUE | TRUE | FALSE (4) |
| Extractable (X) | FALSE | FALSE | FALSE |
| Export (w) | FALSE | FALSE | TRUE |
| Exportable (x) | FALSE (1) | TRUE | FALSE (1) |
| Import (I) | FALSE | FALSE | FALSE |
| Derive (R) | FALSE | FALSE | FALSE |
| Encrypt (E) | TRUE (2) | TRUE (2) | FALSE |
| Decrypt (D) | FALSE | FALSE | FALSE |
| Sign (S) | FALSE | FALSE | FALSE |
| Verify (V) | FALSE | FALSE | FALSE |
(1): Can be TRUE if key backup should be possible.
(2): Can be FALSE for VACMAN Controller 3.7 and later (Encrypt is no longer mandatory).
(3): Can be TRUE for VACMAN Controller 3.6.11 and later. See Private keys for information about private keys.
(4): Can be TRUE if the KEK must be able to import wrapped keys.
(5): 3DES triple-length or AES highly recommended (3DES double-length is not supported in case of ProtectServer2 HSM, if the HSM has been configured with the FIPS Algorithm Only flag enabled).
Table: Meaning of key attributes | Attribute | Meaning |
|---|
| Persistent | Indicates whether a key object has been created for all the sessions. If FALSE, the key is only visible for the current session and will be destroyed when the session ends. |
| Private | Indicates whether users need to authenticate to the key’s HSM token before they can access the key object. |
| Sensitive | Indicates whether the key object can be extracted from the hardware security module (HSM) in clear. The key object includes the values of all key attributes. |
| Modifiable | Indicates whether a key object can be changed after creation. Changing the key object involves changing the object’s attributes. |
| Wrap | Indicates whether the key can encrypt other keys that are in the HSM. |
| Unwrap | Indicates whether the key can decrypt encrypted key material that is in the HSM. |
| Extractable | Indicates whether the key can be extracted from the HSM in encrypted form. The key encrypting key can be controlled by any user of the HSM. It is recommended that you use the Exportable rather than the Extractable property. |
| Export | This attribute is similar to the Wrap attribute in that it specifies that the key may be used to encrypt a second key so that it may be extracted from the HSM in an encrypted form. Unlike the Wrap attribute, however, only the security officer may specify this attribute. |
| Exportable | Indicates whether the key can be exported from the HSM in encrypted form. However, the key encrypting key needs to be controlled by a security officer, not by a standard user. |
| Import | This attribute is similar to the Unwrap attribute. It is used to determine if a given key can be used to unwrap encrypted key material. The important difference is that if Import is set to TRUE and Unwrap is set to FALSE, then the only unwrap mechanism that can be used will be 3DES in CBC-mode. |
| Derive | Indicates whether other keys can be derived from the key. |
| Encrypt | Indicates whether the key can be used to encrypt data. |
| Decrypt | Indicates whether the key can be used to decrypt data. |
| Sign | Indicates whether the key can be used to generate digital signatures or message authentication codes (MACs). |
| Verify | Indicates whether the key can be used to verify digital signatures or message authentication codes (MACs). |
Private keys
The following keys can be created with the Private attribute set to TRUE:
- HSM-level storage key
- HSM-level transport key
- Issuer master key
Before using a key with the Private attribute, the application interfacing with the HSM must:
- Open a session with the slot containing the private key(s) (C_OpenSession)
- Log in with the owner of the key(s) as user (C_Login)
Once logged in, an Authentication Suite Server SDK command using a private key can be addressed to the HSM (C_Digest).
The advantage of using private keys, is that you can restrict key access. For example, when migrating a Virtual Mobile Authenticator under a private storage key, only an application logged in with the correct credentials can use the Virtual Mobile Authenticator.