Page tree

 

PKCS #11 v2.20 Amendment

 

Additional Mechanisms

 

Russian GOSTs

 

RSA Laboratories

 

October 1, 200 8

 

 

 

1   Introduction

 

This document is an amendment to PKCS#11 v2.20 [1] and describes extensions to PKCS#11 to support additional mechanisms.

 

2  Definitions

 

GOST 28147-89 The encryption algorithm, as defined in Part 2 [1] and RFC 4357 [4], RFC 4490 [5], and RFC 4491 [6].

GOST R 34.11-94 Hash algorithm , as defined in [3] and RFC 4357 [4], RFC 4490 [5], and RFC 4491 [6].

GOST R 34.10-2001 The digital signature algorithm, as defined in [2] and RFC 4357 [4], RFC 4490 [5], and RFC 4491 [6].

 

 

 

3 Mechanisms

 

The following table shows, for the mechanisms defined in this document, their support by different cryptographic operations. For any particular token, of course, a particular operation may well support only a subset of the mechanisms listed. There is also no guarantee that a token that supports one mechanism for some operation supports any other mechanism for any other operation (or even supports the same mechanism for any other operation).

 

Table 1, Mechanisms vs. Functions

The remainder of this section will present in detail the mechanisms and the parameters which are supplied to them.

Mechanism

Functions

Encrypt  &  Decrypt

Sign  & Verify

SR & VR

 

Digest

Gen. Key/ Key Pair

Wrap  & Unwrap

 

Derive

CK M _GOST28147 _KEY_GEN

 

 

 

 

 

 

CK M _ GOST28147 _ECB

 

 

 

 

 

CK M _GOST28147

 

 

 

 

 

CK M _ GOST28147 _ MAC

 

 

 

 

 

 

CK M _ GOST28147 _ KEY_WRAP

 

 

 

 

 

 

CK M _GOST3411

 

 

 

 

 

 

CK M _GOST3411_HMAC

 

 

 

 

 

 

CK M _GOST3410_KEY_PAIR_GEN

 

 

 

 

 

 

CK M _GOST3410

 

1

 

 

 

 

 

CK M _GOST3410_WITH_ GOST3411

 

 

 

 

 

 

CK M _ GOST3410 _ KEY_WRAP

 

 

 

 

 

 

CK M _ GOST3410 _ DERIVE

 

 

 

 

 

 

1 Single-part operations only

 

3. 1 GOST 28147-89

 

GOST 28147-89 is a block cipher with 64-bit block size and 256-bit keys .

 

 

3. 1 .1 Definitions

 

This section defines the key type “ CKK_ GOST28147” for type CK_KEY_TYPE as used in the CKA_KEY_TYPE attribute of key objects and domain parameter objects.

 

Mechanisms:

 

CKM_GOST28147_KEY_GEN

CKM_GOST28147_ECB

CKM_GOST28147

CKM_GOST28147_MAC

CKM_ GOST28147_KEY_WRAP


3. 1 .2 GOST 28147-89 secret key objects

 

GOST   28147 89 secret key objects (object class CKO_SECRET_KEY, key type C KK_ GOST28147 ) hold GOST   28147 89 keys. The following table defines the GOST   28147 89 secret key object attributes, in addition to the common attributes defined for this object class:

Table 2 , GOST 28147-89 Secret Key Object Attributes

Attribute

Data type

Meaning

CKA_VALUE 1,4,6,7

Byte array

32 bytes in little endian order

CKA_GOST28147PARAMS 1,3,5

Byte array

DER-encoding of the object identifier indicating the data object type of GOST   28147 89 .

When key is used the domain parameter object of key type CKK_GOST28147 must be specified with the same attribute CKA_OBJECT_ID

- Refer to Table 15 of [7] for footnotes

 

The following is a sample template for creating a GOST   28147 89 secret key object:

 

CK_OBJECT_CLASS class = CKO_SECRET_KEY;

CK_KEY_TYPE keyType = CKK_GOST28147;

CK_UTF8CHAR label[] = “A GOST 28147-89 secret key object”;

CK_BYTE value[32] = {...};

CK_BYTE params_oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1f, 0x00};

CK_BBOOL true = CK_TRUE;

CK_ATTRIBUTE template[] = {

    {CKA_CLASS, &class, sizeof(class)},

    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},

    {CKA_TOKEN, &true, sizeof(true)},

    {CKA_LABEL, label, sizeof(label)-1},

    {CKA_ENCRYPT, &true, sizeof(true)},

    {CKA_GOST28147PARAMS, params_oid, sizeof(params_oid)},

    {CKA_VALUE, value, sizeof(value)}

};

 


3.1.3 GOST 28147-89 domain parameter objects

 

GOST   28147 89 domain parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_GOST28147 ) hold GOST   28147 89 domain parameters. 

 

The following table defines the GOST   28147 89 domain parameter object attributes, in addition to the common attributes defined for this object class:

Table 3, GOST 28147-89 Domain Parameter Object Attributes

Attribute

Data Type

Meaning

CKA_VALUE 1

Byte array

DER-encoding of the domain parameters as it was introduced in [4] section 8.1 (type Gost28147-89-ParamSetParameters )

CKA_OBJECT_ID 1

Byte array

DER-encoding of the object identifier indicating the domain parameters

- Refer to Table 15 of [7] for footnotes

 

For any particular token, there is no guarantee that a token supports domain parameters loading up and/or fetching out. Furthermore, applications, that make direct use of domain parameters objects, should take in account that CKA_VALUE attribute may be inaccessible.

 

The following is a sample template for creating a GOST   28147 89 domain parameter object :

 

CK_OBJECT_CLASS class = CKO_DOMAIN_PARAMETERS;

CK_KEY_TYPE keyType = CKK_GOST28147;

CK_UTF8CHAR label[] = “A GOST 28147-89 cryptographic parameters object”;

CK_BYTE oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1f, 0x00};

CK_BYTE value[] = {

  0x30,0x62,

  0x04,0x40,

  0x4c,0xde,0x38,0x9c,0x29,0x89,0xef,0xb6,0xff,0xeb,0x56,0xc5,0x5e,0xc2,0x9b,0x02,

  0x98,0x75,0x61,0x3b,0x11,0x3f,0x89,0x60,0x03,0x97,0x0c,0x79,0x8a,0xa1,0xd5,0x5d,

  0xe2,0x10,0xad,0x43,0x37,0x5d,0xb3,0x8e,0xb4,0x2c,0x77,0xe7,0xcd,0x46,0xca,0xfa,

  0xd6,0x6a,0x20,0x1f,0x70,0xf4,0x1e,0xa4,0xab,0x03,0xf2,0x21,0x65,0xb8,0x44,0xd8,

0x02,0x01,0x00,

0x02,0x01,0x40,

  0x30,0x0b,0x06,0x07,0x2a,0x85,0x03,0x02,0x02,0x0e,0x00,0x05,0x00

};

CK_BBOOL true = CK_TRUE;

CK_ATTRIBUTE template[] = {

    {CKA_CLASS, &class, sizeof(class)},

    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},

    {CKA_TOKEN, &true, sizeof(true)},

    {CKA_LABEL, label, sizeof(label)-1},

    {CKA_OBJECT_ID, oid, sizeof(oid)},

    {CKA_VALUE, value, sizeof(value)}

};

 

 

3. 1 .4 GOST 28147-89 key generation

 

The GOST   28147 89 key generation mechanism, denoted CKM_GOST28147_KEY_GEN , is a key generation mechanism for GOST   28147 89.

 

It does not have a parameter.

 

The mechanism contributes the CKA_CLASS , CKA_KEY_TYPE , and CKA_VALUE attributes to the new key. Other attributes supported by the GOST   28147 89 key type may be specified for objects of object class CKO_SECRET_KEY .

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO are not used.

 

3. 1 .5 GOST 28147-89-ECB

 

GOST   28147 89-ECB, denoted CKM_GOST28147_ECB , is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping, based on GOST   28147 89 and electronic codebook mode.

 

It does not have a parameter.

 

This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports.

 

For wrapping ( C_WrapKey ), the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped, padded on the trailing end with up to block size so that the resulting length is a multiple of the block size.

 

For unwrapping ( C_UnwrapKey ), the mechanism decrypts the wrapped key, and truncates the result according to the CKA_KEY_TYPE attribute of the template and, if it has one, and the key type supports it, the CKA_VALUE_LEN attribute of the template. The mechanism contributes the result as the CKA_VALUE attribute of the new key.

 

Constraints on key types and the length of data are summarized in the following table:

Table 4, GOST 28147-89-ECB: Key And Data Length

Function

Key type

Input length

Output length

C_Encrypt

CKK_GOST28147

Multiple of block size

Same as input length

C_Decrypt

CKK_GOST28147

Multiple of block size

Same as input length

C_WrapKey

CKK_GOST28147

Any

Input length rounded up to multiple of block size

C_UnwrapKey

CKK_GOST28147

Multiple of block size

Determined by type of key being unwrapped

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used .

 

3. 1 .6 GOST 28147-89 encryption mode except ECB

 

GOST   28147 89 encryption mode except ECB, denoted CKM_GOST28147 , is a mechanism for single- and multiple-part encryption and decryption; key wrapping; and key unwrapping, based on GOST   28147 89 and CFB [1], counter mode [1], and additional CBC mode defined in [4] section 2. Encryption’s parameters are specified in object identifier of attribute CKA_GOST28147PARAMS .

 

It has a parameter, a 8-byte initialization vector. This parameter may be omitted then a zero initialization vector is used.

 

This mechanism can wrap and unwrap any secret key. Of course, a particular token may not be able to wrap/unwrap every secret key that it supports.

 

For wrapping ( C_WrapKey ), the mechanism encrypts the value of the CKA_VALUE attribute of the key that is wrapped.

 

For unwrapping ( C_UnwrapKey ), the mechanism decrypts the wrapped key, and contributes the result as the CKA_VALUE attribute of the new key.

 

Constraints on key types and the length of data are summarized in the following table:

Table 5, GOST 28147-89 encryption modes except ECB: Key And Data Length

Function

Key type

Input length

Output length

C_Encrypt

CKK_GOST28147

Any

For counter mode and CFB is the same as input length. For CBC is the same as input length padded on the trailing end with up to block size so that the resulting length is a multiple of the block size

C_Decrypt

CKK_GOST28147

Any

C_WrapKey

CKK_GOST28147

Any

C_UnwrapKey

CKK_GOST28147

Any

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.

 

3. 1 .7 GOST 28147-89-MAC

 

GOST 28147-89-MAC, denoted CKM_GOST28147_MAC , is a mechanism for data integrity and authentication based on GOST   28147 89 [1] and key meshing algorithms [4] section 2.3.

 

MACing parameters are specified in object identifier of attribute CKA_GOST28147PARAMS .

 

The output bytes from this mechanism are taken from the start of the final GOST   28147 89 cipher block produced in the MACing process.

 

It has a parameter, a 8-byte MAC initialization vector. This parameter may be omitted then a zero initialization vector is used.

 

Constraints on key types and the length of data are summarized in the following table:

Table 6, GOST28147-89-MAC: Key And Data Length

Function

Key type

Data length

Signature length

C_Sign

CKK_GOST28147

Any

4 bytes

C_Verify

CKK_GOST28147

Any

4 bytes

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.

3. 1 .8 GOST 28147-89 keys wrapping/unwrapping with GOST 28147-89

 

GOST   28147 89 keys as a KEK (key encryption keys) for encryption GOST   28147 89 keys , denoted by CKM_GOST28147_KEY_WRAP , is a mechanism for key wrapping; and key unwrapping, based on GOST   28147 89. Its purpose is to encrypt and decrypt keys have been generated by key generation mechanism for GOST   28147 89.

 

For wrapping ( C_WrapKey ), the mechanism first computes MAC from the value of the CKA_VALUE attribute of the key that is wrapped and then encrypts in ECB mode the value of the CKA_VALUE attribute of the key that is wrapped. The result is 32 bytes of the key that is wrapped and 4 bytes of MAC.

 

For unwrapping ( C_UnwrapKey ), the mechanism first decrypts in ECB mode the 32 bytes of the key that was wrapped and then computes MAC from the unwrapped key. Then compared together 4 bytes MAC has computed and 4 bytes MAC of the input. If these two MACs do not match the wrapped key is disallowed. The mechanism contributes the result as the CKA_VALUE attribute of the unwrapped key.

 

It has a parameter, a 8-byte MAC initialization vector. This parameter may be omitted then a zero initialization vector is used.

 

Constraints on key types and the length of data are summarized in the following table:

Table 7, GOST 28147-89 keys as KEK: Key And Data Length

Function

Key type

Input length

Output length

C_WrapKey

CKK_GOST28147

32 bytes

36 bytes

C_UnwrapKey

CKK_GOST28147

32 bytes

36 bytes

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.
 

3. 2 GOST R 34.11-94

 

GOST R 34.11-94 is a mechanism for message digesting, following the hash algorithm with 256-bit message digest defined in [3].

 

3. 2 .1 Definitions

This section defines the key type “ CKK_ GOSTR3411” for type CK_KEY_TYPE as used in the CKA_KEY_TYPE attribute of domain parameter objects.

 

Mechanisms:

 

CKM_GOSTR3411

CKM_GOSTR3411_HMAC

 

3. 2 .2 GOST R 34.11-94 domain parameter objects

 

GOST   R   34.11-94 domain parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_GOSTR3411 ) hold GOST R 34.11-94 domain parameters. 

 

The following table defines the GOST R 34.11-94 domain parameter object attributes, in addition to the common attributes defined for this object class:

Table 8, GOST R 34.11-94 Domain Parameter Object Attributes

Attribute

Data Type

Meaning

CKA_VALUE 1

Byte array

DER-encoding of the domain parameters as it was introduced in [4] section 8.2 (type GostR3411-94-ParamSetParameters )

CKA_OBJECT_ID 1

Byte array

DER-encoding of the object identifier indicating the domain parameters

- Refer to Table 15 of [7] for footnotes

 

For any particular token, there is no guarantee that a token supports domain parameters loading up and/or fetching out. Furthermore, applications, that make direct use of domain parameters objects, should take in account that CKA_VALUE attribute may be inaccessible.

 

The following is a sample template for creating a GOST R 34.11-94 domain parameter object :

 

CK_OBJECT_CLASS class = CKO_DOMAIN_PARAMETERS;

CK_KEY_TYPE keyType = CKK_GOSTR3411;

CK_UTF8CHAR label[] = “A GOST R34.11-94 cryptographic parameters object”;

CK_BYTE oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x00};

CK_BYTE value[] = {

0x30,0x64,

0x04,0x40,

0x4e,0x57,0x64,0xd1,0xab,0x8d,0xcb,0xbf,0x94,0x1a,0x7a,0x4d,0x2c,0xd1,0x10,0x10,

0xd6,0xa0,0x57,0x35,0x8d,0x38,0xf2,0xf7,0x0f,0x49,0xd1,0x5a,0xea,0x2f,0x8d,0x94,

0x62,0xee,0x43,0x09,0xb3,0xf4,0xa6,0xa2,0x18,0xc6,0x98,0xe3,0xc1,0x7c,0xe5,0x7e,

0x70,0x6b,0x09,0x66,0xf7,0x02,0x3c,0x8b,0x55,0x95,0xbf,0x28,0x39,0xb3,0x2e,0xcc,

0x04,0x20,

0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,

0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

};

CK_BBOOL true = CK_TRUE;

CK_ATTRIBUTE template[] = {

    {CKA_CLASS, &class, sizeof(class)},

    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},

    {CKA_TOKEN, &true, sizeof(true)},

    {CKA_LABEL, label, sizeof(label)-1},

    {CKA_OBJECT_ID, oid, sizeof(oid)},

    {CKA_VALUE, value, sizeof(value)}

};

 

3. 2 .3  GOST R 34.11-94 digest

 

GOST R 34.11-94 digest, denoted CKM_GOSTR3411, is a mechanism for message digesting based on GOST R 34.11-94 hash algorithm [3].

 

As a parameter this mechanism utilizes a DER-encoding of the object identifier. A mechanism parameter may be missed then parameters of the object identifier id-GostR3411-94-CryptoProParamSet [4] (section 11.2) must be used.

 

Constraints on the length of input and output data are summarized in the following table.  For single-part digesting, the data and the digest may begin at the same location in memory.

Table 9, GOST R 34.11-94: Data Length

Function

Input length

Digest length

C_Digest

Any

32 bytes

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.

 

3. 2 .4  GOST R 34.11-94 HMAC

 

GOST R 34.11-94 HMAC mechanism, denoted CKM_GOSTR3411_HMAC , is a mechanism for signatures and verification.  It uses the HMAC construction, based on the GOST R 34.11-94 hash function [3] and core HMAC algorithm [8]. The keys it uses are of generic key type CKK_GENERIC_SECRET or CKK_GOST28147 .

 

To be conformed to GOST R 34.11-94 hash algorithm [3] the block length of core HMAC algorithm is 32 bytes long (see [8] section 2, and [4] section 3).

 

As a parameter this mechanism utilizes a DER-encoding of the object identifier. A mechanism parameter may be missed then parameters of the object identifier id-GostR3411-94-CryptoProParamSet [4] (section 11.2) must be used.

 

Signatures (MACs) produced by this mechanism are of 32 bytes long.

 

Constraints on the length of input and output data are summarized in the following table:

Table 10, GOST R 34.11-94 HMAC: Key And Data Length

Function

Key type

Data length

Signature length

C_Sign

CKK_GENERIC_SECRET or CKK_GOST28147

Any

32 byte

C_Verify

CKK_GENERIC_SECRET or CKK_GOST28147

Any

32 bytes

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.
 

3.3 GOST R 34.10-2001

 

GOST R 34.10-2001 is a mechanism for single- and multiple-part signatures and verification , following the digital signature algorithm defined in [2].

 

3.3.1 Definitions

 

This section defines the key type “ CKK_ GOSTR3410” for type CK_KEY_TYPE as used in the CKA_KEY_TYPE attribute of key objects and domain parameter objects.

 

Mechanisms:

 

CKM_GOSTR3410_KEY_PAIR_GEN

CKM_GOSTR3410

CKM_GOSTR3410_WITH_GOSTR3411

CKM_GOSTR3410

CKM_GOSTR3410_KEY_WRAP

CKM_GOSTR3410_DERIVE

 

 

 

3.3.2 GOST R 34.10-2001 public key objects

 

GOST   R   34.10-2001 public key objects (object class CKO_PUBLIC_KEY, key type CKK_GOSTR3410 ) hold GOST R 34.10-2001 public keys.

 

The following table defines the GOST R 34.10-2001 public key object attributes, in addition to the common attributes defined for this object class:

Table 11, GOST R 34.10-2001 Public Key Object Attributes

Attribute

Data Type

Meaning

CKA_VALUE 1,4

Byte array

64 bytes for public key; 32 bytes for each coordinates X and Y of elliptic curve point P(X,   Y) in little endian order

CKA_GOSTR3410PARAMS 1,3

Byte array

DER-encoding of the object identifier indicating the data object type of GOST R 34.10-2001.

When key is used the domain parameter object of key type CKK_GOSTR3410 must be specified with the same attribute CKA_OBJECT_ID

CKA_GOSTR3411PARAMS 1,3,8

Byte array

DER-encoding of the object identifier indicating the data object type of GOST R 34.11-94.

When key is used the domain parameter object of key type CKK_GOSTR3411 must be specified with the same attribute CKA_OBJECT_ID

CKA_GOST28147PARAMS 8

Byte array

DER-encoding of the object identifier indicating the data object type of GOST   28147 89 .

When key is used the domain parameter object of key type CKK_GOST28147 must be specified with the same attribute CKA_OBJECT_ID. The attribute value may be omitted

- Refer to Table 15 of [7] for footnotes

 

The following is a sample template for creating an GOST R 34.10-2001 public key object:

 

CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;

CK_KEY_TYPE keyType = CKK_GOSTR3410;

CK_UTF8CHAR label[] = “A GOST R34.10-2001 public key object”;

CK_BYTE gostR3410params_oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x00};

CK_BYTE gostR3411params_oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x00};

CK_BYTE gost28147params_oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1f, 0x00};

CK_BYTE value[64] = {...};

CK_BBOOL true = CK_TRUE;

CK_ATTRIBUTE template[] = {

    {CKA_CLASS, &class, sizeof(class)},

    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},

    {CKA_TOKEN, &true, sizeof(true)},

    {CKA_LABEL, label, sizeof(label)-1},

    {CKA_GOSTR3410PARAMS, gostR3410params_oid, sizeof(gostR3410params_oid)},

    {CKA_GOSTR3411PARAMS, gostR3411params_oid, sizeof(gostR3411params_oid)},

    {CKA_GOST28147PARAMS, gost28147params_oid, sizeof(gost28147params_oid)},

    {CKA_VALUE, value, sizeof(value)}

};


3.3.3 GOST R 34.10-2001 private key objects

 

GOST   R   34.10-2001 private key objects (object class CKO_PRIVATE_KEY, key type CKK_GOSTR3410 ) hold GOST R 34.10-2001 private keys.

 

The following table defines the GOST R 34.10-2001 private key object attributes, in addition to the common attributes defined for this object class:

Table 12, GOST R 34.10-2001 Private Key Object Attributes

Attribute

Data Type

Meaning

CKA_VALUE 1,4,6,7

Byte array

32 bytes for private key in little endian order

CKA_GOSTR3410PARAMS 1,4,6

Byte array

DER-encoding of the object identifier indicating the data object type of GOST R 34.10-2001.

When key is used the domain parameter object of key type CKK_GOSTR3410 must be specified with the same attribute CKA_OBJECT_ID

CKA_GOSTR3411PARAMS 1,4,6,8

Byte array

DER-encoding of the object identifier indicating the data object type of GOST R 34.11-94.

When key is used the domain parameter object of key type CKK_GOSTR341 1 must be specified with the same attribute CKA_OBJECT_ID

CKA_GOST28147PARAMS4 4,6,8

Byte array

DER-encoding of the object identifier indicating the data object type of GOST   28147 89 .

When key is used the domain parameter object of key type CKK_GOST28147 must be specified with the same attribute CKA_OBJECT_ID. The attribute value may be omitted

 

Note that when generating an GOST   R   34.10-2001 private key, the GOST   R   34.10-2001 domain parameters are not specified in the key’s template.  This is because GOST   R   34.10-2001 private keys are only generated as part of an GOST   R   34.10-2001 key pair , and the GOST   R   34.10-2001 domain parameters for the pair are specified in the template for the GOST   R   34.10-2001 public key.

 

The following is a sample template for creating an GOST R 34.10-2001 private key object:

 

CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;

CK_KEY_TYPE keyType = CKK_GOSTR3410;

CK_UTF8CHAR label[] = “A GOST R34.10-2001 private key object”;

CK_BYTE subject[] = {...};

CK_BYTE id[] = {123};

CK_BYTE gostR3410params_oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x00};

CK_BYTE gostR3411params_oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x00};

CK_BYTE gost28147params_oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1f, 0x00};

CK_BYTE value[32] = {...};

CK_BBOOL true = CK_TRUE;

CK_ATTRIBUTE template[] = {

    {CKA_CLASS, &class, sizeof(class)},

    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},

    {CKA_TOKEN, &true, sizeof(true)},

    {CKA_LABEL, label, sizeof(label)-1},

    {CKA_SUBJECT, subject, sizeof(subject)},

    {CKA_ID, id, sizeof(id)},

    {CKA_SENSITIVE, &true, sizeof(true)},

    {CKA_SIGN, &true, sizeof(true)},

    {CKA_GOSTR3410PARAMS, gostR3410params_oid, sizeof(gostR3410params_oid)},

    {CKA_GOSTR3411PARAMS, gostR3411params_oid, sizeof(gostR3411params_oid)},

    {CKA_GOST28147PARAMS, gost28147params_oid, sizeof(gost28147params_oid)},

    {CKA_VALUE, value, sizeof(value)}

};

 

3.3.4 GOST R 34.10-2001 domain parameter objects

 

GOST   R   34.10-2001 domain parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_GOSTR3410 ) hold GOST   R   34.10 2001 domain parameters.

 

The following table defines the GOST R 34.10-2001 domain parameter object attributes, in addition to the common attributes defined for this object class:

Table 13, GOST R 34.10-2001 Domain Parameter Object Attributes

Attribute

Data Type

Meaning

CKA_VALUE 1

Byte array

DER-encoding of the domain parameters as it was introduced in [4] section 8.4 (type GostR3410-2001-ParamSetParameters )

CKA_OBJECT_ID 1

Byte array

DER-encoding of the object identifier indicating the domain parameters

- Refer to Table 15 of [7] for footnotes

 

For any particular token, there is no guarantee that a token supports domain parameters loading up and/or fetching out. Furthermore, applications, that make direct use of domain parameters objects, should take in account that CKA_VALUE attribute may be inaccessible.

 

The following is a sample template for creating a GOST R 34.10-2001 domain parameter object :

 

CK_OBJECT_CLASS class = CKO_DOMAIN_PARAMETERS;

CK_KEY_TYPE keyType = CKK_GOSTR3410;

CK_UTF8CHAR label[] = “A GOST R34.10-2001 cryptographic parameters object”;

CK_BYTE oid[] = {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x00};

CK_BYTE value[] = {

0x30,0x81,0x90,

0x02,0x01,0x07,

0x02,0x20,

0x5f,0xbf,0xf4,0x98,0xaa,0x93,0x8c,0xe7,0x39,0xb8,0xe0,0x22,0xfb,0xaf,0xef,0x40,

0x56,0x3f,0x6e,0x6a,0x34,0x72,0xfc,0x2a,0x51,0x4c,0x0c,0xe9,0xda,0xe2,0x3b,0x7e,

0x02,0x21,0x00,  0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,

0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x31,

0x02,0x21,0x00,

0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,

0x50,0xfe,0x8a,0x18,0x92,0x97,0x61,0x54,0xc5,0x9c,0xfc,0x19,0x3a,0xcc,0xf5,0xb3,

0x02,0x01,0x02,

0x02,0x20,

0x08,0xe2,0xa8,0xa0,0xe6,0x51,0x47,0xd4,0xbd,0x63,0x16,0x03,0x0e,0x16,0xd1,0x9c,

0x85,0xc9,0x7f,0x0a,0x9c,0xa2,0x67,0x12,0x2b,0x96,0xab,0xbc,0xea,0x7e,0x8f,0xc8

};

CK_BBOOL true = CK_TRUE;

CK_ATTRIBUTE template[] = {

    {CKA_CLASS, &class, sizeof(class)},

    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},

    {CKA_TOKEN, &true, sizeof(true)},

    {CKA_LABEL, label, sizeof(label)-1},

    {CKA_OBJECT_ID, oid, sizeof(oid)},

    {CKA_VALUE, value, sizeof(value)}

};

 

3.3.5 GOST R 34.10-2001 mechanism parameters

 

CK_GOST3410_KEY_WRAP_PARAMS

 

CK_GOST3410_KEY_WRAP_PARAMS is a structure that provides the parameters to the CKM_GOST3410_KEY_WRAP mechanism. It is defined as follows:

 

typedef struct CK_GOSTR3410_KEY_WRAP_PARAMS {

        CK_BYTE_PTR      pWrapOID;

        CK_ULONG         ulWrapOIDLen;

        CK_BYTE_PTR      pUKM;

        CK_ULONG         ulUKMLen;

        CK_OBJECT_HANDLE hKey;

} CK_GOSTR3410_KEY_WRAP_PARAMS;

 

The fields of the structure have the following meanings:

pWrapOID

 

pointer to a data with DER-encoding of the object identifier indicating the data object type of GOST   28147 89 . If pointer takes NULL_PTR value in C_WrapKey operation then parameters are specified in object identifier of attribute CKA_GOSTR3411PARAMS must be used. For C_UnwrapKey operation the pointer is not used and must take NULL_PTR value anytime

 

ulWrapOIDLen

 

length of data with DER-encoding of the object identifier indicating the data object type of GOST   28147 89

 

pUKM

 

pointer to a data with UKM . If pointer takes NULL_PTR value in C_WrapKey operation then random value of UKM will be used. If pointer takes non-NULL_PTR value in C_UnwrapKey operation then the pointer value will be compared with UKM value of wrapped key. If these two values do not match the wrapped key will be rejected

 

ulUKMLen

 

length of UKM data. If pUKM -pointer is different from NULL_PTR then equal to 8

 

hKey

 

key handle. Key handle of a sender for C_WrapKey operation. Key handle of a receiver for C_UnwrapKey operation. When key handle takes CK_INVALID_HANDLE value then an ephemeral (one time) key pair of a sender will be used

 

CK_GOST3410_DERIVE_PARAMS

 

CK_GOST3410_DERIVE_PARAMS is a structure that provides the parameters to the CKM_GOST3410_DERIVE mechanism. It is defined as follows:

 

typedef struct CK_GOSTR3410_DERIVE_PARAMS {

  CK_EC_KDF_TYPE kdf;

  CK_BYTE_PTR    pPublicData;

  CK_ULONG       ulPublicDataLen;

  CK_BYTE_PTR    pUKM;

  CK_ULONG       ulUKMLen;

} CK_GOSTR3410_DERIVE_PARAMS;

 

 

The fields of the structure have the following meanings:

kdf

 

identifier of the key derivation function. It may takes CKD_NULL or CKD_CPDIVERSIFY_KDF. When takes CKD_CPDIVERSIFY_KDF a special diversification algorithm [4] must be used

 

pPublicData 1

 

pointer to data with public key of a receiver

 

 

ulPublicDataLen

 

length of data with public key of a receiver (must be 64)

 

pUKM

 

pointer to a UKM data

 

ulUKMLen

 

length of UKM data in bytes (must be 8)

 

1 Public key of a receiver is an octet string of 64 bytes long. The public key octets correspond to the concatenation of X and Y coordinates of a point. Any one of them is 32 bytes long and represented in little endian order.

 

3.3.6 GOST R 34.10-2001 key pair generation

 

The GOST   R   34.10 2001 key pair generation mechanism, denoted CKM_GOSTR3410_KEY_PAIR_GEN , is a key pair generation mechanism for GOST   R   34.10 2001.

 

This mechanism does not have a parameter.

 

The mechanism generates GOST   R   34.10 2001 public/private key pairs with particular GOST   R   34.10 2001 domain parameters, as specified in the CKA_GOSTR3410PARAMS , CKA_GOSTR3411PARAMS , and CKA_GOST28147PARAMS attributes of the template for the public key.  Note that CKA_GOST28147PARAMS attribute may not be present in the template.

 

The mechanism contributes the CKA_CLASS , CKA_KEY_TYPE , and CKA_VALUE attributes to the new public key and the CKA_CLASS , CKA_KEY_TYPE , CKA_VALUE , and CKA_GOSTR3410PARAMS , CKA_GOSTR3411PARAMS , CKA_GOST28147PARAMS attributes to the new private key.

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.

 

 

3.3.7 GOST R 34.10-2001 without hashing

 

The GOST   R   34.10 2001 without hashing mechanism, denoted CKM_GOSTR3410 , is a mechanism for single-part signatures and verification for GOST   R   34.10 2001.  (This mechanism corresponds only to the part of GOST   R   34.10 2001 that processes the 32-bytes hash value; it does not compute the hash value.)

 

This mechanism does not have a parameter.

 

For the purposes of these mechanisms, a GOST   R   34.10 2001 signature is an octet string of 64 bytes long. The signature octets correspond to the concatenation of the GOST   R   34.10 2001 values s and r’ , both represented as a 32 bytes octet string in big endian order with the most significant byte first [5] section 3.2, and [6] section 2.2.2.

 

The input for the mechanism is an octet string of 32 bytes long with digest has computed by means of GOST   R   34.11 94 hash algorithm in the context of signed or should be signed message.

Table 14, GOST R 34.10-2001 without hashing : Key And Data Length

Function

Key type

Input length

Output length

C_Sign 1

CKK_ GOSTR3410

32 bytes

64 bytes

C_Verify 1

CKK_ GOSTR3410

32 bytes

64 bytes

1 Single-part operations only.

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.

 

3.3.8 GOST R 34.10-2001 with GOST R 34.11-94

 

The GOST   R   34.10 2001 with GOST   R   34.11 94, denoted CKM_GOSTR3410_WITH_GOSTR3411 , is a mechanism for signatures and verification for GOST   R   34.10 2001. This mechanism computes the entire GOST   R   34.10 2001 specification, including the hashing with GOST   R   34.11 94 hash algorithm.

 

As a parameter this mechanism utilizes a DER-encoding of the object identifier indicating GOST   R   34.11 94 data object type. A mechanism parameter may be missed then parameters are specified in object identifier of attribute CKA_GOSTR3411PARAMS must be used.

 

For the purposes of these mechanisms, a GOST   R   34.10 2001 signature is an octet string of 64 bytes long. The signature octets correspond to the concatenation of the GOST   R   34.10 2001 values s and r’ , both represented as a 32 bytes octet string in big endian order with the most significant byte first [5] section 3.2, and [6] section 2.2.2.

 

The input for the mechanism is signed or should be signed message of any length. Single- and multiple-part signature operations are available.

Table 15, GOST R 34.10-2001 with GOST R 34.11-94 : Key And Data Length

Function

Key type

Input length

Output length

C_Sign

CKK_ GOSTR3410

Any

64 bytes

C_Verify

CKK_ GOSTR3410

Any

64 bytes

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.

 

3.3.9 GOST 28147-89 keys wrapping/unwrapping with GOST R 34.10-2001

 

GOST R 34.10-2001 keys as a KEK (key encryption keys) for encryption GOST 28147 keys , denoted by CKM_GOSTR3410_KEY_WRAP , is a mechanism for key wrapping; and key unwrapping, based on GOST R 34.10-2001. Its purpose is to encrypt and decrypt keys have been generated by key generation mechanism for GOST   28147 89. An encryption algorithm from [5] (section 5.2) must be used. Encrypted key is a DER-encoded structure of ASN.1 GostR3410-KeyTransport type [5] section 4.2.

 

It has a parameter, a CK_GOSTR3410_KEY_WRAP_PARAMS structure defined in section 3.2.5 .

 

For unwrapping ( C_UnwrapKey ), the mechanism decrypts the wrapped key, and contributes the result as the CKA_VALUE attribute of the new key.

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.


3.3.10 Common key derivation with assistance of GOST R 34.10-2001 keys

 

Common key derivation, denoted CKM_GOSTR3410_DERIVE, is a mechanism for key derivation with assistance of GOST   R   34.10 2001 private and public keys. The key of the mechanism must be of object class CKO_DOMAIN_PARAMETERS and key type CKK_GOSTR3410 . An algorithm for key derivation from [4] (section 5.2) must be used.

 

The mechanism contributes the result as the CKA_VALUE attribute of the new private key. All other attributes must be specified in a template for creating private key object.

 

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.

 

A. Manifest constants

 

The following definitions can be found in the appropriate header file.

 

#define NSSCK_VENDOR_PKSC11_RU_TEAM  0xd4321000 /*0x80000000|0x54321000*/

#define CKM_GOSTR3410_KEY_PAIR_GEN   (NSSCK_VENDOR_PKSC11_RU_TEAM |0x000)

#define CKM_GOSTR3410                (NSSCK_VENDOR_PKSC11_RU_TEAM |0x001)

#define CKM_GOSTR3410_WITH_GOSTR3411 (NSSCK_VENDOR_PKSC11_RU_TEAM |0x002)

#define CKM_GOSTR3410_KEY_WRAP       (NSSCK_VENDOR_PKSC11_RU_TEAM |0x003)

#define CKM_GOSTR3410_DERIVE         (NSSCK_VENDOR_PKSC11_RU_TEAM |0x004)

#define CKM_GOSTR3411                (NSSCK_VENDOR_PKSC11_RU_TEAM |0x010)

#define CKM_GOSTR3411_HMAC           (NSSCK_VENDOR_PKSC11_RU_TEAM |0x011)

#define CKM_GOST28147_KEY_GEN        (NSSCK_VENDOR_PKSC11_RU_TEAM |0x020)

#define CKM_GOST28147_ECB            (NSSCK_VENDOR_PKSC11_RU_TEAM |0x021)

#define CKM_GOST28147                (NSSCK_VENDOR_PKSC11_RU_TEAM |0x022)

#define CKM_GOST28147_MAC            (NSSCK_VENDOR_PKSC11_RU_TEAM |0x023)

#define CKM_GOST28147_KEY_WRAP       (NSSCK_VENDOR_PKSC11_RU_TEAM |0x023)

 

B.  Intellectual property considerations

 

RSA Security Inc. makes no patent claims on the general constructions described in this

document, although specific underlying techniques may be covered.

 

Copyright © 2007 RSA Security Inc. All rights reserved. License to copy this document

and furnish the copies to others is granted provided that the above copyright notice is

included on all such copies. This document should be identified as RSA: PKCS #11

V2.20 Amendment in all material mentioning or referencing this document.

 

RSA is a registered trademark of RSA Security Inc. in the United States and/or other

countries. The names of other products or services mentioned may be the trademarks of

their respective owners.

 

This document and the information contained herein are provided on an "AS IS" basis and

RSA SECURITY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,

INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE

INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED

 

WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR

PURPOSE. RSA Security Inc. makes no representations regarding intellectual property

claims by other parties. Such determination is the responsibility of the user.

 

C.  References

 

[1] “Information Processing Systems. Cryptographic Protection. Cryptographic Algorithm , GOST 28147-89, Gosudarstvennyi Standard of USSR , Government Committee of the USSR for Standards, 1989. (In Russian).

[2] Information Technology. Cryptographic Data Security. Formation and Verification Processes of [Electronic] Digital Signature , GOST R 34.10-2001, Gosudarstvennyi      Standard of the Russian Federation , Government Committee of the Russia n Federation for Standards, 2001. (In Russian).

[3] Information Technology. Cryptographic Data Security. Hashing function , GOST R 34.11-94, Gosudarstvennyi Standard of the Russian Federation, Government Committee of           the Russian Federation for Standards, 1994. (In Russian).

[4] RFC 4357, V. Popov, I. Kurepkin, S. Leontiev “Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms”, January 2006.

[5] RFC 4490, S. Leontiev , Ed. G. Chudov, Ed.  “Using the GOST 28147-89, GOST R 34.11-94,GOST R 34.10-94, and GOST R 34.10-2001 Algorithms with Cryptographic Message Syntax (CMS)”, May 2006.

[6] RFC 4491, S. Leontiev , Ed., D. Shefanovski, Ed., “Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile”, May 2006.

[7] RSA Laboratories. PKCS #11: Cryptographic Token Interface Standard . Version

2.20, June 2004. URL: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-

11v2-20.pdf.

[8] RFC 2104, Krawczyk, H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message Authentication , February 1997.


D.  About PKCS

 

The Public Key Cryptography Standards are documents produced by RSA, The Security

Division of EMC, in cooperation with secure systems developers for the purpose of

simplifying integration and management of accelerating the deployment of public-key

cryptography and strong authentication technology into secure applications, and to

enhance the user experience of these technologies.

26 A DDITIONAL PKCS #11 M ECHANISMS

Copyright © 2007 RSA Security Inc. All rights reserved. PKCS #11 V2.20 Amdendment 3 Revision 1

RSA plans further development of the PKCS series through mailing list discussions and

occasional workshops, and suggestions for improvement are welcome. Results may also

be submitted to standards forums. For more information, contact:

PKCS Editor

RSA, The Security Division of EMC

174 Middlesex Turnpike

Bedford, MA 01730 USA

pkcs-editor@rsasecurity.com

http://www.rsasecurity.com/rsalabs/