HP HP-UX Kernel Cryptographic Module User Manual
HP-UX Kernel Cryptographic Module 1.0 User Guide
Abstract
This document describes how to install, configure, and troubleshoot HPUX-KCM on HP-UX 11i v3 platforms. It is intended for
system and network administrators who have knowledge of operating system concepts, commands, and configuration.
HP Part Number: 5900-3288
Published: October 2013
Edition: 1
© Copyright 2013 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
Contents
1 Overview..................................................................................................4
Supported configuration............................................................................................................4
Features provided in this release.................................................................................................4
PKCS #11 API considerations ....................................................................................................5
2 Installing HP-UX KCM..................................................................................9
3 Configuring HP-UX KCM............................................................................10
4 Troubleshooting........................................................................................11
5 Removing HP-UX KCM...............................................................................12
6 Support and other resources......................................................................13
Information to collect before contacting HP.................................................................................13
How to contact HP..................................................................................................................13
Documentation feedback.........................................................................................................13
Typographic conventions.........................................................................................................14
Index.........................................................................................................15
Glossary....................................................................................................16
Contents 3
1 Overview
The HP-UX Kernel Cryptographic Module ( HP-UX KCM ) is a common cryptographic library in
HP-UX Kernel. It is a library of core cryptographic algorithms, which are used by HP-UX Kernel
products.
HP-UX KCM implements FIPS 140-2 compliant algorithms for commonly used cryptographic
operations such as data encryption/decryption, sign/verify, digest, HMAC, and random number
generation.
HP-UX KCM is available in HP-UX Kernel as a dynamically loadable library with well-defined
interfaces to invoke the crypto functions. This helps to bring modularity and standardization in the
usage of crypto algorithms across the HP-UX Kernel products. HP-UX KCM is available on HP
Integrity platform running HP-UX 11iv3.
HP-UX KCM is undergoing FIPS 140-2 Level 1 validation and is currently in NIST Review Pending
state.
The interfaces supported by the library follows RSA Security Inc. PKCS#11 V.2.20 specification.
For more information on PKCS, see PKCS #11 v2.20: Cryptographic Token Interface Standard
document.
NOTE: This link will take you outside the Hewlett-Packard (HP) Web site. HP does not control
and is not responsible for information outside of HP.com.
Supported configuration
The supported configuration for HPUX-KCM is HP-UX 11i v3 for HP Integrity Servers.
Features provided in this release
This section discusses the new features available in the HP-UX KCM version 1.0.
The table below lists the FIPS 140-2 compliant algorithms, key lengths, modes, and operations
implemented by HP-UX KCM 1.0.
AES
128, 192, and 256
Mode: CBC
2048RSA
Generate, Encrypt, and
Decrypt
Verify, Wrap key, and
Unwrap key
Digest (with key)256, 384, and 512HMAC-SHA2
PurposeOperationsKey sizeFIPS algo
Symmetric key operations (FIPS-197
compliant)
Asymmetric key operationsGenerate key pair, Sign,
(FIPS 186-3 and PKCS#1 v1.5 compliant)
Digest operations (FIPS 180-3 compliant)Digest256, 384, and 512SHA-2
Key-Hash Message Authentication Code
(HMAC)
NIST SP800-90A compliant DRBGGenerate randomRNG
HP-UX KCM also implements the following algorithms, which are required for supportability purposes
even though they are not FIPS 140-2 compliant.
AES
4 Overview
128, 192, and 256
Mode: CFB
PurposeOperationsKey sizeNon FIPS algo
Symmetric key operationsGenerate, Encrypt, and
Decrypt
1024 and 1536RSA
Verify, Wrap key, and
Unwrap key
Asymmetric key operationsGenerate key pair, Sign,
Digest operationsDigest160SHA-1
The interfaces supported by the library follows RSA Security Inc. PKCS#11 V.2.20 specification.
For more information see, PKCS#11 specifications document.
PKCS #11 API considerations
Following are the API considerations for PKCS#11:
• In PKCS#11 terminology, KCM is a soft token used for software implementation. Hardware
related functions, data types, and features are not implemented by default.
• There is only one conceptual slot with slotID=0 and conceptual token is assumed to be present
in the slot.
• KCM does not store public or private token objects such as keys/certificates. Following are
the ramifications of this consideration:
◦ KCM does not implement PIN related functions or functions that require PIN (For example,
C_Login) specified by PKCS#11.
◦ Session type will be R/W user functions by default. There is no distinction between R/O
and R/W session types.
◦ No distinction is made between user session and SO session. The user is considered as
logged in by default at the point of opening a session and logged out when the session
is closed.
Digest (with key)160HMAC-SHA1
Key-Hash Message Authentication Code
(HMAC)
• KCM implements CK_RV type functions and does not support CK_NOTIFY type. Hence it does
not support callback functions and events.
• Multiple thread access to a single PKCS#11 session is not supported.
• There will be limited support for objects and object related functions as per the scope of APIs
implemented by KCM. They are used only to invoke KCM supported PKCS#11 functions and
retrieve the data returned by functions.
KCM supports the following objects:
◦ Data objects – CKO_DATA
◦ Key objects - CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY
• Table 1 (page 5) describes the mechanisms supported by HPUX-KCM.
Table 1 Mechanisms supported by HPUX-KCM
FunctionsMechanism
Encrypt
and
Decrypt
Sign
and
Verify
VR
1
DigestSR and
Gen Key or
Key Pair
√CKM_RSA_PKCS_KEY_PAIR_GEN
and
Unwrap
√√√CKM_RSA_PKCS
DeriveWrap
√CKM_SHA256_RSA_PKCS
√CKM_SHA384_RSA_PKCS
PKCS #11 API considerations 5
Loading...