Technical Specifications

Note
For technical specifications of the FIPS 140-2 certified CORE solution, see CORE FIPS Specifications.

Key Types and Operations

The table below summarizes the supported key types and their operations. The following sections detail supported modes, paddings, and hash algorithms. The key types are grouped in the following classes:

Asymmetric Private Key
Imported or generated asymmetric key-pair.
Asymmetric Public Key
Imported public key of an asymmetric key-pair.
Symmetric Secret Key
Imported or generated symmetric key.
Split Key for Import
A part of a symmetric key or a private key that has previously been split into several parts in order to import the key in parts. This is used in order to distribute the parts and not have the key in whole before importing, as an alternative to key wrapping.
Other keys
Standard keys optimized by Unbound to provide a specific service. For example, PRF keys are generated and used to provide tokenization service.
| Key Class | Type | Size/Curve | Default Size/Curve | Supported Operations | Default Operations |
|---|---|---|---|---|---|
| Asymmetric private key | RSA | 2048, 3072, 4096 | 2048 | Sign, Decrypt, Unwrap, Derive | Sign, Decrypt, Unwrap |
| Asymmetric private key | ECC | P256, P384, P521, SECP256K1, CURVE25519, CURVE448 | P256 | Sign, Derive | |
| Asymmetric public key | RSA | see "Asymmetric private key" | | Verify, Encrypt, Wrap | |
| Asymmetric public key | ECC | see "Asymmetric private key" | | Verify, Encrypt, Wrap | |
| Symmetric secret key | AES | 128, 192, 256 | 256 | Encrypt, Decrypt, Wrap, Unwrap, Mac, Mac verify, Derive | Encrypt, Decrypt |
| Symmetric secret key | XTS | 256, 512 | 256 | Encrypt, Decrypt, Wrap, Unwrap, Mac, Mac verify, Derive | Encrypt, Decrypt |
| Symmetric secret key | CHACHA20 | 256 | 256 | Encrypt, Decrypt, Wrap, Unwrap, Mac, Mac verify, Derive | Encrypt, Decrypt |
| Symmetric secret key | TDES | 192 | 192 | Encrypt, Decrypt, Wrap, Unwrap, Mac, Mac verify, Derive | Encrypt, Decrypt |
| Symmetric secret key | DES | 64 | 64 | Encrypt, Decrypt, Wrap, Unwrap, Mac, Mac verify, Derive | Encrypt, Decrypt |
| Symmetric secret key | HMAC | 8 to 2048, in increments of 8 | 128 | Mac, Mac verify, Derive | |
| Split key | AES, TDES, HMAC | see "Symmetric secret key" | | Join | |
| Other | PRF | P256 | | Derive, Decrypt | |

Notes:

  1. To use a public key of a private key, generate the public key and add it to the partition.
  2. "Default size/curve" and "Default operations" specify size and permitted operations of a key that is created without specifying these properties.
  3. CURVE25519 and CURVE448 are Edwards (Ed) keys if SIGN is among the "Supported Operations", and Montgomery (X) keys if DERIVE is.

Additional Unbound keys:

PWD
Key type: EC P256
Operation: Verify
LIMA
Key size: 1024
Operation: Derive

Algorithms

CORE provides the following cryptographic algorithms.

Supported HASH Options

SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512.

AES Algorithms

Key sizes: 128, 192, 256.

| Operation | Mode | MAC Mode | Hash |
|---|---|---|---|
| Encrypt, Decrypt | ECB, CBC, CFB, OFB, CTR, GCM, CCM, NISTWRAP | | |
| Wrap, Unwrap | See Wrapping with Secret Keys | | |
| Mac, Mac verify | | CMAC, GMAC | |
| Derive | Hash | | Supported HASH Options |
| Derive | Concatenate | | |
| Derive | NIST-CMAC-CTR | | |

Note:

  1. NISTWRAP (NIST.SP.800-38F) is also indicated as AES-KW (AES Key Wrap mode).

AES-XTS Algorithms

Key sizes: 256, 512 (double keys).

| Operation | Mode | Hash |
|---|---|---|
| Encrypt, Decrypt | XTS | |
| Derive | Hash | Supported HASH Options |
| Derive | Concatenate | |

CHACHA20-Poly1305 Algorithms

Key size: 256.

| Operation | Mode | MAC Mode |
|---|---|---|
| Encrypt, Decrypt | CTR | Poly1305 |
| Wrap, Unwrap | CTR | Poly1305 |

HMAC Algorithms

Key size: from 8 to 2048, in increments of 8.

| Operation | Mode | Hash |
|---|---|---|
| Mac, Mac Verify | HMAC | Supported HASH Options |
| Derive | Hash | Supported HASH Options |
| Derive | Concatenate | |
| Derive | SLIP-10 | |

TDES Algorithms

Key size: 168 (also known as 192).

| Operation | Mode | Hash |
|---|---|---|
| Encrypt, Decrypt | ECB, CBC, CFB, OFB | |
| Wrap, Unwrap | See Wrapping with Secret Keys | |
| Mac, Mac Verify | CMAC | |
| Derive | Hash | Supported HASH Options |
| Derive | Concatenate | |

RSA Algorithms

Key size: 2048, 3072, 4096.

| Operation | Padding | Hash | Notes |
|---|---|---|---|
| Sign | PKCS#1 | | 1 |
| Sign | PSS | | 2 |
| Decrypt | PKCS#1 | | |
| Decrypt | OAEP | Supported HASH Options | 3 |
| Decrypt | RAW | | 4 |
| Wrap (using the public key) | PKCS#1 | | 5 |
| Wrap (using the public key) | OAEP | Supported HASH Options | 5 |
| Unwrap | PKCS#1 | | |
| Unwrap | OAEP | Supported HASH Options | |

Notes:

  1. PKCS#1 is an abbreviation of RSA-PKCS#1 v1.5.
  2. PSS is an abbreviation of RSASSA-PSS (probabilistic signature scheme with appendix).
  3. The default padding for wrapping: OAEP.
  4. RAW denotes CKM_RSA_X_509 padding.
  5. See Wrapping Options.

ECC Algorithms

ECDSA
Operation: Sign
Elliptic curves: P256, P384, P521, SECP256K1, Ed25519, Ed448
ECDH
Operation: Key derivation
Elliptic curves: P256, P384, P521, X25519, X448

Notes:

  1. To define Edwards Ed25519 or Ed448:
    • use CURVE25519 or CURVE448
    • make sure to specify SIGN among the permitted operations.
  2. To define Montgomery X25519 or X448:
    • use CURVE25519 or CURVE448
    • specify DERIVE as the mandatory operation.
    • Make sure to delete the SIGN operation from the permitted operations list.

  3. Other names used for curves:

Wrapping Options

CORE provides the following key wrapping options: using secret keys and using public keys.

Wrapping with Secret Keys


Wrapping with Public Keys

Keys that may be wrapped using a public RSA key:

  • AES
  • XTS
  • CHACHA20
  • HMAC
  • TDES/DES

Padding options:

  • OAEP (default), with mandatory specification of one of the hash options listed under Supported HASH Options and the corresponding MGF.
  • PKCS#1

Interoperability

CORE can manage and use crypto material stored by cloud keystore providers or kept in on-premise HSMs. It is ready to offload user authentication to OIDC providers and its client is ready for transparent use by main crypto stacks.

Cloud Keystores

| Cloud keystore | SDK name | SDK version | CORE specification |
|---|---|---|---|
| AWS KMS | aws-java-sdk-kms | 1.11.682 | AWS KMS |
| Azure Key Vault | azure-keyvault | 1.2.4 | Azure Key Vault |
| GCP KMS | google-cloud-kms | 1.43.0 | Google Cloud KMS |

On-premises HSMs

| On-premises HSM vendor | HSM model | HSM client version | CORE specification |
|---|---|---|---|
| Thales | Safenet Luna | 7.4 | HSM - Luna |

OIDC Providers

Crypto Client Options

Applications interact with the CORE solution in one of the following ways:

Without client-side installation:

Using CORE Client software installed on device:

Applications and Development

For integration with external keystores, see Keys in External Keystores.

For integration with other applications, see Integration Guide and Code Signing Guide.

For integration into applications, see Developer's Guide, and CORE REST API.

Platform Specifications

For CORE server architecture and OS requirements, see CORE Server Requirements.

For CORE client architecture and OS requirements, see CORE Client Requirements.

System Capacity Default Constraints

The following maximum values are the CORE default capacity constraints per system, partition, and operation. Before increasing any of these, contact support@unboundsecurity.com.

| Maximum Number of | Per System | Per Partition |
|---|---|---|
| Server pairs in a cluster | 12 | |
| Auxiliary servers | 12 | |
| Partitions | 3,000 | |
| OIDC Providers | 8 | |
| External Key Stores | 12,000 | 10 |
| Crypto objects | 500,000 | 100,000 |
| Clients | 10,000 | 1,000 |
| Users | 10,000 | 1,000 |
| User groups | 10,000 | 1,000 |
| User roles | 10,000 | 1,000 |
| Statements in Partition Policy | 1,000 | 30 |
| Quorum requests in DB (*) | 1,000 | 30 |
| Backup records | 3,000 | |

Note (*): "Quorum requests in DB" refers to both pending and approved requests that are kept in the database. As needed, consider deleting the approved requests.

| Maximum Size in Bytes | Per Crypto Operation |
|---|---|
| Crypto payload size | < 4000 |

Note: This is, for example, the maximum size of a secret that can be accepted by the system.