Technical Specifications
Note
For technical specifications of FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors 140-2 certified CORE solution, see CORE FIPS Specifications.
Key Types and Operations
The table below summarizes the supported key types and their operations. The following sections detail supported modes, paddings, and hash algorithms. The key types are grouped in the following classes:
- Private Key
- Imported or generated private key of an asymmetric key-pair.
- Public Key
- Imported public key of an asymmetric key-pair.
- Secret Key
- Imported or generated symmetric key.
- Split Key
A split key is a symmetric or a private key that has been split into a number of parts,
- A part of symmetric or private key that was split into several parts.
- Other
- Standard keys optimized by Unbound to provide a specific service. For example, PRF keys are generated and used to provide tokenization services.
Key Class | Type | Size/Curve | Default Size/Curve | Supported Operations | Default Operations |
---|---|---|---|---|---|
Asymmetric private key |
RSA |
2048, 3072, 4096 | 2048 |
Sign, Decrypt, Unwrap, Derive |
Sign, Decrypt, Unwrap |
ECC![]() |
P256, P384, P521, |
P256 |
Sign, Derive |
||
Asymmetric public key | RSA | see "Asymmetric private key" | Verify, Encrypt, Wrap | ||
ECC![]() |
|||||
Symmetric secret key |
AES |
128, 192, 256 | 256 |
Encrypt, |
Encrypt, Decrypt |
XTS | 256, 512 | 256 | |||
CHACHA20 | 256 | 256 | |||
TDES | 192 | 192 | |||
DES | 64 | 64 | |||
HMAC![]() |
8 to 2048, in increments of 8 | 128 |
Mac, Mac verify, Derive |
||
Split key | AES, TDES, HMAC![]() |
see "Symmetric secret key" | Join | ||
Other | PRF | P256 |
Derive, Decrypt |
Notes:
- To use a public key of a private key, generate the public key and add it to the partition.
- "Default size/curve" and "Default operations" specify the size and permitted operations of a key that is created without specifying these properties.
- CURVE25519 and CURVE448 are Edwards (Ed) keys if the "Supported Operations" are SIGN. They are Montgomery(X) keys if the "Supported Operations" are DERIVE.
Additional Unbound keys:
- PWD
- Key type: EC P256
- Operation: Verify
- LIMA
- Key size:1024
- Operation: Derive
Algorithms
CORE provides the following crypt algorithms.
Supported HASH Options
SHASecure Hash Algorithm - a family of cryptographic hash functions-1, SHA
Secure Hash Algorithm - a family of cryptographic hash functions-256, SHA
Secure Hash Algorithm - a family of cryptographic hash functions-384, SHA
Secure Hash Algorithm - a family of cryptographic hash functions-512, SHA3-256, SHA3-384, SHA3-512.
AES Algorithms
Key sizes: 128, 192, 256.
Operation | Mode | MAC Mode | Hash |
---|---|---|---|
Encrypt, Decrypt |
ECB, CBC, CFB, OFB, CTR, GCM, CCM, NISTWRAP![]() |
||
Wrap, Unwrap |
See Wrapping with Secret Keys | ||
Mac, Mac verify |
CMAC, GMAC | ||
Derive | Hash | Supported HASH Options | |
Concatenate | |||
NIST![]() |
Note:
- NISTWRAP
AES Key Wrap (KW) specified by NIST Special Publication 800-38F (NIST.SP.800-38F) is also indicated as AES-KW (AES Key Wrap mode)
AES-XTS Algorithms
Key Sizes: 256, 512. (Double Keys).
Operation | Mode | Hash |
---|---|---|
Encrypt, Decrypt |
XTS | |
Derive | Hash | Supported HASH Options |
Concatenate |
CHACHA20-Poly1305 Algorithms
Key size:256
Operation | Mode | MAC Mode |
---|---|---|
Encrypt, Decrypt |
CTR | Poly1305 |
Wrap, Unwrap |
CTR | Poly1305 |
HMAC Algorithms
Key size: 8 to 2048, in increments of 8.
Operation | Mode | Hash |
---|---|---|
Mac Mac Verify |
HMAC![]() |
Supported HASH Options |
Derive | Hash | Supported HASH Options |
Concatenate | ||
SLIP-10 |
TDES Algorithms
Key size: 168 (also known as 192).
Operation | Mode | Hash |
---|---|---|
Encrypt, Decrypt |
ECB, CBC, CFB, OFB | |
Wrap, Unwrap |
See Wrapping with Secret Keys | |
Mac, Mac Verify |
CMAC | |
Derive | Hash | Supported HASH Options |
Concatenate |
RSA Algorithms
Key size: 2048, 3072, 4096.
Notes:
- PKCS
Public-Key Cryptography Standards - Industry-standard cryptography specifications.#1 is an abbreviation of RSA-PKCS
Public-Key Cryptography Standards - Industry-standard cryptography specifications.#1 v1.5.
- PSS
probabilistic signature scheme. Abbreviation of RSASSA-PSS is an abbreviation of RSASSA-PSS
probabilistic signature scheme (PSS) with appendix.
- The default padding for wrapping: OAEP
Optimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys..
- RAW
CKM_RSA_X_509 padding mechanism denotes CKM_RSA_X_509 padding.
- See Wrapping Options.
ECC Algorithms
- ECDSA
Elliptic Curve Digital Signature Algorithm - A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.
- Operation: Sign
- Elliptic curves: P256, P384, P521, SECP256K1, Ed25519, Ed448
- ECDH
Diffie–Hellman (ECDH) is a key agreement protocol used to establish shared secret by deriving it from EC keys.
- Operation: Key derivation
- Elliptic curves: P256, P384, P521, X25519, X448
Notes:
- To define Edwards Ed25519 or Ed448:
- use CURVE25519 or CURVE448
- make sure to specify SIGN among the permitted operations.
- To define Montgomery X25519 or X448:
- use CURVE25519 or CURVE448
- specify DERIVE as the mandatory operation.
Make sure to delete the SIGN operation from the permitted operations list.
- Other names used for curves:
- P256 is known as SECG' secp256r1 and ANSI' prime256v1.
- P384 is known as SECG' secp384r1.
See RFC 8422 Appendix A - Equivalent Curves.
Wrapping Options
CORE provides the following key wrapping options: using secret keys and using public keys.
Wrapping with Secret Keys
Note:
- AES-KW (AES Key Wrap mode) and AES-KWP (AES Key Wrap with Padding) are indicated here as NISTWRAP
AES Key Wrap (KW) specified by NIST Special Publication 800-38F (NIST.SP.800-38F).
Wrapping with Public Keys
- Keys that may be wrapped using Public RSA key:
- AES
- XTS
- CHACHA20
- HMAC
Hash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.
- TDES/DES
- Padding options:
- OAEP
Optimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys. (default) and mandatory specification of one of the Technical Specifications and the corresponding MGF
Mask Generation Function - A cryptographic primitive similar to a hash function except that it supports output of a variable length..
- PKCS
Public-Key Cryptography Standards - Industry-standard cryptography specifications.#1
Interoperability
Cloud Keystores
Cloud keystore | SDK name | SDK version | CORE specification |
---|---|---|---|
AWS KMS![]() |
aws-java-sdk-kms | 1.11.682 | AWS KMS |
Azure Key Vault | azure-keyvault | 1.2.4 | Azure Key Vault |
GCP KMS![]() |
google-cloud-kms | 1.43.0 | Google Cloud KMS |
On-premises HSMs
OIDC Providers
Crypto Client Options
Applications interact with the CORE solution in one of the following ways:
Without client-side installation:
- Using CORE REST
Representational State Transfer (REST) - an architectural style that defines a set of constraints and properties based on HTTP. Web Services that conform to the REST architectural style, or RESTful web services, provide interoperability between computer systems on the Internet. API.
- Using CORE Clientless
System that is using Unbound Java Security Provider without dependency on the UKC Client software. JCA
Java Cryptography Architecture - Java frameworks for implementing cryptography primitives. provider API.
- Using KMIP
Key Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server Protocol client-side (1.1 and later). See KMIP Conformance.
Using CORE Client software installed on device:
- PKCS
Public-Key Cryptography Standards - Industry-standard cryptography specifications. #11
- OpenSSL
- Microsoft CNG and CSP
- Java JCE
Java Cryptography Extension - Java frameworks for implementing cryptography primitives. - CORE Client-based JCA
Java Cryptography Architecture - Java frameworks for implementing cryptography primitives. provider
Applications and Development
For integration with external keystores, see Keys in External Keystores.
For integration with other applications, see Integration Guide and Code Signing Guide.
For integration into applications, see Developer's Guide, and CORE REST API.
Platform Specifications
For CORE server architecture and OS requirements, see CORE Server Requirements.
For CORE client architecture and OS requirements, see CORE Client Requirements.
System Capacity Default Constraints
The following maximum values are the CORE default capacity constraints per system, partition, and operation. Before increasing any of these, contact support@unboundsecurity.com.
Maximum Number of | Per System | Per Partition |
---|---|---|
Server pairs in a cluster | 12 | |
Auxiliary servers | 12 | |
Partitions | 3,000 | |
OIDC![]() |
8 | |
External Key Stores | 12,000 | 10 |
Crypto objects | 500,000 | 100,000 |
Clients | 10,000 | 1,000 |
Users | 10,000 | 1,000 |
User groups | 10,000 | 1,000 |
User roles | 10,000 | 1,000 |
Statements in Partition Policy | 1,000 | 30 |
Quorum requests in DB(*) | 1,000 | 30 |
Backup records | 3,000 |
Note: "Quorum request in DB" refers to both pending and approved requests that are kept in the database. As needed, consider deleting the approved requests.
Maximum Size in Bytes | Per Crypto Operation |
---|---|
Crypto payload size | < 4000 |
Note: For example, max size of a secret that can be accepted by the system.