Technical Specifications
Note
For technical specifications of the FIPS 140-2 certified CORE solution, see CORE FIPS Specifications.
Key Types and Operations
The table below summarizes the supported key types and their operations. The following sections detail supported modes, paddings, and hash algorithms. The key types are grouped in the following classes:
- Asymmetric Private Key
  - Imported or generated asymmetric key-pair.
- Asymmetric Public Key
  - Imported public key of an asymmetric key-pair.
- Symmetric Secret Key
  - Imported or generated symmetric key.
- Split Key for Import
  - A part of a symmetric key or a private key that has previously been split into several parts so that the key can be imported in parts. This allows the parts to be distributed so that the whole key does not exist in one place before importing, as an alternative to key wrapping.
- Other keys
  - Standard keys optimized by Unbound to provide a specific service. For example, PRF keys are generated and used to provide tokenization service.
Key Class | Type | Size/Curve | Default Size/Curve | Supported Operations | Default Operations |
---|---|---|---|---|---|
Asymmetric private key | RSA | 2048, 3072, 4096 | 2048 | Sign, Decrypt, Unwrap, Derive | Sign, Decrypt, Unwrap |
Asymmetric private key | ECC | P256, P384, P521, | P256 | Sign, Derive | |
Asymmetric public key | RSA | see "Asymmetric private key" | | Verify, Encrypt, Wrap | |
Asymmetric public key | ECC | | | | |
Symmetric secret key | AES | 128, 192, 256 | 256 | Encrypt, | Encrypt, Decrypt |
Symmetric secret key | XTS | 256, 512 | 256 | | |
Symmetric secret key | CHACHA20 | 256 | 256 | | |
Symmetric secret key | TDES | 192 | 192 | | |
Symmetric secret key | DES | 64 | 64 | | |
Symmetric secret key | HMAC | 8 to 2048, in increments of 8 | 128 | Mac, Mac verify, Derive | |
Split key | AES, TDES, HMAC | see "Symmetric secret key" | | Join | |
Other | PRF | P256 | | Derive, Decrypt | |
Notes:
- To use a public key of a private key, generate the public key and add it to the partition.
- "Default size/curve" and "Default operations" specify size and permitted operations of a key that is created without specifying these properties.
- CURVE25519 and CURVE448 are Edwards (Ed) keys if the "Supported Operations" is SIGN, and Montgomery (X) keys if it is DERIVE.
Additional Unbound keys:
- PWD
  - Key type: EC P256
  - Operation: Verify
- LIMA
  - Key size: 1024
  - Operation: Derive
Algorithms
CORE provides the following cryptographic algorithms.
Supported HASH Options
SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512.
AES Algorithms
Key sizes: 128, 192, 256.
Operation | Mode | MAC Mode | Hash |
---|---|---|---|
Encrypt, Decrypt | ECB, CBC, CFB, OFB, CTR, GCM, CCM, NISTWRAP | | |
Wrap, Unwrap | See Wrapping with Secret Keys | | |
Mac, Mac verify | CMAC, GMAC | | |
Derive | Hash | | Supported HASH Options |
Derive | Concatenate | | |
Derive | NIST-CMAC-CTR | | |
Note:
- NISTWRAP, the AES Key Wrap (KW) specified by NIST Special Publication 800-38F (NIST.SP.800-38F), is also indicated as AES-KW (AES Key Wrap mode).
AES-XTS Algorithms
Key sizes: 256, 512 (double keys).
Operation | Mode | Hash |
---|---|---|
Encrypt, Decrypt | XTS | |
Derive | Hash | Supported HASH Options |
Derive | Concatenate | |
CHACHA20-Poly1305 Algorithms
Key size: 256
Operation | Mode | MAC Mode |
---|---|---|
Encrypt, Decrypt | CTR | Poly1305 |
Wrap, Unwrap | CTR | Poly1305 |
HMAC Algorithms
Key size: from 8 to 2048, in increments of 8.
Operation | Mode | Hash |
---|---|---|
Mac, Mac Verify | HMAC | Supported HASH Options |
Derive | Hash | Supported HASH Options |
Derive | Concatenate | |
Derive | SLIP-10 | |
TDES Algorithms
Key size: 168 (also known as 192).
Operation | Mode | Hash |
---|---|---|
Encrypt, Decrypt | ECB, CBC, CFB, OFB | |
Wrap, Unwrap | See Wrapping with Secret Keys | |
Mac, Mac Verify | CMAC | |
Derive | Hash | Supported HASH Options |
Derive | Concatenate | |
RSA Algorithms
Key size: 2048, 3072, 4096.
Notes:
- PKCS#1 is an abbreviation of RSA-PKCS#1 v1.5.
- PSS is an abbreviation of RSASSA-PSS: probabilistic signature scheme (PSS) with appendix.
- The default padding for wrapping: OAEP.
- RAW denotes CKM_RSA_X_509 padding.
- See Wrapping Options.
ECC Algorithms
- ECDSA
  - Operation: Sign
  - Elliptic curves: P256, P384, P521, SECP256K1, Ed25519, Ed448
- ECDH
  - Operation: Key derivation
  - Elliptic curves: P256, P384, P521, X25519, X448
Notes:
- To define Edwards Ed25519 or Ed448:
  - Use CURVE25519 or CURVE448.
  - Make sure to specify SIGN among the permitted operations.
- To define Montgomery X25519 or X448:
  - Use CURVE25519 or CURVE448.
  - Specify DERIVE as the mandatory operation. Make sure to delete the SIGN operation from the permitted operations list.
- Other names used for curves:
  - P256 is known as SECG secp256r1 and ANSI prime256v1.
  - P384 is known as SECG secp384r1.

  See RFC 8422 Appendix A - Equivalent Curves.
Wrapping Options
CORE provides the following key wrapping options: using secret keys and using public keys.
Wrapping with Secret Keys
Wrapping with Public Keys
- Keys that may be wrapped using Public RSA key:
  - AES
  - XTS
  - CHACHA20
  - HMAC
  - TDES/DES
- Padding options:
  - OAEP (default) and mandatory specification of one of the Technical Specifications and the corresponding MGF.
  - PKCS#1
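The OAEP rule above (a hash plus its corresponding MGF must be specified) matters because the wrapping and unwrapping sides must use identical parameters. The following is an added example, not taken from the CORE documentation or client: it uses stock OpenSSL with a throwaway key pair generated locally, and it assumes "corresponding MGF" means MGF1 with the same hash.

```bash
#!/usr/bin/env bash
# Added example: RSA-OAEP wrap/unwrap of an AES-256 key with explicit hash and MGF1 hash.
# Runs against local OpenSSL only; keys are throwaway values generated here.

oaep_roundtrip() {
  # $1 = OAEP hash used to wrap,   $2 = MGF1 hash used to wrap
  # $3 = OAEP hash used to unwrap, $4 = MGF1 hash used to unwrap
  # Returns 0 only if the unwrapped key is byte-identical to the original.
  local dir rc
  dir=$(mktemp -d) || return 2

  # Constructed test material: RSA-2048 wrapping key pair and a random 256-bit AES key.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/priv.pem" 2>/dev/null
  openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
  openssl rand 32 > "$dir/aes.key"

  # Wrap with the public key; padding mode must be set before the OAEP options.
  openssl pkeyutl -encrypt -pubin -inkey "$dir/pub.pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:"$1" -pkeyopt rsa_mgf1_md:"$2" \
    -in "$dir/aes.key" -out "$dir/wrapped.bin" 2>/dev/null

  # Unwrap with the private key, then compare against the original key bytes.
  openssl pkeyutl -decrypt -inkey "$dir/priv.pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:"$3" -pkeyopt rsa_mgf1_md:"$4" \
    -in "$dir/wrapped.bin" -out "$dir/unwrapped.key" 2>/dev/null \
    && cmp -s "$dir/aes.key" "$dir/unwrapped.key"
  rc=$?

  rm -rf "$dir"
  return $rc
}

# Same hash and MGF1 hash on both sides: the key is recovered.
oaep_roundtrip sha256 sha256 sha256 sha256 && echo "matching parameters: unwrap OK"
# Unwrapping side uses a different MGF1 hash: OAEP decoding is rejected.
oaep_roundtrip sha256 sha256 sha256 sha1 || echo "MGF1 hash mismatch: unwrap rejected"
```

Record the hash and MGF choice alongside every wrapped blob, since a blob wrapped with one parameter set cannot be unwrapped with another.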
Interoperability
CORE can manage and use crypto material stored by cloud keystore providers or kept in on-premises HSMs. It is ready to offload user authentication to OIDC providers, and its client is ready for transparent use by the main crypto stacks.
Cloud Keystores
Cloud keystore | SDK name | SDK version | CORE specification |
---|---|---|---|
AWS KMS | aws-java-sdk-kms | 1.11.682 | AWS KMS |
Azure Key Vault | azure-keyvault | 1.2.4 | Azure Key Vault |
GCP KMS | google-cloud-kms | 1.43.0 | Google Cloud KMS |
On-premises HSMs
OIDC Providers
Crypto Client Options
Applications interact with the CORE solution in one of the following ways:
Without client-side installation:
- Using CORE REST API.
- Using CORE Clientless JCA provider API.
- Using KMIP Protocol client-side (1.1 and later). See KMIP Conformance.
Using CORE Client software installed on device:
- PKCS #11
- OpenSSL
- Microsoft CNG and CSP
- Java JCE - CORE Client-based JCA provider
Applications and Development
For integration with external keystores, see Keys in External Keystores.
For integration with other applications, see Integration Guide and Code Signing Guide.
For integration into applications, see Developer's Guide, and CORE REST API.
Platform Specifications
For CORE server architecture and OS requirements, see CORE Server Requirements.
For CORE client architecture and OS requirements, see CORE Client Requirements.
System Capacity Default Constraints
The following maximum values are the CORE default capacity constraints per system, partition, and operation. Before increasing any of these, contact support@unboundsecurity.com.
Maximum Number of | Per System | Per Partition |
---|---|---|
Server pairs in a cluster | 12 | |
Auxiliary servers | 12 | |
Partitions | 3,000 | |
OIDC Providers | 8 | |
External Key Stores | 12,000 | 10 |
Crypto objects | 500,000 | 100,000 |
Clients | 10,000 | 1,000 |
Users | 10,000 | 1,000 |
User groups | 10,000 | 1,000 |
User roles | 10,000 | 1,000 |
Statements in Partition Policy | 1,000 | 30 |
Quorum requests in DB(*) | 1,000 | 30 |
Backup records | 3,000 | |
Note: "Quorum request in DB" refers to both pending and approved requests that are kept in the database. As needed, consider deleting the approved requests.
Maximum Size in Bytes | Per Crypto Operation |
---|---|
Crypto payload size | < 4000 |
Note: This is, for example, the maximum size of a secret that can be accepted by the system.