Key Metadata

This section specifies manageable CORE key material metadata.

Name and Description

In PKCS#11 terms, the name assigned to key material becomes its CKA_ID and the description its CKA_LABEL.

The name and description settings can be modified.

By default, the object's name is the "0x00" prefix concatenated with the hexadecimal value of the object's UID. For example, the default name of UID a4e4e41d69eca593 is 0x00a4e4e41d69eca593.

The rules for assigning a name to an object are as follows:

  • Characters - see Keyname Permitted Characters.
  • Duplicate names
    By default, duplicate names and/or duplicate descriptions within a partition are allowed. To disallow them, enable the partition's enforce-unique-name and/or enforce-unique-desc setting. See Enforce-unique.
  • A name that is a byte array
    A name can be the content of an arbitrary byte array. In that case, it is presented in HEX format starting with 0x.

    Notes:
    1. The 0x prefix is not included in the CKA_ID value.
    2. Names with an odd number of hexadecimal characters (e.g., 0x123) or names that contain non-hexadecimal characters (e.g., 0x12XYZ) are not treated as binary byte-array names.
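As an added example that is not part of the CORE documentation, the following Go code builds the default name from a UID and applies the byte-array-name rules above to derive the CKA_ID bytes; treating the CKA_ID of a non-byte-array name as its UTF-8 bytes is an assumption of this example.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// byteArrayName matches a binary byte-array name: "0x" followed by an even,
// non-zero number of hexadecimal digits.
var byteArrayName = regexp.MustCompile(`^0x(?:[0-9a-fA-F]{2})+$`)

// DefaultName builds the default object name: the "0x00" prefix followed by
// the hexadecimal value of the object's UID.
func DefaultName(uidHex string) string {
	return "0x00" + strings.ToLower(uidHex)
}

// IsByteArrayName reports whether a name is presented as a binary byte array.
// An odd number of hex digits (0x123) or non-hex characters (0x12XYZ) mean
// the name is an ordinary text name.
func IsByteArrayName(name string) bool {
	return byteArrayName.MatchString(name)
}

// CKAID derives the PKCS#11 CKA_ID from a CORE object name. For byte-array
// names the 0x prefix is dropped and the hex digits are decoded; treating any
// other name as its UTF-8 bytes is an assumption of this example.
func CKAID(name string) []byte {
	if IsByteArrayName(name) {
		// Cannot fail: the regexp already guarantees valid, even-length hex.
		b, _ := hex.DecodeString(name[2:])
		return b
	}
	return []byte(name)
}

func main() {
	name := DefaultName("a4e4e41d69eca593") // UID taken from the page's example
	fmt.Printf("%s -> CKA_ID %x\n", name, CKAID(name))
	for _, n := range []string{"0x123", "0x12XYZ", "app-signing-key"} {
		fmt.Printf("%-16s byte array: %t, CKA_ID %q\n", n, IsByteArrayName(n), CKAID(n))
	}
}
```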

Type and Purpose

The following table specifies key types, supported operations, and operations supported by default when generating or importing a key. The key types are grouped in the following classes:

Private key class
Imported or generated private key of an asymmetric key-pair.
Secret key class
Imported or generated symmetric key.
Public key class
Imported public key of an asymmetric key-pair.
Split keys
Parts of a secret key.
UB key class
Standard keys optimized by Unbound to provide a specific service. For example, PRF keys are generated and used to provide tokenization services.
Key Class   | Type            | Size / Curve                                      | Default size/curve | Supported Operations                                    | Default Operations
------------|-----------------|---------------------------------------------------|--------------------|---------------------------------------------------------|----------------------
Private key | RSA             | 2048, 3072, 4096                                  | 2048               | Sign, Decrypt, Unwrap, Derive                           | Sign, Decrypt, Unwrap
Private key | ECC             | P256, P384, P521, SECP256K1, CURVE25519, CURVE448 | P256               | Sign, Derive                                            |
Secret key  | AES             | 128, 192, 256                                     | 256                | Encrypt, Decrypt, Wrap, Unwrap, Mac, Mac verify, Derive | Encrypt, Decrypt
Secret key  | XTS             | 256, 512                                          | 256                |                                                         |
Secret key  | CHACHA20        | 256                                               | 256                |                                                         |
Secret key  | TDES            | 192                                               | 192                |                                                         |
Secret key  | DES             | 64                                                | 64                 |                                                         |
Secret key  | HMAC            | 8 to 2048, in increments of 8                     | 128                | Mac, Mac verify, Derive                                 |
Public key  | RSA             | See "Private key"                                 |                    | Verify, Encrypt, Wrap                                   |
Public key  | ECC             | See "Private key"                                 |                    |                                                         |
Split key   | AES, TDES, HMAC | See "Secret key"                                  |                    | Join                                                    |
UB key      | PRF             | P256                                              |                    | Derive, Decrypt                                         |

  1. To use the public key of a private key, generate the public key and add it to the partition.
  2. "Default size/curve" and "Default Operations" specify the size and the permitted operations of a key that is created without specifying these properties.
  3. CURVE25519 and CURVE448 are Edwards (Ed) keys when the supported operation is Sign and Montgomery (X) keys when it is Derive.

Purpose

A key is generated or imported for a specific purpose that cannot be changed. The intended usage of a key is specified in the permitted operations (purpose) setting, which may select any of the options listed in the Supported Operations column. The options are specified using the following abbreviations, concatenated into a single string:

For example:

The purpose setting notes:

  • It is permanent.
  • It is inherited by the descendants of the key that are generated from it using the derive or rekey (rotation) methods.
  • It has to be specified to permit a particular operation.
  • It does not by itself authorize everyone to execute the permitted operation. The authorization is governed by:
    • The partition's policy.
    • Permissions that are granted to the user that executes the operation.

Purpose of External Key

If a key in CORE represents a key located in an external keystore, all cryptographic operations using this key are performed by the external keystore, so the purpose of such a key reflects its use by that keystore. Therefore:

  • The external keystore might reject a requested purpose that CORE supports.
  • The external keystore might reduce the specified set of purposes, or reject the request if none of the options match the keystore's capabilities.

Note
When generating or importing keys processed by an external keystore, it is best practice to specify a single purpose. If you rely on CORE default key purpose(s) or specify multiple purposes, check the result using the key show command.

Dates in Key's Lifetime

The transition of a key across its states is scheduled by the activation and deactivation dates.

  • Scheduled activation time and date. Default: now.
    It can be set or changed before the key is activated and must meet the following requirements:
    currentToD < activationToD < October 2, 2096
    activationToD < deactivationToD (if a deactivation is set)
  • Scheduled deactivation time and date. Default: manual.
    It can be set or changed before the key is deactivated and must meet the following requirements:
    Jan 1, 2000 < deactivationToD < October 2, 2096
    activationToD (if set) < deactivationToD

    Setting the deactivation to a time and date that has already passed revokes the material.
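The following Go code is an added illustration of the date rules above, not CORE's implementation; it assumes the stated bounds mean the start of that day in UTC and treats a deactivation date that has already passed as immediate revocation.

```go
package main

import (
	"errors"
	"time"
)

// Bounds stated by the page; reading them as the start of that day in UTC is
// an assumption of this example.
var (
	DeactivationMin = time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
	DateMax         = time.Date(2096, time.October, 2, 0, 0, 0, 0, time.UTC)
)

// ValidateActivation enforces currentToD < activationToD < DateMax and, if a deactivation is set, activationToD < deactivationToD.
func ValidateActivation(now, activation time.Time, deactivation *time.Time) error {
	switch {
	case !now.Before(activation):
		return errors.New("activation must be later than the current time")
	case !activation.Before(DateMax):
		return errors.New("activation must be earlier than October 2, 2096")
	case deactivation != nil && !activation.Before(*deactivation):
		return errors.New("activation must be earlier than the scheduled deactivation")
	}
	return nil
}

// ValidateDeactivation enforces Jan 1, 2000 < deactivationToD < DateMax and, if an activation is set, activationToD < deactivationToD.
func ValidateDeactivation(deactivation time.Time, activation *time.Time) error {
	switch {
	case !DeactivationMin.Before(deactivation):
		return errors.New("deactivation must be later than Jan 1, 2000")
	case !deactivation.Before(DateMax):
		return errors.New("deactivation must be earlier than October 2, 2096")
	case activation != nil && !activation.Before(deactivation):
		return errors.New("deactivation must be later than the scheduled activation")
	}
	return nil
}

// ScheduleDeactivation applies a valid deactivation date; a date that has already passed revokes the material at once.
func ScheduleDeactivation(now, deactivation time.Time, activation *time.Time) (string, error) {
	if err := ValidateDeactivation(deactivation, activation); err != nil {
		return "", err
	}
	if !now.Before(deactivation) {
		return "revoked", nil
	}
	return "scheduled", nil
}
```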

Dates of the following events are recorded:

  • Key creation date. The date when the key was created.
  • Key activation date. The date when the key was activated.
  • Key last change date. The date when the key was changed the last time.
  • Key revocation date. The date when the key was revoked (deactivated).
  • Key compromise, which records two dates:
    • The date when the key was manually deactivated due to the breach notice.
    • The known date when the key was compromised.
  • Key material destruction date. The date when the private and secret key material was destroyed. The key metadata, including all dates, is kept in the database.

Key Revocation Reason

Revocation (deactivation) of a key impacts its usability as follows:

  • Its use in cryptographic protection operations ceases.
  • Its use in cryptographic processing operations is possible but requires special authorization.

A key may be revoked as the result of the following events:

  • Scheduled deactivation.
  • Manual revocation, with one of the following reasons:
    • Planned reasons: Unspecified (the default), Affiliation changed, Superseded, Cessation of operation, Privilege withdrawn.
    • Reasons given as a result of a key compromise announcement: Key compromise, CA compromise.

Key Material Exportability

By default:

  • the public material of an asymmetric key is always exportable;
  • the private and secret key material is never exportable.

Nonetheless, private and secret key material may be cleared for export, with or without prerequisites, while the crypto object is being created.

CORE supports four export prerequisite levels that escalate from the "exportable (plain or wrapped)" to the "not exportable" (the default):

Plain or wrapped (exportable)
The key material is exportable without any prerequisites.
Wrapped
Exported key material must be wrapped using a wrapping key from the same partition, whether trusted or not.
Wrapped with a trusted key
Exported key material must be wrapped using a trusted wrapping key from the same partition.
Not Exportable
It is the default setting.

For the plain and wrapped export file formats, see Export Permissions and Methods.

Key Rotation Interval

This setting enables or disables periodic rotation of the key material every N days, where N is in the range of 1 to 1095 days (3 years; for any time interval setting in years, 1 year is converted to 365 days). See Key Rotation.

By default, this setting is disabled. It may be set during key creation or modified using the ucl rekey command in the CLI or the Edit command in the UI.

The count-down to the next rotation starts the moment the setting is set or changed.

Key Check Value (KCV)

Key Check Value (KCV, PKCS#11 CKA_CHECK_VALUE) is a 3-byte value used to validate key integrity or to compare keys without knowing their actual values. It applies to symmetric keys and their split parts. CORE calculates the KCV as follows:

AES, TDES/DES
The KCV is the three most significant bytes of an all-zero block (00000000...00) encrypted with the key in ECB mode. See the PKCS#11 CKA_CHECK_VALUE specification.
HMAC, SplitKey
The KCV is the three most significant bytes of the SHA-1 hash of the key material.

The KCV attribute of these keys is set when their key material is added to the CORE Database.

CORE Key Attributes

Local Key

The permanent local setting is assigned by the system. It indicates how the material was created:

  • local == true - the key was generated.
  • local == false - the key was imported or linked from the external keystore.

isExternal Key

This setting indicates that all cryptographic operations using this key are performed by the external keystore. The setting applies to keys that are linked to their external peers.

In the isExternal=true case, the key info shows the following settings:

When isExternal is true, the local setting mirrors the BYOK (Bring Your Own Key) setting of the external key:
- If BYOK is true, then local is true.
- If BYOK is false, then local is false.

See also the related blog post: What Are the Security Challenges with BYOK for Hybrid Cloud Users?

Trusted Key

The permanent trusted setting allows identifying crypto objects that could be created only by:

This setting only applies to the secret and public keys that wrap the other key material (see Key Material Exportability). In addition, the following restrictions apply when creating a trusted object:

Secret keys: AES
Exportability:
  • not permitted, or
  • permitted if wrapped with a different trusted object.
Public keys: RSA
Must be imported (local == false).

Membership in Key-Groups

Membership in the key groups is indicated by the groups setting. It is a list of group tags that the key is a member of.

Each key of a partition is a member of its default group. This membership is permanent. See Key Groups.