Skip to content

Keys and objects

Each type of key or object will have a series of attributes that completely define that type, but some are common to all:

  1. Name: uniquely identifies the object within the partition; can be up to 32 characters long and can use alphanumeric characters plus the underscore _. No HSM object names are case-sensitive, i.e. there is a differentiation between uppercase and lowercase letters. Objects in other partitions can be referenced by indicating the name of the partition and the name of the object with the formation rule: partition/object
  2. Exportable: property that allows the object to be exported outside the HSM for use in other applications.
  3. Temporary: objects that are not persistent between sessions, i.e. they only exist during the session in which they were created and are removed by the HSM at the end of that session.

Info

Please note: on Dinamo all objects are kept encrypted, regardless of the operating mode.

The import and export of cryptographic keys, as well as the installation of new algorithms and mechanisms, do not interfere with the other existing keys in the HSM.

In RM1 mode, only the functions approved by the standard are available for creating keys:

  1. DES, in ECB and CBC modes
  2. 3DES, 112 and 168 bits, in ECB and CBC modes
  3. AES, with 128-, 192- and 256-bit keys, in EBC, CBC and CTR modes
  4. RSA, above 2048 bits
  5. ECDSA, with keys above 224 bits
  6. EdDSA (ECX with Ed25519 and Ed448)
  7. XECDH
  8. SHA1, SHA2 and SHA3
  9. HMAC, based on SHA1, SHA2 and SHA3
  10. CMAC, based on 3DES and AES

In RM2 mode, the same algorithms are available as in RM1, with the exception of 112-bit DES and 3DES, EdDSA and SHA1. The RSA private key can be 2048 or 3072.

When operating in non-restricted mode(NRM) all algorithms and key sizes are enabled.

DES

Block symmetric cryptographic key for the Data Encryption Standard encryption algorithm. It has a fixed size of 56 bits. The key actually has a size of 64 bits, but every 8 bits one of them is used as a check bit, leading to a useful size of 56 bits.

Encryption operations can be done in ECB(Electronic Codebook) and CBC(Cipher Block Chaining) modes, and it is recommended to use CBC mode when possible. Three options can be used for padding in encryption operations: no padding, padding with zeros and padding according to the PKCS#5 standard.

3DES

Block symmetric encryption key for the Triple Data Encryption Standard encryption algorithm, it performs a sequence of three DES operations using two or three different keys. The size can be 112 or 168 bits. The implementation works using the EDE scheme(Encrypt - Decrypt - Encrypt).

Encryption operations can be done in ECB(Electronic Codebook) and CBC(Cipher Block Chaining) modes, and it is recommended to use CBC mode when possible. Three options can be used for padding in encryption operations: no padding, padding with zeros and padding according to the PKCS#5 standard.

DESX

Block symmetric encryption key for Data Encryption Standard - X (DESX or DES-X) encryption algorithm, is a variation of DES using a technique known as key whitening, with the aim of making brute force attacks more difficult. The size is 184 bits.

Encryption operations can be done in ECB(Electronic Codebook) and CBC(Cipher Block Chaining) modes, and it is recommended to use CBC mode when possible. Three options can be used for padding in encryption operations: no padding, padding with zeros and padding according to the PKCS#5 standard.

AES

Block symmetric cryptographic key for the Advanced Encryption Standard or Rijndael encryption algorithm, designed to be the successor to DES. The size can be 128, 192 or 256 bits.

Encryption operations can be done in ECB(Electronic Codebook) and CBC(Cipher Block Chaining) modes, and it is recommended to use CBC mode when possible. Three options can be used for padding in encryption operations: no padding, padding with zeros and padding according to the PKCS#5 standard.

ARC4

Stream symmetric cryptographic key for the Rivest Code 4 encryption algorithm, also known as ARC4. The HSM implementation uses a size of 128 bits.

RSA

Asymmetric key for the RSA public key encryption algorithm. The length can be 512, 1024, 1152, 1408, 1536, 1976, 1984, 2048, 2304, 2502, 2816, 3072, 4096 or 8192 bits.

The RSA keys in the HSM are created with a fixed and defined public exponent (three bytes in the sequence 01 00 01, decimal value of 216 + 1 = 65537).

The digital signatures generated by HSM are compatible with the algorithms defined in the document ICP-Brasil Cryptographic Standards and Algorithms - DOC ICP-01.01with the PKCS#1 RSA Cryptography Standard v.2.1 and with RFC 3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1.

ECC and ECX

Asymmetric cryptographic key forElliptic Curve Cryptography (ECC) and ECX (Montgomery/Edwards) public key algorithms. The HSM implementation adopts the following curves and key sizes:

  1. Security Group Random (112, 128, 160, 192, 224, 256, 384 and 521 bits)
  2. Security Group Koblitz (160, 192, 224 and 256 bits)
  3. NIST Random (384 and 521 bits)
  4. ISO X9.62 (192, 239 and 256 bits)
  5. Brainpool (160, 192, 224, 256, 320, 384 and 512)
  6. Ed25519 (256 bits)
  7. Ed448 (448 bits)

Elliptic curve cryptography in HSM implements digital signature operations (ECDSA and EdDSA) and key exchange (ECDH and XECDH).

The digital signatures generated by the HSM are compatible with the algorithms defined in the document _ICP-Brasil Cryptographic Standards and Algorithms - DOC ICP-01.01.

HOTP

Object containing a seed for authentication according to the OATH (Open Authentication) standard or according to RFC 4226 - An HMAC-Based One-Time Password Algorithm. When a HOTP object is created, a SoftToken can optionally be generated and exported, which is a piece of Java software to be installed on mobile devices. The token can be generated internally or imported.

Physical tokens adhering to the OATH standard, sold by third parties, can also be authenticated in the HSM as long as they provide the seed for import into the HSM.

MAP

The MAP type is not exactly an object, it is an aggregation of identifiers. With the MAP (mapping) object, it is possible to create relationships between objects for use by applications. The map object has two slots that can be filled with identifiers from other objects or can be filled freely. It is up to each application to interpret each MAP field.

A MAP can be used, for example, to link an X.509 certificate with its RSA private key in a single identifier or to create pointers with different names to an object (symbolic links).

X.509 certificate

Standard X.509 digital certificate. It is usually imported as an opaque object and identified by the HSM with a certificate. This object is not necessarily related to a private key or public key in the HSM. The digital certificate can exist in the user's partition as an independent entity. The HSM does not generate certificates, so objects of this type are always imported.

HSM also natively handles objects of type CRL(Certificate Revocation List).

HSM Dinamo supports digital certificates in the ICP-Brasil standard.

CRL

Certificate revocation list (CRL). HSM does not generate CRLs, so objects of this type are always imported.

PKCS#7 chain

Certificate chain in PKCS#7 format. Normally the chain involves the final certificate, all the intermediate certificate authorities and the root certificate authority. HSM does not generate certificate chains, so objects of this type are always imported.

File

Object stored in the HSM user partition, but interpreted in an opaque way by the HSM, i.e. just a sequence of bytes identified by a name. This type can be used by applications to store information of interest in the HSM, which is a secure repository. The File type is limited to a size of 65536 bytes.

Key API

Specific API documentation for managing the lifecycle of cryptographic keys, with functions, classes and examples.