CKM_DES3_X919_MAC
The CKM_DES3_X919_MAC is a signature generation and verification mechanism, as defined ANSI X9.19-1996 Financial Institution Retail Message Authentication annex 1 Cipher Block Chaining Procedure.
NA FIPS
FIPS approved? | No |
Supported functions | Sign | Verify |
Functions restricted from FIPS use | N/A |
Minimum key length (bits) | 128 |
Minimum key length for FIPS use (bits) | N/A |
Minimum legacy key length for FIPS use (bits) | N/A |
Maximum key length (bits) | 192 |
Block size | 8 |
Digest size | 0 |
Key types | DES3 |
Algorithms | DES3 |
Modes | MAC |
Flags | Extractable |
NA non-FIPS
FIPS approved? | No |
Supported functions | Sign | Verify |
Functions restricted from FIPS use | N/A |
Minimum key length (bits) | 128 |
Minimum key length for FIPS use (bits) | N/A |
Minimum legacy key length for FIPS use (bits) | N/A |
Maximum key length (bits) | 192 |
Block size | 8 |
Digest size | 0 |
Key types | DES3 |
Algorithms | DES3 |
Modes | MAC |
Flags | Extractable |
EU FIPS
FIPS approved? | No |
Supported functions | Sign | Verify |
Functions restricted from FIPS use | N/A |
Minimum key length (bits) | 128 |
Minimum key length for FIPS use (bits) | N/A |
Minimum legacy key length for FIPS use (bits) | N/A |
Maximum key length (bits) | 192 |
Block size | 8 |
Digest size | 0 |
Key types | DES3 |
Algorithms | DES3 |
Modes | MAC |
Flags | Extractable |
EU non-FIPS
FIPS approved? | No |
Supported functions | Sign | Verify |
Functions restricted from FIPS use | N/A |
Minimum key length (bits) | 128 |
Minimum key length for FIPS use (bits) | N/A |
Minimum legacy key length for FIPS use (bits) | N/A |
Maximum key length (bits) | 192 |
Block size | 8 |
Digest size | 0 |
Key types | DES3 |
Algorithms | DES3 |
Modes | MAC |
Flags | Extractable |
Usage
The CKM_DES3_X919_MAC mechanism is used with the C_VerifyInit and C_SignInit functions. It has the following attriobutes:
>Only CKK_DES2 and CKK_DES3 keys are supported.
>The mechanism takes no parameter.
>Multi-part operation is supported.
>The total input data length must be at least one byte.
>The length of result is half the size of the DES block (i.e. 4 bytes).
Example
#define CKM_DES3_X919_MAC (CKM_VENDOR_DEFINED + 0x150)
CK_OBJECT_HANDLE hKey; // handle of CKK_DES2 or CKK_DES3 key
CK_MECHANISM mech = { CKM_DES3_X919_MAC , NULL, 0};
CK_CHAR inp[any length];
CK_CHAR mac[4];
CK_SIZE len;
// Single-part operation
C_SignInit(hSes, &mech, hKey);
len = sizeof mac;
C_Sign(hSes, inp, sizeof inp, mac, &len);
// Multi-part operation
C_SignInit(hSes, &mech, hKey);
C_SignUpdate(hSes, inp, sizeof inp/2);
C_SignUpdate(hSes, inp+ (sizeof inp)/2, sizeof inp/2);
len = sizeof mac;
C_SignFinal(hSes, mac, &len);
// Test vectors
static const UInt8 retailKey[16] =
{
0x58, 0x91, 0x25, 0x86, 0x3D, 0x46, 0x10, 0x7F,
0x46, 0x3E, 0x52, 0x3B, 0xF7, 0x46, 0x9D, 0x52
};
static const UInt8 retailInputAscii[19] =
{
't','h','e',' ','q','u','i','c','k',' ','b','r','o','w','n',' ','f','o','x'
};
static const UInt8 retailMACAscii[4] =
{
0x55, 0xA7, 0xBF, 0xBA
};
static const UInt8 retailInputEBCDIC[19] =
{
// "the quick brown fox" in EBCDIC
0xA3, 0x88, 0x85, 0x40, 0x98, 0xA4, 0x89, 0x83,
0x92, 0x40, 0x82, 0x99, 0x96, 0xA6, 0x95, 0x40,
0x86, 0x96, 0xA7
};
static const UInt8 retailMACEBCDIC[4] =
{
0x60, 0xAE, 0x2C, 0xD7
};