EU FIPS Mechanism Summary
The following table provides a summary of all of the supported mechanisms for all FIPS Luna Cloud HSM Services in the EU region.
Mechanism | FIPS Approved? | Supported Functions | Functions Restricted from FIPS Use | Min Key Length (bits) | Min Key Length for FIPS Use (bits) | Min Legacy Key Length for FIPS Use (bits) | Max Key Length (bits) | Block Size | Digest Size | Key Types | Algorithms | Modes | Flags |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CKM_AES_CBC | Yes | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | CBC | Extractable |
CKM_AES_CBC_ENCRYPT_DATA | Yes | Derive | None | 128 | 128 | N/A | 256 | 0 | 0 | AES | None | None | None |
CKM_AES_CBC_PAD | Yes | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | CBC_PAD | Extractable |
CKM_AES_CFB8 | Yes | Encrypt | Decrypt | None | 128 | 128 | N/A | 256 | 16 | 1 | AES | AES | CFB | Extractable |
CKM_AES_CFB128 | Yes | Encrypt | Decrypt | None | 128 | 128 | N/A | 256 | 16 | 16 | AES | AES | CFB | Extractable |
CKM_AES_CMAC | Yes | Sign | Verify | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | MAC | Extractable | CMAC |
CKM_AES_CMAC_GENERAL | Yes | Sign | Verify | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | MAC | Extractable | CMAC |
CKM_AES_CTR | Yes | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | CTR | Extractable |
CKM_AES_ECB | Yes | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | ECB | Extractable |
CKM_AES_ECB_ENCRYPT_DATA | Yes | Derive | None | 128 | 128 | N/A | 256 | 0 | 0 | AES | None | None | None |
CKM_AES_GCM | Yes | Encrypt | Decrypt | Wrap | Unwrap | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | GCM | Extractable | Accumulating |
CKM_AES_GMAC | Yes | Sign | Verify | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | GCM | Extractable | Accumulating |
CKM_AES_KEY_GEN | Yes | Generate Key | None | 128 | 128 | N/A | 256 | 0 | 0 | AES | None | None | None |
CKM_AES_KW | Yes | Encrypt | Decrypt | Wrap | Unwrap | None | 128 | 128 | N/A | 256 | 8 | 0 | AES | AES | KEYWRAP | Extractable | Accumulating |
CKM_AES_KWP | Yes | Encrypt | Decrypt | Wrap | Unwrap | None | 128 | 128 | N/A | 256 | 8 | 0 | AES | AES | KEYWRAP_PAD | Extractable | Accumulating |
CKM_AES_OFB | Yes | Encrypt | Decrypt | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | OFB | Extractable |
CKM_AES_XTS | Yes | Encrypt | Decrypt | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | XTS | Extractable |
CKM_DSA | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 0 | 0 | DSA | DSA | None | None |
CKM_DSA_KEY_PAIR_GEN | Yes | Generate Key Pair | None | 1024 | 2048 | 1024 | 3072 | 0 | 0 | DSA | None | None | None |
CKM_DSA_PARAMETER_GEN | Yes | Generate Key | None | 1024 | 2048 | 1024 | 3072 | 0 | 0 | DSA | None | None | None |
CKM_DSA_SHA1 | Yes | Sign | Verify | Cannot sign | 1024 | 2048 | 1024 | 3072 | 64 | 20 | DSA | SHA | None | Extractable |
CKM_DSA_SHA224 | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 64 | 28 | DSA | SHA224 | None | Extractable |
CKM_DSA_SHA256 | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 64 | 32 | DSA | SHA256 | None | Extractable |
CKM_EC_KEY_PAIR_GEN | Yes | Generate Key Pair | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | None | None | None |
CKM_EC_KEY_PAIR_GEN_W_EXTRA_BITS | Yes | Generate Key Pair | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | None | None | Extra bits |
CKM_EC_MONTGOMERY_KEY_PAIR_GEN | Yes | Generate Key Pair | None | 256 | 256 | N/A | 256 | 0 | 0 | EC_MONT | None | None | None |
CKM_ECDH1_COFACTOR_DERIVE | Yes | Derive | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | BIP32 | None | None | None |
CKM_ECDH1_DERIVE | Yes | Derive | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | EC_MONT | BIP32 | None | None | None |
CKM_ECDSA | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | BIP32 | ECDSA | None | None |
CKM_ECDSA_SHA1 | Yes | Sign | Verify | Cannot sign | 105 | 224 | 160 | 571 | 64 | 20 | ECDSA | BIP32 | SHA | None | Extractable |
CKM_ECDSA_SHA224 | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 64 | 28 | ECDSA | BIP32 | SHA224 | None | Extractable |
CKM_ECDSA_SHA256 | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 64 | 32 | ECDSA | BIP32 | SHA256 | None | Extractable |
CKM_ECDSA_SHA384 | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 128 | 48 | ECDSA | BIP32 | SHA384 | None | Extractable |
CKM_ECDSA_SHA512 | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 128 | ( | ECDSA | BIP32 | SHA512 | None | Extractable |
CKM_ECIES | Yes | Encrypt | Decrypt | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | EC_MONT | BIP32 | None | None | Accumulating |
CKM_GENERIC_SECRET_KEY_GEN | Yes | Generate Key | None | 8 | 112 | N/A | 4096 | 0 | 0 | None | None | None | None |
CKM_HMAC_SHA3_224 | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 144 | 28 | Symmetric | SHA3_224 | HMAC | Extractable |
CKM_HMAC_SHA3_256 | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 136 | 32 | Symmetric | SHA3_256 | HMAC | Extractable |
CKM_HMAC_SHA3_384 | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 104 | 48 | Symmetric | SHA3_384 | HMAC | Extractable |
CKM_HMAC_SHA3_512 | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 72 | 64 | Symmetric | SHA3_512 | HMAC | Extractable |
CKM_NIST_PRF_KDF | Yes | Derive | None | 8 | 112 | N/A | 4096 | 0 | 0 | Symmetric | None | None | None |
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN | Yes | Generate Key Pair | None | 1024 | 2048 | 1024 | 4096 | 0 | 0 | RSA | None | None | None |
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN | Yes | Generate Key Pair | None | 2048 | 2048 | N/A | 4096 | 0 | 0 | RSA | None | None | None |
CKM_RSA_PKCS | Yes | Sign | Verify | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | Cannot legacy decrypt | Cannot legacy unwrap | Cannot encrypt | 256 | 2048 | 1024 | 8192 | 0 | 0 | RSA | None | None | None |
CKM_RSA_PKCS_OAEP | Yes | Encrypt | Decrypt | Wrap | Unwrap | None | Cannot legacy decrypt | Cannot legacy unwrap | 256 | 2048 | 1024 | 8192 | 0 | 0 | RSA | None | None | None |
CKM_RSA_PKCS_PSS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 0 | 0 | RSA | None | None | None | PSS |
CKM_RSA_X9_31 | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 0 | 0 | RSA | None | None | Extractable | X9.31 |
CKM_SHA_1 | Yes | Digest | Cannot sign | 0 | 0 | N/A | 0 | 64 | 20 | None | SHA | None | Extractable |
CKM_SHA_1_HMAC | Yes | Sign | Verify | Cannot sign | 8 | 112 | 80 | 4096 | 64 | 20 | Symmetric | SHA | HMAC | Extractable |
CKM_SHA_1_HMAC_GENERAL | Yes | Sign | Verify | Cannot sign | 8 | 112 | 80 | 4096 | 64 | 20 | Symmetric | SHA | HMAC | Extractable |
CKM_SHA1_RSA_PKCS | Yes | Sign | Verify | Cannot sign | 256 | 2048 | 1024 | 8192 | 64 | 20 | RSA | SHA | None | Extractable |
CKM_SHA1_RSA_PKCS_PSS | Yes | Sign | Verify | Cannot sign | 256 | 2048 | 1024 | 8192 | 64 | 20 | RSA | SHA | None | Extractable | PSS |
CKM_SHA1_RSA_X9_31 | Yes | Sign | Verify | Cannot sign | 1024 | 2048 | 1024 | 8192 | 64 | 20 | RSA | SHA | None | Extractable | X9.31 |
CKM_SHA3_224 | Yes | Digest | None | 0 | 0 | N/A | 0 | 144 | 28 | None | SHA3_224 | None | Extractable |
CKM_SHA3_224_DSA | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 144 | 28 | DSA | SHA3_224 | None | Extractable |
CKM_SHA3_224_ECDSA | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 144 | 28 | ECDSA | BIP32 | SHA3_224 | None | Extractable |
CKM_SHA3_224_RSA_PKCS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 144 | 28 | RSA | SHA3_224 | None | Extractable |
CKM_SHA3_224_RSA_PKCS_PSS | Yes | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 144 | 28 | RSA | SHA3_224 | None | Extractable | PSS |
CKM_SHA3_256 | Yes | Digest | None | 0 | 0 | N/A | 0 | 136 | 32 | None | SHA3_256 | None | Extractable |
CKM_SHA3_256_DSA | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 136 | 32 | DSA | SHA3_256 | None | Extractable |
CKM_SHA3_256_ECDSA | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 136 | 32 | ECDSA | BIP32 | SHA3_256 | None | Extractable |
CKM_SHA3_256_RSA_PKCS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 136 | 32 | RSA | SHA3_256 | None | Extractable |
CKM_SHA3_256_RSA_PKCS_PSS | Yes | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 136 | 32 | RSA | SHA3_256 | None | Extractable | PSS |
CKM_SHA3_384 | Yes | Digest | None | 0 | 0 | N/A | 0 | 104 | 48 | None | SHA3_384 | None | Extractable |
CKM_SHA3_384_DSA | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 104 | 48 | DSA | SHA3_384 | None | Extractable |
CKM_SHA3_384_ECDSA | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 104 | 48 | ECDSA | BIP32 | SHA3_384 | None | Extractable |
CKM_SHA3_384_RSA_PKCS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 104 | 48 | RSA | SHA3_384 | None | Extractable |
CKM_SHA3_384_RSA_PKCS_PSS | Yes | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 104 | 48 | RSA | SHA3_384 | None | Extractable | PSS |
CKM_SHA3_512 | Yes | Digest | None | 0 | 0 | N/A | 0 | 72 | 64 | None | SHA3_512 | None | Extractable |
CKM_SHA3_512_DSA | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 72 | 64 | DSA | SHA3_512 | None | Extractable |
CKM_SHA3_512_ECDSA | Yes | Sign | Verify | None | 105 | 224 | 160 | 571 | 72 | 64 | ECDSA | BIP32 | SHA3_512 | None | Extractable |
CKM_SHA3_512_RSA_PKCS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 72 | 64 | RSA | SHA3_512 | None | Extractable |
CKM_SHA3_512_RSA_PKCS_PSS | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 72 | 64 | RSA | SHA3_512 | None | Extractable | PSS |
CKM_SHA224 | Yes | Digest | None | 0 | 0 | N/A | 0 | 64 | 28 | None | SHA224 | None | Extractable |
CKM_SHA224_HMAC | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 64 | 28 | Symmetric | SHA224 | HMAC | Extractable |
CKM_SHA224_HMAC_GENERAL | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 64 | 28 | Symmetric | SHA224 | HMAC | Extractable |
CKM_SHA224_RSA_PKCS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 64 | 28 | RSA | SHA224 | None | Extractable |
CKM_SHA224_RSA_PKCS_PSS | Yes | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 64 | 28 | RSA | SHA224 | None | Extractable | PSS |
CKM_SHA224_RSA_X9_31 | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 64 | 28 | RSA | SHA224 | None | Extractable | X9.31 |
CKM_SHA256 | Yes | Digest | None | 0 | 0 | N/A | 0 | 64 | 32 | None | SHA256 | None | Extractable |
CKM_SHA256_HMAC | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 64 | 32 | Symmetric | SHA256 | HMAC | Extractable |
CKM_SHA256_HMAC_GENERAL | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 64 | 32 | Symmetric | SHA256 | HMAC | Extractable |
CKM_SHA256_RSA_PKCS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 64 | 32 | RSA | SHA256 | None | Extractable |
CKM_SHA256_RSA_PKCS_PSS | Yes | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 64 | 32 | RSA | SHA256 | None | Extractable | PSS |
CKM_SHA256_RSA_X9_31 | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 64 | 32 | RSA | SHA256 | None | Extractable | X9.31 |
CKM_SHA384 | Yes | Digest | None | 0 | 0 | N/A | 0 | 128 | 48 | None | SHA384 | None | Extractable |
CKM_SHA384_HMAC | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 128 | 48 | Symmetric | SHA384 | HMAC | Extractable |
CKM_SHA384_HMAC_GENERAL | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 128 | 48 | Symmetric | SHA384 | HMAC | Extractable |
CKM_SHA384_RSA_PKCS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 128 | 48 | RSA | SHA384 | None | Extractable |
CKM_SHA384_RSA_PKCS_PSS | Yes | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 128 | 48 | RSA | SHA384 | None | Extractable | PSS |
CKM_SHA384_RSA_X9_31 | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 128 | 48 | RSA | SHA384 | None | Extractable | X9.31 |
CKM_SHA512 | Yes | Digest | None | 0 | 0 | N/A | 0 | 128 | ( | None | SHA512 | None | Extractable |
CKM_SHA512_HMAC | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 128 | ( | Symmetric | SHA512 | HMAC | Extractable |
CKM_SHA512_HMAC_GENERAL | Yes | Sign | Verify | None | 8 | 112 | 80 | 4096 | 128 | ( | Symmetric | SHA512 | HMAC | Extractable |
CKM_SHA512_RSA_PKCS | Yes | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 128 | ( | RSA | SHA512 | None | Extractable |
CKM_SHA512_RSA_PKCS_PSS | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 128 | ( | RSA | SHA512 | None | Extractable | PSS |
CKM_SHA512_RSA_X9_31 | Yes | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 128 | ( | RSA | SHA512 | None | Extractable | X9.31 |
CKM_SHAKE_128 | Yes | Digest | None | 0 | 0 | N/A | 0 | 168 | 0 | None | SHAKE_128 | None | Extractable |
CKM_SHAKE_256 | Yes | Digest | None | 0 | 0 | N/A | 0 | 136 | 0 | None | SHAKE_256 | None | Extractable |
CKM_X9_42_DH_DERIVE | Yes | Derive | None | 1024 | 2048 | N/A | 4096 | 0 | 0 | X9_42_DH | None | None | None |
CKM_X9_42_DH_HYBRID_DERIVE | Yes | Derive | None | 1024 | 2048 | N/A | 4096 | 0 | 0 | X9_42_DH | None | None | None |
CKM_X9_42_DH_KEY_PAIR_GEN | Yes | Generate Key Pair | None | 1024 | 2048 | N/A | 4096 | 0 | 0 | X9_42_DH | None | None | None |