NA FIPS Mechanism Summary
The following table provides a summary of all of the supported mechanisms for all FIPS Luna Cloud HSM Services in the NA region.
| Mechanism | Supported Functions | Functions Restricted from FIPS Use | Min Key Length (bits) | Min Key Length for FIPS Use (bits) | Min Legacy Key Length for FIPS Use (bits) | Max Key Length (bits) | Block Size | Digest Size | Key Types | Algorithms | Modes | Flags |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CKM_AES_CBC | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | CBC | Extractable |
| CKM_AES_CBC_ENCRYPT_DATA | Derive | None | 128 | 128 | N/A | 256 | 0 | 0 | AES | None | None | None |
| CKM_AES_CBC_PAD | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | CBC_PAD | Extractable |
| CKM_AES_CFB8 | Encrypt | Decrypt | None | 128 | 128 | N/A | 256 | 16 | 1 | AES | AES | CFB | Extractable |
| CKM_AES_CFB128 | Encrypt | Decrypt | None | 128 | 128 | N/A | 256 | 16 | 16 | AES | AES | CFB | Extractable |
| CKM_AES_CMAC | Sign | Verify | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | MAC | Extractable | CMAC |
| CKM_AES_CMAC_GENERAL | Sign | Verify | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | MAC | Extractable | CMAC |
| CKM_AES_CTR | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | CTR | Extractable |
| CKM_AES_ECB | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | ECB | Extractable |
| CKM_AES_ECB_ENCRYPT_DATA | Derive | None | 128 | 128 | N/A | 256 | 0 | 0 | AES | None | None | None |
| CKM_AES_GCM | Encrypt | Decrypt | Wrap | Unwrap | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | GCM | Extractable | Accumulating |
| CKM_AES_GMAC | Sign | Verify | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | GCM | Extractable | Accumulating |
| CKM_AES_KEY_GEN | Generate Key | None | 128 | 128 | N/A | 256 | 0 | 0 | AES | None | None | None |
| CKM_AES_KW | Encrypt | Decrypt | Wrap | Unwrap | None | 128 | 128 | N/A | 256 | 8 | 0 | AES | AES | KEYWRAP | Extractable | Accumulating |
| CKM_AES_KWP | Encrypt | Decrypt | Wrap | Unwrap | None | 128 | 128 | N/A | 256 | 8 | 0 | AES | AES | KEYWRAP_PAD | Extractable | Accumulating |
| CKM_AES_OFB | Encrypt | Decrypt | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | OFB | Extractable |
| CKM_AES_XTS | Encrypt | Decrypt | None | 128 | 128 | N/A | 256 | 16 | 0 | AES | AES | XTS | Extractable |
| CKM_DSA | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 0 | 0 | DSA | DSA | None | None |
| CKM_DSA_KEY_PAIR_GEN | Generate Key Pair | None | 1024 | 2048 | 1024 | 3072 | 0 | 0 | DSA | None | None | None |
| CKM_DSA_PARAMETER_GEN | Generate Key | None | 1024 | 2048 | 1024 | 3072 | 0 | 0 | DSA | None | None | None |
| CKM_DSA_SHA1 | Sign | Verify | Cannot sign | 1024 | 2048 | 1024 | 3072 | 64 | 20 | DSA | SHA | None | Extractable |
| CKM_DSA_SHA224 | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 64 | 28 | DSA | SHA224 | None | Extractable |
| CKM_DSA_SHA256 | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 64 | 32 | DSA | SHA256 | None | Extractable |
| CKM_EC_KEY_PAIR_GEN | Generate Key Pair | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | None | None | None |
| CKM_EC_KEY_PAIR_GEN_W_EXTRA_BITS | Generate Key Pair | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | None | None | Extra bits |
| CKM_EC_MONTGOMERY_KEY_PAIR_GEN | Generate Key Pair | None | 256 | 256 | N/A | 256 | 0 | 0 | EC_MONT | None | None | None |
| CKM_ECDH1_COFACTOR_DERIVE | Derive | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | BIP32 | None | None | None |
| CKM_ECDH1_DERIVE | Derive | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | EC_MONT | BIP32 | None | None | None |
| CKM_ECDSA | Sign | Verify | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | BIP32 | ECDSA | None | None |
| CKM_ECDSA_SHA1 | Sign | Verify | Cannot sign | 105 | 224 | 160 | 571 | 64 | 20 | ECDSA | BIP32 | SHA | None | Extractable |
| CKM_ECDSA_SHA224 | Sign | Verify | None | 105 | 224 | 160 | 571 | 64 | 28 | ECDSA | BIP32 | SHA224 | None | Extractable |
| CKM_ECDSA_SHA256 | Sign | Verify | None | 105 | 224 | 160 | 571 | 64 | 32 | ECDSA | BIP32 | SHA256 | None | Extractable |
| CKM_ECDSA_SHA384 | Sign | Verify | None | 105 | 224 | 160 | 571 | 128 | 48 | ECDSA | BIP32 | SHA384 | None | Extractable |
| CKM_ECDSA_SHA512 | Sign | Verify | None | 105 | 224 | 160 | 571 | 128 | ( | ECDSA | BIP32 | SHA512 | None | Extractable |
| CKM_ECIES | Encrypt | Decrypt | None | 105 | 224 | 160 | 571 | 0 | 0 | ECDSA | EC_MONT | BIP32 | None | None | Accumulating |
| CKM_GENERIC_SECRET_KEY_GEN | Generate Key | None | 8 | 112 | N/A | 4096 | 0 | 0 | None | None | None | None |
| CKM_HMAC_SHA3_224 | Sign | Verify | None | 8 | 112 | 80 | 4096 | 144 | 28 | Symmetric | SHA3_224 | HMAC | Extractable |
| CKM_HMAC_SHA3_256 | Sign | Verify | None | 8 | 112 | 80 | 4096 | 136 | 32 | Symmetric | SHA3_256 | HMAC | Extractable |
| CKM_HMAC_SHA3_384 | Sign | Verify | None | 8 | 112 | 80 | 4096 | 104 | 48 | Symmetric | SHA3_384 | HMAC | Extractable |
| CKM_HMAC_SHA3_512 | Sign | Verify | None | 8 | 112 | 80 | 4096 | 72 | 64 | Symmetric | SHA3_512 | HMAC | Extractable |
| CKM_NIST_PRF_KDF | Derive | None | 8 | 112 | N/A | 4096 | 0 | 0 | Symmetric | None | None | None |
| CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN | Generate Key Pair | None | 1024 | 2048 | 1024 | 4096 | 0 | 0 | RSA | None | None | None |
| CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN | Generate Key Pair | None | 2048 | 2048 | N/A | 4096 | 0 | 0 | RSA | None | None | None |
| CKM_RSA_PKCS | Sign | Verify | Encrypt | Decrypt | Wrap | Unwrap | Cannot wrap | Cannot legacy decrypt | Cannot legacy unwrap | Cannot encrypt | 256 | 2048 | 1024 | 8192 | 0 | 0 | RSA | None | None | None |
| CKM_RSA_PKCS_OAEP | Encrypt | Decrypt | Wrap | Unwrap | None | Cannot legacy decrypt | Cannot legacy unwrap | 256 | 2048 | 1024 | 8192 | 0 | 0 | RSA | None | None | None |
| CKM_RSA_PKCS_PSS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 0 | 0 | RSA | None | None | None | PSS |
| CKM_RSA_X9_31 | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 0 | 0 | RSA | None | None | Extractable | X9.31 |
| CKM_SHA_1 | Digest | Cannot sign | 0 | 0 | N/A | 0 | 64 | 20 | None | SHA | None | Extractable |
| CKM_SHA_1_HMAC | Sign | Verify | Cannot sign | 8 | 112 | 80 | 4096 | 64 | 20 | Symmetric | SHA | HMAC | Extractable |
| CKM_SHA_1_HMAC_GENERAL | Sign | Verify | Cannot sign | 8 | 112 | 80 | 4096 | 64 | 20 | Symmetric | SHA | HMAC | Extractable |
| CKM_SHA1_RSA_PKCS | Sign | Verify | Cannot sign | 256 | 2048 | 1024 | 8192 | 64 | 20 | RSA | SHA | None | Extractable |
| CKM_SHA1_RSA_PKCS_PSS | Sign | Verify | Cannot sign | 256 | 2048 | 1024 | 8192 | 64 | 20 | RSA | SHA | None | Extractable | PSS |
| CKM_SHA1_RSA_X9_31 | Sign | Verify | Cannot sign | 1024 | 2048 | 1024 | 8192 | 64 | 20 | RSA | SHA | None | Extractable | X9.31 |
| CKM_SHA3_224 | Digest | None | 0 | 0 | N/A | 0 | 144 | 28 | None | SHA3_224 | None | Extractable |
| CKM_SHA3_224_DSA | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 144 | 28 | DSA | SHA3_224 | None | Extractable |
| CKM_SHA3_224_ECDSA | Sign | Verify | None | 105 | 224 | 160 | 571 | 144 | 28 | ECDSA | BIP32 | SHA3_224 | None | Extractable |
| CKM_SHA3_224_RSA_PKCS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 144 | 28 | RSA | SHA3_224 | None | Extractable |
| CKM_SHA3_224_RSA_PKCS_PSS | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 144 | 28 | RSA | SHA3_224 | None | Extractable | PSS |
| CKM_SHA3_256 | Digest | None | 0 | 0 | N/A | 0 | 136 | 32 | None | SHA3_256 | None | Extractable |
| CKM_SHA3_256_DSA | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 136 | 32 | DSA | SHA3_256 | None | Extractable |
| CKM_SHA3_256_ECDSA | Sign | Verify | None | 105 | 224 | 160 | 571 | 136 | 32 | ECDSA | BIP32 | SHA3_256 | None | Extractable |
| CKM_SHA3_256_RSA_PKCS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 136 | 32 | RSA | SHA3_256 | None | Extractable |
| CKM_SHA3_256_RSA_PKCS_PSS | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 136 | 32 | RSA | SHA3_256 | None | Extractable | PSS |
| CKM_SHA3_384 | Digest | None | 0 | 0 | N/A | 0 | 104 | 48 | None | SHA3_384 | None | Extractable |
| CKM_SHA3_384_DSA | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 104 | 48 | DSA | SHA3_384 | None | Extractable |
| CKM_SHA3_384_ECDSA | Sign | Verify | None | 105 | 224 | 160 | 571 | 104 | 48 | ECDSA | BIP32 | SHA3_384 | None | Extractable |
| CKM_SHA3_384_RSA_PKCS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 104 | 48 | RSA | SHA3_384 | None | Extractable |
| CKM_SHA3_384_RSA_PKCS_PSS | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 104 | 48 | RSA | SHA3_384 | None | Extractable | PSS |
| CKM_SHA3_512 | Digest | None | 0 | 0 | N/A | 0 | 72 | 64 | None | SHA3_512 | None | Extractable |
| CKM_SHA3_512_DSA | Sign | Verify | None | 1024 | 2048 | 1024 | 3072 | 72 | 64 | DSA | SHA3_512 | None | Extractable |
| CKM_SHA3_512_ECDSA | Sign | Verify | None | 105 | 224 | 160 | 571 | 72 | 64 | ECDSA | BIP32 | SHA3_512 | None | Extractable |
| CKM_SHA3_512_RSA_PKCS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 72 | 64 | RSA | SHA3_512 | None | Extractable |
| CKM_SHA3_512_RSA_PKCS_PSS | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 72 | 64 | RSA | SHA3_512 | None | Extractable | PSS |
| CKM_SHA224 | Digest | None | 0 | 0 | N/A | 0 | 64 | 28 | None | SHA224 | None | Extractable |
| CKM_SHA224_HMAC | Sign | Verify | None | 8 | 112 | 80 | 4096 | 64 | 28 | Symmetric | SHA224 | HMAC | Extractable |
| CKM_SHA224_HMAC_GENERAL | Sign | Verify | None | 8 | 112 | 80 | 4096 | 64 | 28 | Symmetric | SHA224 | HMAC | Extractable |
| CKM_SHA224_RSA_PKCS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 64 | 28 | RSA | SHA224 | None | Extractable |
| CKM_SHA224_RSA_PKCS_PSS | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 64 | 28 | RSA | SHA224 | None | Extractable | PSS |
| CKM_SHA224_RSA_X9_31 | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 64 | 28 | RSA | SHA224 | None | Extractable | X9.31 |
| CKM_SHA256 | Digest | None | 0 | 0 | N/A | 0 | 64 | 32 | None | SHA256 | None | Extractable |
| CKM_SHA256_HMAC | Sign | Verify | None | 8 | 112 | 80 | 4096 | 64 | 32 | Symmetric | SHA256 | HMAC | Extractable |
| CKM_SHA256_HMAC_GENERAL | Sign | Verify | None | 8 | 112 | 80 | 4096 | 64 | 32 | Symmetric | SHA256 | HMAC | Extractable |
| CKM_SHA256_RSA_PKCS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 64 | 32 | RSA | SHA256 | None | Extractable |
| CKM_SHA256_RSA_PKCS_PSS | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 64 | 32 | RSA | SHA256 | None | Extractable | PSS |
| CKM_SHA256_RSA_X9_31 | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 64 | 32 | RSA | SHA256 | None | Extractable | X9.31 |
| CKM_SHA384 | Digest | None | 0 | 0 | N/A | 0 | 128 | 48 | None | SHA384 | None | Extractable |
| CKM_SHA384_HMAC | Sign | Verify | None | 8 | 112 | 80 | 4096 | 128 | 48 | Symmetric | SHA384 | HMAC | Extractable |
| CKM_SHA384_HMAC_GENERAL | Sign | Verify | None | 8 | 112 | 80 | 4096 | 128 | 48 | Symmetric | SHA384 | HMAC | Extractable |
| CKM_SHA384_RSA_PKCS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 128 | 48 | RSA | SHA384 | None | Extractable |
| CKM_SHA384_RSA_PKCS_PSS | Sign | Verify | None | 512 | 2048 | 1024 | 8192 | 128 | 48 | RSA | SHA384 | None | Extractable | PSS |
| CKM_SHA384_RSA_X9_31 | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 128 | 48 | RSA | SHA384 | None | Extractable | X9.31 |
| CKM_SHA512 | Digest | None | 0 | 0 | N/A | 0 | 128 | ( | None | SHA512 | None | Extractable |
| CKM_SHA512_HMAC | Sign | Verify | None | 8 | 112 | 80 | 4096 | 128 | ( | Symmetric | SHA512 | HMAC | Extractable |
| CKM_SHA512_HMAC_GENERAL | Sign | Verify | None | 8 | 112 | 80 | 4096 | 128 | ( | Symmetric | SHA512 | HMAC | Extractable |
| CKM_SHA512_RSA_PKCS | Sign | Verify | None | 256 | 2048 | 1024 | 8192 | 128 | ( | RSA | SHA512 | None | Extractable |
| CKM_SHA512_RSA_PKCS_PSS | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 128 | ( | RSA | SHA512 | None | Extractable | PSS |
| CKM_SHA512_RSA_X9_31 | Sign | Verify | None | 1024 | 2048 | 1024 | 8192 | 128 | ( | RSA | SHA512 | None | Extractable | X9.31 |
| CKM_SHAKE_128 | Digest | None | 0 | 0 | N/A | 0 | 168 | 0 | None | SHAKE_128 | None | Extractable |
| CKM_SHAKE_256 | Digest | None | 0 | 0 | N/A | 0 | 136 | 0 | None | SHAKE_256 | None | Extractable |
| CKM_X9_42_DH_DERIVE | Derive | None | 1024 | 2048 | N/A | 4096 | 0 | 0 | X9_42_DH | None | None | None |
| CKM_X9_42_DH_HYBRID_DERIVE | Derive | None | 1024 | 2048 | N/A | 4096 | 0 | 0 | X9_42_DH | None | None | None |
| CKM_X9_42_DH_KEY_PAIR_GEN | Generate Key Pair | None | 1024 | 2048 | N/A | 4096 | 0 | 0 | X9_42_DH | None | None | None |
