CKM_DES3_CBC_PAD
Summary
| FIPS approved? | Yes |
| Supported functions | Encrypt | Decrypt | Wrap | Unwrap |
| Functions restricted from FIPS use | Cannot wrap |
| Minimum key length (bits) | 128 |
| Minimum key length for FIPS use (bits) | 192 |
| Minimum legacy key length for FIPS use (bits) | 128 |
| Maximum key length (bits) | 192 |
| Block size | 8 |
| Digest size | 0 |
| Key types | DES3 |
| Algorithms | DES3 |
| Modes | CBC_PAD |
| Flags | Extractable |
NOTE For HSM firmware version 7.7 and newer, triple-DES keys have a usage counter that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS mode (that is, when the "Allow non-FIPS algorithms" policy [12] is set to 0). When the counter runs out for a key instance, that key instance can no longer be used for encryption or wrapping or deriving or signing, but can still be used for decrypting and unwrapping and verifying pre-existing objects.
The CKA_BYTES_REMAINING attribute is available when the Non-FIPS algorithms policy is set to 0, but cannot be viewed if the Non-FIPS algorithm policy is set to 1.
The attribute is preserved during backup/restore using a G7 Backup HSM; restoring puts the counter back to whatever value it had before backup.
The attribute is not preserved through backup/restore using a G5 Backup HSM; restoring sets the counter to like-new state (no usage).
NOTE The flag MPE_NO_WRAP is assigned to several mechanisms, including this one. When the HSM policy “Allow NonFIPS Algorithms” is disabled, mechanisms with the MPE_NO_WRAP flag are not allowed to wrap objects. When the policy is enabled, these mechanisms are allowed to wrap objects.
