Luna Key Translation

On this page:

>Mechanism Description

>Data size




Mechanism Description


The Key Translation function allows subscriber authentication keys to be securely imported into a 5G authentication platform (UDM).
It is a proprietary Luna mechanism.

This mechanism receives a cryptogram from the client, unwraps it inside the HSM under one key, re-encrypts (re-wraps) it using a different key and/or mechanism, and returns the resulting cryptogram to the client. The clear key material is only ever handled inside the HSM.

The mechanism is used with the C_WrapKey command with the following parameters:

CK_SESSION_HANDLE hSession - current session
CK_MECHANISM_PTR pMechanism - pointer to a CK_MECHANISM whose mechanism is CKM_KEY_TRANSLATE and whose pParameter points to a CK_KEY_TRANSLATE_PARAMS structure
CK_OBJECT_HANDLE hWrappingKey - handle of the output wrapping key, under which the new cryptogram is produced
CK_OBJECT_HANDLE hKey - not used by this mechanism; always set to CK_INVALID_HANDLE (the key to translate is supplied as a cryptogram in the mechanism parameter, not as an object handle)
CK_BYTE_PTR pWrappedKey - address where the new cryptogram is stored (length prediction supported: pass NULL to have the required length returned in *pulWrappedKeyLen)
CK_ULONG_PTR pulWrappedKeyLen - address where the output buffer size is passed in and the actual or predicted output length is returned

Data size

The maximum allowed data size for this mechanism is 8000 bytes



The CK_MECHANISM passed for the CKM_KEY_TRANSLATE mechanism is structured as follows:

typedef struct CK_MECHANISM {
      CK_MECHANISM_TYPE mechanism; /* CKM_KEY_TRANSLATE */
      CK_VOID_PTR pParameter;      /* pointer to CK_KEY_TRANSLATE_PARAMS */
      CK_ULONG ulParameterLen;     /* sizeof(CK_KEY_TRANSLATE_PARAMS) */
} CK_MECHANISM;

CK_KEY_TRANSLATE_PARAMS is a structure that provides the parameters to the CKM_KEY_TRANSLATE mechanism. The structure is defined as follows:

typedef struct CK_KEY_TRANSLATE_PARAMS {
      CK_FLAGS  flags;             /* reserved, must be 0 */
      CK_MECHANISM wrapMech;       /* output (re-wrap) mechanism, used with hWrappingKey */
      CK_MECHANISM unWrapMech;     /* input (unwrap) mechanism, used with hUnwrapKey */
      CK_BYTE_PTR pData;           /* input cryptogram */
      CK_ULONG ulDataLen;          /* length of pData in bytes (at most 8000) */
      CK_OBJECT_HANDLE hUnwrapKey; /* input unwrapping key handle (hA4key) */
} CK_KEY_TRANSLATE_PARAMS;


The flags field of the mechanism parameter is reserved for future use and must be set to zero.

The wrapMech parameter must be a valid key wrapping mechanism for the key type of hWrappingKey. The key hWrappingKey must have the CKA_WRAP attribute set true.

pData points to the input cryptogram, ulDataLen bytes long: the key as currently wrapped under hUnwrapKey. It is unwrapped with unWrapMech and then re-wrapped with wrapMech under hWrappingKey.

The unWrapMech parameter must be a valid key unwrapping mechanism for the key type of hUnwrapKey. The key hUnwrapKey must have the CKA_UNWRAP attribute set true. Any CKA_UNWRAP_TEMPLATE attribute on the hUnwrapKey is ignored.

If a key is wrapped or unwrapped with a mechanism that does not support content padding, such as CKM_AES_ECB, the key content must be a multiple of the block size (see Handling of wrapping and padding below).

Partition Policy settings that control key import/export such as:

>Enable private key cloning,

>Enable private key wrapping,

>Enable private key unwrapping,

>Enable private key masking,

>Enable secret key cloning,

>Enable secret key wrapping,

>Enable secret key unwrapping,

>Enable secret key masking,

>Enable private key unmasking,

>Enable secret key unmasking

...have no effect on CKM_KEY_TRANSLATE.

These partition policies affect which values for the wrapMech or unWrapMech can be used:

>Enable non-FIPS algorithms,

>Enable RSA PKCS mechanism,

>Enable CBC-PAD (un)wrap keys of any size

Handling of wrapping and padding

Wrapping mechanisms that do not encode a padding length automatically append zeros to the key value if the length of the key being wrapped is not a multiple of the wrapping algorithm's block size.
For example, CKM_AES_ECB has a block size of 16; if it is used to wrap a 24-byte key, 8 zeros are appended to the key before wrapping.

When a cryptogram that has such padding applied is unwrapped, the extra zeros are NOT stripped from the key value. The key value that is then re-wrapped therefore includes the extra zeros, and the receiving system must expect the padded length (32 bytes in the example above).
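As an added example (not code from the Luna documentation, SDK or JCPROV samples), the following C program builds the C_WrapKey call described under Mechanism Description for the DES3_CBC to AES_KWP case, performs the two-call length prediction, and includes an in-process model of the mechanism's call contract (the parameter checks and the output sizes that follow from the padding rules above, with no cryptography) so the client-side code can be run without an HSM. The typedefs and CKM_/CKR_ constants stand in for cryptoki.h and should come from the Luna header in a real build; the value used for CKM_AES_KWP, the session and key handle numbers, and the zero-filled input cryptogram are assumptions and constructed sample data.

```c
/* Added example, not code from the Luna documentation, SDK or samples: builds the
 * CKM_KEY_TRANSLATE call for the DES3_CBC -> AES_KWP use case with length prediction,
 * plus an in-process model of the HSM's call contract (parameter checks and output
 * sizes, no cryptography) so it runs without a Luna. Typedefs and CKM_/CKR_ values
 * stand in for cryptoki.h; CKM_AES_KWP's value, handles and input are assumptions. */
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG, *CK_ULONG_PTR;
typedef unsigned char CK_BYTE, *CK_BYTE_PTR; typedef void *CK_VOID_PTR;
typedef CK_ULONG CK_RV, CK_FLAGS, CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_MECHANISM_TYPE;
typedef struct { CK_MECHANISM_TYPE mechanism; CK_VOID_PTR pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
typedef struct {                             /* field order exactly as documented above */
    CK_FLAGS flags; CK_MECHANISM wrapMech, unWrapMech;
    CK_BYTE_PTR pData; CK_ULONG ulDataLen; CK_OBJECT_HANDLE hUnwrapKey;
} CK_KEY_TRANSLATE_PARAMS;

#define CK_INVALID_HANDLE           0UL
#define LUNA_MECH_KEY_TRANSLATE     0x80000E10UL  /* value given on this page */
#define CKM_DES3_CBC                0x00000133UL
#define CKM_AES_ECB                 0x00001081UL
#define CKM_AES_KWP                 0x00002209UL  /* assumed; take it from Luna's pkcs11t.h */
#define CKR_OK                      0x000UL
#define CKR_KEY_HANDLE_INVALID      0x060UL
#define CKR_MECHANISM_INVALID       0x070UL
#define CKR_MECHANISM_PARAM_INVALID 0x071UL
#define CKR_BUFFER_TOO_SMALL        0x150UL
#define KEY_TRANSLATE_MAX_DATA      8000UL        /* data size limit from this page */
typedef CK_RV (*C_WrapKey_t)(CK_SESSION_HANDLE, CK_MECHANISM *, CK_OBJECT_HANDLE,
                             CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR);

/* Output cryptogram size for a keyLen-byte key: ECB-style mechanisms zero-pad to the block
 * size (zeros are never stripped); AES_KWP (RFC 5649) pads to 8 and adds an 8-byte header. */
CK_ULONG translated_len(CK_ULONG keyLen, CK_MECHANISM_TYPE wrapMech)
{
    switch (wrapMech) {
    case CKM_AES_ECB: return (keyLen + 15) / 16 * 16;
    case CKM_AES_KWP: return (keyLen + 7) / 8 * 8 + 8;
    default:          return 0;                  /* not supported by this model */
    }
}

/* Model of the HSM side of C_WrapKey for CKM_KEY_TRANSLATE: enforces the documented
 * contract and length prediction; writes zeros where a real Luna writes the cryptogram. */
CK_RV model_C_WrapKey(CK_SESSION_HANDLE hSession, CK_MECHANISM *pMech,
                      CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
                      CK_BYTE_PTR pOut, CK_ULONG_PTR pulOutLen)
{
    (void)hSession;
    if (pMech->mechanism != LUNA_MECH_KEY_TRANSLATE) return CKR_MECHANISM_INVALID;
    if (hKey != CK_INVALID_HANDLE) return CKR_KEY_HANDLE_INVALID;  /* hKey must be unused */
    if (!pMech->pParameter || pMech->ulParameterLen != sizeof(CK_KEY_TRANSLATE_PARAMS))
        return CKR_MECHANISM_PARAM_INVALID;
    CK_KEY_TRANSLATE_PARAMS *p = (CK_KEY_TRANSLATE_PARAMS *)pMech->pParameter;
    if (p->flags != 0 || !p->pData || p->ulDataLen > KEY_TRANSLATE_MAX_DATA)
        return CKR_MECHANISM_PARAM_INVALID;
    if (hWrappingKey == CK_INVALID_HANDLE || p->hUnwrapKey == CK_INVALID_HANDLE)
        return CKR_KEY_HANDLE_INVALID;
    /* Input side: DES3_CBC needs an 8-byte IV and whole blocks; nothing is stripped. */
    if (p->unWrapMech.mechanism != CKM_DES3_CBC || p->unWrapMech.ulParameterLen != 8 ||
        p->ulDataLen % 8 != 0)
        return CKR_MECHANISM_PARAM_INVALID;
    CK_ULONG need = translated_len(p->ulDataLen, p->wrapMech.mechanism);
    if (need == 0) return CKR_MECHANISM_INVALID;
    if (pOut == NULL) { *pulOutLen = need; return CKR_OK; }         /* length prediction */
    if (*pulOutLen < need) { *pulOutLen = need; return CKR_BUFFER_TOO_SMALL; }
    memset(pOut, 0, need);                                          /* placeholder bytes */
    *pulOutLen = need; return CKR_OK;
}

/* Client side: re-wrap a DES3_CBC cryptogram held under hA4Key into an AES_KWP cryptogram
 * under hKek. The first call predicts the length, the second performs the translation. */
CK_RV translate_key(C_WrapKey_t C_WrapKey, CK_SESSION_HANDLE hSession,
                    CK_OBJECT_HANDLE hA4Key, CK_BYTE iv[8], CK_OBJECT_HANDLE hKek,
                    const CK_BYTE *in, CK_ULONG inLen, CK_BYTE *out, CK_ULONG *outLen)
{
    CK_KEY_TRANSLATE_PARAMS params;
    memset(&params, 0, sizeof params);              /* flags is reserved and stays 0 */
    params.unWrapMech.mechanism = CKM_DES3_CBC;     /* input side: 3DES-CBC, IV as parameter */
    params.unWrapMech.pParameter = iv; params.unWrapMech.ulParameterLen = 8;
    params.wrapMech.mechanism = CKM_AES_KWP;        /* output side: AES KWP, no parameter */
    params.pData = (CK_BYTE_PTR)in; params.ulDataLen = inLen;
    params.hUnwrapKey = hA4Key;
    CK_MECHANISM mech = { LUNA_MECH_KEY_TRANSLATE, &params, sizeof params };
    CK_ULONG need = 0;
    CK_RV rv = C_WrapKey(hSession, &mech, hKek, CK_INVALID_HANDLE, NULL, &need);
    if (rv != CKR_OK) return rv;
    if (need > *outLen) { *outLen = need; return CKR_BUFFER_TOO_SMALL; }
    *outLen = need;
    return C_WrapKey(hSession, &mech, hKek, CK_INVALID_HANDLE, out, outLen);
}

/* Driver against the model: constructed zero-filled inLen-byte cryptogram into a bufLen-byte
 * output buffer; returns the rv and leaves the required output length in *outLen. */
CK_RV demo_translate(CK_ULONG inLen, CK_ULONG bufLen, CK_ULONG *outLen)
{
    CK_BYTE iv[8] = {0}, in[64] = {0}, out[64];
    *outLen = bufLen;
    return translate_key(model_C_WrapKey, 1, 1001, iv, 2002, in, inLen, out, outLen);
}
```

Against a real Luna, replace model_C_WrapKey with the C_WrapKey entry of the CK_FUNCTION_LIST returned by C_GetFunctionList (after the usual C_Initialize, C_OpenSession and C_Login), and pass the IV that was used when the input cryptogram was produced. Note that the model, like the padding rule above, passes the unwrapped length through unchanged: a 16-byte key wrapped as a 16-byte 3DES-CBC cryptogram comes out as a 24-byte AES_KWP cryptogram, while a 24-byte key pushed through an ECB-style wrap would be padded to 32 bytes and stay that size.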


The mechanism identifier is in the PKCS#11 vendor-defined range:

#define LUNA_MECH_KEY_TRANSLATE 0x80000E10



See item 69, Translate Key, in the KEY Menu Functions.


The JCPROV API supports the mechanism; a sample program, KeyTranslate, has been added to the JCPROV Samples.

In Luna HSM Client 10.5.1 and newer the input and output mechanisms are fixed: DES3_CBC (unwrap side) and AES_KWP (wrap side) respectively. These mechanisms were chosen as they represent the initial use case.


The multitoken tool has an option to test performance of the KeyTranslate mechanism.