CKM_DES3_MAC_GENERAL

Firmware 7.7.0 and Newer Summary

FIPS approved? Yes
Supported functions Sign | Verify
Functions restricted from FIPS use Cannot sign
Minimum key length (bits) 128
Minimum key length for FIPS use (bits) 192
Minimum legacy key length for FIPS use (bits) 128
Maximum key length (bits) 192
Block size 8
Digest size 0
Key types DES3
Algorithms DES3
Modes MAC
Flags Extractable

NOTE   For Luna HSM Firmware 7.7.0 and newer, triple-DES keys have a usage counter that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS mode (that is, when the "Allow non-FIPS algorithms" policy [12] is set to 0). When the counter runs out for a key instance, that key instance can no longer be used for encryption or wrapping or deriving or signing, but can still be used for decrypting and unwrapping and verifying pre-existing objects.

The CKA_BYTES_REMAINING attribute is available when the Non-FIPS algorithms policy is set to 0, but cannot be viewed if the Non-FIPS algorithm policy is set to 1.

The attribute is preserved during backup/restore using a Luna Backup HSM 7; restoring puts the counter back to whatever value it had before backup.
The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring sets the counter to like-new state (no usage).

NOTE   To comply with FIPS SP800-131a Rev2 published in March 2019, when the HSM is in FIPS mode, this mechanism is not allowed to sign data.

Firmware 7.4.2 and Older Summary

FIPS approved? Yes
Supported functions Sign | Verify
Functions restricted from FIPS use None
Minimum key length (bits) 128
Minimum key length for FIPS use (bits) 192
Minimum legacy key length for FIPS use (bits) 128
Maximum key length (bits) 192
Block size 8
Digest size 0
Key types DES3
Algorithms DES3
Modes MAC
Flags Extractable