CKM_ECDSA
Firmware 7.9.0 and Newer Summary
| FIPS approved? | Yes |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | Can verify only if partition policy 45 (PP45) is enabled |
| Minimum key length (bits) | 105 |
| Minimum key length for FIPS use (bits) | 224 |
| Minimum legacy key length for FIPS use (bits) | 160 |
| Maximum key length (bits) | 571 |
| Block size | 0 |
| Digest size | 0 |
| Key types | ECDSA | BIP32 |
| Algorithms | ECDSA |
| Modes | None |
| Flags | FIPS-approved curves only |
NOTE With Luna HSM Firmware 7.9.0 or newer, signature verification is permitted in FIPS-approved configuration, as long as partition policy 45: Allow ECDSA/RSA Prehash SigVer is set to 1 on the partition.
TIP The default setting of partition policy 45: Allow ECDSA/RSA Prehash SigVer varies according to firmware update status:
HSM starting at firmware 7.9.0 or newer
• Default is OFF for partitions not in FIPS configuration.
• Default is OFF for partitions in FIPS configuration.
HSM starting at firmware older than version 7.9.0
For a starting firmware version between 7.7.1 and 7.8.9 that is updated to 7.9.0 or newer, the partition policy 45 behavior follows the FIPS partition policy 43:
• Default is ON for partitions not already in FIPS configuration (*).
• Default is OFF for partitions already in FIPS configuration.
Starting firmware older than version 7.7.1 did not have FIPS partition policy 43.
When updating to firmware 7.9.0, the partition policy 45 behavior follows the HSM-level FIPS policy 12 instead:
• Default is ON if the HSM is not in FIPS configuration (*).
• Default is OFF if the HSM is in FIPS configuration.
(* When older firmware is updated, this policy defaults to ON in non-FIPS configuration in order to minimize impact for customers updating existing HSMs. Your partition behaves, for crypto operations, as it did before the update, and action is needed only if you wish to change that behavior.)
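Added example (not part of the vendor documentation): the default rules in the TIP above, written as a small audit that compares each partition's observed policy 45 value with the default implied by its starting firmware. The Partition record, its field names and the sample inventory are assumptions constructed for illustration; the observed values would come from the operator's own policy listing.

```python
from dataclasses import dataclass

@dataclass
class Partition:              # hypothetical inventory record, not a Luna data structure
    name: str
    starting_fw: str          # firmware the HSM ran before it reached 7.9.0 or newer
    partition_fips: bool      # partition already in FIPS configuration (partition policy 43)
    hsm_fips: bool            # HSM in FIPS configuration (HSM policy 12)
    observed_pp45: bool       # policy 45 value the operator read from the partition

def parse_version(text):
    """Turn '7.8.9' into (7, 8, 9) so versions compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts

def expected_pp45_default(p):
    """Default of partition policy 45 per the rules in the TIP above."""
    fw = parse_version(p.starting_fw)
    if fw >= (7, 9, 0):       # started at 7.9.0 or newer: OFF in every case
        return False
    if fw >= (7, 7, 1):       # 7.7.1 to 7.8.9: follows FIPS partition policy 43
        return not p.partition_fips
    return not p.hsm_fips     # older than 7.7.1: follows HSM-level FIPS policy 12

def audit(inventory):
    """Return (name, finding) for partitions an administrator should review."""
    findings = []
    for p in inventory:
        expected = expected_pp45_default(p)
        if p.observed_pp45 != expected:
            findings.append((p.name, "differs from upgrade default"))
        elif expected:
            findings.append((p.name, "ON by upgrade default"))
    return findings

# Constructed sample inventory; names, versions and values are made up for illustration.
INVENTORY = [
    Partition("par-a", "7.9.0", False, False, False),
    Partition("par-b", "7.8.4", False, False, True),
    Partition("par-c", "7.8.4", True, False, False),
    Partition("par-d", "7.4.0", False, True, True),
    Partition("par-e", "7.10.1", True, True, False),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

Partitions reported as "ON by upgrade default" are the ones the footnote describes: they behave as before the update until an administrator changes the policy.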
Firmware 7.8.9 Summary
| FIPS approved? | Yes |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | None |
| Minimum key length (bits) | 105 |
| Minimum key length for FIPS use (bits) | 224 |
| Minimum legacy key length for FIPS use (bits) | 160 |
| Maximum key length (bits) | 571 |
| Block size | 0 |
| Digest size | 0 |
| Key types | ECDSA | BIP32 |
| Algorithms | ECDSA |
| Modes | None |
| Flags | FIPS-approved curves only |
NOTE Using Luna HSM Firmware 7.8.9 or newer, this mechanism now verifies that the specified EC curve is FIPS-approved, and rejects operations that specify non-approved curves.
See Luna HSM Firmware 7.8.9 and scroll down to Allowed Elliptic Curves.
Firmware 7.3.0-7.8.7 Summary
| FIPS approved? | Yes |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | None |
| Minimum key length (bits) | 105 |
| Minimum key length for FIPS use (bits) | 224 |
| Minimum legacy key length for FIPS use (bits) | 160 |
| Maximum key length (bits) | 571 |
| Block size | 0 |
| Digest size | 0 |
| Key types | ECDSA | BIP32 |
| Algorithms | ECDSA |
| Modes | None |
| Flags | None |
Firmware 7.2.0 and Older Summary
| FIPS approved? | Yes |
| Supported functions | Sign | Verify |
| Minimum key length (bits) | 105 |
| Minimum key length for FIPS use (bits) | 224 |
| Minimum legacy key length for FIPS use (bits) | 160 |
| Maximum key length (bits) | 571 |
| Block size | 0 |
| Digest size | 0 |
| Key types | ECDSA |
| Algorithms | ECDSA |
| Modes | None |
| Flags | None |