PKCS5_PBKD2 with SHA2
Prior to firmware version 7.9.3 and UC 10.9.3, the HMAC PRFs available on the HSM to Password-Based Key Derivation Function 2 (CKM_PKCS5_PBKD2) were:
>HMAC_SHA1
>HMAC_SM3
Firmware 7.9.3 and UC 10.9.3 (tools) add support for:
>HMAC_SHA224
>HMAC_SHA256
>HMAC_SHA384
>HMAC_SHA512
Examples of PBE key generation of various types with the SHA2 mechanisms
1. In CKDemo, generate a PBE key with SHA224 mechanism and an AES key type.
TOKEN:
( 1) Open Session ( 2) Close Session ( 3) Login
( 4) Logout ( 5) Change PIN ( 6) Init Token
( 7) Init Pin ( 8) Mechanism List ( 9) Mechanism Info
(10) Get Info (11) Slot Info (12) Token Info
(13) Session Info (14) Get Slot List (15) Wait for Slot Event
(16) Token Status (17) SessionCancel (18) Factory Reset
(19) CloneMofN (33) Token Insert (34) Token Delete
(36) Show Roles (37) Show Role Configuration Policies
(38) Show Role State (39) Get OUID (140) Get Handle
(58) HSM Zeroize (59) Token Zeroize
(160) Show License List (161) QueryLicense (162) HSM Stats
(163) LogoutOther
OBJECT MANAGEMENT:
(20) Create object (21) Copy object (22) Destroy object
(23) Object size (24) Get attribute (25) Set attribute
(26) Find object (27) Display Object
(30) Modify Usage Count (31) Destroy Multiple Objects
(32) Extract Public Key (35) Import Public Key
SECURITY:
(40) Encrypt file (41) Decrypt file (42) Sign
(43) Verify (44) Hash file (45) Simple Generate Key
(46) Digest Key
HIGH AVAILABILITY RECOVERY :
(49) HA Current Status (50) HA Recovery Init (51) HA Recovery Login
(52) HA Group Status
POLICY:
(53) Show Partition Policies (54) Set Partition Policies
(55) Show HSM Policies (56) Set HSM Policies (57) Set Destructive HSM Policies
KEY:
(60) Wrap key (61) Unwrap key (62) Generate random number
(63) Derive Key (64) PBE Key Gen (65) Create known keys
(66) Seed RNG (67) EC User Defined Curves
(68) SM2 User Defined Curves
(69) Translate key
(150) Encapsulate key
(151) Decapsulate key
CA:
(70) Set Domain (71) Clone Key (72) Set MofN
(73) Generate MofN (74) Activate MofN (75) Generate Token Keys
(77) Sign Token Cert
(78) Generate CertCo Cert (79) Modify MofN
(85) Put HSM Data/Parameter
(86) Dup. MofN Keys (87) Deactivate MofN
(88) Get Token Certificates (89) Get HSM Data/Parameter
(112) Set Legacy Cloning Domain
OTHERS:
(90) Self Test
(92) Get App ID
(93) Utilization Metrics
(94) Open Access (95) Close Access
(97) Set App ID (98) Options
OFFBOARD KEY STORAGE:
(101) Extract Masked Object (102) Insert Masked Object
(103) Multisign With Value (104) Clone Object
(105) SIMExtract (106) SIMInsert
(107) SimMultiSign (108) SMKRollover
(109) CPv4 MigrateKeys
(118) Extract Object (119) Insert Object
CLUSTER EXECUTION:
(111) Get Cluster State
(113) Lock Clustered Slot (114) Unlock Clustered Slot
PED INFO:
(120) Set Ped Info (121) Get Ped Info (122) Init RPV
(123) Delete RPV
AUDIT/LOG:
(130) Get Config (131) Set Config (132) Verify logs
(133) Get Time (134) Set Time (135) Import Secret
(136) Export Secret (137) Init Audit (138) Get Status
(139) Log External
SRK:
(200) SRK Get State (201) SRK Restore (202) SRK Resplit
(203) SRK Zeroize (204) SRK Enable/Disable
Per Key Authorization:
(210) Authorize Key (211) Set Authorization Data
(212) Reset Authorization Data (213) Assign Key
(214) Increment Failed Auth Count
Cloning API:
(215) CloneAsSourceInit (216) CloneAsTargetInit
(217) CloneAsSource (218) CloneAsTarget
(219) CPv4 MigrateKeys (220) CPv4 Negotiate Session
(221) CPv4 Close Session
IS6 Migration:
(300) Set IS6 Domain (301) Insert IS6 Group Part
(302) Insert IS6 Member Part (303) Insert IS6 Key
KeyRing Configurations:
(310) Setup KeyRing (311) Add Key to KeyRing
(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit
Status: Doing great, no errors (CKR_OK)
Enter your choice : 64
Enter iterations: 999
MD2_DES[1]
SHA1_RC4_128[5] SHA1_RC4_40[6] SHA1_RC2_128[7]
SHA1_RC2_40[8] SHA1_DES2[9] SHA1_DES3[10]
PKCS5_PBKD2_SHA1[11] PKCS5_PBKD2_SM3[12]
PKCS5_PBKD2_SHA224[13] PKCS5_PBKD2_SHA256[14]
PKCS5_PBKD2_SHA384[15] PKCS5_PBKD2_SHA512[16]
Select a mechanism: 13
[1] CKK_GENERIC_SECRET [2] CKK_RC2 [3] CKK_RC4
[4] CKK_DES [5] CKK_DES2 [6] CKK_DES3
[8] CKK_CAST3 [9] CKK_SEED
[10] CKK_AES [11] CKK_ARIA
Select key type: 10
Enter Key Length: 24
Generated key: 34 (0x00000022)
Returned IV: None
Status: Doing great, no errors (CKR_OK)
The key is created and the handle returned.
2. Generate a PBE key with SHA256 mechanism and a DES2 key type.
Enter your choice : 64
Enter iterations: 343
MD2_DES[1]
SHA1_RC4_128[5] SHA1_RC4_40[6] SHA1_RC2_128[7]
SHA1_RC2_40[8] SHA1_DES2[9] SHA1_DES3[10]
PKCS5_PBKD2_SHA1[11] PKCS5_PBKD2_SM3[12]
PKCS5_PBKD2_SHA224[13] PKCS5_PBKD2_SHA256[14]
PKCS5_PBKD2_SHA384[15] PKCS5_PBKD2_SHA512[16]
Select a mechanism: 14
[1] CKK_GENERIC_SECRET [2] CKK_RC2 [3] CKK_RC4
[4] CKK_DES [5] CKK_DES2 [6] CKK_DES3
[8] CKK_CAST3 [9] CKK_SEED
[10] CKK_AES [11] CKK_ARIA
Select key type: 5
Enter Key Length: 16
Generated key: 56 (0x00000038)
Returned IV: None
Status: Doing great, no errors (CKR_OK)
The key is created and the handle returned.
3. Generate a PBE key with SHA384 mechanism and a generic key type.
Enter your choice : 64
Enter iterations: 1
MD2_DES[1]
SHA1_RC4_128[5] SHA1_RC4_40[6] SHA1_RC2_128[7]
SHA1_RC2_40[8] SHA1_DES2[9] SHA1_DES3[10]
PKCS5_PBKD2_SHA1[11] PKCS5_PBKD2_SM3[12]
PKCS5_PBKD2_SHA224[13] PKCS5_PBKD2_SHA256[14]
PKCS5_PBKD2_SHA384[15] PKCS5_PBKD2_SHA512[16]
Select a mechanism: 15
[1] CKK_GENERIC_SECRET [2] CKK_RC2 [3] CKK_RC4
[4] CKK_DES [5] CKK_DES2 [6] CKK_DES3
[8] CKK_CAST3 [9] CKK_SEED
[10] CKK_AES [11] CKK_ARIA
Select key type: 1
Enter Key Length: 384
Generated key: 57 (0x00000039)
Returned IV: None
Status: Doing great, no errors (CKR_OK)
The key is created and the handle returned.
4. Generate a PBE key with SHA512 mechanism and an ARIA key type.
Enter your choice : 64
Enter iterations: 100
MD2_DES[1]
SHA1_RC4_128[5] SHA1_RC4_40[6] SHA1_RC2_128[7]
SHA1_RC2_40[8] SHA1_DES2[9] SHA1_DES3[10]
PKCS5_PBKD2_SHA1[11] PKCS5_PBKD2_SM3[12]
PKCS5_PBKD2_SHA224[13] PKCS5_PBKD2_SHA256[14]
PKCS5_PBKD2_SHA384[15] PKCS5_PBKD2_SHA512[16]
Select a mechanism: 16
[1] CKK_GENERIC_SECRET [2] CKK_RC2 [3] CKK_RC4
[4] CKK_DES [5] CKK_DES2 [6] CKK_DES3
[8] CKK_CAST3 [9] CKK_SEED
[10] CKK_AES [11] CKK_ARIA
Select key type: 11
Enter Key Length: 24
Generated key: 59 (0x0000003b)
Returned IV: None
Status: Doing great, no errors (CKR_OK)
The key is created and the handle returned.
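Added example (not part of the original page and not Luna or CKDemo code): a software reference for PBKDF2 as specified in RFC 8018 with a selectable HMAC PRF, run over the mechanism, iteration count and key length of the four sessions above, showing how the PRF output size sets the number of blocks computed for a given key length. The password, salt and the reading of "Enter Key Length" as a byte count are assumptions, since the sessions do not show them; the iteration counts are the demo values from the sessions and are far below what a production password-based key would use.

```python
import hashlib
import hmac

# PRF names from this page mapped to hashlib digests. HMAC_SM3 is left out
# because SM3 support in hashlib depends on the local OpenSSL build.
PRF_HASH = {"HMAC_SHA1": "sha1", "HMAC_SHA224": "sha224", "HMAC_SHA256": "sha256",
            "HMAC_SHA384": "sha384", "HMAC_SHA512": "sha512"}

# (PRF, iterations, key length) from the four CKDemo sessions on this page.
# Assumption: "Enter Key Length" is a byte count.
PAGE_EXAMPLES = [("HMAC_SHA224", 999, 24), ("HMAC_SHA256", 343, 16),
                 ("HMAC_SHA384", 1, 384), ("HMAC_SHA512", 100, 24)]

# Constructed inputs: the page does not show the password or salt CKDemo used.
PASSWORD = b"constructed-password"
SALT = b"constructed-salt"


def blocks_needed(prf, dk_len):
    """Number of PRF-sized blocks PBKDF2 computes for dk_len bytes of key."""
    h_len = hashlib.new(PRF_HASH[prf]).digest_size
    return -(-dk_len // h_len)  # ceiling division


def pbkdf2(prf, password, salt, iterations, dk_len):
    """PBKDF2 (RFC 8018, section 5.2) with a selectable HMAC PRF."""
    if iterations < 1 or dk_len < 1:
        raise ValueError("iterations and dk_len must be positive")
    name = PRF_HASH[prf]
    h_len = hashlib.new(name).digest_size
    out = b""
    for i in range(1, blocks_needed(prf, dk_len) + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = XOR of all U_j
        u = hmac.new(password, salt + i.to_bytes(4, "big"), name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, name).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(h_len, "big")
    return out[:dk_len]  # truncate the last block to the requested length


def derive_page_examples():
    """Derive one key per page example from the constructed password/salt."""
    return [pbkdf2(prf, PASSWORD, SALT, c, n) for prf, c, n in PAGE_EXAMPLES]


if __name__ == "__main__":
    for (prf, c, n), dk in zip(PAGE_EXAMPLES, derive_page_examples()):
        ok = dk == hashlib.pbkdf2_hmac(PRF_HASH[prf], PASSWORD, SALT, c, n)
        print(f"{prf} c={c} len={n} blocks={blocks_needed(prf, n)} matches_hashlib={ok}")
```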