RSA Mechanism Remap for FIPS Compliance

Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation is no longer approved for operation in a FIPS-compliant HSM.

Luna HSM Client allows you to automatically remap calls to these old, less-secure mechanisms, to new mechanisms that are FIPS-approved. This remapping can allow you to operate the HSM securely without having to rewrite your applications. With this feature enabled, the following remapping is applied:

>Calls for PKCS key generation using CKM_RSA_PKCS_KEY_PAIR_GEN are remapped to CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN, which uses 186-3 Prime key generation.

>Calls for X9.31 key generation using CKM_RSA_X9_31_KEY_PAIR_GEN are remapped to CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN, which uses 186-3 Aux Prime key generation

Effects of Remapping in FIPS Mode

When the Luna HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to 0) or the application partition is in FIPS mode (partition policy 43: Allow non-FIPS algorithms set to 0) and RSA remapping is enabled:

>CKM_RSA_PKCS_KEY_PAIR_GEN appears in the C_GetMechanismList output.

>C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN returns the default information from the client library.

>CKM_RSA_X9_31_KEY_PAIR_GEN appears in the C_GetMechanismList output.

>C_GetMechanismInfo for CKM_RSA_X9_31_KEY_PAIR_GEN returns the default information from the client library.

Applying the Mechanism Remapping

Mechanism remapping has been enabled automatically in recent versions of the Luna HSM Client. Refer to the following table for older version requirements.

Misc = {
  RSAKeyGenMechRemap=1;
}

[Misc]
RSAKeyGenMechRemap=1