Introduction
Technical Specifications
FIPS 140-2 Certified Cryptography
In FIPS mode (the UKC system mode that allows processing both FIPS-certified and non-certified keys in crypto operations), the UKC (Unbound Key Control, the name of Unbound's key management product) crypto capabilities are specified in FIPS 140-2 Certificate #3378 and FIPS 140-2 Certificate #3453.
Unbound Standard Cryptography
In addition to the FIPS (Federal Information Processing Standards, standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors) 140-2 certified mode of operation, UKC provides a constantly evolving non-FIPS mode (an advanced UKC execution mode that has not yet received FIPS certification) of crypto operation that covers a wider set of keys and algorithms.
AES Capabilities
Key sizes: 128, 192, 256.
Operation | Mode | MAC mode | Allowed hash types |
---|---|---|---|
Encrypt | ECB, CBC, CFB, OFB, CTR, GCM, CCM, NISTWRAP | | |
Decrypt | ECB, CBC, CFB, OFB, CTR, GCM, CCM, NISTWRAP | | |
Wrap | Refer to Key Wrapping Capabilities | | |
Unwrap | Refer to Key Wrapping Capabilities | | |
Mac | | CMAC, GMAC | |
Mac verify | | CMAC, GMAC | |
Derive | Hash | | Supported HASH Options |
Derive | Concatenate | | |
- NISTWRAP: AES Key Wrap (KW) as specified by NIST Special Publication 800-38F (NIST.SP.800-38F), also indicated as AES-KW.
AES-XTS Capabilities
Key sizes: 256, 512 (double keys).
Operation | Mode | Allowed hash types |
---|---|---|
Encrypt | XTS | |
Decrypt | XTS | |
Derive | Hash | Supported HASH Options |
Derive | Concatenate | |
AES-SIV Capabilities
Key sizes: 256, 512 (double keys).
Operation | Mode | Allowed hash types |
---|---|---|
Wrap | Refer to Key Wrapping Capabilities | |
Unwrap | Refer to Key Wrapping Capabilities | |
Derive | Hash | Supported HASH Options |
Derive | Concatenate | |
3DES Capabilities
Key size: 168 (also known as 192).
Operation | Mode | Allowed hash types |
---|---|---|
Encrypt | ECB, CBC, CFB, OFB | |
Decrypt | ECB, CBC, CFB, OFB | |
Wrap | Refer to Key Wrapping Capabilities | |
Unwrap | Refer to Key Wrapping Capabilities | |
Mac | CMAC | |
Mac verify | CMAC | |
Derive | Hash | Supported HASH Options |
Derive | Concatenate | |
HMAC Capabilities
Key size: from 8 to 2048, in increments of 8.
RSA Capabilities
Key size: 2048, 3072, 4096.
- PKCS (Public-Key Cryptography Standards, industry-standard cryptography specifications) #1 is an abbreviation of RSA-PKCS#1 v1.5.
- PSS is an abbreviation of RSASSA-PSS (probabilistic signature scheme with appendix).
- The default padding for wrapping: OAEP (Optimal Asymmetric Encryption Padding, a padding scheme often used together with RSA encryption of symmetric keys).
- RAW denotes CKM_RSA_X_509 padding.
- Refer to Key Wrapping Capabilities.
ECC (ECDSA) Capabilities
Elliptic curves: P-256, P-384, P-521, SECP256K1.
Supported DSA: ECDSA (Elliptic Curve Digital Signature Algorithm, a variant of the Digital Signature Algorithm (DSA) that uses elliptic curve cryptography) and Schnorr.
- P-256 is also known as SECG's secp256r1 and ANSI's prime256v1.
- P-384 is also known as SECG's secp384r1.
For other synonyms of elliptic curve names, refer to RFC 4492 Appendix A - Equivalent Curves.
ECC (ECDH) Capabilities
Elliptic curves: P-256, P-384, P-521
Operation | Mode |
---|---|
Derive | ECDH |
Decrypt | ECIES |
EC-PRF Capabilities
Elliptic curve: P-256
Operation | Mode |
---|---|
Derive | EC-PRF |
EC-PWD Capabilities
Elliptic curve: P-256
Operation | Mode |
---|---|
Verify | EC-PWD |
EdDSA Capabilities
EdDSA (Edwards-curve Digital Signature Algorithm) curve: ed25519.
Operation | Mode |
---|---|
Sign | EdDSA |
LIMA Capabilities
Key size: 1024
Operation | Mode |
---|---|
Derive | ECDH |
Supported HASH Options
SHA (Secure Hash Algorithm, a family of cryptographic hash functions): SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512.
Key Wrapping Capabilities
The following table specifies:
- Types of keys that may be wrapped.
- Types of keys that may be used for wrapping.
The body of the table specifies attributes of the wrapping:
- Modes that are applicable when using symmetric keys.
- Padding when using the RSA key.
- The default padding used by RSA: OAEP, with the following hash options: SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512.
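The RSA side of key wrapping, OAEP with a selectable hash option, is illustrated by the following Go program. It is an added example written for this page, not Unbound's code, and it uses only Go's standard crypto/rsa: a constructed 2048-bit wrapping key pair (one of the RSA sizes listed above) wraps a random 256-bit symmetric key, and the unwrap succeeds only when the same hash option is used. The names HashOptions, MaxWrappable, WrapKeyOAEP and UnwrapKeyOAEP are this example's own; the SHA3 options from the list are left out because crypto/sha3 exists only in recent Go releases. The MaxWrappable helper shows a related point a practitioner hits in practice: the hash option also fixes how large a payload a given modulus can carry.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"hash"
)

// HashOptions maps hash option names, as listed in this specification, to Go
// constructors. SHA3 options are omitted (crypto/sha3 is not in older Go releases).
var HashOptions = map[string]func() hash.Hash{
	"SHA-1":   sha1.New,
	"SHA-256": sha256.New,
	"SHA-384": sha512.New384,
	"SHA-512": sha512.New,
}

// MaxWrappable returns the largest payload in bytes that RSA-OAEP with the given
// hash can carry under pub: k - 2*hLen - 2 (RFC 8017 section 7.1.1).
func MaxWrappable(pub *rsa.PublicKey, h func() hash.Hash) int {
	return pub.Size() - 2*h().Size() - 2
}

// WrapKeyOAEP wraps a symmetric key under pub with OAEP and the named hash option.
func WrapKeyOAEP(hashName string, pub *rsa.PublicKey, key []byte) ([]byte, error) {
	h, ok := HashOptions[hashName]
	if !ok {
		return nil, fmt.Errorf("unsupported OAEP hash option %q", hashName)
	}
	if limit := MaxWrappable(pub, h); len(key) > limit {
		return nil, fmt.Errorf("key of %d bytes exceeds OAEP limit of %d bytes", len(key), limit)
	}
	return rsa.EncryptOAEP(h(), rand.Reader, pub, key, nil)
}

// UnwrapKeyOAEP recovers the key; it fails unless hashName matches the one used to wrap,
// because the OAEP decoding checks a hash of the (empty) label computed with that hash.
func UnwrapKeyOAEP(hashName string, priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	h, ok := HashOptions[hashName]
	if !ok {
		return nil, fmt.Errorf("unsupported OAEP hash option %q", hashName)
	}
	return rsa.DecryptOAEP(h(), rand.Reader, priv, wrapped, nil)
}

// NewDemoKeyPair generates a constructed 2048-bit RSA wrapping key pair for the demo.
func NewDemoKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewRandomAESKey returns a fresh 256-bit symmetric key to use as the wrapped payload.
func NewRandomAESKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	priv, err := NewDemoKeyPair()
	if err != nil {
		panic(err)
	}
	aesKey, _ := NewRandomAESKey()
	wrapped, err := WrapKeyOAEP("SHA-256", &priv.PublicKey, aesKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped blob: %d bytes\n", len(wrapped)) // 256 for a 2048-bit modulus
	back, err := UnwrapKeyOAEP("SHA-256", priv, wrapped)
	fmt.Println("same hash option unwraps:", err == nil && bytes.Equal(back, aesKey))
	_, err = UnwrapKeyOAEP("SHA-1", priv, wrapped)
	fmt.Println("mismatched hash option fails:", err != nil)
}
```

Because the wrapped blob carries no record of the hash option, both sides of an integration must agree on it explicitly; a mismatch shows up only as a decryption failure at unwrap time.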
Supported Crypto Clients and Security Frameworks
Applications interact with the UKC solution in one of the following ways:
- UKC clients installed on application servers and used transparently via the following security software frameworks:
  - Java JCE (Java Cryptography Extension, a Java framework for implementing cryptography primitives): UKC Client-based JCA (Java Cryptography Architecture, a Java framework for implementing cryptography primitives) provider
  - Java JCE: UKC Clientless JCA provider (a system that uses the Unbound Java Security Provider without dependency on the UKC Client software)
  - PKCS #11
  - OpenSSL
  - Microsoft CNG
  - Java JCE
- KMIP (Key Management Interoperability Protocol, an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server) clients (1.1 and later). Refer to KMIP Conformance.
- Integration using the Unbound REST (Representational State Transfer, an architectural style that defines a set of constraints and properties based on HTTP; web services that conform to the REST architectural style, or RESTful web services, provide interoperability between computer systems on the Internet) API.
Supported External Keystores
UKC allows generating, storing, linking to, and using keys that are stored in the following external keystores.
Keystore | SDK name | Version | UKC Specification |
---|---|---|---|
AWS KMS | aws-java-sdk-kms | 1.11.682 | AWS KMS |
Azure Key Vault | azure-keyvault | 1.2.4 | Azure Key Vault |