Introduction

Technical Specifications

FIPS 140-2 Certified Cryptography

In FIPS mode of crypto operation, the UKC (Unbound Key Control) crypto capabilities are those specified in FIPS 140-2 Certificate #3378 and FIPS 140-2 Certificate #3453.

Unbound Standard Cryptography

In addition to the FIPS 140-2 certified mode of operation, UKC provides a constantly evolving non-FIPS mode of crypto operation (a mode that has not yet received FIPS certification) that covers a wider set of keys and algorithms.

AES Capabilities

Key sizes (bits): 128, 192, 256.

Operation     Mode                                               MAC mode      Allowed hash types
Encrypt       ECB, CBC, CFB, OFB, CTR, GCM, CCM, NISTWRAP (1)
Decrypt       ECB, CBC, CFB, OFB, CTR, GCM, CCM, NISTWRAP (1)
Wrap          Refer to Key Wrapping Capabilities
Unwrap        Refer to Key Wrapping Capabilities
Mac                                                              CMAC, GMAC
Mac verify                                                       CMAC, GMAC
Derive        Hash                                                             Supported HASH Options
Derive        Concatenate
Derive        NIST-CMAC-CTR
  1. NISTWRAP, the AES Key Wrap (KW) specified by NIST Special Publication 800-38F (NIST.SP.800-38F), is also indicated as AES-KW.

AES-XTS Capabilities

Key sizes (bits): 256, 512. These are double keys: XTS uses two AES keys of equal length, so 256 means two 128-bit keys and 512 means two 256-bit keys.

Operation     Mode            Allowed hash types
Encrypt       XTS
Decrypt       XTS
Derive        Hash            Supported HASH Options
Derive        Concatenate

AES-SIV Capabilities

Key sizes (bits): 256, 512. These are double keys: SIV uses two AES keys of equal length, so 256 means two 128-bit keys and 512 means two 256-bit keys.

Operation     Mode                                    Allowed hash types
Wrap          Refer to Key Wrapping Capabilities
Unwrap        Refer to Key Wrapping Capabilities
Derive        Hash                                    Supported HASH Options
Derive        Concatenate

3DES Capabilities

Key size (bits): 168 (also known as 192 when the parity bits are counted).

Operation     Mode                                    Allowed hash types
Encrypt       ECB, CBC, CFB, OFB
Decrypt       ECB, CBC, CFB, OFB
Wrap          Refer to Key Wrapping Capabilities
Unwrap        Refer to Key Wrapping Capabilities
Mac           CMAC
Mac verify    CMAC
Derive        Hash                                    Supported HASH Options
Derive        Concatenate

HMAC Capabilities

Key size (bits): from 8 to 2048, in increments of 8.

Operation     Mode            Allowed hash types
Mac           HMAC            SHA-1, SHA-256, SHA-384, SHA-512
Mac verify    HMAC            SHA-1, SHA-256, SHA-384, SHA-512
Derive        Hash            SHA-1, SHA-256, SHA-384, SHA-512
Derive        Concatenate
Derive        SLIP-10
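The HMAC operations in the table above, as an added example that is not UKC's own code or API: it shows, with Python's standard library, what the Mac, Mac verify and Derive (SLIP-10) rows compute. The key-size check follows the range stated above; the SLIP-10 part implements the ed25519 branch of SLIP-0010, which supports hardened derivation only and therefore needs nothing beyond HMAC-SHA512. The function names, the sample key, message and seed are constructed for this example.

```python
import hashlib
import hmac
import struct
from typing import Callable, Dict, List, Tuple

# HMAC key-size constraint from the table: 8 to 2048 bits, in increments of 8.
HMAC_MIN_BITS = 8
HMAC_MAX_BITS = 2048

# Hash types the table allows for the Mac / Mac verify operations.
HMAC_HASHES: Dict[str, Callable] = {
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-384": hashlib.sha384,
    "SHA-512": hashlib.sha512,
}

# SLIP-0010 constants for the ed25519 curve.
SLIP10_ED25519_SEED_KEY = b"ed25519 seed"
HARDENED_OFFSET = 0x80000000


def check_hmac_key(key: bytes) -> int:
    """Enforce the table's key-size range; returns the size in bits."""
    bits = len(key) * 8  # a byte string is always a multiple of 8 bits
    if not HMAC_MIN_BITS <= bits <= HMAC_MAX_BITS:
        raise ValueError(f"HMAC key size {bits} bits outside {HMAC_MIN_BITS}..{HMAC_MAX_BITS}")
    return bits


def mac(key: bytes, hash_name: str, data: bytes) -> bytes:
    """Mac operation: HMAC over data with one of the allowed hash types."""
    check_hmac_key(key)
    if hash_name not in HMAC_HASHES:
        raise ValueError(f"hash {hash_name} is not allowed for HMAC")
    return hmac.new(key, data, HMAC_HASHES[hash_name]).digest()


def mac_verify(key: bytes, hash_name: str, data: bytes, tag: bytes) -> bool:
    """Mac verify operation: recompute the tag and compare in constant time,
    so a forged tag cannot be found byte by byte through timing differences."""
    return hmac.compare_digest(mac(key, hash_name, data), tag)


def slip10_ed25519_master(seed: bytes) -> Tuple[bytes, bytes]:
    """SLIP-10 master node for ed25519:
    I = HMAC-SHA512(key="ed25519 seed", data=seed); key = I[:32], chain code = I[32:]."""
    i = hmac.new(SLIP10_ED25519_SEED_KEY, seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def slip10_ed25519_child(k_par: bytes, c_par: bytes, index: int) -> Tuple[bytes, bytes]:
    """SLIP-10 hardened child for ed25519:
    I = HMAC-SHA512(key=c_par, data=0x00 || k_par || ser32(index)).
    SLIP-10 defines no non-hardened derivation for ed25519, so index < 2^31 is rejected."""
    if not 0 <= index < 2**32:
        raise ValueError("index must fit in 32 bits")
    if index < HARDENED_OFFSET:
        raise ValueError("SLIP-10 ed25519 supports hardened derivation only")
    data = b"\x00" + k_par + struct.pack(">I", index)
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    return i[:32], i[32:]


def slip10_ed25519_path(seed: bytes, path: List[int]) -> Tuple[bytes, bytes]:
    """Derive along a list of hardened indices, e.g. m/0H/1H = [0 | H, 1 | H]."""
    k, c = slip10_ed25519_master(seed)
    for index in path:
        k, c = slip10_ed25519_child(k, c, index)
    return k, c


if __name__ == "__main__":
    # Constructed sample input, not data from the page.
    key = bytes(range(32))  # 256-bit HMAC key
    msg = b"constructed sample message"
    tag = mac(key, "SHA-256", msg)
    print("verify ok:", mac_verify(key, "SHA-256", msg, tag))
    print("verify tampered:", mac_verify(key, "SHA-256", msg + b"x", tag))
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed seed
    k, c = slip10_ed25519_path(seed, [HARDENED_OFFSET | 0, HARDENED_OFFSET | 1])
    print("m/0H/1H private key:", k.hex())
```

The verify path deliberately goes through `hmac.compare_digest` rather than `==`; with a plain comparison the time to reject a tag depends on how many leading bytes match, which is the kind of side channel a key-management service must not expose.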

RSA Capabilities

Key size (bits): 2048, 3072, 4096.

Operation                      Padding     Allowed hash types        Notes
Sign                           PKCS#1                                1
                               PSS                                   2
Decrypt                        PKCS#1
                               OAEP        Supported HASH Options    3
                               RAW                                   4
Wrap (using the public key)    PKCS#1                                5
                               OAEP        Supported HASH Options    3, 5
Unwrap                         PKCS#1
                               OAEP        Supported HASH Options
  1. PKCS#1 is an abbreviation of RSA-PKCS#1 v1.5.
  2. PSS is an abbreviation of RSASSA-PSS (probabilistic signature scheme with appendix).
  3. The default padding for wrapping: OAEP.
  4. RAW denotes CKM_RSA_X_509 padding, that is, a textbook RSA operation with no padding applied by UKC. The result is deterministic and malleable, so RAW is appropriate only when the caller applies its own padding scheme before the call.
  5. Refer to Key Wrapping Capabilities.

ECC (ECDSA) Capabilities

Elliptic curves: P-256, P-384, P-521, secp256k1.

Supported signature schemes: ECDSA and Schnorr.

Operation     Mode
Sign          ECDSA
Derive        SLIP-10
Derive        ECDSA-to-EdDSA
  1. P-256 is also known as SECG's secp256r1 and ANSI X9.62's prime256v1.
  2. P-384 is also known as SECG's secp384r1.
     For other synonyms of elliptic curve names, refer to RFC 4492 Appendix A (Equivalent Curves).

ECC (ECDH) Capabilities

Elliptic curves: P-256, P-384, P-521.

Operation     Mode
Derive        ECDH (Elliptic Curve Diffie-Hellman key agreement: a shared secret derived from EC keys)
Decrypt       ECIES (Elliptic Curve Integrated Encryption Scheme)

EC-PRF Capabilities

Elliptic curve: P-256

Operation Mode
Derive EC-PRF

EC-PWD Capabilities

Elliptic curve: P-256

Operation Mode
Verify EC-PWD

EdDSA Capabilities

EdDSA curve: ed25519.

Operation     Mode
Sign          EdDSA

LIMA Capabilities

Key size: 1024

Operation Mode
Derive        ECDH

Supported HASH Options

SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512.

Key Wrapping Capabilities

The following table specifies:

  • the types of keys that may be wrapped (rows), and
  • the types of keys that may be used for wrapping (columns).

The body of the table specifies the attributes of the wrapping:

  • the modes that apply when the wrapping key is symmetric (AES, 3DES, DES), and
  • the padding that applies when the wrapping key is RSA.

A dash means the combination is not listed. Of the symmetric modes, only AES-KW, GCM and CCM authenticate the wrapped key; ECB, CBC, CFB, OFB and CTR do not, so a modified wrapped blob is detected only by whatever the unwrapping side checks. Prefer AES-KW or an AEAD mode where the consumer allows it.

                    Wrapping key
Key to be wrapped   AES (modes)                                 3DES (modes)          DES (modes)           RSA (padding)
AES                 ECB, CBC, OFB, CFB, CTR, GCM, CCM, AES-KW   ECB, CBC, OFB, CFB    ECB, CBC, OFB, CFB    PKCS#1, OAEP
3DES                OFB, CFB, CTR, GCM, CCM, AES-KW             ECB, CBC, OFB, CFB    ECB, CBC, OFB, CFB    PKCS#1, OAEP
DES                 OFB, CFB, CTR, GCM, CCM, AES-KW             ECB, CBC, OFB, CFB    ECB, CBC, OFB, CFB    PKCS#1, OAEP
XTS                 ECB, CBC, OFB, CFB, CTR, GCM, CCM, AES-KW   ECB, CBC, OFB, CFB    ECB, CBC, OFB, CFB    PKCS#1, OAEP
SIV                 ECB, CBC, OFB, CFB, CTR, GCM, CCM, AES-KW   ECB, CBC, OFB, CFB    ECB, CBC, OFB, CFB    PKCS#1, OAEP
HMAC                ECB, CBC, OFB, CFB, CTR, GCM, CCM, AES-KW   OFB, CFB              OFB, CFB              PKCS#1, OAEP
RSA                 OFB, CFB, CTR, GCM, CCM, AES-KW             OFB, CFB              OFB, CFB              -
EC                  OFB, CFB, CTR, GCM, CCM, AES-KW             OFB, CFB              OFB, CFB              -
EdDSA               ECB, CBC, OFB, CFB, CTR, GCM, CCM, AES-KW   ECB, CBC, OFB, CFB    ECB, CBC, OFB, CFB    -
  1. The default padding used by RSA: OAEP with the following hash options: SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512.

Supported Crypto Clients and Security Frameworks

Applications interact with the UKC solution in one of the following ways:

Supported External Keystores

UKC allows generating, storing, linking to, and using keys that are stored in the following external keystores.

Keystore            SDK name            Version     UKC specification
AWS KMS             aws-java-sdk-kms    1.11.682    AWS KMS
Azure Key Vault     azure-keyvault      1.2.4       Azure Key Vault