Technical Specifications

UKCUnbound Key Control - The name of Unbound's key management product. servers provide two independent and concurrently operating cryptography engines:

• FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors 140-2 certified engine.
• Default cryptography engine.

FIPS 140-2 Certified Cryptography

FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors certificates FIPS 140-2 Certificate #3378 and FIPS 140-2 Certificate #3453 summarize UKCUnbound Key Control - The name of Unbound's key management product. crypto certificates by crypto type. The relevant certificates are listed in the corresponding line.

To obtain a specific certificate:

1. Open FIPS 140-2 Certificate #3378 or FIPS 140-2 Certificate #3453.
2. Find the required crypto element
3. To open its certificates, click the #<cert number> link.For example,

For example, to examine ECDSAElliptic Curve Digital Signature Algorithm - A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.-related certificates, in the ECDSAElliptic Curve Digital Signature Algorithm - A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. row,

1. To list the certified functions and elliptic curves, click the #1447 and #1448 tags.
   
2. Compare the list with the one supported by the default crypto engine. Refer to Default Cryptography Key Types.

Default Cryptography Key Types

In addition to the FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors 140-2 certified cryptography engine, UKCUnbound Key Control - The name of Unbound's key management product. servers contain a constantly evolving MPCMultiparty computation - A methodology for parties to jointly compute a function of their inputs while keeping those inputs private. crypto engine that provides the following functionality.

Asymmetric

• RSA
  • Key Sizes: 2048, 3072, 4096.
  • Padding: RAWCKM_RSA_X_509 padding mechanism, PKCS1, PSS, OAEP Optimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys..
  • Hash: SHASecure Hash Algorithm - a family of cryptographic hash functions-1, SHASecure Hash Algorithm - a family of cryptographic hash functions-256, SHASecure Hash Algorithm - a family of cryptographic hash functions-384, SHASecure Hash Algorithm - a family of cryptographic hash functions-512
• ECCElliptic-curve cryptography - an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields
  • ECDHDiffie–Hellman (ECDH) is a key agreement protocol used to establish shared secret by deriving it from EC keys.. Curves: P-256, P-384, P-521.
  • ECDSAElliptic Curve Digital Signature Algorithm - A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.. Curves: P-256, P-384, P-521, SECP256K1.
  • DSA supported by secp256k1:
    • ECDSAElliptic Curve Digital Signature Algorithm - A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.
    • Schnorr
  • EdDSAEdwards-curve Digital Signature Algorithm using the ed25519 curve.
  • ECPRF using the P-256 curve.
  • ECPWD using the P-256 curve.

  NISTNational Institute of Standards and Technology P-256 is also known as SECG' secp256r1 and ANSI' prime256v1.
  NISTNational Institute of Standards and Technology P-384 is also known as SECG' secp384r1.
  Refer to RFC 4492 Appendix A - Equivalent Curves.

• PQCPost Quantum Cryptography - Cryptographic algorithms that are thought to be secure against an attack by a quantum computer.
  • LIMA. Key size: 1024.

Symmetric

• AES
  • Modes: ECB, CBC, OFB, CFB, CTR, CCM, GCM, NISTNational Institute of Standards and Technology_WRAP, CMAC, GMAC
    Key sizes: 128, 192, 256.
  • Double Key Modes: XTS, SIV.
    Key sizes: 256, 512.
• 3DES
  • Modes: ECB, CBC, OFB, CFB, CTR
    Key sizes: 112, 168.

HASH

• SHASecure Hash Algorithm - a family of cryptographic hash functions

  SHASecure Hash Algorithm - a family of cryptographic hash functions Types: SHASecure Hash Algorithm - a family of cryptographic hash functions-1, SHASecure Hash Algorithm - a family of cryptographic hash functions-256, SHASecure Hash Algorithm - a family of cryptographic hash functions-384, SHASecure Hash Algorithm - a family of cryptographic hash functions-512

Message Authentication

• HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.
  Key sizes: from 8 to 2048 in increments of 8.

To use the AES and HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key. keys by the UKCUnbound Key Control - The name of Unbound's key management product. software, equip the UKCUnbound Key Control - The name of Unbound's key management product. cluster with an Auxiliary server.
However, if these keys are specified as exportable and UKCUnbound Key Control - The name of Unbound's key management product. only stores them, an Auxiliary server is not required.

Supported Crypto Clients and Security Frameworks

Applications interact with the UKCUnbound Key Control - The name of Unbound's key management product. solution in one of the following ways:

• UKCUnbound Key Control - The name of Unbound's key management product. clients installed on application servers and used transparently via the following security software frameworks:

  • Java JCEJava Cryptography Extension - Java frameworks for implementing cryptography primitives. framework
  • PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications. #11
  • OpenSSL
  • Microsoft CNG

• Integration using the Unbound RESTRepresentational State Transfer (REST) - an architectural style that defines a set of constraints and properties based on HTTP. Web Services that conform to the REST architectural style, or RESTful web services, provide interoperability between computer systems on the Internet. API

• KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server clients (1.1 and later). The following KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server encodings and transport layers are supported:

  • TTLV over TLS - KMIP Profiles v1.3
  • TTLV over HTTPS - KMIP Profiles v1.3
  • JSON over HTTPS - KMIP Profiles v1.3

  For the list of the supported KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server Server attributes and operations, refer to the UKC Developer's Guide - Supported KMIP Entities.

Supported External Keystores

UKCUnbound Key Control - The name of Unbound's key management product. allows generation, storing, linking to, and use of keys that are stored in the following external keystores.

Keystore	SDK name	Version	UKC Specification
AWS KMSKey Management System	aws-java-sdk-kms	1.11.682	AWS KMS
Azure Key Vault	azure-keyvault	1.2.4	Azure Key Vault