PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 2.40

PROPOSAL: Disallow 0 as valid output length for all general-length MAC mechanisms and restore CK_MAC_GENERAL_PARAMS[_PTR] to currency

PART 1: All of the mechanisms listed here should be amended to disallow 0 as a valid output length, and instead require the range to begin with 1 byte at a minimum. Input length of 0 remains valid. CKM_AES_MAC_GENERAL (2.8.9) CKM_AES_CMAC_GENERAL (2.13.3) CKM_DES3_MAC_GENERAL (no section) CKM_DES3_CMAC_GENERAL (2.17.3) CKM_SHA_1_HMAC_GENERAL (2.18.3) CKM_SHA224_HMAC_GENERAL (2.19.3) CKM_SHA256_HMAC_GENERAL (2.20.3) CKM_SHA384_HMAC_GENERAL (2.21.3) CKM_SHA512_HMAC_GENERAL (2.22.3) CKM_SHA512_224_HMAC_GENERAL (2.23.3) CKM_SHA512_256_HMAC_GENERAL (2.24.3) CKM_SHA512_T_HMAC_GENERAL (2.25.3) CKM_CAMELLIA_MAC_GENERAL (2.35.7) CKM_ARIA_MAC_GENERAL (2.37.7) Amend the text to replace “0” with “1” in both the prose and the tables. Sample diffs to the mechanism descriptions follow at the bottom. Many of the descriptions are repetitive; each section listed above is to be amended in like manner.

PART 2 Section 2.7.8 “General block cipher mechanism parameters” found its way into the “Historical Mechanisms” part of PKCS#11 v2.40. It should be restored to “Current Mechanisms” as section 2.7.1 with the following updates:

2.7.8 2.7.1 General block cipher mechanism parameters

2.7.8.1 2.7.1.1 CK_MAC_GENERAL_PARAMS; CK_MAC_GENERAL_PARAMS_PTR CK_MAC_GENERAL_PARAMS provides the parameters to the general-length MACing mec hanisms of the DES, DES3 (triple-DES), CAST, CAST3, CAST128 (CAST5), IDEA, CDMF an d AES, Camellia, SEED, and ARIA ciphers. It also provides the parameters to the general-lengt h HMACing mechanisms (i.e., MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512, RIPEMD-1 28 and RIPEMD-160 and SHA-512/T family) and the two SSL 3.0 MACing mechanisms, (i.e., MD5 and SHA-1). It holds the length of the MAC that these mechanisms produce. It is defined as follows: typedef CK_ULONG CK_MAC_GENERAL_PARAMS;

CK_MAC_GENERAL_PARAMS_PTR is a pointer to a CK_MAC_GENERAL_PARAMS. SAMPLE AMENDMENTS TO GENERAL LENGTH MAC DESCRIPTIONS:

2.8.9 General-length AES-MAC General-length AES-MAC, denoted CKM_AES_MAC_GENERAL, is a mechanism for single- and multiple-part signatures and verification, based on NIST Advanced Encryption Standard as d efined in FIPS PUB 197 and data authentication as defined in FIPS PUB 113. It has a parameter, a CK_MAC_GENERAL_PARAMS structure, which specifies the output le ngth desired from the mechanism. The output bytes from this mechanism are taken from the start of the final AES cipher block pro duced in the MACing process. Constraints on key types and the length of data are summarized in the following table: Table 53, General-length AES-MAC: Key And Data Length

Function Key type Data length Signature length

C_Sign AES any 0-block size 1-block size, as specified in parameters

C_Verify AES any 0-block size 1-block size, as specified in parameters For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_IN FO structure specify the supported range of AES key sizes, in bytes.

2.13.3 General-length AES-CMAC General-length AES-CMAC, denoted CKM_AES_CMAC_GENERAL, is a mechanism for sin gle- and multiple-part signatures and verification, based on [NIST SP800-38B] and [RFC 4493]. It has a parameter, a CK_MAC_GENERAL_PARAMS structure, which specifies the output le ngth desired from the mechanism. The output bytes from this mechanism are taken from the start of the final AES cipher block pro duced in the MACing process. Constraints on key types and the length of data are summarized in the following table: Table 63, General-length AES-CMAC: Key And Data Length

Function Key type Data length Signature length

C_Sign CKK_AES any 0-block size 1-block size, as specified in parameters

C_Verify CKK_AES any 0-block size 1-block size, as specified in parameters References [NIST SP800-38B] and [RFC 4493] recommend that the output MAC is not truncate d to less than 64 bits. The MAC length must be specified before the communication starts, and m ust not be changed during the lifetime of the key. It is the caller’s responsibility to follow these r ules. For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_IN FO structure specify the supported range of AES key sizes, in bytes.

2.17.3 General-length DES3-MAC General-length DES3-CMAC, denoted CKM_DES3_CMAC_GENERAL, is a mechanism for s ingle- and multiple-part signatures and verification with DES3 or DES2 keys, based on [NIST sp 800-38b]. It has a parameter, a CK_MAC_GENERAL_PARAMS structure, which specifies the output le ngth desired from the mechanism. The output bytes from this mechanism are taken from the start of the final DES3 cipher block pr oduced in the MACing process. Constraints on key types and the length of data are summarized in the following table: Table 75, General-length DES3-CMAC: Key And Data Length

Function Key type Data length Signature length

C_Sign CKK_DES3 any 0-block size 1-block size, as specified in CKK_DES2 parameters

C_Verify CKK_DES3 any 0-block size 1-block size, as specified in CKK_DES2 parameters Reference [NIST sp800-38b] recommends that the output MAC is not truncated to less than 64 b its (which means using the entire block for DES). The MAC length must be specified before the communication starts, and must not be changed during the lifetime of the key. It is the caller’s re sponsibility to follow these rules. For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_IN FO structure are not used

2.18.3 General-length SHA-1-HMAC The general-length SHA-1-HMAC mechanism, denoted CKM_SHA_1_HMAC_GENERAL, is a mechanism for signatures and verification. It uses the HMAC construction, based on the SHA-1 hash function. The keys it uses are generic secret keys and CKK_SHA_1_HMAC. It has a parameter, a CK_MAC_GENERAL_PARAMS, which holds the length in bytes of the desired output. This length should be in the range 0-20 1-20 (the output size of SHA-1 is 20 bytes). Signatures (MACs) produced by this mechanism will be taken from the start of the full 20-byte HMAC output. Table 1, General-length SHA-1-HMAC: Key And Data Length Function Key type Data length Signature length C_Sign generic secret any 0-20 1-20 , depending on parameters C_Verify generic secret any 0-20 1-20, depending on parameters

2.19.3 General-length SHA-224-HMAC The general-length SHA-224-HMAC mechanism, denoted CKM_SHA224_HMAC_GENERAL, is the same as the general-length SHA-1-HMAC mechanism except that it uses the HMAC construction based on the SHA-224 hash function and length of the output should be in the range 0-28. The keys it uses are generic secret keys and CKK_SHA224_HMAC. FIPS-198 compliant tokens may require the key length to be at least 14 bytes; that is, half the size of the SHA-224 hash output. It has a parameter, a CK_MAC_GENERAL_PARAMS, which holds the length in bytes of the desired output. This length should be in the range 0-28 1-28 (the output size of SHA-224 is 28 bytes). FIPS-198 compliant tokens may constrain the output length to be at least 4 or 14 (half the maximum length). Signatures (MACs) produced by this mechanism will be taken from the start of the full 28-byte HMAC output. Table 2, General-length SHA-224-HMAC: Key And Data Length Function Key type Data length Signature length C_Sign generic secret Any 0-28 1-28, depending on parameters C_Verify generic secret Any 0-28 1-28, depending on parameters