Cryptographic algorithms
The Cosmian server supports a large, and growing, list of cryptographic algorithms. This page lists the supported algorithms, their details and their reference in various standards. FIPS compliant algorithms are also listed with the corresponding NIST standard.
Keys and certificates for all the listed algorithms can be generated, imported, exported, wrapped, unwrapped… using the Cosmian KMS server API or command line interface tool.
Should you require a specific algorithm or standard to be supported, please directly open a ticket or pull request on the GitHub repository.
Key-wrapping schemes
The Cosmian server supports key-wrapping via the Import (unwrapping) and Export (wrapping) KMIP operations.
The (un)wrapping key identifier may be that of a key or a certificate. In the latter case, the public key (or the associated private key for unwrapping, if any) will be retrieved and used.
The supported key-wrapping algorithms are:
| Algorithm | Wrap Key Type | FIPS mode | Description |
|---|---|---|---|
| AES-KWP | Symmetric key wrapping | NIST SP 800-38F | Symmetric key-wrapping with padding as defined in RFC5649. |
| CKM_RSA_PKCS | RSA PKCS#1 v1.5 | Not anymore | RSA with PKCS#1 v1.5 padding; removed by NIST from the approved algorithms for key wrapping in FIPS 140-3. |
| CKM_RSA_PKCS_OAEP | RSA key wrapping | NIST 800-56B rev. 2 | RSA OAEP with NIST approved hashing functions for RSA key size 2048, 3072 or 4096 bits. |
| CKM_RSA_AES_KEY_WRAP | RSA-AES hybrid key wrapping | NIST SP 800-38F | RSA OAEP with NIST approved hashing functions and AES-KWP for RSA key size 2048, 3072 or 4096 bits. |
| Salsa Sealed Box | X25519, Ed25519 and Salsa20 Poly1305 | No | ECIES compatible with libsodium Sealed Boxes. |
| ECIES | P-192, P-224, P-256, P-384, P-521 | No | ECIES with a NIST curve and using SHAKE 128 and AES 128 GCM (P-192, P-224, P-256), AES 256 GCM otherwise. |
Encryption schemes
Encryption is supported via the Encrypt and Decrypt KMIP operations.
For bulk operations (i.e. encrypting/decrypting multiple data with the same key), please refer to KMIP Messages that allow combining multiple operations in a single request.
Encryption can be performed using a key or a certificate. Decryption can be performed using a key.
The supported encryption algorithms are:
| Algorithm | Encryption Key Type | FIPS mode | Description |
|---|---|---|---|
| Covercrypt | Covercrypt | No | A fast post-quantum attribute based scheme: Covercrypt. |
| AES-128-GCM, AES-256-GCM | Symmetric authenticated encryption with additional data | NIST FIPS 197 | The NIST standardized symmetric encryption in FIPS 197. |
| ChaCha20-Poly1305 | Symmetric authenticated encryption with additional data | No | A popular symmetric encryption algorithm standardised in RFC8439. |
| CKM_RSA_PKCS | RSA PKCS#1 v1.5 | Not anymore | RSA with PKCS#1 v1.5 padding; removed by NIST from the approved algorithms for encryption in FIPS 140-3. |
| CKM_RSA_PKCS_OAEP | RSA encryption with OAEP padding | NIST 800-56B rev. 2 | RSA OAEP with NIST approved hashing functions for RSA key size 2048, 3072 or 4096 bits. |
| Salsa Sealed Box | X25519, Ed25519 and Salsa20 Poly1305 | No | ECIES compatible with libsodium Sealed Boxes. |
| ECIES | P-192, P-224, P-256, P-384, P-521 | No | ECIES with a NIST curve and using SHAKE 128 and AES-128-GCM. |
Algorithms Details
Covercrypt
Covercrypt is a new post-quantum cryptographic algorithm, being standardized at ETSI, that allows creating ciphertexts for a set of attributes and issuing user keys with access policies over these attributes. User keys are traceable with a unique fingerprint.
AES GCM
AES is described in NIST FIPS 197. In Cosmian KMS it is used as a data encryption mechanism (DEM) with the Galois Counter Mode of operation (GCM), with a 96-bit nonce, a 128-bit tag and key sizes of 128 or 256 bits.
ChaCha20-Poly1305
ChaCha20-Poly1305 is a symmetric authenticated encryption algorithm that is described in RFC8439. The algorithm is not standardized by NIST but is a popular secure alternative to AES-GCM and is used in the same way, in particular by Google.
AES-KWP
Symmetrically wraps keys using RFC5649, which is also standardized as PKCS#11 CKM_AES_KEY_WRAP_PAD and described in NIST SP 800-38F.
CKM_RSA_PKCS
A.k.a. PKCS #1 v1.5 RSA as specified in PKCS#11 v2.40.
The algorithm is not recommended by NIST for encryption or key wrapping in FIPS 140-3. It is still supported for signature operations.
The maximum plaintext length is k-11 where k is the length in octets of the RSA modulus.
The output length is the same as the modulus length.
CKM_RSA_PKCS_OAEP
A.k.a. PKCS #1 RSA OAEP as specified in PKCS#11 v2.40. This scheme is part of the NIST 800-56B rev. 2 recommendation available at section 7.2.2.
The maximum plaintext length is k-2-2*hLen where
 k is the length in octets of the RSA modulus
 hLen is the length in octets of the hash function output
The output length is the same as the modulus length.
The default hash function is SHA-256 but any NIST approved hash functions can be used for the OAEP scheme as listed in
 NIST FIPS 180-4: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
 NIST FIPS 202: SHA3-224, SHA3-256, SHA3-384, SHA3-512
Set the corresponding name of the hash function in the Cryptographic Parameters when performing a KMIP operation.
To request this algorithm using the KMIP Encrypt/Decrypt operation, or key-wrapping as part of the Import/Export operations, specify the id/tags of an RSA key and set the Cryptographic Algorithm to RSA.
CKM_RSA_AES_KEY_WRAP
A PKCS#11 key wrapping mechanism that is supported by most HSMs.
The scheme asymmetrically wraps keys as described here and allows wrapping keys of any size using a hybrid RSA/AES scheme.
Since old similar wrapping methods based on RSA used naive RSA encryption and could present some flaws, it aims at a generally more secure method to wrap keys:
 Receive data formed by concatenating c and wk, respectively the encrypted kek and the wrapped key. First decrypt the key-encryption-key kek using RSA-OAEP, then proceed to unwrap the key by decrypting m = dec(wk, kek) using AES-KWP as specified in RFC5649.
The algorithm can be used with any NIST approved hash function described above; set the corresponding value in the Cryptographic Parameters when performing a KMIP operation.
To request this algorithm using key-wrapping as part of the Import/Export operations, specify the id of an RSA key as the key wrapping key and set the Cryptographic Algorithm to AES.
This algorithm is compatible with the one used in Google KMS.
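The layout described above can be checked before any private-key operation is attempted. The following is an added example, not Cosmian code: the function names are hypothetical, it assumes c occupies exactly one RSA modulus length (the OAEP output length stated earlier) and that wk follows RFC 5649 sizing, and it performs no decryption.

```python
import hashlib

def oaep_max_plaintext(modulus_bits: int, hash_name: str = "sha256") -> int:
    """Largest payload RSA-OAEP can carry: k - 2 - 2*hLen octets."""
    k = modulus_bits // 8
    h_len = hashlib.new(hash_name).digest_size
    return k - 2 - 2 * h_len

def split_wrapped_blob(blob: bytes, modulus_bits: int) -> tuple:
    """Split a CKM_RSA_AES_KEY_WRAP blob into (c, wk) and validate both lengths."""
    if modulus_bits not in (2048, 3072, 4096):
        raise ValueError("RSA key size must be 2048, 3072 or 4096 bits")
    k = modulus_bits // 8
    c, wk = blob[:k], blob[k:]
    if len(c) != k:
        raise ValueError("blob is shorter than one RSA block")
    # AES-KWP (RFC 5649) output is a whole number of 64-bit blocks, at least two.
    if len(wk) < 16 or len(wk) % 8 != 0:
        raise ValueError("wk does not have a valid AES-KWP ciphertext length")
    return c, wk

def wrapped_key_length_range(wk: bytes) -> tuple:
    """Key lengths consistent with wk: 8 octets of integrity data, 0 to 7 of padding."""
    return len(wk) - 15, len(wk) - 8

if __name__ == "__main__":
    # Constructed sample: a 2048-bit RSA block followed by 40 octets of AES-KWP output.
    sample = bytes(256) + bytes(40)
    c, wk = split_wrapped_blob(sample, 2048)
    print(len(c), len(wk), wrapped_key_length_range(wk))
    # A 256-bit kek fits under OAEP even with the largest approved hash.
    print(oaep_max_plaintext(2048, "sha512"))
```

Rejecting a blob whose lengths are inconsistent avoids handing malformed input to the RSA private key at all.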
RSA OAEP AES 128 GCM
CKM_RSA_AES_KEY_WRAP can only be used for key wrapping and not for encryption. This scheme adds authentication by using AES 128 in Galois Counter Mode (GCM). Combined with RSA OAEP to encapsulate the AES key, this scheme is compatible with NIST SP 800-38F.
To request this algorithm using the KMIP Encrypt/Decrypt operation, specify the id/tags of an RSA key and set the Cryptographic Algorithm to AES.
Salsa sealed box
An ECIES scheme that uses X25519 and XSalsa20-Poly1305 and is compatible with libsodium Sealed Boxes.
An Ed25519 key can be used; it will be automatically converted to X25519 first.
ECIES with NIST Curves
Although there is no specific FIPS standard for hybrid encryption, the ECIES encryption scheme is based on FIPS compliant cryptographic primitives only and uses the same algorithm as the Salsa Sealed Boxes. It supports the entire family of NIST P curves, with the exception of P-192 in FIPS mode, and uses AES-128-GCM and SHAKE128 for curves with security strength s ≤ 128 bits (P-192, P-224, P-256), and AES-256-GCM and SHAKE256 for curves with security strength s > 128 bits (P-384, P-521).
Signature
Signature is only supported via the Certify operation, which is used to create a certificate either by signing a certificate request, or building it from an existing public key.
| Algorithm | Signature Key Type | FIPS mode | Description |
|---|---|---|---|
| ECDSA | P-192, P-224, P-256, P-384, P-521, X25519, X448 | Restricted to curves P-224, P-256, P-384 and P-521. | See FIPS-186.5 and NIST.SP.800-186, Section 3.1.2 table 2. |
| EdDSA | Ed25519, Ed448 | Yes | See FIPS-186.5. |
 ECDSA performs digital signatures on elliptic curves P-192, P-224, P-256, P-384, P-521, X25519 and X448.
 EdDSA performs digital signatures on Edwards curves Ed25519 and Ed448.
Password-based key derivation
The randomness of cryptographic keys is essential for the security of cryptographic applications. Sometimes, passwords may be the only input required from the users who are eligible to access the data. Due to the low entropy and possibly poor randomness of those passwords, they are not suitable to be used directly as cryptographic keys. The KMS addresses this problem by providing methods to derive a secure cryptographic key from a password.
In normal mode, passwords are derived using the Argon2 hash algorithm with a random 128-bit salt. Argon2 has the property of being computationally intensive, making it significantly harder to crack by brute force only.
In FIPS mode, passwords are derived using FIPS compliant PBKDF2_HMAC with SHA512 and the 210,000 iterations recommended by OWASP, which follows FIPS recommendations as well. An additional random 128-bit salt is used.
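The FIPS-mode derivation described above, reproduced with the Python standard library as an added example (not Cosmian code). The hash, iteration count and salt size come from this page; the 32-byte output length, the function names and the idea of keeping the salt next to the protected data are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ITERATIONS = 210_000   # OWASP figure quoted on this page
SALT_LEN = 16          # 128-bit random salt
KEY_LEN = 32           # assumption: derive a 256-bit key

def derive_key(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, key). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 128 bits")
    key = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return salt, key

def password_matches(password: str, salt: bytes, expected_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = derive_key(password, salt)
    return hmac.compare_digest(key, expected_key)

if __name__ == "__main__":
    # Constructed sample password.
    salt, key = derive_key("correct horse battery staple")
    print(len(salt), len(key))
    print(password_matches("correct horse battery staple", salt, key))
    print(password_matches("Correct horse battery staple", salt, key))
    # The same password under a new salt yields an unrelated key.
    print(derive_key("correct horse battery staple")[1] != key)
```

The salt is not secret but must be kept, since the key cannot be re-derived without it.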
References

NIST.FIPS.140-3, Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program, August 1, 2023
 General information and pointers to other NIST documents concerning the FIPS standard.

NIST.SP.800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters, February 2023
 Recommended curves for specific usage (ECDH, ECDSA, EdDSA, …) and associated security strength. Describes each curve's parameters in detail.

NIST.SP.800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, December 2012
 Description of symmetric key wrapping using AES-KW and AES-KWP. Approving RFC 5649.

NIST.FIPS.800-132, Recommendation for Password-Based Key Derivation, December 2010
 Description of low-entropy data derivation into secure master key.

NIST.SP.800-56Cr2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes, August 2020
 Description of high-entropy data derivation into secure master key.

NIST.SP.800-131Ar2, Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019
 Key length specification for different domain parameters, algorithms and cryptographic schemes.

NIST.SP.800-56Ar3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, April 2018
 General information on discrete logarithm parameters.

NIST.SP.800-56Br2, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography, March 2019
 Information regarding RSA primitive specifications: key length, encryption, decryption and padding to use.

NIST.FIPS.180-4, Secure Hash Standard (SHS), August 2015
 Specification regarding SHA family of hash functions.

NIST.FIPS.202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015
 Specification for SHA3.

NIST.FIPS.186-5, Digital Signature Standard (DSS), February 3, 2023
 Information on ECDSA, EdDSA and key generation.

NIST.FIPS.800-135r1, Recommendation for Existing Application-Specific Key Derivation Functions, December 2011

OpenSSL FIPS 140-2 Security Policy, 26 January 2023
 OpenSSL official documentation