Supported algorithms
The Cosmian server supports a growing list of cryptographic algorithms.
Key-wrapping
The Cosmian server supports key-wrapping via the Import (unwrapping) and Export (wrapping) KMIP operations.
The (un)wrapping key identifier may be that of a key or a certificate.
In the latter case, the public key (or the associated private key for unwrapping, if any) will be retrieved and used.
The supported key-wrapping algorithms are:
Algorithm | Wrap Key Type | Description |
---|---|---|
AES-KWP | Symmetric key wrapping | Symmetric key-wrapping with padding as defined in RFC3394. |
CKM_RSA_AES_KEY_WRAP | Hybrid key wrapping | RSA OAEP with SHA256 with AES-KWP for RSA key size 2048, 3072 or 4096 bits. |
Salsa Sealed Box | X25519, Ed25519 | ECIES compatible with libsodium Sealed Box. |
ECIES | P-192, P-224, P-256, P-384, P-521 | ECIES with a NIST curve and AES-256-GCM. |
- Salsa sealed box uses X25519 and XSalsa20-Poly1305. An Ed25519 wrapping key can be used; it will be converted to X25519 first.
- There is no NIST standard for ECIES but since SalsaSealbox is fast and widely used, we expose ECIES encryption based on it for NIST P curves.
- AES-KWP symmetrically wraps keys using RFC5649.
- CKM_RSA_AES_KEY_WRAP is a PKCS#11 mechanism that is supported by most HSMs. Asymmetrically wrap keys referring to PKCS#11 as described here. This document describes how to unwrap keys of any size using asymmetric encryption and the RSA algorithm. Since older, similar wrapping methods based on RSA used naive RSA encryption and could present some flaws, it aims to be a generally more secure method to wrap keys. Receive data of the form c|wk, where | is the concatenation operator. Distinguish c and wk, respectively the encrypted kek and the wrapped key. First decrypt the key-encryption-key kek using RSA-OAEP, then proceed to unwrap the key by decrypting m = dec(wk, kek) using AES-KWP as specified in RFC5649. It is also compatible with Google KMS.
- Although there is no specific FIPS standard for hybrid encryption, we built an ECIES encryption scheme based on FIPS compliant cryptographic primitives only. It supports the entire family of NIST P curves with the exception of P-192 and it uses AES-256-GCM for encryption.
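The CKM_RSA_AES_KEY_WRAP unwrap steps described above, together with the matching wrap side, as an added example using Node.js's built-in crypto module (it is not code from the Cosmian project). The function names and the AES-256 default for the ephemeral kek are assumptions of this example; c is taken to be exactly one RSA modulus long, which is the size of any RSA-OAEP ciphertext.

```javascript
// Added example (not Cosmian code): the c|wk layout of CKM_RSA_AES_KEY_WRAP.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const KWP_AIV = Buffer.from('a65959a6', 'hex'); // RFC 5649 alternative initial value

// AES-KWP cipher name, as OpenSSL spells it, for a 16-, 24- or 32-byte KEK.
function kwpName(kek) {
  if (![16, 24, 32].includes(kek.length)) throw new Error('unexpected KEK length');
  return `id-aes${kek.length * 8}-wrap-pad`;
}

// Sender side: wrap keyBytes (any length >= 1) under the recipient's RSA public key.
function wrapKey(publicKey, keyBytes, kekLen = 32) { // kekLen default is an assumption
  const kek = crypto.randomBytes(kekLen); // ephemeral key-encryption-key
  try {
    const c = crypto.publicEncrypt({ key: publicKey, ...OAEP }, kek);
    const kwp = crypto.createCipheriv(kwpName(kek), kek, KWP_AIV);
    const wk = Buffer.concat([kwp.update(keyBytes), kwp.final()]);
    return Buffer.concat([c, wk]); // c | wk
  } finally {
    kek.fill(0); // do not leave the KEK in memory longer than needed
  }
}

// Receiver side: split c | wk, recover kek with RSA-OAEP, then m = dec(wk, kek).
function unwrapKey(privateKey, blob) {
  const cLen = privateKey.asymmetricKeyDetails.modulusLength / 8; // c is one RSA block
  const wkLen = blob.length - cLen;
  if (wkLen < 16 || wkLen % 8 !== 0) throw new Error('malformed c|wk blob');
  const kek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, blob.subarray(0, cLen));
  try {
    const kwp = crypto.createDecipheriv(kwpName(kek), kek, KWP_AIV);
    // AES-KWP carries an integrity check, so an altered wk makes this throw.
    return Buffer.concat([kwp.update(blob.subarray(cLen)), kwp.final()]);
  } finally {
    kek.fill(0);
  }
}

// Constructed sample: a random 20-byte key, a length that needs the padded variant.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const m = crypto.randomBytes(20);
  const blob = wrapKey(publicKey, m);
  return { blobLen: blob.length, ok: unwrapKey(privateKey, blob).equals(m) };
}
```

With a 2048-bit RSA key, c is 256 bytes, and the 20-byte key is padded to 24 bytes plus the 8-byte KWP integrity block, so wk is 32 bytes.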
Encryption schemes
Encryption is supported via the Encrypt and Decrypt KMIP operations.
For bulk operations (i.e. encrypting/decrypting multiple data with the same key),
please refer to KMIP Messages that allow combining multiple operations in a single request.
Encryption can be performed using a key or a certificate. Decryption can be performed using a key.
The supported encryption algorithms are:
Algorithm | Encryption Key Type | Description |
---|---|---|
Covercrypt | Covercrypt | A fast post-quantum attribute based scheme: Covercrypt. |
AES-128-GCM, AES-256-GCM | Symmetric authenticated encryption with additional data | The NIST standardized symmetric encryption in FIPS 197. |
RSA_OAEP_AES_GCM | Hybrid encryption | RSA OAEP with SHA256 with AES-256-GCM for RSA key size 2048, 3072 or 4096 bits. This will change to use AES-GCM instead of AES-KWP in the near future. |
Salsa Sealed Box | X25519, Ed25519 | ECIES compatible with libsodium Sealed Box. |
ECIES | P-192, P-224, P-256, P-384, P-521 | ECIES with a NIST curve and AES-256-GCM. |
- Covercrypt is a new post-quantum cryptographic algorithm, being standardized at ETSI, that allows creating ciphertexts for a set of attributes and issuing user keys with access policies over these attributes. User keys are traceable with a unique fingerprint.
- AES is used in Galois Counter Mode (GCM) with a 96-bit nonce and a 128-bit tag, with a key size of 128 or 256 bits.
- RSA_OAEP_AES_GCM is a PKCS#11 mechanism that is supported by most HSMs. It is initially used to asymmetrically wrap keys referring to PKCS#11 as described here. For general hybrid encryption, AES-GCM is used instead of AES-KWP.
- Salsa sealed box uses X25519 and XSalsa20-Poly1305. An Ed25519 wrapping key can be used; it will be converted to X25519 first.
- Although there is no specific FIPS standard for hybrid encryption, we built an ECIES encryption scheme based on FIPS compliant cryptographic primitives only. It supports the entire family of NIST P curves with the exception of P-192 and it uses AES-256-GCM for encryption.
Signature
Signature is only supported via the Certify operation, which is used to create a certificate either by signing a certificate request, or building it from an existing public key.
Algorithm | Signature Key Type | Description |
---|---|---|
ECDSA | P-192, P-224, P-256, P-384, X25519, X448 | See FIPS-186.5 and NIST.SP.800-186 - Section 3.1.2 table 2. |
EdDSA | Ed25519, Ed448 | See FIPS-186.5. |
- ECDSA performs digital signatures on elliptic curves P-192, P-224, P-256, P-384, P-512 and X25519.
- EdDSA performs digital signatures on Edwards curves Ed25519.
Password-based key derivation
The randomness of cryptographic keys is essential for the security of cryptographic applications. Sometimes, passwords may be the only input required from the users who are eligible to access the data. Due to the low entropy and possibly poor randomness of those passwords, they are not suitable to be used directly as cryptographic keys. The KMS addresses this problem by providing methods to derive a secure cryptographic key from a password.
In normal mode, passwords are derived using the Argon2 hash algorithm with a random 128-bit salt. Argon2 is computationally intensive, which makes the derived keys significantly harder to crack by brute force alone.