Supported algorithms
The Cosmian server supports a growing list of cryptographic algorithms.
Keywrapping
The Cosmian server supports keywrapping via the Import (unwrapping) and Export (wrapping) KMIP operations.
The (un)wrapping key identifier may be that of a key or a certificate.
In the latter case, the public key (or the associated private key for unwrapping, if any) will be retrieved and used.
The supported keywrapping algorithms are:
| Algorithm | Wrap Key Type | Description |
|---|---|---|
| AESKWP | Symmetric key wrapping | Symmetric keywrapping with padding as defined in RFC3394. |
| CKM_RSA_AES_KEY_WRAP | Hybrid key wrapping | RSA OAEP with SHA256 with AESKWP for RSA key size 2048, 3072 or 4096 bits. |
| Salsa Sealed Box | X25519, Ed25519 | ECIES compatible with libsodium Sealed Box. |
| ECIES | P192, P224, P256, P384, P521 | ECIES with a NIST curve and AES256GCM. |

Salsa sealed box uses X25519 and XSalsa20Poly1305. An Ed25519 wrapping key can be used; it will be converted to X25519 first.
There is no NIST standard for ECIES, but since SalsaSealbox is fast and widely used, we expose ECIES encryption based on it for NIST P curves.
AESKWP symmetrically wraps keys using RFC5649.
CKM_RSA_AES_KEY_WRAP is a PKCS#11 mechanism that is supported by most HSMs. It asymmetrically wraps keys according to PKCS#11, as described here. This document describes how to unwrap keys of any size using asymmetric encryption and the RSA algorithm. Since older, similar wrapping methods based on RSA used naive RSA encryption and could present some flaws, it aims at a generally more secure method to wrap keys. The received data is the concatenation of c and wk, respectively the encrypted kek and the wrapped key. First decrypt the key-encryption-key kek using RSA OAEP, then unwrap the key by decrypting m = dec(wk, kek) using AESKWP as specified in RFC5649. It is also compatible with Google KMS.
Salsa sealed box uses X25519 and XSalsa20Poly1305. An Ed25519 wrapping key can be used; it will be converted to X25519 first.
Although there is no specific FIPS standard for hybrid encryption, we built an ECIES encryption scheme based on FIPS compliant cryptographic primitives only. It supports the entire family of NIST P curves with the exception of P192, and it uses AES256GCM for encryption.
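
The CKM_RSA_AES_KEY_WRAP wrap and unwrap steps described above, as an added example written with the Python `cryptography` package (it is not Cosmian's code). The helper names, the 32-byte kek and the use of SHA256 for MGF1 are assumptions of this example.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)

# RSA OAEP with SHA256 as in the table; using SHA256 for MGF1 too is an assumption.
OAEP = padding.OAEP(
    mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None
)


def new_wrapping_key(bits: int = 2048):
    """Constructed RSA key pair standing in for the wrapping key held by the KMS/HSM."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def rsa_aes_wrap(public_key, key_material: bytes) -> bytes:
    """Return c || wk: the RSA OAEP encrypted kek followed by the AESKWP wrapped key."""
    kek = os.urandom(32)  # fresh AES-256 key-encryption-key for every wrap
    c = public_key.encrypt(kek, OAEP)
    wk = aes_key_wrap_with_padding(kek, key_material)  # RFC5649
    return c + wk


def rsa_aes_unwrap(private_key, blob: bytes) -> bytes:
    """Split c || wk, recover kek with RSA OAEP, then compute m = dec(wk, kek)."""
    c_len = private_key.key_size // 8  # c is exactly one RSA modulus long
    if len(blob) < c_len + 16:  # the shortest AESKWP output is 16 bytes
        raise ValueError("wrapped blob is too short to contain c and wk")
    c, wk = blob[:c_len], blob[c_len:]
    kek = private_key.decrypt(c, OAEP)  # raises ValueError if c was altered
    # Raises InvalidUnwrap if wk fails the RFC5649 integrity check.
    return aes_key_unwrap_with_padding(kek, wk)


if __name__ == "__main__":
    sk = new_wrapping_key()
    secret = os.urandom(20)  # constructed sample; not a multiple of 8 bytes
    blob = rsa_aes_wrap(sk.public_key(), secret)
    assert rsa_aes_unwrap(sk, blob) == secret
    print(f"c = {sk.key_size // 8} bytes, wk = {len(blob) - sk.key_size // 8} bytes")
```

The split point comes only from the RSA modulus size, so the same wrapping key must be used on both sides; a mismatched key size or an altered c or wk makes the unwrap raise instead of returning key material.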
Encryption schemes
Encryption is supported via the Encrypt and Decrypt KMIP operations.
For bulk operations (i.e. encrypting/decrypting multiple data with the same key),
please refer to KMIP Messages that allow combining multiple operations in a single request.
Encryption can be performed using a key or a certificate. Decryption can be performed using a key.
The supported encryption algorithms are:
| Algorithm | Encryption Key Type | Description |
|---|---|---|
| Covercrypt | Covercrypt | A fast post-quantum attribute based scheme: Covercrypt. |
| AES128GCM, AES256GCM | Symmetric authenticated encryption with additional data | The NIST standardized symmetric encryption in FIPS 197. |
| RSA_OAEP_AES_GCM | Hybrid encryption | RSA OAEP with SHA256 with AES256GCM for RSA key size 2048, 3072 or 4096 bits. This will change to use AESGCM instead of AESKWP in the near future. |
| Salsa Sealed Box | X25519, Ed25519 | ECIES compatible with libsodium Sealed Box. |
| ECIES | P192, P224, P256, P384, P521 | ECIES with a NIST curve and AES256GCM. |

Covercrypt is a new post-quantum cryptographic algorithm, being standardized at ETSI, that allows creating ciphertexts for a set of attributes and issuing user keys with access policies over these attributes. User keys are traceable with a unique fingerprint.

AES is used in Galois Counter Mode (GCM) with a 96-bit nonce and a 128-bit tag, with a key size of 128 or 256 bits.

RSA_OAEP_AES_GCM is a PKCS#11 mechanism that is supported by most HSMs. It is initially used to asymmetrically wrap keys according to PKCS#11, as described here. For general hybrid encryption, AESGCM is used instead of AESKWP.
Salsa sealed box uses X25519 and XSalsa20Poly1305. An Ed25519 wrapping key can be used; it will be converted to X25519 first.
Although there is no specific FIPS standard for hybrid encryption, we built an ECIES encryption scheme based on FIPS compliant cryptographic primitives only. It supports the entire family of NIST P curves with the exception of P192, and it uses AES256GCM for encryption.
Signature
Signature is only supported via the Certify operation, which is used to create a certificate either by signing a certificate request, or building it from an existing public key.
| Algorithm | Signature Key Type | Description |
|---|---|---|
| ECDSA | P192, P224, P256, P384, X25519, X448 | See FIPS186.5 and NIST.SP.800-186, Section 3.1.2 table 2. |
| EdDSA | Ed25519, Ed448 | See FIPS186.5. |

ECDSA performs digital signatures on elliptic curves P192, P224, P256, P384, P512 and X25519.
EdDSA performs digital signatures on Edwards curves Ed25519.
Password-based key derivation
The randomness of cryptographic keys is essential for the security of cryptographic applications. Sometimes, passwords may be the only input required from the users who are eligible to access the data. Due to the low entropy and possibly poor randomness of those passwords, they are not suitable to be used directly as cryptographic keys. The KMS addresses this problem by providing methods to derive a password into a secure cryptographic key.
In normal mode, passwords are derived using the Argon2 hash algorithm with a random 128-bit salt. Argon2 is computationally intensive, which makes derived keys significantly harder to crack by brute force alone.