Vestild

Reputation: 123

What does the CKA_SENSITIVE attribute in PKCS 11 mean?

I'm reading the PKCS 11 documentation, and I cannot understand clearly what the CKA_SENSITIVE attribute of a key means.

And more generally: where can I read the attribute descriptions?

Upvotes: 5

Views: 4856

Answers (2)

Vestild

Reputation: 123

I found out that if CKA_SENSITIVE = FALSE, then the clear value of the key (for secret keys) can be retrieved by the C_GetAttributeValue function, while you cannot retrieve the value itself if CKA_SENSITIVE = TRUE.

Upvotes: 6

Thijs

Reputation: 283

Quote from PKCS#11 spec v2.20:

If the CKA_SENSITIVE attribute is CK_TRUE, or if the CKA_EXTRACTABLE attribute is CK_FALSE, then certain attributes of the secret key cannot be revealed in plaintext outside the token. Which attributes these are is specified for each type of secret key in the attribute table in the section describing that type of key.

In general this means that the actual value of the secret key is not exposed. It depends on the key which attributes make up the value. For secret keys it is generally CKA_VALUE, for private RSA keys this would be CKA_PRIVATE_EXPONENT and the Chinese Remainder Theorem parameters - if those are part of the key.

Upvotes: 8
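The behaviour described in both answers (C_GetAttributeValue refusing the key material when CKA_SENSITIVE is TRUE or CKA_EXTRACTABLE is FALSE, with the affected attributes depending on key type), as an added example that is not part of the question or either answer: a small Python model of a token's attribute handling plus a defender-side check for keys whose plaintext could leave the token. The key objects, the all-zero AES value and the textbook RSA numbers are constructed, and the defaults used for absent attributes are an assumption of this model rather than spec-mandated.

```python
# Added example (not from the question or answers): a model of how a PKCS#11
# token applies CKA_SENSITIVE / CKA_EXTRACTABLE to C_GetAttributeValue. Keys
# are constructed dicts; defaults for absent attributes are this model's.
CKR_OK, CKR_ATTRIBUTE_READ_ONLY = 0x00, 0x10
CKR_ATTRIBUTE_SENSITIVE, CKR_ATTRIBUTE_TYPE_INVALID = 0x11, 0x12

# Attributes that make up the secret value, per key type: CKA_VALUE for secret
# keys; the private exponent and CRT parameters for RSA private keys.
SENSITIVE_ATTRS = {
    ("CKO_SECRET_KEY", "CKK_AES"): {"CKA_VALUE"},
    ("CKO_PRIVATE_KEY", "CKK_RSA"): {"CKA_PRIVATE_EXPONENT", "CKA_PRIME_1",
        "CKA_PRIME_2", "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT"},
}

def c_get_attribute_value(key, attr):
    """Model of C_GetAttributeValue for one attribute; returns (rv, value)."""
    if attr not in key:
        return CKR_ATTRIBUTE_TYPE_INVALID, None
    hidden = SENSITIVE_ATTRS.get((key["CKA_CLASS"], key["CKA_KEY_TYPE"]), set())
    if attr in hidden and (key.get("CKA_SENSITIVE", False)
                           or not key.get("CKA_EXTRACTABLE", True)):
        return CKR_ATTRIBUTE_SENSITIVE, None  # plaintext never leaves the token
    return CKR_OK, key[attr]

def c_set_attribute_value(key, attr, value):
    """Model of the one-way rule: CKA_SENSITIVE may only go FALSE -> TRUE and
    CKA_EXTRACTABLE only TRUE -> FALSE; the reverse change is refused."""
    if attr == "CKA_SENSITIVE" and key.get("CKA_SENSITIVE", False) and not value:
        return CKR_ATTRIBUTE_READ_ONLY
    if attr == "CKA_EXTRACTABLE" and not key.get("CKA_EXTRACTABLE", True) and value:
        return CKR_ATTRIBUTE_READ_ONLY
    key[attr] = value
    return CKR_OK

def plaintext_exportable(key):
    """Defender check: can the secret material be read out in the clear?"""
    return not key.get("CKA_SENSITIVE", False) and key.get("CKA_EXTRACTABLE", True)

# Constructed samples: all-zero AES value, textbook RSA numbers (n = 61 * 53).
AES_EXPORTABLE = {"CKA_CLASS": "CKO_SECRET_KEY", "CKA_KEY_TYPE": "CKK_AES",
                  "CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True,
                  "CKA_VALUE": bytes(16)}
RSA_PROTECTED = {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_KEY_TYPE": "CKK_RSA",
                 "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": True,
                 "CKA_MODULUS": 3233, "CKA_PUBLIC_EXPONENT": 17,
                 "CKA_PRIVATE_EXPONENT": 2753, "CKA_PRIME_1": 61, "CKA_PRIME_2": 53}
```

Note that RSA_PROTECTED is still CKA_EXTRACTABLE, so a real token would allow it to leave wrapped under another key; CKA_SENSITIVE only forbids the plaintext path, which is why the audit looks at both attributes.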
