Reputation: 2576
What does mechanism mean in PKCS11? For example: CKM_RSA_PKCS.
What is the difference between a mechanism (CKM_RSA_PKCS) and a signature algorithm (NoneWithRSA)?
Upvotes: 3
Views: 4338
Reputation: 69389
A mechanism is a constant value that describes a cryptographic operation. For example, CKM_RSA_PKCS is defined in the PKCS #11 manual as:
The PKCS #1 v1.5 RSA mechanism, denoted CKM_RSA_PKCS, is a multi-purpose mechanism based on the RSA public-key cryptosystem and the block formats initially defined in PKCS #1 v1.5. It supports single-part encryption and decryption; single-part signatures and verification with and without message recovery; key wrapping; and key unwrapping. This mechanism corresponds only to the part of PKCS #1 v1.5 that involves RSA; it does not compute a message digest or a DigestInfo encoding as specified for the md2withRSAEncryption and md5withRSAEncryption algorithms in PKCS #1 v1.5.
Note the "multi-purpose" clause - this single mechanism can be used with encryption/decryption as well as signing/verifying.
The Java mechanism NoneWithRSA is defined as:
The RSA signature algorithm which does not use a digesting algorithm (e.g. MD5/SHA1) before performing the RSA operation. For more information about the RSA Signature algorithms, please see PKCS1.
The Java mechanism is only for signatures.
From the descriptions, it appears a signature computed with NoneWithRSA in Java would be equivalent to a signature computed in PKCS #11 with CKM_RSA_PKCS.
Upvotes: 8