 

What does the CKA_SENSITIVE attribute in PKCS 11 mean?

Tags:

pkcs#11

I'm reading the PKCS 11 documentation, and I cannot clearly understand what the CKA_SENSITIVE attribute of a key means.

And more generally: where can I read the attribute descriptions?

Vestild asked Sep 03 '12 10:09


2 Answers

I found out that if CKA_SENSITIVE = FALSE, then the clear value of the key (for secret keys) can be retrieved by the C_GetAttributeValue function, while you cannot retrieve the value itself if CKA_SENSITIVE = TRUE.

Vestild answered Oct 04 '22 17:10


Quote from PKCS#11 spec v2.20:

If the CKA_SENSITIVE attribute is CK_TRUE, or if the CKA_EXTRACTABLE attribute is CK_FALSE, then certain attributes of the secret key cannot be revealed in plaintext outside the token. Which attributes these are is specified for each type of secret key in the attribute table in the section describing that type of key.

In general this means that the actual value of the secret key is not exposed. It depends on the key which attributes make up the value. For secret keys it is generally CKA_VALUE, for private RSA keys this would be CKA_PRIVATE_EXPONENT and the Chinese Remainder Theorem parameters - if those are part of the key.

Thijs answered Oct 04 '22 17:10
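The two answers above describe the rule in words; the following is an added example, not code from either answerer and not a real PKCS#11 module. It is a small in-memory model of how a token applies CKA_SENSITIVE and CKA_EXTRACTABLE when a caller uses C_GetAttributeValue, C_SetAttributeValue and C_WrapKey. It goes a little beyond the answers by also showing the CKA_EXTRACTABLE half of the quoted rule, the fact that both flags can only be tightened (FALSE to TRUE for CKA_SENSITIVE, TRUE to FALSE for CKA_EXTRACTABLE), and the difference between reading a key in plaintext and wrapping it out. The constant values are the ones from pkcs11.h; the class name Pkcs11KeyModel, its method names and the sample key bytes are this example's own.

```python
# Added example: an in-memory model of PKCS#11 CKA_SENSITIVE / CKA_EXTRACTABLE
# handling. Not a PKCS#11 module; Pkcs11KeyModel and its methods are invented
# for illustration. Constant values below are those defined in pkcs11.h.
CKO_PRIVATE_KEY, CKO_SECRET_KEY = 0x3, 0x4
CKK_RSA, CKK_AES = 0x0, 0x1F
CKA_CLASS, CKA_KEY_TYPE, CKA_VALUE = 0x0, 0x100, 0x11
CKA_SENSITIVE, CKA_EXTRACTABLE = 0x103, 0x162
CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE = 0x165, 0x164
CKA_MODULUS, CKA_PUBLIC_EXPONENT = 0x120, 0x122
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2 = 0x123, 0x124, 0x125
CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT = 0x126, 0x127, 0x128
CKR_OK, CKR_ATTRIBUTE_READ_ONLY = 0x0, 0x10
CKR_ATTRIBUTE_SENSITIVE, CKR_ATTRIBUTE_TYPE_INVALID = 0x11, 0x12
CKR_KEY_UNEXTRACTABLE = 0x6A
CK_UNAVAILABLE_INFORMATION = 2**64 - 1  # (CK_ULONG)-1 on a 64-bit build

# The attributes that "cannot be revealed in plaintext", per key type. These are
# the entries the per-key-type attribute tables in the spec mark as sensitive.
SENSITIVE_ATTRS = {
    (CKO_SECRET_KEY, CKK_AES): {CKA_VALUE},
    (CKO_PRIVATE_KEY, CKK_RSA): {CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
                                 CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT},
}


class Pkcs11KeyModel:
    """One key object holding the template it was created/generated with."""

    def __init__(self, attrs):
        self.attrs = dict(attrs)
        self.attrs.setdefault(CKA_SENSITIVE, False)
        self.attrs.setdefault(CKA_EXTRACTABLE, True)
        # Token-maintained history flags: fixed at creation, read-only afterwards.
        self.attrs[CKA_ALWAYS_SENSITIVE] = self.attrs[CKA_SENSITIVE]
        self.attrs[CKA_NEVER_EXTRACTABLE] = not self.attrs[CKA_EXTRACTABLE]

    def _protected(self):
        return SENSITIVE_ATTRS.get((self.attrs[CKA_CLASS], self.attrs[CKA_KEY_TYPE]), set())

    def get_attribute_value(self, attr_type):
        """Model of C_GetAttributeValue for one attribute: returns (rv, value)."""
        if attr_type not in self.attrs:
            return CKR_ATTRIBUTE_TYPE_INVALID, CK_UNAVAILABLE_INFORMATION
        hidden = self.attrs[CKA_SENSITIVE] or not self.attrs[CKA_EXTRACTABLE]
        if hidden and attr_type in self._protected():
            # A real token sets ulValueLen to CK_UNAVAILABLE_INFORMATION here.
            return CKR_ATTRIBUTE_SENSITIVE, CK_UNAVAILABLE_INFORMATION
        return CKR_OK, self.attrs[attr_type]

    def set_attribute_value(self, attr_type, value):
        """Model of C_SetAttributeValue: the two flags move one way only."""
        if attr_type == CKA_SENSITIVE and self.attrs[CKA_SENSITIVE] and not value:
            return CKR_ATTRIBUTE_READ_ONLY  # TRUE -> FALSE is refused
        if attr_type == CKA_EXTRACTABLE and not self.attrs[CKA_EXTRACTABLE] and value:
            return CKR_ATTRIBUTE_READ_ONLY  # FALSE -> TRUE is refused
        if attr_type in (CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE):
            return CKR_ATTRIBUTE_READ_ONLY  # only the token may set these
        self.attrs[attr_type] = value
        return CKR_OK

    def wrap_key(self):
        """Model of C_WrapKey: CKA_SENSITIVE is irrelevant, CKA_EXTRACTABLE decides."""
        if not self.attrs[CKA_EXTRACTABLE]:
            return CKR_KEY_UNEXTRACTABLE, None
        # A real token returns the key encrypted under a wrapping key; the model
        # just returns the raw bytes to show the call is permitted.
        return CKR_OK, self.attrs[CKA_VALUE]


def demo():
    """Constructed sample keys exercising each rule; returns the results by name."""
    aes = Pkcs11KeyModel({CKA_CLASS: CKO_SECRET_KEY, CKA_KEY_TYPE: CKK_AES,
                          CKA_VALUE: bytes(range(16)), CKA_SENSITIVE: False})
    results = {"aes_before": aes.get_attribute_value(CKA_VALUE)}      # plaintext out
    aes.set_attribute_value(CKA_SENSITIVE, True)                        # allowed
    results["aes_after"] = aes.get_attribute_value(CKA_VALUE)          # now refused
    results["aes_undo"] = aes.set_attribute_value(CKA_SENSITIVE, False)  # refused
    results["aes_wrap"] = aes.wrap_key()                               # still allowed

    # RSA private key generated the way an HSM-resident key should be.
    rsa = Pkcs11KeyModel({CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_RSA,
                          CKA_MODULUS: b"\xc3" * 256, CKA_PUBLIC_EXPONENT: b"\x01\x00\x01",
                          CKA_PRIVATE_EXPONENT: b"\x5a" * 256,
                          CKA_SENSITIVE: True, CKA_EXTRACTABLE: False})
    results["rsa_modulus"] = rsa.get_attribute_value(CKA_MODULUS)          # public part: ok
    results["rsa_d"] = rsa.get_attribute_value(CKA_PRIVATE_EXPONENT)       # refused
    results["rsa_wrap"] = rsa.wrap_key()                                   # refused
    results["rsa_never_extractable"] = rsa.get_attribute_value(CKA_NEVER_EXTRACTABLE)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Against a real module the same check is: call C_GetAttributeValue, and treat CKR_ATTRIBUTE_SENSITIVE together with ulValueLen == CK_UNAVAILABLE_INFORMATION as "this key's value is not readable in plaintext". Because both flags can only be tightened after creation, a key that must never leave the HSM should be generated with CKA_SENSITIVE = TRUE and CKA_EXTRACTABLE = FALSE in the template from the start; CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE then let an auditor confirm later that this was always the case. The attribute tables that decide which attributes the rule covers are in the per-object-type sections of the PKCS#11 specification (the secret key and RSA private key object sections for the two cases modelled here).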