Re: [pkcs11] Groups - TLS 1.2 mechanisms uploaded

[Wan-Teh Chang <wtc@google.com>]

Mike, Bob R.,

Your proposal has three sets of rules about key sensitivity and
extractability.

The first set of rules is used for CKM_TLS12_MASTER_KEY_DERIVE and
CKM_TLS12_MASTER_KEY_DERIVE_DH. The second set of rules is used for
CKM_TLS12_KEY_AND_MAC_DERIVE and CKM_TLS12_KEY_SAFE_DERIVE. The
third set of rules is used for CKM_TLS_KDF. (The three sets of rules
are listed at the end of this message.)

Question 1: does CKM_TLS_KDF need its own set of rules?

It seems that the rules for the master key derivation mechanisms
should be appropriate for CKM_TLS_KDF because these mechanisms all
derive one generic secret key from another generic secret key.

Note: I may have found the answer to this question. See my next question.

Question 2: I found that the rules for CKM_TLS_KDF are based on the
rules for CKM_EXTRACT_KEY_FROM_KEY (with "base key" changed to
"original key"). The only important change is that "from a default value"
is changed to "from the original key". Why the change?

I assume "from the original key" also implies if the original key doesn't
have the CKA_SENSITIVE attribute, neither will the derived key. Correct?

Thanks,
Wan-Teh Chang

==========

1. CKM_TLS12_MASTER_KEY_DERIVE and CKM_TLS12_MASTER_KEY_DERIVE_DH:

This mechanism has the following rules about key sensitivity and
extractability:
* The CKA_SENSITIVE and CKA_EXTRACTABLE attributes in the template for
  the new key can both be specified to be either CK_TRUE or CK_FALSE.
  If omitted, these attributes each take on some default value.
* If the base key has its CKA_ALWAYS_SENSITIVE attribute set to
  CK_FALSE, then the derived key will as well.  If the base key has its
  CKA_ALWAYS_SENSITIVE attribute set to CK_TRUE, then the derived key
  has its CKA_ALWAYS_SENSITIVE attribute set to the same value as its
  CKA_SENSITIVE attribute.
* Similarly, if the base key has its CKA_NEVER_EXTRACTABLE attribute
  set to CK_FALSE, then the derived key will, too.  If the base key has
  its CKA_NEVER_EXTRACTABLE attribute set to CK_TRUE, then the derived
  key has its CKA_NEVER_EXTRACTABLE attribute set to the opposite value
  from its CKA_EXTRACTABLE attribute.

2. CKM_TLS12_KEY_AND_MAC_DERIVE and CKM_TLS12_KEY_SAFE_DERIVE:

All four keys inherit the values of the CKA_SENSITIVE,
CKA_ALWAYS_SENSITIVE, CKA_EXTRACTABLE, and CKA_NEVER_EXTRACTABLE
attributes from the base key.  The template provided to C_DeriveKey may
not specify values for any of these attributes which differ from those
held by the base key.

3. CKM_TLS_KDF:

This mechanism has the following rules about key sensitivity and
extractability:
* If the original key has its CKA_SENSITIVE attribute set to CK_TRUE, so
  does the derived key.  If not, then the derived key’s CKA_SENSITIVE
  attribute is set either from the supplied template or from the
  original key.
* Similarly, if the original key has its CKA_EXTRACTABLE attribute set
  to CK_FALSE, so does the derived key.  If not, then the derived key’s
  CKA_EXTRACTABLE attribute is set either from the supplied template or
  from the original key.
* The derived key’s CKA_ALWAYS_SENSITIVE attribute is set to CK_TRUE if
  and only if the original key has its CKA_ALWAYS_SENSITIVE attribute
  set to CK_TRUE.
* Similarly, the derived key’s CKA_NEVER_EXTRACTABLE attribute is set to
  CK_TRUE if and only if the original key has its CKA_NEVER_EXTRACTABLE
  attribute set to CK_TRUE.

4. CKM_EXTRACT_KEY_FROM_KEY:

This mechanism has the following rules about key sensitivity and
extractability:
* If the base key has its CKA_SENSITIVE attribute set to CK_TRUE, so
  does the derived key. If not, then the derived key’s CKA_SENSITIVE
  attribute is set either from the supplied template or from a default
  value.
* Similarly, if the base key has its CKA_EXTRACTABLE attribute set
  to CK_FALSE, so does the derived key. If not, then the derived key’s
  CKA_EXTRACTABLE attribute is set either from the supplied template or
  from a default value.
* The derived key’s CKA_ALWAYS_SENSITIVE attribute is set to CK_TRUE if
  and only if the base key has its CKA_ALWAYS_SENSITIVE attribute
  set to CK_TRUE.
* Similarly, the derived key’s CKA_NEVER_EXTRACTABLE attribute is set to
  CK_TRUE if and only if the base key has its CKA_NEVER_EXTRACTABLE
  attribute set to CK_TRUE.