# Key Import Overview and Algorithm Specifications

You can import an externally generated key (for example, a key generated after key agreement or generated by a server) into HUKS for management. Once a key is imported into HUKS, its plaintext can be accessed only in a secure environment throughout its lifecycle. This ensures that no one can obtain the plaintext of the key.

A key can be imported in plaintext or in encrypted (wrapped) mode.

## Plaintext Import

Importing a key in plaintext may expose the plaintext to a non-secure environment. This import mode applies to lightweight devices or security-insensitive services.

- Plaintext import is recommended for importing the public key of an asymmetric key pair.

- Plaintext import is not recommended for symmetric keys or asymmetric key pairs.

## Encrypted Import

In this mode, the key to be imported is encrypted (wrapped) and then imported into HUKS through an end-to-end encrypted transmission channel established between the service and HUKS. This mode applies to security-sensitive services because it is more secure than plaintext import. However, it involves more complex key material and operations.

- Encrypted import is recommended for importing symmetric keys or asymmetric key pairs.

The following figure illustrates the development sequence of encrypted import.

To import an encrypted key, you need to use the HUKS APIs to generate a key pair (used to encrypt the key to be imported), export the public key, import the encrypted key, and delete the key pair.

The [public key material](huks-concepts.md#public-key-material-format) exported is encapsulated in X.509 format. The encrypted key material to be imported must be encapsulated in **Length<sub>Data</sub>-Data** format.
### Key Material Format for Encrypted Import

| Content| Length|
| -------- | -------- |
| Service public key **Caller_Pk** length (L<sub>Caller_Pk</sub>)| 4 bytes|
| Service public key **Caller_Pk**| L<sub>Caller_Pk</sub> bytes|
| Shared_Key **AAD2** length (L<sub>AAD2</sub>)| 4 bytes|
| Shared_Key **AAD2**| L<sub>AAD2</sub> bytes|
| Shared_Key **Nonce2** length (L<sub>Nonce2</sub>)| 4 bytes|
| Shared_Key **Nonce2**| L<sub>Nonce2</sub> bytes|
| Shared_Key **AEAD2** length (L<sub>AEAD2</sub>)| 4 bytes|
| Shared_Key **AEAD2**| L<sub>AEAD2</sub> bytes|
| **Caller_Kek_enc** length (L<sub>Caller_Kek_enc</sub>)| 4 bytes|
| Caller_Kek ciphertext **Caller_Kek_enc**| L<sub>Caller_Kek_enc</sub> bytes|
| Caller_Kek **AAD3** length (L<sub>AAD3</sub>)| 4 bytes|
| Caller_Kek **AAD3**| L<sub>AAD3</sub> bytes|
| Caller_Kek **Nonce3** length (L<sub>Nonce3</sub>)| 4 bytes|
| Caller_Kek **Nonce3**| L<sub>Nonce3</sub> bytes|
| Caller_Kek **AEAD3** length (L<sub>AEAD3</sub>)| 4 bytes|
| Caller_Kek **AEAD3**| L<sub>AEAD3</sub> bytes|
| **To_Import_Key_size** length (L<sub>To_Import_Key_size</sub>)| 4 bytes|
| Key plaintext material length **To_Import_Key_size**| L<sub>To_Import_Key_size</sub> bytes|
| **To_Import_Key_enc** length (L<sub>To_Import_Key_enc</sub>)| 4 bytes|
| To_Import_Key ciphertext **To_Import_Key_enc**| L<sub>To_Import_Key_enc</sub> bytes|

## Supported Algorithms

The following table lists the supported key import specifications.

The key management service specifications include mandatory specifications and optional specifications. Mandatory specifications are algorithm specifications that must be supported. Optional specifications can be used as required. Before using an optional specification, refer to the documents provided by the vendor to ensure that it is supported.
**You are advised to use mandatory specifications in your development for compatibility purposes.**

| Algorithm| Supported Key Length (Bit)| API Level| Mandatory|
| -------- | -------- | -------- | -------- |
| AES | 128, 192, 256| 8+ | Yes|
| RSA | 512, 768, 1024| 8+ | No|
| RSA | 2048, 3072, 4096| 8+ | Yes|
| HMAC | An integer multiple of 8, ranging from 8 to 1024 (inclusive)| 8+ | Yes|
| ECC | 224 | 8+ | No|
| ECC | 256, 384, 521| 8+ | Yes|
| ED25519 | 256 | 8+ | Yes|
| X25519 | 256 | 8+ | Yes|
| DSA | An integer multiple of 8, ranging from 512 to 1024 (inclusive) | 8+ | No|
| DH | 2048 | 8+ | Yes|
| DH | 3072, 4096| 8+ | No|
| SM2 | 256 | 9+ | Yes|
| SM4 | 128 | 9+ | Yes|
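The Length<sub>Data</sub>-Data encapsulation from the key material format table above, as an added example that is not part of the HUKS documentation or code base: it packs the ten fields in table order and parses them back while rejecting truncated, oversized or padded material. The byte order of the 4-byte length fields and the sample sizes (12-byte nonces, 16-byte AEAD tags) are assumptions; the sample values are constructed and are not real keys.

```python
import struct

# Field order of the Length-Data key material, exactly as in the table above.
FIELDS = ("Caller_Pk", "AAD2", "Nonce2", "AEAD2",
          "Caller_Kek_enc", "AAD3", "Nonce3", "AEAD3",
          "To_Import_Key_size", "To_Import_Key_enc")

def pack_material(fields):
    """Serialise the fields as <4-byte length><data> in table order.
    Assumption: little-endian uint32 lengths (the page does not state byte order)."""
    out = bytearray()
    for name in FIELDS:
        out += struct.pack("<I", len(fields[name])) + fields[name]
    return bytes(out)

def unpack_material(blob):
    """Parse Length-Data material; refuse truncated, oversized or padded input
    so a malformed blob is rejected before any key material is trusted."""
    fields, pos = {}, 0
    for name in FIELDS:
        if pos + 4 > len(blob):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if length > len(blob) - pos:
            raise ValueError(f"{name}: declares {length} bytes, {len(blob) - pos} remain")
        fields[name] = blob[pos:pos + length]
        pos += length
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing bytes after To_Import_Key_enc")
    return fields

def is_well_formed(blob):
    try:
        unpack_material(blob)
        return True
    except ValueError:
        return False

# Constructed sample (not real key material); 12-byte nonces and 16-byte tags
# follow AES-GCM conventions, To_Import_Key_size says the wrapped key is 32 bytes.
SAMPLE = {
    "Caller_Pk": bytes(91), "AAD2": b"shared-key-aad", "Nonce2": bytes(range(12)),
    "AEAD2": bytes(16), "Caller_Kek_enc": bytes(32), "AAD3": b"kek-aad",
    "Nonce3": bytes(range(12, 24)), "AEAD3": bytes(16),
    "To_Import_Key_size": struct.pack("<I", 32), "To_Import_Key_enc": bytes(32),
}
```

Checking every declared length against the bytes actually remaining is what keeps a malformed blob from being handed to the unwrap step.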