# Encryption and Decryption Overview and Algorithm Specifications

<!--Kit: Universal Keystore Kit-->
<!--Subsystem: Security-->
<!--Owner: @wutiantian-gitee-->
<!--Designer: @HighLowWorld-->
<!--Tester: @wxy1234564846-->
<!--Adviser: @zengyawen-->

You can use the keys in HUKS to encrypt or decrypt data.

## Supported Algorithms

The following table lists the supported specifications for key encryption and decryption.
<!--Del-->
The key management service specifications include mandatory specifications and optional specifications. Mandatory specifications are algorithm specifications that must be supported. Optional specifications can be used based on the actual situation. Before using the optional specifications, refer to the documents provided by the vendor to ensure that the specifications are supported.

**You are advised to use mandatory specifications in your development for compatibility purposes.**
<!--DelEnd-->

**Specifications****<!--RP1--> for standard devices<!--RP1End-->**

| Algorithm/Cipher Mode/Padding Mode| Description| API Version| <!--DelCol4-->Mandatory|
| -------- | -------- | -------- | -------- |
| <!--DelRow-->AES/ECB/NoPadding<br>AES/ECB/PKCS7 | In ECB mode, the data length should be a multiple of the block size used by the encryption algorithm. If the padding mode is **NoPadding** and the length of the input data is not a multiple of 16 bytes, the service side must pad the input data to the required length.| 8+ | No|
| AES/CBC/NoPadding<br>AES/CBC/PKCS7<br>AES/CTR/NoPadding | **IV** is mandatory.<br>In CBC mode, the data length should be a multiple of the block size used by the encryption algorithm. If the padding mode is **NoPadding** and the length of the input data is not a multiple of 16 bytes, the service side must pad the input data to the required length.| 8+ | Yes|
| AES/GCM/NoPadding | **Nonce** is mandatory for encryption.<br>**Nonce** and **TAG** are mandatory for decryption.| 8+ | Yes|
| RSA/ECB/NoPadding<br>RSA/ECB/PKCS1_V1_5<br>RSA/ECB/OAEP | The OAEP padding mode supports the following MD algorithms: SHA-256, SHA-384, and SHA-512.| 8+ | Yes|
| <!--DelRow-->SM4/ECB/NoPadding<br>SM4/ECB/PKCS7 | The ECB mode is not recommended.| 9+ | No|
| SM4/ECB/PKCS7 | The ECB mode is not recommended.| 20+ | Yes|
| SM4/CBC/PKCS7 | **IV** is mandatory.| 9+ | Yes|
| SM4/CTR/NoPadding<br>SM4/CBC/NoPadding<br>SM4/CFB/NoPadding<br>SM4/OFB/NoPadding | **IV** is mandatory.| 12+ | Yes|
| SM2/-/NoPadding | SM3 is used as the MD algorithm.| 11+ | Yes|
| DES/CBC/NoPadding<br>DES/ECB/NoPadding | The **IV** parameter is mandatory in CBC mode.| 18+ | Yes|
| 3DES/CBC/NoPadding<br>3DES/ECB/NoPadding | The **IV** parameter is mandatory in CBC mode.| 18+ | Yes|

**Specifications****<!--RP2--> for mini-system devices<!--RP2End-->**

<!--Del-->
Before implementing the specifications for mini-system devices, determine whether your device supports the related specifications.
<!--DelEnd-->

| Algorithm/Cipher Mode/Padding Mode| Description| API Version|
| -------- | -------- | -------- |
| AES/GCM/NoPadding | **Nonce** is mandatory for encryption.<br>**Nonce** and **TAG** are mandatory for decryption.| 8+ |
| AES/CBC/NoPadding<br>AES/CTR/NoPadding | **IV** is mandatory.| 11+ |
| DES/ECB/NoPadding | - | 12+ |
| DES/CBC/NoPadding | **IV** is mandatory.| 12+ |
| 3DES/ECB/NoPadding | - | 12+ |
| 3DES/CBC/NoPadding | **IV** is mandatory.| 12+ |
| RSA/ECB/NoPadding | - | 12+ |
| RSA/ECB/PKCS1_V1_5 | - | 12+ |
| RSA/ECB/OAEP | SHA-256 is used as the MD algorithm.| 12+ |
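
The following is an added example, not code from the HUKS project: a preflight check that applies the AES and SM4 rules of the standard-device table (listed combination, mandatory **IV**/**Nonce**/**TAG**, 16-byte alignment for AES with **NoPadding**) to a request before it reaches the key service. `CipherRequest`, `preflight`, and the sample values are hypothetical names and constructed data; no HUKS API is called.

```typescript
// Added example; CipherRequest and preflight are hypothetical names, not HUKS APIs.
type Alg = "AES" | "SM4";
type Mode = "ECB" | "CBC" | "CTR" | "GCM" | "CFB" | "OFB";
interface CipherRequest {
  alg: Alg; mode: Mode; padding: "NoPadding" | "PKCS7";
  decrypt: boolean;
  dataLen: number;            // input length in bytes
  iv?: Uint8Array; nonce?: Uint8Array; tag?: Uint8Array;
}

// AES and SM4 rows of the standard-device specification table.
const LISTED = new Set([
  "AES/ECB/NoPadding", "AES/ECB/PKCS7", "AES/CBC/NoPadding", "AES/CBC/PKCS7",
  "AES/CTR/NoPadding", "AES/GCM/NoPadding", "SM4/ECB/NoPadding", "SM4/ECB/PKCS7",
  "SM4/CBC/PKCS7", "SM4/CBC/NoPadding", "SM4/CTR/NoPadding", "SM4/CFB/NoPadding",
  "SM4/OFB/NoPadding",
]);

const missing = (b?: Uint8Array): boolean => b === undefined || b.length === 0;

// Returns the list of rule violations; an empty list means the request matches the table.
function preflight(r: CipherRequest): string[] {
  const spec = `${r.alg}/${r.mode}/${r.padding}`;
  if (!LISTED.has(spec)) return [`${spec}: not in the specification table`];
  const problems: string[] = [];
  if (r.mode === "GCM") {
    if (missing(r.nonce)) problems.push("Nonce is mandatory");
    if (r.decrypt && missing(r.tag)) problems.push("TAG is mandatory for decryption");
  } else if (r.mode !== "ECB" && missing(r.iv)) {
    problems.push("IV is mandatory");
  }
  // The table states the 16-byte rule for AES in ECB and CBC mode with NoPadding.
  const blockMode = r.mode === "ECB" || r.mode === "CBC";
  if (r.alg === "AES" && blockMode && r.padding === "NoPadding" && r.dataLen % 16 !== 0) {
    problems.push(`input of ${r.dataLen} bytes must be padded to a multiple of 16`);
  }
  if (r.alg === "SM4" && r.mode === "ECB") problems.push("ECB mode is not recommended");
  return problems;
}

// Constructed sample: AES/CBC/NoPadding encryption of 20 bytes with no IV supplied.
const sampleProblems = preflight({
  alg: "AES", mode: "CBC", padding: "NoPadding", decrypt: false, dataLen: 20,
});
console.log(sampleProblems);
```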