# Key Generation Overview and Algorithm Specifications

<!--Kit: Universal Keystore Kit-->
<!--Subsystem: Security-->
<!--Owner: @wutiantian-gitee-->
<!--Designer: @HighLowWorld-->
<!--Tester: @wxy1234564846-->
<!--Adviser: @zengyawen-->

You can use the HUKS APIs to generate a key randomly and store it in HUKS.

> **NOTE**
>
> - A key alias can contain a maximum of 128 bytes.
> - Key aliases must not contain sensitive information such as personal data, and should not include details such as the encryption algorithm, key length, or encryption mode.
> - Generating a key with an alias that already exists overwrites the existing key.

- Random generation: HUKS uses a cryptographically secure pseudorandom number generator (PRNG) to generate keys. The PRNG provides the randomness, unpredictability, and non-reproducibility that make the generated keys difficult to infer.

- Secure storage: Except for the public keys of asymmetric key pairs, keys generated by HUKS can be used only within the secure storage area throughout their lifecycle, from generation to destruction. The generated key file cannot be accessed directly by any service other than HUKS; even the service that generated a key can perform key operations and obtain their results only through the HUKS APIs.

- Key usage: A key can be used for only one purpose. For example, a key can be used for encryption/decryption or for signing/signature verification, but not for both. In addition, the usage specified when the key is generated must be the same as the usage specified when the key is used; otherwise, an exception may occur.

## Key Storage Security Level

In versions earlier than API version 11, the default storage level is DE when a key is generated or imported. Since API version 11, you can choose the storage security level, which defaults to CE. The options are listed in the table below.

| Name | Value | Description |
| ---- | ----- | ----------- |
| HUKS_AUTH_STORAGE_LEVEL_DE | 0 | The key can be accessed only after the device is started. |
| HUKS_AUTH_STORAGE_LEVEL_CE | 1 | The key can be accessed only after the first unlock of the device. |
| HUKS_AUTH_STORAGE_LEVEL_ECE | 2 | The key can be accessed only when the device is unlocked. |

## Supported Algorithms

The following table lists the supported key generation specifications.
<!--Del-->
The key management service specifications include mandatory specifications and optional specifications. Mandatory specifications are algorithm specifications that must be supported. Optional specifications can be used depending on the actual situation. Before using an optional specification, refer to the documents provided by the vendor to confirm that the specification is supported.

**You are advised to use mandatory specifications in your development for compatibility purposes.**
<!--DelEnd-->

**Specifications<!--RP1--> for standard devices<!--RP1End-->**

| Algorithm | Supported Key Length (Bit) | API Version | <!--DelCol4-->Mandatory |
| -------- | -------- | -------- | -------- |
| AES | 128, 192, 256 | 8+ | Yes |
| <!--DelRow-->RSA | 512, 768, 1024 | 8+ | No |
| RSA | 2048, 3072, 4096 | 8+ | Yes |
| RSA | An integer multiple of 8, ranging from 1024 to 2048 (inclusive) | 18+ | Yes |
| HMAC | An integer multiple of 8, ranging from 8 to 1024 (inclusive) | 8+ | Yes |
| <!--DelRow-->ECC | 224 | 8+ | No |
| ECC | 256, 384, 521 | 8+ | Yes |
| ED25519 | 256 | 8+ | Yes |
| X25519 | 256 | 8+ | Yes |
| <!--DelRow-->DSA | An integer multiple of 8, ranging from 512 to 1024 (inclusive) | 8+ | No |
| DH | 2048 | 8+ | Yes |
| <!--DelRow-->DH | 3072, 4096 | 8+ | No |
| SM2 | 256 | 9+ | Yes |
| SM4 | 128 | 9+ | Yes |
| DES | 64 | 18+ | Yes |
| 3DES | 128, 192 | 18+ | Yes |

> **NOTE**
>
> - The DH algorithm uses the FFDHE named safe prime groups.
> - Use DES and 3DES only where they are strictly required; avoid them otherwise.

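As an added example (not part of the HUKS documentation or project code), the following TypeScript pre-flight validator encodes the constraints stated on this page: the 128-byte alias limit, single-purpose keys, the mandatory standard-device key lengths with their minimum API versions, and the storage-level default. The type and function names are assumptions chosen for illustration.

```typescript
// Added example (not HUKS project code): pre-flight validation of a key
// generation request against the constraints stated on this page.
type Alg = "AES" | "RSA" | "HMAC" | "ECC" | "ED25519" | "X25519" | "DH" | "SM2" | "SM4" | "DES" | "3DES";
type Purpose = "ENCRYPT" | "DECRYPT" | "SIGN" | "VERIFY";
type StorageLevel = "DE" | "CE" | "ECE";

interface KeyRequest {
  alias: string; alg: Alg; keyLen: number; apiVersion: number;
  purposes: Purpose[]; storageLevel?: StorageLevel;
}

// Mandatory rows of the standard-device table: fixed sizes, or a range in which
// the length must be a multiple of 8, each available from a minimum API version.
interface Spec { sizes?: number[]; range?: [number, number]; api: number }
const STANDARD_SPECS: Record<Alg, Spec[]> = {
  AES: [{ sizes: [128, 192, 256], api: 8 }],
  RSA: [{ sizes: [2048, 3072, 4096], api: 8 }, { range: [1024, 2048], api: 18 }],
  HMAC: [{ range: [8, 1024], api: 8 }],
  ECC: [{ sizes: [256, 384, 521], api: 8 }],
  ED25519: [{ sizes: [256], api: 8 }], X25519: [{ sizes: [256], api: 8 }],
  DH: [{ sizes: [2048], api: 8 }], SM2: [{ sizes: [256], api: 9 }], SM4: [{ sizes: [128], api: 9 }],
  DES: [{ sizes: [64], api: 18 }], "3DES": [{ sizes: [128, 192], api: 18 }],
};

// Default storage level: DE before API version 11, CE from API version 11 on.
function defaultStorageLevel(apiVersion: number): StorageLevel {
  return apiVersion < 11 ? "DE" : "CE";
}

function fits(s: Spec, keyLen: number, apiVersion: number): boolean {
  if (apiVersion < s.api) return false;
  if (s.sizes) return s.sizes.includes(keyLen);
  const [lo, hi] = s.range as [number, number];
  return keyLen % 8 === 0 && keyLen >= lo && keyLen <= hi;
}

// Returns the violated constraints; an empty array means the request is acceptable.
function validateKeyRequest(r: KeyRequest): string[] {
  const errors: string[] = [];
  // The alias limit is 128 bytes of UTF-8, not 128 characters.
  if (new TextEncoder().encode(r.alias).length > 128) errors.push("alias exceeds 128 bytes");
  const crypt = r.purposes.some(p => p === "ENCRYPT" || p === "DECRYPT");
  const sig = r.purposes.some(p => p === "SIGN" || p === "VERIFY");
  if (r.purposes.length === 0) errors.push("no purpose given");
  if (crypt && sig) errors.push("key mixes encryption and signing purposes");
  if (!STANDARD_SPECS[r.alg].some(s => fits(s, r.keyLen, r.apiVersion)))
    errors.push(`${r.alg}-${r.keyLen} is not a mandatory specification at API ${r.apiVersion}`);
  if (r.storageLevel !== undefined && r.apiVersion < 11)
    errors.push("storage level is selectable only since API version 11");
  return errors;
}
```
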
**Specifications<!--RP2--> for mini-system devices<!--RP2End-->**

<!--Del-->
Before implementing the specifications for mini-system devices, determine whether your device supports the related specifications.
<!--DelEnd-->

| Algorithm | Supported Key Length (Bit) | API Version |
| -------- | -------- | -------- |
| AES | 128, 192, 256 | 8+ |
| DES | 64 | 12+ |
| 3DES | 128, 192 | 12+ |
| RSA | An integer multiple of 8, ranging from 1024 to 2048 (inclusive) | 12+ |
| HMAC | An integer multiple of 8, ranging from 8 to 1024 (inclusive) | 12+ |
| CMAC | 128 (supporting only 3DES) | 12+ |

75| DES | 64 | 12+ |
76| 3DES | 128, 192| 12+ |
77| RSA | An integer multiple of 8, ranging from 1024 to 2048 (inclusive)| 12+ |
78| HMAC | An integer multiple of 8, ranging from 8 to 1024 (inclusive)| 12+ |
79| CMAC | 128 (supporting only 3DES)| 12+ |
80