nCore API commands

This chapter describes the complete nShield command set. It is divided into the following sections:

  • Basic commands

    These commands are available on all nShield modules. They do not offer any key-management functionality

  • Key-management commands

    These commands are only available on nForce and nShield modules.

  • Commands used only by the generic stub

    These commands are included for information only. You should not need to call them directly. Commands are listed alphabetically within each section. For each command, the following information is listed:

  • the command name

  • the states in which the command can be issued

  • the required inputs

  • the expected output

If the module is unable to complete a requested command due to a non-fatal condition, such as lack of memory or an unknown command, the module sends a response with no reply data. The reply’s cmd value is sent to Cmd_ErrorReturn with the condition indicated by the status word that was returned in the header.
Unless specified otherwise, there is a limit of 8K on the total message that can be sent to the nShield server for each command, or in reply. This means that the maximum length of any byteblock sent for processing must be somewhat less that 8K.

Basic commands

The following basic commands, described in this section, are available on all nShield modules:

  • ClearUnit

  • ClearUnitEx

  • ModExp

  • ModExpCrt

These commands perform cryptographic acceleration without key management.

These commands are intended for use by applications that manage their own keys.

ClearUnit

All non-error states

"Privileged" users only

This command resets a module, returning it to the same mode that it was previously in. The module and server negotiate to enable the module to be reset without disturbing the host’s PCI subsystem. When the module is cleared:

  • all object handles (IDKA, IDKT, etc.) are invalidated

  • any share reassembly process that is currently active is aborted

  • the module enters the self-test state.

ClearUnit does not destroy:

  • module keys KM

  • module signing key KML

  • long-term fixed signing key KLF

  • nShield Security Officer’s key KNSO.

Arguments

struct M_Cmd_ClearUnit_Args {
   M_ModuleID module;                                   ModuleID
};

Reply

The reply structure for this command is empty.

The status is Status_OK or, if the unit is already being reset, Status_UnitReset. The reply is sent immediately (that is, before the unit is actually cleared).

Notes

In versions of the server prior to 1.40, the ClearUnit command caused a hard reset. In release 1.40, the ClearUnit command was given a new command number, and the old command number was renamed OldClearUnit, which is included for backward compatibility only. From release 1.40, servers interpret ClearUnit and OldClearUnit as ClearUnit. The ClearUnit command fails with Status_UnknownCommand on servers older than release 1.40.

ClearUnitEx

All non-error states

"Privileged" users only

This command resets a module, and optionally enables you to change the mode as required. ClearUnitEx is implemented entirely by the hardserver, which:

  • Checks and sets the scratchpad registers

  • Sets a want clear state on the command target

Further behavior is identical to the ClearUnit command, including sending ClearUnit (not ClearUnixEx) to the module. See ClearUnit for more about the ClearUnit command.

Arguments

bitmap:                         flags
       harmless: 16-
ModuleID                        module       [<module to be reset>]
ModuleMode                      mode         [<desired module mode>]
  • Flags are not currently used.

Module mode settings

The following desired module mode settings are available:

ModuleMode Default =0
ModuleMode Maintenance =1
ModuleMode Operational =2
ModuleMode Initialisation =3

Reply

  • The ModuleMode value in the reply corresponds to the bit field in scratchpad 0.

  • If the module is already part way through a reset, then @ref Status_UnitReset is returned.

  • If the request cannot be completed because the main application of the module does not support software mode changes, then @ref Status_ModuleApplicationNotSupported is returned.

  • If the request cannot be completed because the module monitor does not support software mode changes, then @ref Status ModuleMonitorNotSupported is returned.

Firmware releases prior to v12 do not support changing the mode without use of the MOI switch. The mode argument must be 0. With the appropriate firmware, the mode argument can be used to change the mode.

ModExp

Operational state

initialization state

This command performs modular exponentiation on parameters passed by the client.

Arguments

struct M_Cmd_ModExp_Args {
  M_Bignum a;                          A base
  M_Bignum p;                          P power
  M_Bignum n;                          N modulus
};

Reply

struct M_Cmd_ModExp_Reply {
M_Bignum r;
};

where r = APmod N

ModExpCrt

Operational state

initialization state

This command performs modular exponentiation on parameters passed by the client. ModExpCrt uses the Chinese Remainder Theorem to reduce the time it takes to perform the operation.

Arguments

struct M_Cmd_ModExpCrt_Args {
   M_Bignum a;                      A base
   M_Bignum p;                      P modulus larger factor
   M_Bignum q;                      Q modulus smaller factor
   M_Bignum dmp1;                   D mod (P-1)
   M_Bignum dmq1;                   D mod (Q-1)
   M_Bignum iqmp;                   Q-1 mod P
};

Reply

Uses M_Cmd_ModExp_Reply.

Notes

It is assumed that P >= Q.

Key-management commands

The commands described in this section, are only available on key-management modules.

If you send any of these commands to an acceleration-only module, it fails with the status value Status_InvalidState.

ChangeSharePIN

Operational state

initialization state

This command enables a PIN that protects a single share to be changed. The old PIN must be provided unless the share has no PIN. Likewise, the new PIN must be provided unless the PIN is being removed.

The module decrypts the share using the old PIN and the KM associated with the token. If the share is decrypted correctly, the module encrypts it using the new PIN and the KM. It then writes the newly encrypted share to the smart card or software token.

This operation can be performed regardless of whether or not the logical token associated with this share is "present". The only requirement is that both the smart card with the share and the KM associated with the token be present within the module.

Arguments

struct M_Cmd_ChangeSharePIN_Args {
   M_Cmd_ChangeSharePIN_Args_flags flags;
   M_PhysToken token;
   M_KMHash hkm;
   M_ShortHash hkt;
   M_Word i;
   M_PIN *oldpin;
   M_PIN *newpin;
};
  • The following flags are defined:

    • Cmd_ChangeSharePIN_Args_flags_oldpin_present

      Set this flag if the input contains the old PIN. The old PIN must be specified unless the share was previously encrypted without a PIN or if the share uses the protected PIN path.

    • Cmd_ChangeSharePIN_Args_flags_newpin_present

      Set this flag if the input contains the new PIN. The new PIN must be specified unless the share is to be encrypted without a PIN or if the share uses the protected PIN path.

    • Cmd_ChangeSharePIN_Args_flags__allflags

  • M_KMHash hkm is Module key hash HKM

  • M_ShortHash hkt is a short, 10-byte token hash, such as returned by GetSlotInfo.

  • M_Word i is the share number

  • M_PIN *oldpin is the old PIN, or NULL

  • M_PIN *newpin is the new PIN, or NULL

Reply

The reply structure for this command is empty.

ChannelOpen

Operational state, initialization state

Requires a ClientID

This command opens a communication channel that can be used for bulk encryption. Data can then be transferred over this channel by using the ChannelUpdate command.

Channel operations are only available for symmetric algorithms.

Arguments

typedef struct {
   M_ModuleID module;
   M_ChannelType type;
   M_Cmd_ChannelOpen_Args_flags flags;
   M_ChannelMode mode;
   M_Mech mech;
   M_KeyID *key;
   M_IV *given_iv;
} M_Cmd_ChannelOpen_Args;
  • M_ChannelType type is the data transfer mechanism for the channel. At present, only ChannelType_Simple is supported. Alternatively, ChannelType_Any can be used to let the module pick the"best" channel type that it supports.

    ChannelType_Any
    ChannelType_Simple
  • M_Cmd_ChannelOpen_Args_flags flags The following flags are defined:

    • Cmd_ChannelOpen_Args_flags_key_present

      Set this flag if the command contains a KeyID. The command must include a KeyID unless you are using a hashing mechanism.

    • Cmd_ChannelOpen_Args_flags_given_iv_present

      Set this flag if the command designates which initialization vector to use. For encryption and signature mechanisms, if this flag is not set and the mechanism requires an initialization vector, the module will create a random iv and return it in the reply. For decryption and verification mechanisms, this flag must be set and the M_IV must be specified or Status_InvalidParameter will be returned.

  • M_ChannelMode mode determines the operation to perform on this channel. The following modes are defined:

    • ChannelMode_Encrypt

    • ChannelMode_Decrypt

    • ChannelMode_Sign

    • ChannelMode_Verify

  • M_Mech mech is the mechanism to use. See Mechanisms for information on supported mechanisms.

  • M_KeyID *key is the KeyID of the key to use on the channel. The key must have the appropriate Encrypt, Decrypt, Sign, or Verify permissions in its ACL. It must also be an appropriate type for the given mechanism. In order to use unkeyed hash mechanisms, this key field must be absent.

  • M_IV *given_iv is the initialization vector to use on the channel. This field is optional for the Encrypt and Sign modes, but it must be given for the Decrypt and Verify modes. Status_InvalidParameter is returned if this field is not present when it is required or if it has an incorrect mechanism.

Reply

typedef struct {
M_Cmd_ChannelOpen_Reply_flags flags;
M_KeyID idch;
M_IV *new_iv;
M_ChannelOpenInfo openinfo;
} M_Cmd_ChannelOpen_Reply;
  • M_Cmd_ChannelOpen_Reply_flags flags

    The following flag is defined: Cmd_ChannelOpen_Reply_flags_new_iv_present. This flag is set if the new_iv field is present.

  • M_KeyID idch is the ID of the Channel. It is like a KeyID; it may be used to refer to the channel and can be destroyed with the Destroy command after use. However, it will be different to the KeyID.

    The server will destroy the channel automatically when the last connection associated with the application that created it closes.
  • M_IV *new_iv is an initialization vector for the channel. It is returned only if the channel mode is Encrypt or Sign and no given_iv has been sent with the command.

  • M_ChannelOpenInfo openinfo is extra information about the channel:

    struct M_ModuleChannelOpenInfo {
    M_ChannelType type;
    union M_ChannelType__ExtraMCOI info;
    };
  • M_ChannelType type is the channel type used.

  • union M_ChannelType__ExtraMCOI info is extra information that is dependent on the channel type. It allows the client to access a device driver, if necessary, in order to perform data transfer.

ChannelUpdate

Operational state, initialization state

Requires a ClientID

This command transfers data over a communication channel for bulk encryption. Such a channel must be opened with the ChannelOpen command before the ChannelUpdate command can be used.

Channel operations are only available for symmetric algorithms.

Data is streamed into an open channel by giving one or more Update commands. The last data block to be processed should have the final flag set. This final block does not have to contain any input data (except in Verify mode; see below). Input data does not have to be multiples of the block size for block ciphers; the module will buffer the data internally as necessary. In general, the output block will contain all the data that can be encrypted/decrypted unambiguously given the input so far. However, PKCS #5 padding usually lags behind by a block when decrypting.

For decryption—and for encryption in non-padding modes—you must have supplied a whole number of input blocks. Otherwise, a status of Status_EncryptFailed or Status_DecryptFailed will be returned. Status_DecryptFailed is also used if unpadding fails during decryption.

For signing modes, no output will be generated until the final bit is set, in which case the signature or hash will be output as the byte block.

For verification modes, no output is generated. Instead, the plain text message must be input by ChannelUpdate commands with their final bit clear, then a ChannelUpdate with the final bit set is given, with the signature/hash bytes given as the input block. This will return a status of OK or VerifyFailed, as appropriate.

Arguments

struct M_Cmd_ChannelUpdate_Args {
   M_Cmd_ChannelUpdate_Args_flags flags;
   M_KeyID idch;
   M_ByteBlock input;
};
  • The following flag is defined: Cmd_ChannelUpdate_Args_flags_final. This flag indicates the last block of input data.

  • M_KeyID idch is the ChannelID returned by ChannelOpen.

  • M_ByteBlock input is a byte block of input data (it may be of zero length)

Reply

struct M_Cmd_ChannelUpdate_Reply {
    M_ByteBlock output;
};

M_ByteBlock output is a byte block containing output data from the channel. This block may be of zero length.

Decrypt

Operational state, initialization state

Requires a ClientID

This command takes a cipher text and decrypts it with a previously stored key.

The limit of 8K does not apply to data decrypted by this command. This is because the Generic Stub library splits the command into a ChannelOpen command followed by a number of ChannelUpdate commands. Only symmetric mechanisms use channels; asymmetric mechanisms cannot.

For information on formats, see Encrypt.

Arguments

struct M_Cmd_Decrypt_Args {
   M_Cmd_Decrypt_Args_flags flags;
   M_KeyID key;
   M_Mech mech;
   M_CipherText cipher;
   M_PlainTextType reply_type;
};
  • No Flags are defined.

  • M_KeyID key is IDKA.

  • M_Mech mech: See Mechanisms for information on supported mechanisms. If mech is not Mech_Any, then it must match the mechanism of the ciphertext, cipher.mech. If it does not match, then a MechanismNotExpected error is returned.

Reply

struct M_Cmd_Decrypt_Reply {
   M_PlainText plain;
}

DeriveKey

Operational state, initialization state

Requires a ClientID

This command creates a new key object from a number of other keys that have been stored already on the module. Then, DeriveKey returns a KeyID for the new key.

There are two special key types used by DeriveKey:

  • a template key — the template is used to provide the ACL and application data for the output key

  • a wrapped key — a key type for holding encrypted keys.

Arguments

struct M_Cmd_DeriveKey_Args {
   M_Cmd_DeriveKey_Args_flags flags;
   M_DeriveMech mech;
   int n_keys;
   M_vec_KeyID keys;
   union M_DeriveMech__DKParams params;
} M_Cmd_DeriveKey_Args;
  • The following flag is defined: Cmd_DeriveKey_Args_flags_WorldHashMech Indicates that the hash mechanism for Security World keys will be used for identifying keys. By enabling the Cmd_DeriveKey_Args_flags_WorldHashMech flag, keys shall be identified by the selected world hash mechanism. See DeriveKey and DeriveKeyEx.

  • M_DeriveMech mech

    See Derive Key Mechanisms for information on supported mechanisms.

  • int n_keys

    This value is the number of keys that have been supplied in the key table.

  • M_vec_KeyID keys

    This is a table containing the KeyIDs of the keys that are to be used. You must enter the KeyIDs of these keys in the following order:

    1. template key

    2. base key

    3. wrapping key(s)

    Each key must be of the correct type for the mechanism.

    Each of these keys must have an ACL that permits them to be used for DeriveKey operations in this role.

    Any of the keys may have an ACL that requires a certificate. If more than one of the keys requires a certificate, then all the certificates must have the same signing key.
  • union M_DeriveMech__DKParams params

    Parameters for the specific wrapping mechanism. See Derive Key Mechanisms.

union M_DeriveMech__DKParams {
 M_DeriveMech_ConcatenationKDF_DKParams concatenationkdf;
M_DeriveMech_PKCS8Encrypt_DKParams pkcs8encrypt;
M_DeriveMech_PKCS8Decrypt_DKParams pkcs8decrypt;
M_DeriveMech_RawDecrypt_DKParams rawdecrypt;
M_DeriveMech_AESKeyWrap_DKParams aeskeywrap;
M_DeriveMech_AESKeyUnwrap_DKParams aeskeyunwrap;
M_DeriveMech_RawDecryptZeroPad_DKParams rawdecryptzeropad;
M_DeriveMech_ECCMQV_DKParams eccmqv;
M_DeriveMech_ECDHKA_DKParams ecdhka;
M_DeriveMech_ECIESKeyUnwrap_DKParams ecieskeyunwrap;
M_DeriveMech_ECIESKeyWrap_DKParams ecieskeywrap;
M_DeriveMech_ConcatenateBytes_DKParams concatenatebytes;
M_DeriveMech_RawEncrypt_DKParams rawencrypt;
M_DeriveMech_NISTKDFmCTRpRijndaelCMACr32_DKParams nistkdfmctrprijndaelcmacr32;
M_DeriveMech_RawEncryptZeroPad_DKParams rawencryptzeropad;
};

Reply

struct M_Cmd_DeriveKey_Reply {
   M_KeyID key;
};

The M_KeyID points to the derived key. The ACL and application data for this key are the ACL and application data that have been stored as the key data of the template key. The key type is defined by the mechanism used. The key data is determined by the base key, the wrapping key (or wrapping keys), and the mechanism.

Notes

The key derivation mechanisms provide a means of converting keys of many different types into KeyType_Wrapped and then back again. The type of the original key is usually not preserved in the Wrapped data format (the EncryptMarshalled mechanism does preserve type).

Therefore, one key may be converted to another of a different type by unwrapping it with a different mechanism. Indeed, the key data itself may be modified by unwrapping it with a different key.

This feature is provided to increase flexibility and interoperability, which is a major goal of the DeriveKey command. However, it can be a potential weak point in security. Therefore, Entrust recommends that whenever a base key is turned into a Wrapped key type, if the new key is to be used within the nShield environment, the ACL for the new key be set only to allow decoding back to the original key. This is done by setting the DeriveKey ACL entry in the wrapped key so that:

  • the mech field identifies the correct decoding mechanism

  • the otherkeys table identifies the correct unwrapping key in the right role.

Destroy

Operational state, initialization state

Requires a ClientID

This removes a key object from memory and zeroes any storage associated with it.

This command can be used to destroy:

  • a key object by specifying an IDKA

  • a logical token by specifying an IDKT

  • a ModuleSEEWorld by specifying a KeyID

  • an impath by specifying an ImpathID

  • an FTSessionID or FileTransferID

  • a channel

  • a foreign token lock

  • multiple objects that were previously merged by means of MergeKeyIDs. Only the merged KeyID is removed; the underlying keys remain loaded.

When an object has multiple KeyIDs, Destroy only removes the KeyID for the current ClientID or SEEWorld. The underlying object is removed when the last KeyID for the object is destroyed.

It is an error to Destroy an IDKA that has not been issued previously by the nShield server or that has already been destroyed.

An IDKA may be reused for a new object after the current object is destroyed.

A key that forms part of a merged set made with MergeKeyIDs (see MergeKeyIDs) cannot be destroyed. Attempts to do so will return an ObjectInUse error. Destroy the merged KeyID first.

Arguments

struct M_Cmd_Destroy_Args {
M_KeyID key;
};

M_KeyID key can be any object with an M_KeyID, such as an IDKA, an IDKT, or the SEE World’s KeyID.

Reply

The reply structure for this command is empty.

Duplicate

Operational state, initialization state

Requires a ClientID

This command duplicates a key object within module memory and returns a new handle to it. The new key object can then be manipulated independently of the original key object.

The new key inherits its ACL from the original key.

Arguments

struct M_Cmd_Duplicate_Args {
   M_KeyID key;
};

M_KeyID key is IDKA.

Reply

struct M_Cmd_Duplicate_Reply {
   M_KeyID newkey;
};

M_KeyID newkey is IDKA2.

Encrypt

Operational state, initialization state

Requires a ClientID

This command encrypts data by using a previously loaded key. It returns the cipher text.

The limit of 8K does not apply to data encrypted by this command. This is because the Generic Stub library splits the command into a ChannelOpen command followed by a number of ChannelUpdate commands. Only symmetric mechanisms use channels; asymmetric mechanisms cannot.

Arguments

struct M_Cmd_Encrypt_Args {
   M_Cmd_Encrypt_Args_flags flags;
   M_KeyID key;
   M_Mech mech;
   M_PlainText plain;
   M_IV *given_iv;
};
  • The following flag is defined:

    Cmd_Encrypt_Args_flags_given_iv_present

    This flag must be set if the command includes the initialization vector. If this flag is not set, the module will generate a random initialization vector if one is required by this mechanism.

  • M_KeyID key is IDKA.

  • M_Mech mech

    See Mechanisms for information on supported mechanisms. If Mech_Any is specified and an IV is given, the mechanism is taken from that IV. Otherwise, if Mech_Any is not specified, the given mechanism is used. Moreover, if an IV is given, its mechanism must match the given mechanism, otherwise Status_MechanismNotExpected will be returned.

  • M_IV *given_iv

    This can be either the IV to use or otherwise NULL if no IV is defined or if you prefer that the module choose an IV on its own.

Reply

struct M_Cmd_Encrypt_Reply {
   M_CipherText cipher;
};

Export

Operational state, initialization state

Requires a ClientID

This command is used to extract key material in plain text.

Most private key objects should have an ACL (or ACLs) that forbid the reading of this data in plain text.

Arguments

struct M_Cmd_Export_Args {
   M_KeyID key;
};

Reply

struct M_Cmd_Export_Reply {
   M_KeyData data;
};

FirmwareAuthenticate

Operational state, initialization state, maintenance state

This command is used to authenticate the firmware in a module by comparing it to a firmware image on the host. If performed in the maintenance state it can be used to authenticate the monitor.

Use the fwcheck command-line utility to perform this operation.

FormatToken

Operational state, initialization state

May require a KNSO certificate

This command initializes a smart card.

Arguments

struct M_Cmd_FormatToken_Args {
M_Cmd_FormatToken_Args_flags flags;
M_PhysToken token;
M_KMHash *auth_key;
};
  • The following flag is defined:

    Cmd_FormatToken_Args_flags_auth_key_present

    Set this flag if the input includes a module key hash to use for challenge-response authentication. This flag can only be used if the smart card supports authentication.

  • M_KMHash *auth_key is the HKM of a module key or a NULL pointer. The module key is combined with the unique identity of the token to produce the key to be used for challenge-response authentication.

Reply

The reply structure for this command is empty.

GenerateKey and GenerateKeyPair

Operational state, initialization state

Requires a ClientID

May require a KNSO certificate

The GenerateKey command randomly generates a key object of the given type and with the specified ACL (or ACLs) and stores it in internal RAM.

The GenerateKeyPair command randomly generates a matching public and private key pair.

Use GenerateKey for symmetric algorithms.

For public-key algorithms, use GenerateKeyPair.

Arguments

struct M_Cmd_GenerateKey_Args {
   M_Cmd_GenerateKey_Args_flags flags;
   M_ModuleID module;
   M_KeyGenParams params;
   M_ACL acl;
   M_AppData *appdata;
};
struct M_Cmd_GenerateKeyPair_Args {
   M_Cmd_GenerateKeyPair_Args_flags flags;
   M_ModuleID module;
   M_KeyGenParams params;
   M_ACL aclpriv;
   M_ACL aclpub;
   M_AppData *appdatapriv;
   M_AppData *appdatapub;
} M_Cmd_GenerateKeyPair_Args;
  • The following flags are defined:

    • Cmd_GenerateKey_Args_flags_Certify

      If this flag is set, the reply will contain a certificate of data type ModuleCert that describes the security policy for this key or key pair. This certificate enables an observer, such as an organization’s Security Officer or a certificate authority, to check that the key or key pair was generated in compliance with a stated security policy before they allow the key to be used. The certificate contains:

      • HKA for the key

      • the application data field or fields

      • the ACL (or ACLs)

      • The certificate is signed by the module’s private key.
        Module Private Key

    • Cmd_GenerateKey_Args_flags_appdata_present

      You must set this flag if the request contains application data for the symmetric key.

    • Cmd_GenerateKey_Args_flags_PairwiseCheck

      If this flag is set, the module performs a consistency check on the key by creating a random message, then encrypting and decrypting this message. The test fails if the encrypted message is the same as the plain text or if the encrypted message fails to decrypt to the plain text.

    • Cmd_GenerateKeyPair_Args_flags_Certify

    • Cmd_GenerateKeyPair_Args_flags_appdatapriv_present

      You must set this flag if the request contains application data for the private key.

    • Cmd_GenerateKeyPair_Args_flags_appdatapub_present

      You must set this flag if the request contains application data for the public key.

    • Cmd_GenerateKeyPair_Args_flags_PairwiseCheck

  • M_ModuleID module

    If the module ID is nonzero, the key is loaded onto the specified module. If the module ID is 0, the key is loaded onto the first available module. You can use the GetWhichModule command to determine which modules contain which keys).

  • M_KeyGenParams params

    The key type and required parameters needed to generate this key or key pair are as follows:

    struct M_KeyGenParams {
     M_KeyType type;
     union M_KeyType__GenParams params;
    };
  • The following key types are defined:

    • KeyType_ArcFour Use GenerateKey

    • KeyType_Blowfish

    • KeyType_CAST Use GenerateKey

    • KeyType_CAST256

    • KeyType_DES Use GenerateKey

    • KeyType_DES2 Use GenerateKey

    • KeyType_DES3 Use GenerateKey

    • KeyType_DHPrivate Use GenerateKeyPair

    • KeyType_DHPublic Do not use for key generation

    • KeyType_DKTemplate

    • KeyType_DSAComm Use GenerateKey

    • KeyType_DSAPrivate Use GenerateKeyPair

    • KeyType_DSAPublic Do not use for key generation

    • KeyType_HMACMD2

    • KeyType_HMACMD5

    • KeyType_HMACRIPEMD160

    • KeyType_HMACSHA1

    • KeyType_HMACSHA256

    • KeyType_HMACSHA384

    • KeyType_HMACSHA512

    • KeyType_HMACTiger

    • KeyType_IDEA

    • KeyType_KCDSAComm

    • KeyType_KCDSAPrivate

    • KeyType_KCDSAPublic

    • KeyType_Random Use GenerateKey

    • KeyType_RC2

    • KeyType_RC5

    • KeyType_Rijndael

    • KeyType_RSAPrivate Use GenerateKeyPair

    • KeyType_RSAPublic Do not use for key generation

    • KeyType_SEED

    • KeyType_Serpent

    • KeyType_Skipjack

    • KeyType_Twofish

    • KeyType_Void KeyType_Wrapped Created by DeriveKey

    • KeyType_Any Do not use for key generation

    • KeyType_None Do not use for key generation

    When generating a key pair, you must specify the key type for the private half of the key pair.
    The following key types have key generation parameters:
    union M_KeyType__GenParams {
    M_KeyType_RSAPrivate_GenParams rsaprivate;
    M_KeyType_DSAPrivate_GenParams dsaprivate;
    M_KeyType_Random_GenParams random;
    M_KeyType_DSAComm_GenParams dsacomm;
    M_KeyType_DHPrivate_GenParams dhprivate;
    M_KeyType_Wrapped_GenParams wrapped;
    };
    • M_KeyType_RSAPrivate_GenParams rsaprivate. See RSA.

    • M_KeyType_DSAPrivate_GenParams dsaprivate. See DSA.

    • M_KeyType_Random_GenParams random. See Random.

    • M_KeyType_DSAComm_GenParams dsacomm. See DSA.

    • M_KeyType_DHPrivate_GenParams dhprivate. See Diffie-Hellman and ElGamal.

    • M_KeyType_Wrapped_GenParams wrapped. Generating a wrapped key creates a random key block — this may be useful in some key derivation schemes.

    DES and Triple DES do not have any key generation parameters. ArcFour and CAST use the same parameters as the key type RANDOM. ElGamal uses key type Diffie-Hellman.

  • M_ACL acl

    See ACLs.

  • M_AppData *appdata

    This is application data. If the command contains application data, the appropriate flag must be set. If no appdata is provided, the appdata stored with the key is set to all-bits-zero.

  • M_ACL aclpriv

    ACL for private half

  • M_ACL aclpub

    ACL for public half

  • M_AppData *appdatapriv

    appdata for private half.

  • M_AppData *appdatapub

    appdata for public half.

Reply

struct M_Cmd_GenerateKey_Reply {
   M_Cmd_GenerateKey_Reply_flags flags;
   M_KeyID key;
   M_ModuleCert *cert;
};
struct M_Cmd_GenerateKeyPair_Reply {
   M_Cmd_GenerateKeyPair_Reply_flags flags;
   M_KeyID keypriv;
   M_KeyID keypub;
   M_ModuleCert *certpriv;
   M_ModuleCert *certpub;
};
  • The following flags are defined:

    • Cmd_GenerateKey_Reply_flags_cert_present

    • Cmd_GenerateKeyPair_Reply_flags_cert_present

      These flags are set if the reply contains a certificate or a certificate pair.

  • M_KeyID key is IDKA.

  • M_ModuleCert *cert is a certificate that describes how the key was generated.

    struct M_ModuleCert {
     M_CipherText signature;
     M_ByteBlock modcertmsg;
    };
    struct M_ModCertMsg {
     M_ModCertType type;
     union M_ModCertType__ModCertData data;
    };
    union M_ModCertType__ModCertData {
     M_ModCertType_KeyGen_ModCertData keygen;
    };
    struct M_ModCertType_KeyGen_ModCertData {
     M_ModCertType_KeyGen_ModCertData_flags flags:
     M_KeyGenParams genparams;
     M_ACL acl;
     M_Hash hka;
    };
    • M_ModCertType type From release 1.67.15 and later, this should be type KeyGen with code 2. The previous type, now called OldKeyGen, did not distinguish between public and private keys and should no longer be used

      The following flag is defined:

      • ModCertType_KeyGen_ModCertData_flags_public

        Set this flag if this is the public half of a key pair.

    • M_KeyGenParams genparams

      These are the key generation parameters to be used to generate this key.

    • M_ACL acl

      This is the ACL that was applied to this key when it was created.

    • M_Hash hka

      This is the SHA-1 hash of the key value.

Notes

If the Strict_FIPS140 flag was set in the SetKNSO command, GenerateKey or GenerateKeyPair will fail with status Status_StrictFIPS140 if you attempt to generate a secret key that can be exported as plain text. A secret key is any key that can have Sign or Decrypt permissions.

GenerateLogicalToken

Operational state, initialization state

Requires a ClientID

May require a KNSO certificate

This command generates a random token key KT, associates it with the given properties and secret-sharing parameters (n and t), and encrypts it with the given module key that is identified by its hash, HKM.

The result is stored internally, and an identifier IDKT and a hash HKT are returned. The token is referred to by its identifier in commands and by its hash in ACLs.

Arguments

struct M_Cmd_GenerateLogicalToken_Args {
   M_ModuleID module;
   M_KMHash hkm;
   M_TokenParams params;
};
  • M_ModuleID module

    If the module ID is nonzero, the key is loaded onto the specified module. If the module ID is 0, the token is generated on the first available module.

  • M_KMHash hkm is the HKM of the module key to use to protect this token. If you supply an all zero HKM, the module will use the null module key.

Reply

struct M_Cmd_GenerateLogicalToken_Reply {
   M_KeyID idkt;
   M_TokenHash hkt;
};
  • M_KeyID idkt is IDKT

  • M_TokenHash hkt is HKT

GetChallenge

Operational state, initialization state

Requires a ClientID

The GetChallenge command returns a nonce that is used to build a fresh certificate. See Certificates. GetChallenge is also used during impath setup.

Arguments

struct M_Cmd_GetChallenge_Args {
   M_ModuleID module;
};

Reply

struct M_Cmd_GetChallenge_Reply {
   M_KMHash nonce;
};

GetKML

Operational state, initialization state

This command is used to retrieve a KeyID for the module’s long-term public key. This key is generated by InitialiseUnit and is held internally. KML has ACL permissions that allow it to be extracted as plain text, to be used to verify signatures, to view its own ACL, and to extend its ACL.

Arguments

struct M_Cmd_GetKML_Args {
   M_ModuleID module;
};

Reply

struct M_Cmd_GetKML_Reply {
   M_KeyID idka;
};

M_KeyID idka is IDKA for KML

GetTicket

Operational state, initialization state

Requires a ClientID

This command gets a ticket for a specific KeyID. The ticket can then be passed to another client or to an SEE application, which can redeem the ticket for a KeyID in its name space.

Tickets can be single-use or permanent, and they can specify the destination.

The program should treat tickets as opaque objects. nShield reserves the right to change the structure of tickets at any time.

Arguments

struct M_Cmd_GetTicket_Args {
M_Cmd_GetTicket_Args_flags flags;
M_KeyID obj;
M_TicketDestination dest;
union M_TicketDestination__TicketDestSpec destspec;
};
  • The following flags are defined:

    • Cmd_GetTicket_Args_flags_Reusable

      If this flag is set, the ticket can be used multiple times. Otherwise, the ticket can only be used once.

    • Cmd_GetTicket_Args_flags_HarmlessInfoFlags

      Set if the nShield server understands new destinations, TicketDestination_AnyKernelClient and later. The nShield will set this flag automatically.

  • M_KeyID obj

    The object for which a ticket is required. This may be any object with a KeyID, for example a key, token or SEEWorld.

  • M_TicketDestination dest are destinations at which this ticket can be redeemed:

    typedef enum M_TicketDestination {
     TicketDestination_Any =
     TicketDestination_AnyClient =
     TicketDestination_NamedClient =
     TicketDestination_AnySEEWorld =
     TicketDestination_NamedSEEWorld =
     TicketDestination_AnyKernelClient
     TicketDestination__Max =
    } M_TicketDestination;
  • TicketDestination_Any

    This specifies any destination. If the nShield server has not set Cmd_GetTicket_Args_flags_HarmlessInfoFlags this will not include TicketDestination_AnyKernelClient or later destinations.

  • TicketDestination_AnyClient

    This specifies any client connected to this server.

  • TicketDestination_NamedClient

    This is the specific client that is named in the M_TicketDestination__TicketDestSpec.

  • TicketDestination_AnySEEWorld

    This specifies any SEEWorld loaded on this module.

  • TicketDestination_NamedSEEWorld

    This is the specific SEEWorld that is named in the M_TicketDestination__TicketDestSpec

  • TicketDestination_AnyKernelClient

    This specifies any client operating in kernel space. This can only be used if the nShield server reports that the module offers the kernel interface.

  • union M_TicketDestination__TicketDestSpec destspec

    This specifies a specific destination:

    union M_TicketDestination__TicketDestSpec {
     M_TicketDestination_NamedSEEWorld_TicketDestSpec namedseeworld;
     M_TicketDestination_NamedClient_TicketDestSpec namedclient;
    };
  • M_TicketDestination_NamedSEEWorld_TicketDestSpec namedseeworld

    This is the KeyID of the SEEWorld:

    struct M_TicketDestination_NamedSEEWorld_TicketDestSpec {
     M_KeyID world;
    };
  • M_TicketDestination_NamedClient_TicketDestSpec namedclient

    This is the SHA-1 hash of the ClientID:

    struct M_TicketDestination_NamedClient_TicketDestSpec {
     M_Hash hclientid;
    };

Reply

struct M_Cmd_GetTicket_Reply {
   M_nest_Ticket ticket;
};

M_nest_Ticket ticket is a ticket for this object to pass to the destination.

Hash

Operational state, initialization state

This command hashes a message.

There is no limit to the size of the plaintext. This is because the Generic Stub library splits the command into a ChannelOpen command followed by a number of ChannelUpdate commands. Only symmetric mechanisms use channels; asymmetric mechanisms cannot.

Arguments

struct M_Cmd_Hash_Args {
   M_Cmd_Hash_Args_flags flags;
   M_Mech mech;
   M_PlainText plain;
};
  • No flags are defined.

  • M_Mech mech - see Mechanisms.

  • M_PlainText plain This must be in the format M_PlainTextType_Bytes_Data.

Reply

struct M_Cmd_Hash_Reply {
   M_CipherText sig; Hash
};

ImpathKXBegin

Operational state, initialization state

Requires a ClientID

This command creates a new intermodule path (impath) and returns a key-exchange message that is to be sent to the peer module.

An impath is a cryptographically secure channel between two nShield nC-series hardware security modules. Data sent through such a channel is secure against both eavesdroppers and active adversaries. The channel can carry arbitrary user data as well as module-protected secrets, such as share data, to be passed directly between modules.

Modules are identified by means of M_RemoteModule structures. The elements of a M_RemoteModule describe a specific module or a set of modules—for example, those modules that know a particular module key—as well as information about how modules must prove their identity. The M_RemoteModule structures are the primary means for describing security policy decisions about impaths.

In many cases you do not need to define the impath yourself. If you use the nCore remote slot commands, the nShield server will create the required impaths automatically.

Arguments

struct M_Cmd_ImpathKXBegin_Args {
    M_Cmd_ImpathKXBegin_Args_flags flags;
    M_ModuleID module;
    M_RemoteModule me;
    M_RemoteModule him;
    M_ImpathKXGroupSelection hisgroups;
    M_Nonce n;
    int n_keys;
    M_vec_KeyID keys;
};
  • No flags are defined.

  • M_ModuleID module

    The module ID of the module which is to be the local end of the impath.

  • M_RemoteModule me

    This is an M_RemoteModule structure describing the local module. It must exactly match the him structure being used at the other end of the impath.

  • M_RemoteModule him

    This is an M_RemoteModule structure describing the peer module. It must exactly match the me structure being used at the other end of the impath.

  • M_ImpathKXGroupSelection hisgroups

    This is the peer module’s list of supported key-exchange groups. This list can be obtained, for example, by using the NewEnquiry command on the remote module. The list is used to select the key-exchange group that is to be used when setting up the impath.

  • M_Nonce n

    This is a challenge obtained from the remote module by using the GetChallenge command.

  • int n_keys is the size of the keys table

  • M_vec_KeyID keys

    This is a table of KeyIDs for the user keys whose hashes are listed in me.hks. The keys must have the SignModuleCert permission enabled. User keys may be either private or symmetric.

Reply

struct M_Cmd_ImpathKXBegin_Reply {
   M_ImpathID imp;
   M_ByteBlock kx;
};
  • M_ImpathID imp

    This is the ID for this impath. After the impath is no longer required, it can be disposed of by using the Destroy command.

  • M_ByteBlock kx

    This is a key-exchange message that is to be transmitted to the peer module. (See ImpathKXFinish.)

ImpathKXFinish

Operational state, initialization state

Requires a ClientID

This command completes an impath (intermodule path) key exchange. It leaves the impath ready for data transmission and receipt.

Arguments

struct M_Cmd_ImpathKXFinish_Args {
   M_Cmd_ImpathKXFinish_Args_flags flags;
   M_ImpathID imp;
   M_NetworkAddress *addr;
   int n_keys;
   M_vec_KeyID keys;
   M_ByteBlock kx;
};
  • The following flag is defined:

    • Cmd_ImpathKXFinish_Args_flags_addr_present

      Indicates whether the M_NetworkAddress *addr is present.

  • M_ImpathID imp is the ID for the impath

  • M_NetworkAddress *addr

    This is the network address of the peer host. If supplied, this is compared against the addr field in the him structure given to the ImpathKXBegin command.

  • int n_keys is the size of the keys table.

  • M_vec_KeyID keys

    This is a table of KeyIDs for the user keys, public or symmetric, whose hashes were listed in the hks table in the him structure given to the ImpathKXBegin command.

  • M_ByteBlock kx

    This is the key-exchange message returned by ImpathKXBegin on the peer module.

Reply

The reply structure for this command is empty.

ImpathReceive

Operational state, initialization state

Requires a ClientID

This command decrypts a user-data message that was encrypted using an impath.

Arguments

struct M_Cmd_ImpathReceive_Args {
   M_ImpathID imp;
   M_ByteBlock cipher;
};
  • M_ImpathID imp is the ID for the impath.

  • M_ByteBlock cipher is the cipher text emitted by an ImpathSend command issued to the peer module. Each cipher text message can be received once only, in order to prevent replay attacks.

Reply

struct M_Cmd_ImpathReceive_Reply {
   M_ByteBlock data;
};

M_ByteBlock data is a recovered plain text message.

ImpathSend

Operational state, initialization state

Requires a ClientID

This command encrypts a user message using an impath’s keys, ready for transmission to the peer host.

Arguments

struct M_Cmd_ImpathSend_Args {
   M_Cmd_ImpathSend_Args_flags flags;
   M_ImpathID imp;
   M_ByteBlock data;
};
  • No flags are defined.

  • M_ImpathID imp is the ID for the impath.

  • M_ByteBlock data is the message to be sent.

Reply

struct M_Cmd_ImpathSend_Reply {
   M_ByteBlock cipher;
};

M_ByteBlock cipher is the cipher text corresponding to the given plain text data. The plain text can be recovered by issuing an ImpathReceive command to the peer module.

InitialiseUnit

Pre-initialization state, initialization state

"Privileged" users only

This command causes a module in the pre-initialization state to enter the initialization state.

When the module enters the initialization state, it erases all module keys KM, including KM0. It also erases the module’s signing key, KML, and the hash of the Security Officer’s keys, HKNSO. It does not erase the long-term KLF key. It then generates a new KML and KM0.

In order to use the module after it has been initialized, you must set a new Security Officer’s key.

When the module is in the pre-initialization state, you cannot obtain a ClientID. In order to use commands that require a ClientID, use the NewClient command after the module enters the Initialization state.

Arguments

struct M_Cmd_InitialiseUnit_Args {
   M_ModuleID module;
};

Reply

The reply structure for this command is empty.

LoadBlob

Operational state, initialization state

Requires a ClientID

This command allows a key blob to be loaded into the module. If this process is successful, a new IDKA handle will be generated and returned.

For KM blobs, the required KM value must be present in the module’s internal storage.

For KT blobs, the logical token containing KT must be "present". This is not possible if the KM associated with that KT is not present in the module. See GenerateLogicalToken and LoadLogicalToken.

For the archival key blobs Ki or KAR, the appropriate key object must be loaded.

Arguments

struct M_Cmd_LoadBlob_Args {
   M_Cmd_LoadBlob_Args_flags flags;
   M_ModuleID module;
   M_ByteBlock blob;
   M_KeyID *idkb;
} M_Cmd_LoadBlob_Args;
  • The following flag is defined:

    Cmd_LoadBlob_Args_flags_idkb_present

    See *idkb below.

  • M_ModuleID module is the module id.

  • M_ByteBlock blob is a key blob.

  • M_KeyID *idkb

    In order to load a blob encrypted under a token or recovery key, set the idkb_present flag and include the identifier of either the token or the recovery key (IDKT for tokens, IDKAR for recovery keys) in the data as idkb. Otherwise, do not set idkb_present, and set idkb to NULL.

Reply

struct M_Cmd_LoadBlob_Reply {
    M_KeyID idka;
};

M_KeyID idka is IDKA.

LoadLogicalToken

Operational state, initialization state

Requires a ClientID

May require a KNSO certificate

This command is used to initiate loading a token from shares.

The command returns an IDKT. The token and any loaded shares can be removed by issuing the Destroy command with this identifier.

When this command is issued, the module allocates space for a share-reassembly process. In order to assemble the token, the application must issue one or more ReadShare commands (see ReadShare).

Arguments

struct M_Cmd_LoadLogicalToken_Args {
   M_ModuleID module;
   M_TokenHash hkt;
   M_KMHash hkm;
   M_TokenParams params;
};
  • M_ModuleID module is the module ID of the module. If you enter a module ID of 0, the command returns with status InvalidParameter.

  • M_TokenHash hkt is HKT

  • M_KMHash hkm is the HKM of the module key that is to be used to protect this token. If you supply an all-zero HKM, the module will use the null module key.

  • M_TokenParams params

    The shares information must match that which was given when the token was generated. The flags and time limit are read from the token, and values set in the command are ignored.

Reply

struct M_Cmd_LoadLogicalToken_Reply {
   M_KeyID idkt;
};

M_KeyID idkt is the IDKT.

MakeBlob

Operational state, initialization state

Requires a ClientID

This command requests that the module generate a key blob using a key whose identifier is given. The ACL for the key must allow the key to be exported as a blob, otherwise the command will fail.

The ACL for the key IDKA must have a MakeBlob entry (for Module and Token blobs) or MakeArchiveBlob entry (for Direct or Indirect blobs) which permits making a blob with the requested parameters.

For a KM key, the relevant key must be stored internally within the module.

For a KT key, the logical token containing this key must be "present". Otherwise, the handle of another key object can be given to encrypt the blob. To succeed, the key object needs a UseAsBlobKey permission.

Arguments

struct M_Cmd_MakeBlob_Args {
   M_Cmd_MakeBlob_Args_flags flags;
   M_BlobFormat format;
   M_KeyID idka;
   union M_BlobFormat__MkBlobParams blobkey;
   M_ACL *acl;
   M_MakeBlobFile *file;
};
  • The following flags are defined:

    • Cmd_MakeBlob_Args_flags_acl_present

      Set this flag if the command contains a new ACL.

    • Cmd_MakeBlob_Args_flags_file_present

      Set this flag to store the blob in an NVRAM or smart card file, defined by the M_MakeBlobFile.

  • M_BlobFormat format

    The following formats are defined:

    • BlobFormat_Module

      Blob encrypted by a module key.

    • BlobFormat_Token

      Blob encrypted by a Logical Token.

    • BlobFormat_Direct

      Blob encrypted by a symmetric archiving key. Currently only Triple DES keys may be used.

    • BlobFormat_Indirect

      Blob encrypted by an public archiving key, this requires the private key to decrypt. Currently only RSA keys may be used.

    • BlobFormat_UserKey

      Not yet supported.

  • union M_BlobFormat__MkBlobParams blobkey

    The following MKBlobParams are defined for the four different blob types:

    struct M_BlobFormat_Direct_MkBlobParams \{
     M_KeyID idki;
    };
    struct M_BlobFormat_Indirect_MkBlobParams \{
     M_KeyID idkr;
     M_Mech mech;
    };
    struct M_BlobFormat_Module_MkBlobParams {
     M_KMHash hkm;
    };
    struct M_BlobFormat_Token_MkBlobParams {
     M_KeyID idkt;
    };
    struct M_BlobFormat_UserKey_MkBlobParams {
     M_KeyID idkr;
     M_Mech mech;
    };
    union M_BlobFormat__MkBlobParams {
     M_BlobFormat_Module_MkBlobParams module;
     M_BlobFormat_Token_MkBlobParams token;
     M_BlobFormat_Direct_MkBlobParams direct;
     M_BlobFormat_Indirect_MkBlobParams indirect;
     M_BlobFormat_UserKey_MkBlobParams userkey;
    };
  • M_KeyID idki

    This is the KeyID of a Triple DES key that is to be used to encrypt the blob.

  • M_KeyID idkr

    This is the KeyID of the public key that is to be used to encrypt the blob.

  • M_Mech mec

    This is the public key mechanism that is to be used to encrypt the blob.

  • M_KMHash hkm

    This is the hash of the module key that is to be used to encrypt the blob.

  • M_KeyID idkt

    This is the KeyID of the token that is to be used to encrypt the blob.

  • M_ACL *acl

    This is either an ACL to be used for the key blob or NULL. If no ACL is specified, the loaded key’s existing ACL is recorded in the blob. See ACLs.

    The ACL created for the blob does not include permission groups that have global limits (as opposed to per-authorization limits).

    The permissions of the new ACL must be a subset of those specified by the existing ACL. For more information, see SetACL.

  • M_MakeBlobFile *file

    A structure defining the file in which to store the blob.

    struct M_MakeBlobFile {
     M_MakeBlobFile_flags flags;
     M_KeyID kacl;
     M_PhysToken file;
    };
  • No flags are defined.

  • M_KeyID kacl

    The KeyID of a template key defining the ACL for this file. This ACL must contain the LoadBlob permission.

  • M_PhysToken file

    A FileSpec specifying the location of the file.

Reply

struct M_Cmd_MakeBlob_Reply {
   M_ByteBlock blob;
};

M_ByteBlock blob is a KeyBlob.

MergeKeyIDs

All non-error states

Requires a ClientID

In situations where one key has been loaded onto several modules, this key will have a different KeyID on each module. The MergeKeyIDs command takes a list of KeyIDs, which are assumed to refer to the same key, and creates a new KeyID that can be used to refer to the key on any module. This facilitates load sharing and fail-over strategies.

Arguments

struct M_Cmd_MergeKeyIDs_Args {
   int n_keys;
   M_vec_KeyID keys;
};
  • int n_keys is the number of keys.

  • M_vec_KeyID keys is a list of IDKA.

Reply

struct M_Cmd_MergeKeyIDs_Reply {
   M_KeyID newkey;
};

M_KeyID newkey is IDKA

Notes

MergeKeyIDs does not check to see whether the supplied KeyIDs actually refer to the same key.

Merged KeyIDs may not themselves be supplied to MergeKeyIDs.

A merged KeyID will continue to work even if some of the modules containing the component KeyIDs are reset or fail, though performance may be reduced in such cases. The merged KeyID will only stop working after all the modules containing the component KeyIDs are reset or fail.

MergeKeyIDs can be used to group keys, logical tokens, SEE Worlds, and any other objects that are referred to by a KeyID and destroyed by Destroy.

The server does not attempt to ensure that the merged KeyIDs refer to the same underlying data, or even to the same types of objects.

ReadShare

Operational state, initialization state

Requires a ClientID

This command is used to assemble a logical token from shares.

The smart card architecture keeps public data storage areas separate from the areas that are used to store logical token shares. Specifically, if a given piece of information can be read or written with ReadShare or WriteShare, then it cannot be read or written with ReadFile or WriteFile. The converse is also true.

Arguments

struct M_Cmd_ReadShare_Args {
   M_Cmd_ReadShare_Args_flags flags;
   M_PhysToken token;
   M_KeyID idkt;
   M_Word i;
   M_PIN *pin;
};
  • The following flags are defined:

    • Cmd_ReadShare_Args_flags_pin_present

      This flag must be set if the input includes a PIN.

      If the slot uses the ProtectedPINPath, do not include the PIN with the command.
    • Cmd_ReadShare_Args_flags_UseLimitsUnwanted

      If this flag is set the module does not allocate Per-Authorisation Use limits to this logical token. Keys protected by the assembled local token will only be permitted to perform actions that do not have use limits. Per authorisation use limits can only be allocated to one logical token for each insertion of the card. However, it is possible that the logical token is required on several modules, or by several clients on one module. Therefore, you should set this flag, if you are aware that you do not need the uselimits and wish to make them available elsewhere.

  • M_KeyID idkt is the IDKT.

  • M_Word i is share number i.

  • M_PIN *pin

    If the share is protected by a PIN, this must be specified in order to successfully decrypt the share, otherwise pin must be a NULL pointer. If the input includes a PIN, the pin_present flag must be set.

Reply

struct M_Cmd_ReadShare_Reply {
   M_Word sharesleft;
};

M_Word sharesleft is the number of shares that are still required in order to recreate the token. You can issue further ReadShare commands when the shares are present.

A sharesleft value of 0 indicates that all shares are present. At that point, the module will automatically assemble the token.

Notes

If an error occurs during an individual share reading operation (because of, for example, an incorrect PIN or the wrong token), the current state of the logical token is retained, and the operation can simply be repeated.

If an error occurs during the final share reassembly process (implying that the shares have been corrupted in some way), the logical token is invalidated, and Status_TokenReassemblyFailed is returned. The token must then be destroyed, and the whole operation must be restarted.

At any time during the share reassembly sequence, the host can abort it (and clear the reassembly buffer) by calling Destroy with the given IDKT. If the client closes before the token has been assembled, the server automatically issues the Destroy command.

RedeemTicket

Operational state, initialization state

Requires a ClientID

This command gets a KeyID in return for a key ticket.

Arguments

struct M_Cmd_RedeemTicket_Args {
   M_Cmd_RedeemTicket_Args_flags flags;
   M_ModuleID module;
   M_nest_Ticket ticket;
};
  • No flags are defined.

  • M_ModuleID module

    This specifies the module ID of the module that contains this object.

  • M_nest_Ticket ticket

    This is the ticket that is supplied by GetTicket.

Reply

struct M_Cmd_RedeemTicket_Reply {
   M_KeyID obj;
};

M_KeyID obj is the new KeyID for this object.

RemoveKM

Operational state, initialization state

Requires a ClientID

May require a KNSO certificate

"Privileged" users only

This command deletes a given KM value from permanent storage. The deletion process overwrites the value in order to ensure its destruction.

KM0 cannot be deleted.

Arguments

struct M_Cmd_RemoveKM_Args {
   M_ModuleID module;
   M_Cmd_RemoveKM_Args_flags flags;
   M_KMHash hkm;
};
  • M_ModuleID module is the ModuleID.

  • No flags are defined.

  • M_KMHash hkm is HKM.

Reply

The reply structure for this command is empty.

RSAImmedSignDecrypt

Operational state, initialization state

This command performs RSA decryption by using an RSA private key that is provided in plain text.

Arguments

struct M_Cmd_RSAImmedSignDecrypt_Args {
   M_Bignum m;
   M_Bignum k_p;
   M_Bignum k_q;
   M_Bignum k_dmp1;
   M_Bignum k_dmq1;
   M_Bignum k_iqmp;
};
  • M_Bignum m Ciphertext

  • M_Bignum k_p P modulus first factor

  • M_Bignum k_q Q modulus first factor

  • M_Bignum k_dmp1 D MODP-1

  • M_Bignum k_dmq1 D MODQ-1

  • M_Bignum k_iqmp Q-1 MODP

Reply

struct M_Cmd_RSAImmedSignDecrypt_Reply {
   M_Bignum r;
};

M_Bignum r is plain text .

Notes

The plain text and cipher text are in the nShield bignum format.

No padding is done.

RSAImmedVerifyEncrypt

Operational state, initialization state

This command performs RSA encryption with an RSA public key provided in plain text.

Arguments

struct M_Cmd_RSAImmedVerifyEncrypt_Args {
   M_Bignum a;
   M_Bignum k_e;
   M_Bignum k_n;
};
  • M_Bignum a Message

  • M_Bignum k_e Key exponent

  • M_Bignum k_n Key modulus

Reply

Uses M_Cmd_RSAImmedSignDecrypt_Reply.

Notes

The plain text and cipher text are in nShield bignum format.

No padding or unpadding is performed.

SetACL

Operational state, initialization state

Requires a ClientID

This command replaces the ACL of a given key object with a new ACL. The existing ACL must have either ExpandACL or ReduceACL permission. If the existing ACL only includes the ReduceACL permission, you must set the Cmd_SetACL_Args_flags_reduce flag, and also the new ACL must be a subset of the existing ACL.

Arguments

struct M_Cmd_SetKM_Args {
   M_Cmd_SetKM_Args_flags flags;
   M_KeyID idka;
   M_ACL *acl;
};
  • The following flag is defined:

    • Cmd_SetACL_Args_flags_reduce

      If this flag is not set, the command checks the ExpandACL permission in the existing ACL. However, if this flag is set:

      • the command checks the ReduceACL permission in the existing ACL

      • the new ACL must be a subset of the existing ACL

  • M_KeyID idka is IDKA.

  • M_ACL *acl is the new ACL for the key.

Reply

The reply structure for this command is empty.

Notes

The new ACL will be a subset of the original ACL if for every action in the new ACL there exists an entry in the existing ACL in a permission group with:

  • the same certifier or no certifier

  • the same or more restrictive FreshCerts flag

  • use limits that are at least as permissive as those in the new ACL

The use limits are considered to be as permissive as those in the new ACL if for each limit in the original ACL there is a limit in the new ACL:

  • of the same type, global or per-authorization

  • with the same limit ID

  • with a use count and a time limit that are no greater than those in the original.

The following changes count as reducing an ACL:

  • adding a certifier or NSOCertified to a group

  • adding UseLimits to a group that did not have them previously

  • adding a time limit or a use count to a use limit that did not have one previously

  • reducing an existing use count or time limit

  • adding a module serial number to a group.

The following changes do not count as reducing an ACL:

  • changing the certifier for a group

  • changing the module serial number for a group

  • changing a use count to a time limit or changing a time limit to a use count

  • changing from NSOCertified to a specific certifier or changing from a specific certifier to NSOCertified.

If the Strict_FIPS140 flag was set in the SetKNSO command, then SetACL will fail with status Status_FIPS_Compliance if you attempt to add ExportAsPlain to the ACL of a secret key. A secret key is any key that can have Sign or Decrypt permissions.

If you want to record the new ACL permanently, you must make a new blob of the key.

SetKM

Operational state, initialization state

Requires a ClientID

May require a KNSO certificate

"Privileged" users only

This command allows a key object to be stored internally as a module key (KM) value. The KM value is derived from the key material given by IDKA. The ACL and other information associated with IDKA are not stored.

Arguments

struct M_Cmd_SetKM_Args {
   M_ModuleID module;
   M_Cmd_SetKM_Args_flags flags;
   M_KeyID idka;
};
  • M_ModuleID module

  • No flags are defined.

  • M_KeyID idka is IDKA.

  • KA must be a DES3 key with UseAsKM permission.

Reply

The reply structure for this command is empty.

Notes

If you attempt to set as a KM a key that has the same hash as an existing KM, then SetKM will overwrite the existing module key with the new key. If you are attempting to overwrite KM0, the command will return Status_AccessDenied.

SetNSOPerms

Initialization state only

Requires a ClientID

"Privileged" users only

The SetNSOPerms command stores the key hash HKA, which is returned by GetKeyInfo as the new Security Officer’s key.

It also determines which operations require a KNSO certificate.

The SetNSOPerms command requires you to set a flag if you want an operation to be allowed without a certificate. This is the opposite behavior to the SetKNSO command.

This command may only be called once after each use of InitialiseUnit (see InitialiseUnit). After it is set, the Security Officer’s key can only be changed by completely reinitializing the module.

Arguments

struct M_Cmd_SetNSOPerms_Args {
   M_ModuleID module;
   M_Cmd_SetNSOPerms_Args_flags flags;
   M_KeyHash hknso;
   M_NSOPerms publicperms;
};
  • M_ModuleID module is the module id

  • The following flag is defined:

    • Cmd_SetNSOPerms_Args_flags_FIPS140Level3

      If this flag is set, the module adopts a security policy that complies with FIPS 140-2 Level 3. This enforces the following restrictions:

      • the Import command fails if you attempt to import a key of a type that can be used to sign or decrypt messages.

        Use of the Import command for other key types requires a KNSO certificate.
      • GenerateKey and GenerateKeyPair require KNSO certificates

      • GenerateKey and GenerateKeyPair fail if you attempt to generate a key of a type that can be used to sign or decrypt messages with an ACL that allows ExportAsPlain

      • SetACL fails if you attempt to add the ExportAsPlain action to the ACL of a key of a type that can be used to sign or decrypt messages.

        All cryptographic mechanisms which do not use a FIPS-approved algorithm are disabled. (This restriction is new for firmware versions 2.18.13 and later).

        Cryptographic algorithms which are disabled are: ArcFour, Blowfish, CAST, CAST256, HAS160, KCDSA, MD2, MD5, RIPEMD160, SEED, Serpent, Tiger, Twofish.

        The following algorithms are unaffected: DES, DES2, DES3, Diffie-Hellman, DSA, Rijndael (AES), RSA, SHA-1, SHA-256, SHA-384 and SHA-512

    In order to fully comply with FIPS 140-2 Level 3 you must also ensure that none of the following are set: NSOPerms_ops_ReadFile, NSOPerms_ops_WriteFile, NSOPerms_ops_EraseShare, NSOPerms_ops_EraseFile, NSOPerms_ops_FormatToken, NSOPerms_ops_GenerateLogToken, NSOPerms_ops_SetKM, NSOPerms_ops_RemoveKM.
  • M_KeyHash hkns is HKA to set as HKNSO

  • M_NSOPerms publicperms

    The NSOPerms word is a bit map that determines which operations do not require a certificate from the nShield Security Officer. These certificates can be reusable. The following flags are defined:

    • NSOPerms_ops_LoadLogicalToken

    • NSOPerms_ops_ReadFile

    • NSOPerms_ops_WriteShare

    • NSOPerms_ops_WriteFile

    • NSOPerms_ops_EraseShare

    • NSOPerms_ops_EraseFile

    • NSOPerms_ops_FormatToken

    • NSOPerms_ops_SetKM

    • NSOPerms_ops_RemoveKM

    • NSOPerms_ops_GenerateLogToken

    • NSOPerms_ops_ChangeSharePIN

    • NSOPerms_ops_OriginateKey Not allowed in SetKNSO

    • NSOPerms_ops_NVMemAlloc Not allowed in SetKNSO

    • NSOPerms_ops_NVMemFree Not allowed in SetKNSO

    • NSOPerms_ops_GetRTC Not allowed in SetKNSO

    • NSOPerms_ops_SetRTC Not allowed in SetKNSO

    • NSOPerms_ops_DebugSEEWorld Not allowed in SetKNSO

    • NSOPerms_ops_SendShare Not allowed in SetKNSO

    • NSOPerms_ops_ForeignTokenOpen Not allowed in SetKNSO

Reply

The reply structure for this command is empty.

Notes

Modules that are supplied by nShield are initialized with no operations that require KNSO certificates. This means that the key whose hash is installed as HKNSO is irrelevant.

SetRTC

Operational state, initialization state

Requires an SEE-Ready module

May require a KNSO certificate

"Privileged" users only

Arguments

struct M_Cmd_SetRTC_Args {
   M_ModuleID module;
   M_Cmd_SetRTC_Args_flags flags;
   M_RTCTime time;
};
  • M_ModuleID module

    The module ID of the module. If you enter a module ID of 0, the command returns with status InvalidParameter.

  • The following flag is defined:

    • Cmd_SetRTC_Args_flags_adjust

      If this flag is set, the module calculates the difference between the current time according to the RTC and the time supplied in the command. Next, it divides this difference by the length of time since the clock was last set in order to determine a drift rate. The result of all future calls to GetRTC is corrected using this drift rate. The command returns status OutOfRange if the implied drift rate is larger than the chip’s guaranteed maximum drift rate. If, however, this flag is not set, the module will clear any current drift rate adjustment.

  • M_RTCTime time is the new time.

Reply

The reply structure for this command is empty.

Sign

Operational state, initialization state

Requires a ClientID

This command signs a message with a stored key.

For information on formats, see Encrypt.

Sign pads the message as specified by the relevant algorithm, unless you use plaintext of the type Bignum.

You cannot sign a message that is longer than the maximum size of an nShield command. In order to sign longer messages, use the Hash command first, and then call Sign with the appropriate Hash plain text type.

Arguments

struct M_Cmd_Sign_Args {
   M_Word flags;
   M_KeyID key;
   M_Mech mech;
   M_PlainText plain;
   M_IV *given_iv
};
  • No flags are defined.

  • M_KeyID key is the IDKA.

Reply

struct M_Cmd_Sign_Reply {
   M_CipherText sig;
};

SignModuleState

Operational state, initialization state

Requires a ClientID

SignModuleState makes the module generate a signed Module Certificate that contains data about the current state of the module. Optionally, a challenge value may be supplied to provide a provably fresh certificate.

Arguments

struct M_Cmd_SignModuleState_Args{
    M_ModuleID module;
    M_Cmd_SignModuleState_Args_flags flags;
    M_SignerType enum;
    M_Nonce challenge;
    M_wrap_vec_ModuleAttribTag *attribs;
};
  • The following flags are defined:

    • Cmd_SignModuleState_Args_flags_challenge_present

      This flag must be set if the command contains a challenge.

    • Cmd_SignModuleState_Args_flags_attribs_present

      This flag must be set if the command contains Module Attribute Tags. If not set the module delivers a default set of attributes.

  • SignerType can have the following values:

    • KLF: The certificate is signed by the KLF long-term key. Status_NotAvailable is returned if this key has not been set.

    • KML: The certificate is signed by the KML key. This is always available (except in pre-initialization mode, when the command is not accepted anyway).

    • Appkey: The certificate is signed a user key, using the given mechanism (which can be Mech_Any). The key must have a new OpPermission bit in its ACL, called SignModuleCert. SignModuleCert is a less generate permission than Sign: the module uses it only to sign well-formed messages whose content it believes to be true. Sign permission doesn’t imply SignModuleCert permission.

  • M_wrap_vec_ModuleAttribTag *attribs is a list of the attributes to include in the signed message

    struct M_wrap_vec_ModuleAttribTag {
       int n;
       M_vec_ModuleAttribTag v;
    };

    The following attributes are defined:

    • ModuleAttribTag_None

    • ModuleAttribTag_Challenge (default if included in command)

    • ModuleAttribTag_ESN (default)

    • ModuleAttribTag_KML (default)

    • ModuleAttribTag_KLF (default)

    • ModuleAttribTag_KNSO (default)

    • ModuleAttribTag_KMList (default)

    • ModuleAttribTag_PhysSerial

    • ModuleAttribTag_PhysFIPSl3

    • ModuleAttribTag_FeatureGoldCert

    • ModuleAttribTag_Enquiry

    • ModuleAttribTag_AdditionalInfo

    • ModuleAttribTag_ModKeyInfo

Reply

The reply structure for this command is as follows:

struct M_Cmd_SignModuleState_Reply {
    M_ModuleCert *cert;
};

M_ModuleCert *cert is a certificate that describes how the key was generated.

struct M_ModuleCert {
    M_CipherText signature;
    M_ByteBlock modcertmsg;
};
struct M_ModCertMsg {
    M_ModCertType type;
    union M_ModCertType__ModCertData data;
};
union M_ModCertType__ModCertData {
    M_ModCertType_KeyGen_ModCertData keygen;
};
struct M_ModCertType_KeyGen_ModCertData {
    M_ModCertType_KeyGen_ModCertData_flags flags:
    M_KeyGenParams genparams;
    M_ACL acl;
    M_Hash hka;
};
  • M_ModCertType type is one of the following:

    • None

    • Challenge: appears if a challenge is present in the SignModuleState command

    • ESN: ASCII string

    • KML: KML key, defined with key hash and key data

    • KLF: KLF key, defined with key hash and key data

    • KNSO: not present if module is in initialization mode

    • KMList

  • The following flag is defined:

    • ModCertType_KeyGen_ModCertData_flags_public

      Set this flag if this is the public half of a key pair.

  • M_KeyGenParams genparams

    These are the key generation parameters to be used to generate this key.

  • M_ACL acl

    This is the ACL that was applied to this key when it was created.

  • M_Hash hka

    This is the SHA-1 hash of the key value.

StaticFeatureEnable

Operational state, initialization state

This command is used to enable a purchased feature. It requires a certificate signed by the nShield master feature enabling key, KSA, authorizing the feature on the specified module.

Use the fet command-line utility to perform this function.

Arguments

struct M_Cmd_StaticFeatureEnable_Args {
   M_ModuleID module; Module ID
   M_FeatureInfo info;
};

M_FeatureInfo info is a description of the feature to authorize

Reply

The reply structure for this command is empty.

UpdateMergedKey

All non-error states

Processed by the nShield Server.

This command allows a merged key set to be manipulated, listed, or both.

Arguments

struct M_Cmd_UpdateMergedKey_Args {
    M_PlainText mkey; IDKA
    M_Cmd_UpdateMergedKeys_Args_flags flags
    int n_addkeys;
    M_KeyID *addkeys;
    int n_delkeys;
    M_KeyID *delkeys;
};
  • M_PlainText mkey (IDKA) is a merged key set created with MergeKeyIDs.

  • The following flags are defined:

    • Cmd_UpdateMergedKey_Args_flags_ListWorking

      If this flag is set, the keys in the resulting merged key that are in working modules are returned.

    • Cmd_UpdateMergedKey_Args_flags_ListNonworking

      If this flag is set, the keys in the resulting merged key that are not in working modules are returned.

      These two flags can be set together if required.

  • M_KeyID *addkeys is a table of keys to be added to the merged key.

    Merged key IDs that currently contain no key IDs are allowed.

  • M_KeyID *delkeys is a table of keys to be deleted from the merged key.

    Including a key in this list deletes all copies of the specified key.

Reply

struct M_Cmd_UpdateMergedKey_Reply {
   int n_keys;
   M_KeyID *keys;
};

M_KeyID *keys is a table containing the merged key that results once the specified keys are added and deleted from the input merged key.

If ListWorking is set, keys in working modules are included; if ListNonWorking is set, keys not in working modules are included. If both are set, all keys are included.

Notes

You cannot add a merged key to another merged key, or delete a merged key from another merged key.

The same key can be present more than once in a merged key.

The keys specified in addkeys are added to the target merged key first. The keys specified in delkeys are then deleted. This means that if the same key is present in both addkeys and delkeys, it is not present in the resulting merged key.

Verify

Operational state, initialization state

Requires a ClientID

This command verifies a digital signature. It returns Status_OK if the signature verifies correctly and Status_VerifyFailed if the verification fails.

The limit of 8K does not apply to data signed by this command. This is because the Generic Stub library splits the command into a ChannelOpen command followed by a number of ChannelUpdate commands.

For information on formats, see Sign.

Arguments

struct M_Cmd_Verify_Args {
    M_Cmd_Verify_Args_flags flags;
    M_KeyID key;
    M_Mech mech;
    M_PlainText plain;
    M_CipherText sig;
};
  • No flags are defined.

  • M_KeyID key: IDKA

  • M_Mech mech: set Mech_Any in order to use the mechanism specified in the signature. If you specify a mechanism, Verify will compare this with the mechanism in the signature and return Status_MechanismNotExpected if the mechanisms do not match.

  • M_PlainText plain: message.

  • M_CipherText sig: signature.

Reply

The reply structure for this command is empty.

WriteShare

Operational state, initialization state

Requires a ClientID

May require a KNSO certificate

This command creates one share of a logical token and writes it to a smart card identified by the SlotID, insertion counter pair. The i value identifies the share number. This command needs to be given once for each share that is to be generated.

Arguments

struct M_Cmd_WriteShare_Args {
    M_Cmd_WriteShare_Args_flags flags;
    M_PhysToken token;
    M_KeyID idkt;
    M_Word i;
    M_PIN *pin;
    M_ACL *acl;
};
  • The following flags are defined:

    • Cmd_WriteShare_Args_flags_pin_present

      This flag must be set if the input includes a pass phrase.

    • Cmd_WriteShare_Args_flags_UseProtectedPINPath

      Set this flag if the token reads a pass phrase by means of a protected path. However, this feature is not currently implemented.

    • Cmd_WriteShare_Args_flags_acl_present

      Set this flag if the command contains an ACL for the share.

      Setting both pin_present and UseProtectedPINPath will cause the command to fail with InvalidParameter.
  • M_KeyID idkt: IDKT

  • M_Word i is the share number for the share you are writing. Share numbers start at 0. Each share in a token can only be written once.

  • M_ACL *acl is an ACL for this share. If no ACL is specified, a default ACL is assumed, containing a single ReadShare action without any flags set and requiring no certification.

    If any shares of a logical token are to have an ACL set, you must set an ACL for all of them. Shares with ACLs cannot be read in modules running firmware earlier than version 1.75.0.

Reply

The reply structure for this command is empty.

Commands used by the generic stub only

The following commands are used by the generic stub library to connect to the module.

  • ExistingClient

  • NewClient

Applications usually do not have to call these commands directly.

ExistingClient

All non-error states

Connection must not be associated with a ClientID

This command identifies a connection as belonging to an existing client. There must be at least one other connection from this client still open. The ExistingClient command is called automatically by the generic stub function NFastApp_Connect as appropriate, for example when making an additional connection to an existing client.

Arguments

struct M_Cmd_ExistingClient_Args {
    M_Cmd_ExistingClient_Args_flags flags;
    M_ClientID client;
};
  • No flags are defined.

  • M_ClientID client: RSC

Reply

struct M_Cmd_ExistingClient_Reply {
    M_Cmd_ExistingClient_Reply_flags flags;
};

No flags are defined.

NewClient

Initialization state, operational state

Connection must not be associated with a ClientID

This command asks the module for a random number to use as the ClientID for a new connection. It is called automatically by the generic stub function NFastApp_Connect.

Arguments

typedef struct M_Cmd_NewClient_Args {
   M_Cmd_NewClient_Args_flags flags;
};

No flags are defined.

Reply

struct M_Cmd_NewClient_Reply {
    M_Cmd_NewClient_Reply_flags flags;
    M_ClientID client;
};
  • No flags are defined.

  • M_ClientID client: RSC