Supported mechanisms for Client SDK 3 for AWS CloudHSM Client SDK 3
This topic provides information about supported mechanisms for JCE provider with AWS CloudHSM Client SDK 3. For information about the Java Cryptography Architecture (JCA) interfaces and engine classes supported by AWS CloudHSM, see the following topics.
Topics
Supported keys
The AWS CloudHSM software library for Java enables you to generate the following key types.
-
AES – 128, 192, and 256-bit AES keys.
-
DESede – 92 bit 3DES key. See note 1 below for an upcoming change.
-
ECC key pairs for NIST curves secp256r1 (P-256), secp384r1 (P-384), and secp256k1 (Blockchain).
-
RSA – 2048-bit to 4096-bit RSA keys, in increments of 256 bits.
In addition to standard parameters, we support the following parameters for each key that is generated.
-
Label: A key label that you can use to search for keys.
-
isExtractable: Indicates whether the key can be exported from the HSM.
-
isPersistent: Indicates whether the key remains on the HSM when the current session ends.
Note
Java library version 3.1 provides the ability to specify parameters in greater detail. For more information, see Supported Java Attributes.
Supported ciphers
The AWS CloudHSM software library for Java supports the following algorithm, mode, and padding combinations.
| Algorithm | Mode | Padding | Notes |
|---|---|---|---|
| AES | CBC |
|
Implements |
| AES | ECB |
|
Implements Cipher.ENCRYPT_MODE and Cipher.DECRYPT_MODE. Use
Transformation AES. |
| AES | CTR |
|
Implements |
| AES | GCM | AES/GCM/NoPadding |
Implements When performing
AES-GCM encryption, the HSM ignores the initialization vector (IV)
in the request and uses an IV that it generates. When the operation
completes, you must call |
| AESWrap | ECB |
|
Implements |
| DESede (Triple DES) | CBC |
|
Implements The key generation routines accept a size of 168 or 192 bits. However, internally, all DESede keys are 192 bits. See note 1 below for an upcoming change. |
| DESede (Triple DES) | ECB |
|
Implements The key generation routines accept a size of 168 or 192 bits. However, internally, all DESede keys are 192 bits. See note 1 below for an upcoming change. |
| RSA | ECB |
|
Implements See note 1 below for an upcoming change. |
| RSA | ECB |
|
Implements
|
| RSAAESWrap | ECB | OAEPPADDING |
Implements Cipher.WRAP_Mode and Cipher.UNWRAP_MODE.
|
Supported digests
The AWS CloudHSM software library for Java supports the following message digests.
-
SHA-1 -
SHA-224 -
SHA-256 -
SHA-384 -
SHA-512
Note
Data under 16 KB in length are hashed on the HSM, while larger data are hashed locally in software.
Supported hash-based message authentication code (HMAC) algorithms
The AWS CloudHSM software library for Java supports the following HMAC algorithms.
-
HmacSHA1 -
HmacSHA224 -
HmacSHA256 -
HmacSHA384 -
HmacSHA512
Supported sign/verify mechanisms
The AWS CloudHSM software library for Java supports the following types of signature and verification.
RSA Signature Types
-
NONEwithRSA -
SHA1withRSA -
SHA224withRSA -
SHA256withRSA -
SHA384withRSA -
SHA512withRSA -
SHA1withRSA/PSS -
SHA224withRSA/PSS -
SHA256withRSA/PSS -
SHA384withRSA/PSS -
SHA512withRSA/PSS
ECDSA Signature Types
-
NONEwithECDSA -
SHA1withECDSA -
SHA224withECDSA -
SHA256withECDSA -
SHA384withECDSA -
SHA512withECDSA
Mechanism annotations
[1] In accordance with NIST guidance, this is disallowed for clusters in FIPS mode after 2023. For clusters in non-FIPS mode, it is still allowed after 2023. See FIPS 140 Compliance: 2024 Mechanism Deprecation for details.
