Pkcs11 interface capabilities question

Is there a NitroKey product that meets these requirements? I’m having a hard time finding something that supports AES in ECB and CBC modes.

The HSM appliance must expose a client side PKCS#11 interface (a *.dll file). A 64bit DLL must be used.
The HSM must have at least one slot that fulfills the following:
Slot flags:




hardware slot


token is present in the slot


random number generation is supported

The slot mechanism must have the following flags:



CKF_HW encryption is done in-hardware
CKF_ENCRYPT has encryption capability
CKF_DECRYPT has decryption capability

mechanism supports key generation

The HSM must support AES-256 encryption in ECB and CBC modes (this is part of the supported slot mechanisms).
The following HSM functions are relevant.
Function Mandatory

C_GenerateKey Yes
C_EncryptInit Yes
C_Encrypt Yes
C_UnwrapKey Yes
C_FindObjectsInit Yes
C_FindObjects Yes
C_GetAttributeValue Yes
C_FindObjectsFinal Yes
C_DecryptInit Yes
C_Decrypt Yes
C_Logout Yes
C_CloseSession Yes
C_Finalize Yes
C_OpenSession Yes
C_Initialize Yes
C_GetSlotList Yes
C_GetSlotInfo Yes
C_GetTokenInfo Yes
C_GetMechanismInfo Yes
C_Login Yes
C_CreateObject Yes
C_GenerateKeyPair Yes
C_GetFunctionList Yes
C_GenerateRandom Yes
C_DestroyObject No

The Nitrokey HSM supports most of it, but not C_UnwrapKey.

The ECB mode can be emulated using CBC mode with a single block input.

1 Like