YubiHSM Algorithms
The following table lists the algorithm names to use with YubiHSM Shell for the algorithms supported by YubiHSM 2. It includes the externally common name, the yubihsm-shell name, and the common usage.
Name | yubihsm-shell name | EC Curve | Value | Usage |
---|---|---|---|---|
AES 128 | aes128 | | | |
AES 192 | aes192 | | | |
AES 256 | aes256 | | | |
AES CBC | aes-cbc | | | |
AES ECB | aes-ecb | | | |
AES128 CCM WRAP | aes128-ccm-wrap | | 29 | Generate Wrap key |
AES192 CCM WRAP | aes192-ccm-wrap | | 41 | Generate and store wrap key |
AES256 CCM WRAP | aes256-ccm-wrap | | 43 | Generate and store wrap key |
AES KWP | aes-kwp | | 55 | Internal use only |
EC BP256 | ecbp256 | brainpool256r1 | 15 | Generate EC key |
EC BP384 | ecbp384 | brainpool384r1 | 16 | Generate EC key |
EC BP512 | ecbp512 | brainpool512r1 | 17 | Generate EC key |
EC ECDH | ecdh | | 24 | |
EC K256 | eck256 | secp256k1 | 15 | Generate EC key |
EC P224 | ecp224 | secp224r1 | 12 | Generate EC key |
EC P256 | ecp256 | secp256r1 | 13 | Generate EC key |
EC P384 | ecp384 | secp384r1 | 14 | Generate EC key |
EC P521 | ecp521 | secp521r1 | 47 | Generate EC key |
ECDSA SHA1 | ecdsa-sha1 | | 23 | ECDSA sign |
ECDSA SHA256 | ecdsa-sha256 | | 43 | ECDSA sign |
ECDSA SHA384 | ecdsa-sha384 | | 44 | ECDSA sign |
ECDSA SHA512 | ecdsa-sha512 | | 45 | ECDSA sign |
ED25519 | ed25519 | | 46 | Generate ED key |
HMAC SHA1 | hmac-sha1 | | 19 | Generate HMAC key |
HMAC SHA256 | hmac-sha256 | | 20 | Generate HMAC key |
HMAC SHA384 | hmac-sha384 | | 21 | Generate HMAC key |
HMAC SHA512 | hmac-sha512 | | 22 | Generate HMAC key |
MGF1 SHA1 | mgf1-sha1 | | 32 | RSA sign with PSS and RSA decrypt with OAEP |
MGF1 SHA256 | mgf1-sha256 | | 33 | RSA sign with PSS and RSA decrypt with OAEP |
MGF1 SHA384 | mgf1-sha384 | | 34 | RSA sign with PSS and RSA decrypt with OAEP |
MGF1 SHA512 | mgf1-sha512 | | 35 | RSA sign with PSS and RSA decrypt with OAEP |
Opaque Data | opaque-data | | 30 | Store raw data as an opaque object |
Opaque X509 Certificate | opaque-x509-certificate | | 31 | Store X509Certificate as an opaque object |
RSA 2048 | rsa2048 | | 9 | Generate RSA key |
RSA 3072 | rsa3072 | | 10 | Generate RSA key |
RSA 4096 | rsa4096 | | 11 | Generate RSA key |
RSA OAEP SHA1 | rsa-oaep-sha1 | | 25 | RSA decrypt with OAEP |
RSA OAEP SHA256 | rsa-oaep-sha256 | | 26 | RSA decrypt with OAEP |
RSA OAEP SHA384 | rsa-oaep-sha384 | | 27 | RSA decrypt with OAEP |
RSA OAEP SHA512 | rsa-oaep-sha512 | | 28 | RSA decrypt with OAEP |
RSA PKCS1 SHA1 | rsa-pkcs1-sha1 | | 1 | RSA sign with PKCS1.5 |
RSA PKCS1 SHA256 | rsa-pkcs1-sha256 | | 2 | RSA sign with PKCS1.5 |
RSA PKCS1 SHA384 | rsa-pkcs1-sha384 | | 3 | RSA sign with PKCS1.5 |
RSA PKCS1 SHA512 | rsa-pkcs1-sha512 | | 4 | RSA sign with PKCS1.5 |
RSA PSS SHA1 | rsa-pss-sha1 | | 5 | RSA sign with PSS |
RSA PSS SHA256 | rsa-pss-sha256 | | 6 | RSA sign with PSS |
RSA PSS SHA384 | rsa-pss-sha384 | | 7 | RSA sign with PSS |
RSA PSS SHA512 | rsa-pss-sha512 | | 8 | RSA sign with PSS |
SSH Template | template-ssh | | 36 | Store an SSH template (a binary object used to restrict how and when an SSH CA private key should be used) |
Yubico AES Authentication | aes128-yubico-authentication | | 38 | Store authentication key |
Yubico Asymmetric Authentication | ecp256-yubico-authentication | | | |
Yubico OTP AES128 | aes128-yubico-otp | | 37 | Generate OTP AEAD key |
Yubico OTP AES192 | aes192-yubico-otp | | 39 | Generate OTP AEAD key |
Yubico OTP AES256 | aes256-yubico-otp | | 40 | Generate OTP AEAD key |