
I need to generate an RSA key pair and show the public and private key on screen (in a secured room). The algorithm must be FIPS approved.

So I would like to use the iKey 4000, which is FIPS 140-2 Level 3 compliant (I am using the PKCS#11 library from SafeNet to work with the token). If I generate the RSA key pair on the token (I mean with the CKA_TOKEN attribute set to True), I am not able to show the private key exponent. If I set the CKA_TOKEN attribute to False, I can see all the information about the key pair.

But the question is whether this method of generating the key pair outside the token is still FIPS compliant. Also, it is faster than generating the key pair on the token, so I assume it is not generated by the token itself but by some software part of the SafeNet library.

Would it be still FIPS compliant?

user1563721

1 Answer


The difference between generating a key pair with CKA_TOKEN set to true and to false is that when it is set to true, the key pair generated by the hardware token is persisted (it exists on the token even after you log out of the session). If it is set to false, it is still generated on the hardware and not outside the token; it is just not persisted (it exists only during the active session, and when you log out it is gone).
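As an added illustration (not code from the asker, the answerer, or SafeNet): the C_GenerateKeyPair templates for both settings of CKA_TOKEN, and a read-back of the PKCS#11 flags that actually govern whether a private exponent can be displayed. It assumes PyKCS11 is installed and takes the vendor's PKCS#11 library path and PIN as parameters.

```python
"""Added example: C_GenerateKeyPair templates plus a read-back of the private
key's protection flags. Assumes PyKCS11 and the vendor's PKCS#11 library."""
try:
    import PyKCS11  # only needed by generate_and_inspect()
except ImportError:
    PyKCS11 = None

# Numeric attribute/object values as defined by the PKCS#11 standard.
CKA_CLASS, CKA_TOKEN, CKA_KEY_TYPE, CKA_SENSITIVE = 0x000, 0x001, 0x100, 0x103
CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_EXTRACTABLE = 0x121, 0x122, 0x162
CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE = 0x164, 0x165
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKK_RSA = 0x2, 0x3, 0x0

def rsa_templates(on_token, bits=2048, sensitive=True):
    """CKA_TOKEN only decides persistence; CKA_SENSITIVE decides whether
    CKA_PRIVATE_EXPONENT may be read back, CKA_EXTRACTABLE whether it may be wrapped out."""
    pub = [(CKA_CLASS, CKO_PUBLIC_KEY), (CKA_KEY_TYPE, CKK_RSA),
           (CKA_TOKEN, on_token), (CKA_MODULUS_BITS, bits),
           (CKA_PUBLIC_EXPONENT, (0x01, 0x00, 0x01))]  # e = 65537
    priv = [(CKA_CLASS, CKO_PRIVATE_KEY), (CKA_KEY_TYPE, CKK_RSA),
            (CKA_TOKEN, on_token), (CKA_SENSITIVE, sensitive),
            (CKA_EXTRACTABLE, not sensitive)]
    return pub, priv

def private_key_exposable(attrs):
    """attrs: CKA_* -> value read back; True if the plaintext key can or ever could leave."""
    return (not attrs[CKA_SENSITIVE] or attrs[CKA_EXTRACTABLE]
            or not attrs[CKA_ALWAYS_SENSITIVE] or not attrs[CKA_NEVER_EXTRACTABLE])

def generate_and_inspect(lib_path, pin, on_token):
    """Against a real token: generate a pair, report the private key's flags and exponent readability."""
    lib = PyKCS11.PyKCS11Lib()
    lib.load(lib_path)  # e.g. the SafeNet PKCS#11 shared library (path is caller-supplied)
    slot = lib.getSlotList(tokenPresent=True)[0]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION | PyKCS11.CKF_RW_SESSION)
    session.login(pin)
    try:
        pub_t, priv_t = rsa_templates(on_token)
        _pub, priv = session.generateKeyPair(pub_t, priv_t, mecha=PyKCS11.MechanismRSAGENERATEKEYPAIR)
        flags = [CKA_TOKEN, CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE]
        attrs = dict(zip(flags, session.getAttributeValue(priv, flags)))
        try:  # a sensitive key yields nothing or CKR_ATTRIBUTE_SENSITIVE here
            attrs["exponent_readable"] = bool(session.getAttributeValue(priv, [PyKCS11.CKA_PRIVATE_EXPONENT])[0])
        except PyKCS11.PyKCS11Error:
            attrs["exponent_readable"] = False
        return attrs
    finally:
        session.logout()
        session.closeSession()
```

Whether the module forces CKA_SENSITIVE in its FIPS-approved mode is a vendor policy question; the read-back above shows what the token actually enforces for each CKA_TOKEN setting.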