Encryption and Decryption Overview and Algorithm Specifications
You can use the keys in HUKS to encrypt or decrypt data.
The Group Key feature is supported since API version 23.
Supported Algorithms
The following table lists the supported specifications for key encryption and decryption.
The key management service specifications include mandatory specifications and optional specifications. Mandatory specifications are algorithm specifications that must be supported. Optional specifications can be used based on actual situation. Before using the optional specifications, refer to the documents provided by the vendor to ensure that the specifications are supported.
You are advised to use mandatory specifications in your development for compatibility purposes.
Specifications for standard devices
| Algorithm/Cipher Mode/Padding Mode | Description | API Version | Mandatory |
|---|---|---|---|
| AES/ECB/NoPadding AES/ECB/PKCS7 |
In ECB mode, the data length should be a multiple of the block size used by the encryption algorithm. If the padding mode is NoPadding and the length of the input data is not a multiple of 16 bytes, the service side must pad the input data to the required length. | 8+ | No |
| AES/CBC/NoPadding AES/CBC/PKCS7 AES/CTR/NoPadding |
IV is mandatory. In CBC mode, the data length should be a multiple of the block size used by the encryption algorithm. If the padding mode is NoPadding and the length of the input data is not a multiple of 16 bytes, the service side must pad the input data to the required length. |
8+ | Yes |
| AES/GCM/NoPadding | Encryption: NONCE and AAD are optional. If the NONCE parameter is not specified, data is returned in the format of "Ciphertext + AEAD + NONCE". The length of AEAD is 16, and the default length of NONCE is 12. Decryption: AAD is optional, but NONCE and AEAD are mandatory. |
8+ | Yes |
| AES/CCM/NoPadding | Encryption: NONCE and AAD are optional. If the NONCE parameter is not specified, data is returned in the format of "Ciphertext + AEAD + NONCE". The default length of AEAD is 16, and the default length of NONCE is 7. Decryption: AAD is optional, but NONCE and AEAD are mandatory. You can set the length of AEAD to 4, 6, 8, 10, 12, 14, or 16. |
22+ | Yes |
| RSA/ECB/NoPadding RSA/ECB/PKCS1_V1_5 RSA/ECB/OAEP |
The OAEP padding mode supports the following MD algorithms: SHA-256, SHA-384, and SHA-512. | 8+ | Yes |
| SM4/ECB/NoPadding SM4/ECB/PKCS7 |
The ECB mode is not recommended. | 9+ | No |
| SM4/ECB/PKCS7 | The ECB mode is not recommended. | 20+ | Yes |
| SM4/CBC/PKCS7 | IV is mandatory. | 9+ | Yes |
| SM4/CTR/NoPadding SM4/CBC/NoPadding SM4/CFB/NoPadding SM4/OFB/NoPadding |
IV is mandatory. | 12+ | Yes |
| SM2/-/NoPadding | SM3 is used as the MD algorithm. | 11+ | Yes |
| DES/CBC/NoPadding DES/ECB/NoPadding |
The IV parameter is mandatory in CBC mode. | 18+ | Yes |
| 3DES/CBC/NoPadding 3DES/ECB/NoPadding |
The IV parameter is mandatory in CBC mode. | 18+ | Yes |
Specifications for mini-system devices
Before implementing the specifications for mini-system devices, determine whether your device supports the related specifications.
| Algorithm/Cipher Mode/Padding Mode | Description | API Version |
|---|---|---|
| AES/GCM/NoPadding | Encryption: NONCE and AAD are optional. If the NONCE parameter is not specified, data is returned in the format of "Ciphertext + AEAD + NONCE". The length of AEAD is 16, and the default length of NONCE is 12. Decryption: AAD is optional, but NONCE and AEAD are mandatory. |
8+ |
| AES/CBC/NoPadding AES/CTR/NoPadding |
IV is mandatory. | 11+ |
| DES/ECB/NoPadding | - | 12+ |
| DES/CBC/NoPadding | IV is mandatory. | 12+ |
| 3DES/ECB/NoPadding | - | 12+ |
| 3DES/CBC/NoPadding | IV is mandatory. | 12+ |
| RSA/ECB/NoPadding | - | 12+ |
| RSA/ECB/PKCS1_V1_5 | - | 12+ |
| RSA/ECB/OAEP | SHA-256 is used as the MD algorithm. | 12+ |