Craton HSM

Cryptography Overview

Craton HSM implements a mixed portfolio of classical and post-quantum algorithms behind the PKCS#11 v3.0 interface. This page summarises what is supported, how each algorithm maps to a PKCS#11 mechanism, and which mechanisms are approved when the module is configured for FIPS approved mode.

Algorithm families

Family	Algorithms	Primary standard
RSA	2048, 3072, 4096 (PKCS#1 v1.5, PSS, OAEP)	FIPS 186-5, PKCS#1 v2.2
Elliptic curve	ECDSA P-256, ECDSA P-384, ECDH P-256, ECDH P-384	FIPS 186-5, SP 800-56A
Edwards curve	EdDSA Ed25519, X25519 (key agreement, hybrid only)	RFC 8032, RFC 7748
Symmetric	AES-128/192/256 in GCM, CBC, CTR, Key Wrap, Key Wrap with Padding	FIPS 197, SP 800-38A/D/F
Digest	SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512	FIPS 180-4, FIPS 202
MAC	HMAC-SHA256, HMAC-SHA384, HMAC-SHA512	FIPS 198-1
KDF	ECDH + HKDF-SHA256 (internal), PBKDF2-HMAC-SHA256 (for PIN hashing)	SP 800-56C, SP 800-132
DRBG	HMAC_DRBG (HMAC-SHA256) with prediction resistance	SP 800-90A Rev.1
Post-quantum KEM	ML-KEM-512/768/1024	FIPS 203
Post-quantum signatures	ML-DSA-44/65/87, SLH-DSA-SHA2-128s, SLH-DSA-SHA2-256s	FIPS 204, FIPS 205
Hybrid	X25519+ML-KEM-768, ECDSA+ML-DSA	Vendor-defined

See Classical algorithms and Post-quantum algorithms for per-algorithm details.

Mechanism categories

The module registers 41 PKCS#11 mechanisms. They are grouped in PKCS#11 mechanisms by the operations each supports (sign, verify, encrypt, decrypt, generate, wrap, unwrap, derive). Mechanism numbers for classical algorithms follow the OASIS PKCS#11 v3.0 assignments; post-quantum mechanisms use vendor-defined numbers in the 0x80000000 range.

FIPS approved-mode status

Approved-mode status is a property of the mechanism, not just the algorithm family. When algorithms.fips_approved_only = true in craton_hsm.toml, C_GetMechanismList returns only the approved set below and any non-approved mechanism is rejected with CKR_MECHANISM_INVALID.

Status	Mechanisms
Approved	RSA-2048/3072/4096 (PKCS#1 v1.5, PSS, OAEP), ECDSA P-256/P-384, ECDH P-256/P-384, AES GCM/CBC/CTR/Key Wrap, SHA-256/384/512, SHA3-256/384/512, HMAC-SHA256/384/512
Not approved	Ed25519 (pending inclusion in FIPS 186-6), SHA-1 (blocked for signing per SP 800-131A), all PQC mechanisms (pending CMVP adoption of FIPS 203/204/205)

FIPS approved mode is described in detail in FIPS overview.

Hybrid and experimental mechanisms

Three classes of mechanism are exposed but carry interoperability and stability caveats.

Post-quantum mechanisms (CKM_ML_KEM_*, CKM_ML_DSA_*, CKM_SLH_DSA_*) use vendor-defined numbers and depend on the ml-kem, ml-dsa, and slh-dsa crates, all of which are currently at release-candidate versions. The API is expected to stabilise before Craton HSM 1.0, but encoded keys and signatures produced today may not interoperate with future RC revisions.
Hybrid mechanisms (CKM_HYBRID_X25519_ML_KEM_768, CKM_HYBRID_ML_DSA_ECDSA) combine a classical primitive with a PQC primitive. There is no PKCS#11 v3.0 standard for hybrid mechanisms yet; the on-the-wire encoding follows the internal convention documented alongside each mechanism in Post-quantum.
Ed25519 is implemented and fully functional but is not FIPS-approved at the time of writing.

Crypto backend

Cryptographic primitives are provided by a CryptoBackend trait. Two backends exist.

Backend	Crates	FIPS status
RustCrypto (default)	`rsa`, `p256`, `p384`, `ed25519-dalek`, `aes-gcm`, `sha2`, `sha3`, `hmac`, ...	Not FIPS-validated
aws-lc-rs (Enterprise)	`aws-lc-rs` with the `fips` feature	FIPS 140-3 certified

PQC primitives (ml-kem, ml-dsa, slh-dsa) are used regardless of backend — aws-lc-rs does not yet cover post-quantum algorithms.

Where to go next

Classical algorithms — key sizes, mechanisms, constraints per algorithm
Post-quantum algorithms — ML-KEM, ML-DSA, SLH-DSA, hybrid
DRBG — HMAC_DRBG construction, reseeding, health tests
Key lifecycle — SP 800-57 states and attribute mapping
PKCS#11 mechanisms — full mechanism capability matrix