harmony 鸿蒙Key Generation Overview and Algorithm Specifications

2025-06-12
浏览 (4)

Key Generation Overview and Algorithm Specifications

You can use the HUKS APIs to generate a key randomly and store the key in HUKS. > NOTE
> Key aliases must not contain sensitive information, such as personal data.

Random generation: HUKS uses a cryptographically secure pseudorandom number generator (PRNG) to generate keys. The PRNG helps improve the randomness, unpredictability, and non-reproducibility of the keys, making the generated keys difficult to infer.
Secure storage: Except the public keys in asymmetric key pairs, the keys generated by HUKS can be used only in the secure storage area throughout their lifecycle (from generation to destruction). In addition, the generated key file cannot be directly accessed by any service except HUKS. Even the services that generate the keys can perform key operations and obtain the operation result only using the HUKS APIs.
Key usage: A key can be used for only one purpose. For example, a key cannot be used for encryption/decryption or signing/signature verification, but cannot be used for both. In addition, the usage specified when the key is generated must be the same as that specified when the key is used. Otherwise, an exception may occur.

Supported Algorithms

The following table lists the supported key generation specifications. The key management service specifications include mandatory specifications and optional specifications. Mandatory specifications are algorithm specifications that must be supported. Optional specifications can be used based on actual situation. Before using the optional specifications, refer to the documents provided by the vendor to ensure that the specifications are supported.

You are advised to use mandatory specifications in your development for compatibility purposes. Specifications for Standard-System Devices |Algorithm|Supported Key Length (Bit)|API Version|Mandatory| |——–|——–|——–|——–| |AES|128, 192, 256|8+|Yes| |RSA|512, 768, 1024|8+|No| |RSA|2048, 3072, 4096|8+|Yes| |RSA|An integer multiple of 8, ranging from 1024 to 2048 (inclusive)|16+|Yes| |HMAC|An integer multiple of 8, ranging from 8 to 1024 (inclusive)|8+|Yes| |ECC|224|8+|No| |ECC|256, 384, 521|8+|Yes| |ED25519|256|8+|Yes| |X25519|256|8+|Yes| |DSA|An integer multiple of 8, ranging from 512 to 1024 (inclusive)|8+|No| |DH|2048|8+|Yes| |DH|3072, 4096|8+|No| |SM2|256|9+|Yes| |SM4|128|9+|Yes| |DES|64|16+|Yes| |3DES|128, 192|16+|Yes|

NOTE
The DH algorithm uses the FFDHE named safe prime groups.

Specifications for Mimi-System Devices

Before implementing the specifications for mini-system devices, determine whether your device supports the related specifications.

Algorithm	Supported Key Length (Bit)	API Version
AES	128, 192, 256	8+
DES	64	12+
3DES	128, 192	12+
RSA	An integer multiple of 8, ranging from 1024 to 2048 (inclusive)	12+
HMAC	An integer multiple of 8, ranging from 8 to 1024 (inclusive)	12+
CMAC	128 (supporting only 3DES)	12+