xref: /ohos5.0/docs/en/application-dev/security/UniversalKeystoreKit/huks-key-generation-overview.md

# Key Generation Overview and Algorithm Specifications

You can use the HUKS APIs to generate a key randomly and store the key in HUKS.
> **NOTE**<br>
> Key aliases must not contain sensitive information, such as personal data.

- Random generation: HUKS uses a cryptographically secure pseudorandom number generator (PRNG) to generate keys. The PRNG helps improve the randomness, unpredictability, and non-reproducibility of the keys, making the generated keys difficult to infer.

- Secure storage: Except the public keys in asymmetric key pairs, the keys generated by HUKS can be used only in the secure storage area throughout their lifecycle (from generation to destruction). In addition, the generated key file cannot be directly accessed by any service except HUKS. Even the services that generate the keys can perform key operations and obtain the operation result only using the HUKS APIs.
- Key usage: A key can be used for only one purpose. For example, a key cannot be used for encryption/decryption or signing/signature verification, but cannot be used for both. In addition, the usage specified when the key is generated must be the same as that specified when the key is used. Otherwise, an exception may occur.


## Supported Algorithms

The following table lists the supported key generation specifications.
<!--Del-->
The key management service specifications include mandatory specifications and optional specifications. Mandatory specifications are algorithm specifications that must be supported. Optional specifications can be used based on actual situation. Before using the optional specifications, refer to the documents provided by the vendor to ensure that the specifications are supported.

**You are advised to use mandatory specifications in your development for compatibility purposes.**
<!--DelEnd-->
**Specifications for Standard-System Devices**
| Algorithm| Supported Key Length (Bit)| API Version| <!--DelCol4-->Mandatory|
| -------- | -------- | -------- | -------- |
| AES | 128, 192, 256| 8+ | Yes|
| <!--DelRow-->RSA | 512, 768, 1024| 8+ | No|
| RSA | 2048, 3072, 4096| 8+ | Yes|
| HMAC | An integer multiple of 8, ranging from 8 to 1024 (inclusive)| 8+ | Yes|
| <!--DelRow-->ECC | 224 | 8+ | No|
| ECC | 256, 384, 521| 8+ | Yes|
| ED25519 | 256 | 8+ | Yes|
| X25519 | 256 | 8+ | Yes|
| <!--DelRow-->DSA | An integer multiple of 8, ranging from 512 to 1024 (inclusive) | 8+ | No|
| DH | 2048 | 8+ | Yes|
| <!--DelRow-->DH | 3072, 4096| 8+ | No|
| SM2 | 256 | 9+ | Yes|
| SM4 | 128 | 9+ | Yes|

> **NOTE**<br>
> The DH algorithm uses the FFDHE named safe prime groups.

**Specifications for Mimi-System Devices**

<!--Del-->
Before implementing the specifications for mini-system devices, determine whether your device supports the related specifications.
<!--DelEnd-->

| Algorithm| Supported Key Length (Bit)| API Version|
| -------- | -------- | -------- |
| AES | 128, 192, 256| 8+ |
| DES | 64 | 12+ |
| 3DES | 128, 192| 12+ |
| RSA | An integer multiple of 8, ranging from 1024 to 2048 (inclusive)| 12+ |
| HMAC | An integer multiple of 8, ranging from 8 to 1024 (inclusive)| 12+ |
| CMAC | 128 (supporting only 3DES)| 12+ |