If you perform encryption using a HSM then the encryption procedure is performed within the HSM, not in the software. Cipher
does not implement the encryption procedure itself. The underlying CipherSpi
of the PKCS#11 provider for Cipher
is chosen using delayed provider selection depending on the key given during the call to init()
. So although the desEncrypt()
function seems to perform the same operations, in reality the functionality depends on the provider, and in your case, on the PKCS#11 wrapper, library and of course HSM.
Now PKCS#11 is an interface specification; not all mechanisms in PKCS#11 will be implemented in every token. It is likely that some encryption algorithms are too obscure or too unsafe. The latter is probably the case for DES ECB as that algorithm is extremely insecure. That does not mean that DES keys cannot be used in general - they could still play a role in e.g. MAC calculations. So please check the documentation of your HSM if DES ECB is supported (in the current setting).
You can get more information about the PKCS#11 method calls by adding -Djava.security.debug=sunpkcs11
to your call to the Java interpreter (java
or javaw
). If DES does not work, try the much safer and more common "AES/CBC/PKCS5Padding"
or triple DES mechanism.