# Key Import Overview and Algorithm Specifications

You can import an externally generated key (for example, a key generated after key agreement or generated by a server) into HUKS for management. Once a key is imported into HUKS, its plaintext can be accessed only within a secure environment throughout its lifecycle. This ensures that no one can obtain the plaintext of the key.

A key can be imported in plaintext or in encrypted (wrapped) mode.


## Plaintext Import

Importing a key in plaintext may expose the plaintext to a non-secure environment. This import mode applies to lightweight devices or security-insensitive services.

- Plaintext import is recommended for importing the public key of an asymmetric key pair.

- It is not recommended for importing symmetric keys or asymmetric key pairs.
  > **NOTE**<br>
  > The mini-system devices support plaintext import but not encrypted import.

## Encrypted Import

In this mode, the key to be imported is encrypted (wrapped) and then imported into HUKS through an end-to-end encrypted transmission channel established between the service and HUKS. This mode is more secure than plaintext import and applies to security-sensitive services. However, it involves more complex key material and operations.

- Encrypted import is recommended for importing symmetric keys or asymmetric key pairs.

The following figure illustrates the development sequence of encrypted import.

![](figures/Encrypted_import_process.png)

To import an encrypted key, you need to use the HUKS APIs to generate a key pair (used to encrypt the key to be imported), export the public key, import the encrypted key, and delete the key pair.

The exported [public key material](huks-concepts.md#public-key-material-format) is encapsulated in X.509 format. The encrypted key material to be imported must be encapsulated in **Length<sub>Data</sub>-Data** format.

> **NOTE**
>
> - The encrypted import supports key agreement algorithms ECDH and X25519. The generated **Shared_Key** uses the AES-GCM algorithm to encrypt **Caller_Kek**. For details about the cipher suites, see [HuksUnwrapSuite](../../reference/apis-universal-keystore-kit/js-apis-huks.md#huksunwrapsuite9).
> - The mini-system devices support plaintext import but not encrypted import.

### Key Material Format for Encrypted Import

| Content| Length|
| -------- | -------- |
| Service public key **Caller_Pk** length (L<sub>Caller_Pk</sub>)| 4 bytes|
| Service public key **Caller_Pk**| L<sub>Caller_Pk</sub> bytes|
| Shared_Key **AAD2** length (L<sub>AAD2</sub>)| 4 bytes|
| Shared_Key **AAD2**| L<sub>AAD2</sub> bytes|
| Shared_Key **Nonce2** length (L<sub>Nonce2</sub>)| 4 bytes|
| Shared_Key **Nonce2**| L<sub>Nonce2</sub> bytes|
| Shared_Key **AEAD2** length (L<sub>AEAD2</sub>)| 4 bytes|
| Shared_Key **AEAD2**| L<sub>AEAD2</sub> bytes|
| **Caller_Kek_enc** length (L<sub>Caller_Kek_enc</sub>)| 4 bytes|
| Caller_Kek ciphertext **Caller_Kek_enc**| L<sub>Caller_Kek_enc</sub> bytes|
| Caller_Kek **AAD3** length (L<sub>AAD3</sub>)| 4 bytes|
| Caller_Kek **AAD3**| L<sub>AAD3</sub> bytes|
| Caller_Kek **Nonce3** length (L<sub>Nonce3</sub>)| 4 bytes|
| Caller_Kek **Nonce3**| L<sub>Nonce3</sub> bytes|
| Caller_Kek **AEAD3** length (L<sub>AEAD3</sub>)| 4 bytes|
| Caller_Kek **AEAD3**| L<sub>AEAD3</sub> bytes|
| **To_Import_Key_size** length (L<sub>To_Import_Key_size</sub>)| 4 bytes|
| Key plaintext material length **To_Import_Key_size**| L<sub>To_Import_Key_size</sub> bytes|
| **To_Import_Key_enc** length (L<sub>To_Import_Key_enc</sub>)| 4 bytes|
| To_Import_Key ciphertext **To_Import_Key_enc**| L<sub>To_Import_Key_enc</sub> bytes|


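The Length<sub>Data</sub>-Data layout in the table above, as an added example (not HUKS or OpenHarmony code): a TypeScript packer and a strict parser for the ten fields in table order. The little-endian byte order of the 4-byte length prefixes is an assumption, since this page does not state it, and `packWrappedKey`, `parseWrappedKey` and `sampleParts` are hypothetical names; `sampleParts` holds constructed placeholder bytes, not real key material.

```typescript
// Added example, not HUKS code. Field order follows the table above.
const FIELDS = [
  "Caller_Pk", "AAD2", "Nonce2", "AEAD2", "Caller_Kek_enc",
  "AAD3", "Nonce3", "AEAD3", "To_Import_Key_size", "To_Import_Key_enc",
] as const;
type WrappedKey = Record<(typeof FIELDS)[number], Uint8Array>;
// ASSUMPTION: length prefixes are little-endian; the page does not state byte order.
const LITTLE_ENDIAN = true;

// Serialize every field as a 4-byte length followed by the data.
function packWrappedKey(parts: WrappedKey): Uint8Array {
  let total = 0;
  for (const name of FIELDS) total += 4 + parts[name].length;
  const out = new Uint8Array(total);
  const view = new DataView(out.buffer);
  let off = 0;
  for (const name of FIELDS) {
    view.setUint32(off, parts[name].length, LITTLE_ENDIAN);
    out.set(parts[name], off + 4);
    off += 4 + parts[name].length;
  }
  return out;
}

// Strict parser: rejects truncated prefixes, lengths that overrun, and trailing bytes.
function parseWrappedKey(blob: Uint8Array): WrappedKey {
  const view = new DataView(blob.buffer, blob.byteOffset, blob.byteLength);
  const out = {} as WrappedKey;
  let off = 0;
  for (const name of FIELDS) {
    if (blob.length - off < 4) throw new RangeError(`${name}: truncated length prefix`);
    const len = view.getUint32(off, LITTLE_ENDIAN);
    off += 4;
    if (len > blob.length - off) throw new RangeError(`${name}: length ${len} overruns blob`);
    out[name] = blob.slice(off, off + len);
    off += len;
  }
  if (off !== blob.length) throw new RangeError("trailing bytes after To_Import_Key_enc");
  return out;
}

// Constructed placeholder bytes: sizes are illustrative, contents are not key material.
function sampleParts(): WrappedKey {
  const fill = (n: number, b: number) => new Uint8Array(n).fill(b);
  return {
    Caller_Pk: fill(91, 1), AAD2: fill(16, 2), Nonce2: fill(12, 3), AEAD2: fill(16, 4),
    Caller_Kek_enc: fill(32, 5), AAD3: fill(16, 6), Nonce3: fill(12, 7), AEAD3: fill(16, 8),
    To_Import_Key_size: Uint8Array.of(32, 0, 0, 0), To_Import_Key_enc: fill(32, 9),
  };
}
```

Running `parseWrappedKey(packWrappedKey(sampleParts()))` round-trips all ten fields, while a blob that is one byte short or one byte long is rejected with a `RangeError`.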
## Supported Algorithms

The following table lists the supported key import specifications.
<!--Del-->
The key management service specifications include mandatory specifications and optional specifications. Mandatory specifications are algorithm specifications that must be supported. Optional specifications can be used based on the actual situation. Before using the optional specifications, refer to the documents provided by the vendor to ensure that the specifications are supported.

**You are advised to use mandatory specifications in your development for compatibility purposes.**
<!--DelEnd-->
**Specifications for Standard-System Devices**

| Algorithm| Supported Key Length (Bit)| API Version| <!--DelCol4-->Mandatory|
| -------- | -------- | -------- | -------- |
| AES | 128, 192, 256| 8+ | Yes|
| <!--DelRow-->RSA | 512, 768, 1024| 8+ | No|
| RSA | 2048, 3072, 4096| 8+ | Yes|
| HMAC | An integer multiple of 8, ranging from 8 to 1024 (inclusive)| 8+ | Yes|
| <!--DelRow-->ECC | 224 | 8+ | No|
| ECC | 256, 384, 521| 8+ | Yes|
| ED25519 | 256 | 8+ | Yes|
| X25519 | 256 | 8+ | Yes|
| <!--DelRow-->DSA | An integer multiple of 8, ranging from 512 to 1024 (inclusive) | 8+ | No|
| DH | 2048 | 8+ | Yes|
| <!--DelRow-->DH | 3072, 4096| 8+ | No|
| SM2 | 256 | 9+ | Yes|
| SM4 | 128 | 9+ | Yes|

**Specifications for Mini-System Devices**

<!--Del-->
Before implementing the specifications for mini-system devices, determine whether your device supports the related specifications.
<!--DelEnd-->

| Algorithm| Supported Key Length (Bit)| API Version|
| -------- | -------- | -------- |
| AES | 128, 192, 256| 12+ |
| DES | 64 | 12+ |
| 3DES | 128, 192| 12+ |
| RSA | An integer multiple of 8, ranging from 1024 to 2048 (inclusive)| 12+ |
| HMAC | An integer multiple of 8, ranging from 8 to 1024 (inclusive)| 12+ |
| CMAC | 128 | 12+ |