As the table shows, RKX key tokens are 64 bytes in length, carry a token identifier flag (X'02') and a token version number (X'10'), and have room for encrypted keys like normal CCA DES key tokens. Unlike normal CCA DES key tokens, RKX key tokens have no control vector, no flag bits, and no token-validation value. In addition, they carry a confounder value, a MAC value, and room for a third encrypted key.
Offset | Length | Meaning |
---|---|---|
00 | 1 | X'02' (a token identifier flag that indicates an external key-token) |
01 | 3 | Reserved, binary zero |
04 | 1 | The token version number (X'10') |
05 | 2 | Reserved, binary zero |
07 | 1 | Key length in bytes, including confounder |
08 | 8 | Confounder |
16 | 8 | Key left |
24 | 8 | Key middle (binary zero if not used) |
32 | 8 | Key right (binary zero if not used) |
40 | 8 | Rule ID: the trusted block rule identifier used to create this key token. A subsequent call to Remote Key Export (CSNDRKX) can use this token with a trusted block rule that references the rule ID that must have been used to create this token; the trusted block rule can be compared with this rule ID for verification purposes. The rule ID is an 8-byte string of ASCII characters, left justified and padded on the right with space characters. Acceptable characters are A...Z, a...z, 0...9, - (X'2D'), and _ (X'5F'). All other characters are reserved for future use. |
48 | 8 | Reserved, binary zero |
56 | 8 | MAC value: ISO 16609 TDES CBC-mode MAC, computed over the 56 bytes starting at offset 0 (including the encrypted key value and the rule ID) using the same MAC key that protects the trusted block itself. This MAC guarantees that the key and the rule ID cannot be modified without detection, providing integrity and binding the rule ID to the key. The MAC must verify with the same trusted block used to create the key, thus binding the key structure to that specific trusted block. |
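The following parser, added here as an example and not taken from IBM's CCA code, applies the layout above to a constructed 64-byte token: it checks the flag, version, reserved bytes, key length, unused key parts and rule-ID character set, and returns the 56-byte MAC input separately so that a caller with access to the trusted block's MAC key can verify it. The accepted key lengths (16, 24, 32 bytes including the confounder) and the requirement of at least one non-space rule-ID character are assumptions, not stated on the page.

```python
import re
from dataclasses import dataclass

TOKEN_LEN = 64
MAC_COVERED_LEN = 56  # the MAC at offset 56 covers offsets 0..55
# Rule ID: ASCII A-Z a-z 0-9 '-' '_', left-justified and space-padded; requiring
# at least one non-space character is an assumption (the page does not cover blank IDs).
RULE_ID_RE = re.compile(rb"^[A-Za-z0-9_-]+ *$")
# Assumed legal values at offset 7: 8-byte confounder plus 1, 2 or 3 DES key parts.
VALID_KEY_LENGTHS = (16, 24, 32)


@dataclass
class RkxToken:
    key_length: int   # bytes, including the confounder
    confounder: bytes
    key_parts: tuple  # (left, middle, right); unused parts are 8 zero bytes
    rule_id: str      # rule ID with the trailing space padding stripped
    mac: bytes
    mac_input: bytes  # the 56 bytes the trusted-block MAC key must verify


def parse_rkx_token(tok: bytes) -> RkxToken:
    """Structural validation of an RKX key token. The MAC is not checked here:
    that needs the trusted block's MAC key, which only exists inside the HSM."""
    if len(tok) != TOKEN_LEN:
        raise ValueError(f"expected {TOKEN_LEN}-byte token, got {len(tok)}")
    if tok[0] != 0x02:
        raise ValueError("offset 0: missing external key-token flag X'02'")
    if tok[4] != 0x10:
        raise ValueError("offset 4: unexpected token version")
    if (tok[1:4], tok[5:7], tok[48:56]) != (bytes(3), bytes(2), bytes(8)):
        raise ValueError("reserved bytes must be binary zero")
    key_len = tok[7]
    if key_len not in VALID_KEY_LENGTHS:
        raise ValueError(f"offset 7: unsupported key length {key_len}")
    parts = (tok[16:24], tok[24:32], tok[32:40])
    # Key parts beyond the declared length must be zero ("binary zero if not used").
    if any(p != bytes(8) for p in parts[(key_len - 8) // 8:]):
        raise ValueError("unused key parts must be binary zero")
    if not RULE_ID_RE.match(tok[40:48]):
        raise ValueError("offset 40: rule ID is not a left-justified ASCII identifier")
    return RkxToken(key_len, tok[8:16], parts, tok[40:48].decode("ascii").rstrip(" "),
                    tok[56:64], tok[:MAC_COVERED_LEN])


# Constructed sample token: double-length key under rule "EXPORT01". The key bytes
# and the MAC are dummy values, not output of a real trusted block.
SAMPLE_TOKEN = (b"\x02" + bytes(3) + b"\x10" + bytes(2) + b"\x18" + b"\x11" * 8
                + b"\xAA" * 8 + b"\xBB" * 8 + bytes(8) + b"EXPORT01" + bytes(8) + b"\xCC" * 8)
```

Because the rule ID lies inside the MAC-covered region, any accepted token whose rule ID differs from the rule referenced in a later CSNDRKX call should fail MAC verification rather than be silently reinterpreted under another rule.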