AES and HMAC keys

AES and HMAC key separation is controlled by the associated data section in the key token. The associated data section contains fields for the type of algorithm for which the key can be used, the key type, key usage, and key management. In addition to the algorithm and key type, the values of the key-usage and key-management fields further restrict the use of a key.

The associated data is cryptographically bound to the key token when the key value is encrypted under the master key or a transport key.
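The binding described above can be illustrated with a small model. This is an added example, not code from the product this page documents. It uses a stand-in construction (HMAC-SHA256 keystream plus an HMAC tag over the associated data) rather than the real token wrapping method. The field values such as "VERIFY" and "NOEXPORT", the JSON layout and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os

MASTER_KEY = os.urandom(32)  # constructed stand-in for the master key


def _subkey(label):
    # Independent encryption and MAC subkeys derived from the master key.
    return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()


def _keystream(nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in for the real wrapping cipher.
    blocks = (hmac.new(_subkey(b"enc"), nonce + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _tag(ad, nonce, ct):
    # Length-prefix the associated data so field boundaries are unambiguous.
    msg = len(ad).to_bytes(4, "big") + ad + nonce + ct
    return hmac.new(_subkey(b"mac"), msg, hashlib.sha256).digest()


def wrap_key(key, algorithm, key_type, usage, management):
    # Associated data travels in the clear next to the encrypted key value.
    ad = json.dumps({"algorithm": algorithm, "key_type": key_type,
                     "key_usage": usage, "key_management": management},
                    sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(nonce, len(key))))
    return {"ad": ad, "nonce": nonce, "ct": ct, "tag": _tag(ad, nonce, ct)}


def unwrap_for(token, algorithm, operation):
    # 1. Binding: any edit to the associated data invalidates the token.
    expected = _tag(token["ad"], token["nonce"], token["ct"])
    if not hmac.compare_digest(token["tag"], expected):
        raise ValueError("token integrity check failed")
    # 2. Key separation: the bound fields decide what the key may be used for.
    ad = json.loads(token["ad"])
    if ad["algorithm"] != algorithm or operation not in ad["key_usage"]:
        raise PermissionError("key not permitted for this use")
    ks = _keystream(token["nonce"], len(token["ct"]))
    return bytes(a ^ b for a, b in zip(token["ct"], ks))
```

A token wrapped with usage `["VERIFY"]` is refused for any other operation, and a copy whose `key_usage` field has been edited fails the integrity check before the policy is consulted. The key-management field is bound in the same way but is not enforced in this model.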