Table 335 defines an external DES key token called an RKX key token. An RKX key token is a special token used exclusively by the Remote Key Export callable service (CSNDRKX and CSNFRKX) and by the DES key-storage callable services (for example, CKDS Key Record Write). No other callable service uses or references an RKX key token or an RKX key-token record. For additional information about the use of RKX key tokens, see Remote Key Loading.
Note: Callable services other than Remote Key Export and the DES key-storage callable services do not support RKX key tokens or RKX key-token records.
As the table shows, RKX key tokens are 64 bytes long and carry a token identifier flag (X'02'), a token version number (X'10'), and room for encrypted keys, like normal CCA DES key tokens. Unlike normal CCA DES key tokens, RKX key tokens have no control vector, no flag bits, and no token-validation value. In addition, they carry a confounder, a MAC value, and room for a third encrypted key.
Table 335. External RKX DES key-token format, version X'10'

| Offset | Length | Meaning |
|---|---|---|
| 00 | 1 | X'02' (a token identifier flag that indicates an external key token) |
| 01 | 3 | Reserved, binary zero |
| 04 | 1 | The token version number (X'10') |
| 05 | 2 | Reserved, binary zero |
| 07 | 1 | Key length in bytes, including the confounder |
| 08 | 8 | Confounder |
| 16 | 8 | Key left |
| 24 | 8 | Key middle (binary zero if not used) |
| 32 | 8 | Key right (binary zero if not used) |
| 40 | 8 | Rule ID: the trusted block rule identifier used to create this key token. A subsequent call to Remote Key Export (CSNDRKX or CSNFRKX) can use this token with a trusted block rule that references the rule ID under which the token was created; the trusted block rule is compared with this rule ID for verification. The Rule ID is an 8-byte string of ASCII characters, left justified and padded on the right with space characters. Acceptable characters are A...Z, a...z, 0...9, - (X'2D'), and _ (X'5F'); all other characters are reserved for future use. |
| 48 | 8 | Reserved, binary zero |
| 56 | 8 | MAC value: ISO 16609 TDES CBC-mode MAC computed over the 56 bytes starting at offset 0, which include the encrypted key value and the rule ID, using the same MAC key that protects the trusted block itself. This MAC guarantees that neither the key nor the rule ID can be modified without detection, providing integrity and binding the rule ID to the key. The MAC must verify under the same trusted block that was used to create the key, which binds the key structure to that specific trusted block. |
Notes:
- A fixed, randomly derived variant is exclusive-ORed with the MAC
key before it is used to encipher the generated or exported key and
confounder.
- The MAC key is located within a trusted block (internal format)
and can be recovered by decipherment under a variant of the PKA master
key.
- The trusted block is originally created in external form by the
Trusted Block Create callable service and then converted to internal
form by the PKA Key Import callable service prior to the Remote Key
Export call.
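The checks a consumer of an RKX key token would make from Table 335, as an added Go example; this is not ICSF or IBM code. It parses the fixed and reserved fields, enforces the rule ID character set and padding, rejects a key length that does not match the zeroed unused key parts, and verifies the ISO 16609 TDES CBC-mode MAC over bytes 0..55 (CBC with a zero IV, last block kept, no padding since 56 is a multiple of 8). It assumes the caller supplies a two-key TDES MAC key directly; in ICSF that key lives inside the trusted block and is recovered only inside the coprocessor. The key and confounder fields are treated as opaque, already-enciphered bytes (the variant-XOR encipherment in the notes above is not modeled), and every sample value is constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// RKXToken is the parsed form of a 64-byte external RKX DES key token (Table 335).
type RKXToken struct {
	KeyLen int    // offset 07: key length in bytes, including the 8-byte confounder
	Key    []byte // offsets 08..: confounder followed by the enciphered key parts
	RuleID string // offset 40: ASCII rule ID with its space padding removed
}

func allZero(b []byte) bool { return bytes.Count(b, []byte{0}) == len(b) }

// parseRuleID enforces the Table 335 character set and left-justified space padding.
func parseRuleID(raw []byte) (string, error) {
	padded := false
	for i, c := range raw {
		switch {
		case c == ' ':
			padded = true
		case padded:
			return "", fmt.Errorf("rkx: rule ID byte %d follows space padding", i)
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9', c == '-', c == '_':
		default:
			return "", fmt.Errorf("rkx: rule ID byte %d (X'%02X') is reserved", i, c)
		}
	}
	return string(bytes.TrimRight(raw, " ")), nil
}

// TDESCBCMAC is the ISO 16609 TDES CBC-mode MAC: CBC-encrypt unpadded data under a zero IV and
// keep the last block. A 16-byte key is used as two-key TDES (K1 K2 K1). Assumed MAC key input.
func TDESCBCMAC(macKey, data []byte) ([]byte, error) {
	if len(macKey) == 16 {
		macKey = append(append([]byte{}, macKey...), macKey[:8]...)
	}
	block, err := des.NewTripleDESCipher(macKey)
	if err != nil || len(data)%8 != 0 {
		return nil, fmt.Errorf("rkx: bad MAC key or data length: %v", err)
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, data)
	return out[len(out)-8:], nil
}

// ParseRKXToken checks every fixed and reserved field of Table 335, then verifies the MAC over
// bytes 0..55 under the MAC key of the trusted block the caller means to use the token with.
func ParseRKXToken(tok, macKey []byte) (*RKXToken, error) {
	if len(tok) != 64 || tok[0] != 0x02 || tok[4] != 0x10 ||
		!allZero(tok[1:4]) || !allZero(tok[5:7]) || !allZero(tok[48:56]) {
		return nil, errors.New("rkx: bad length, token identifier, version or reserved bytes")
	}
	// The length covers the confounder plus one, two or three parts; unused parts must be zero.
	n := int(tok[7])
	if (n != 16 && n != 24 && n != 32) || !allZero(tok[8+n:40]) {
		return nil, fmt.Errorf("rkx: key length %d inconsistent with key fields", n)
	}
	rid, err := parseRuleID(tok[40:48])
	if err != nil {
		return nil, err
	}
	mac, err := TDESCBCMAC(macKey, tok[:56])
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(mac, tok[56:]) != 1 {
		return nil, errors.New("rkx: MAC does not verify; token was not created under this trusted block")
	}
	return &RKXToken{KeyLen: n, Key: append([]byte(nil), tok[8:8+n]...), RuleID: rid}, nil
}

// BuildRKXToken lays out and MACs a token from an 8-byte confounder and 8, 16 or 24 bytes of
// already-enciphered key parts (left, middle, right); unused parts stay binary zero.
func BuildRKXToken(confounder, key []byte, ruleID string, macKey []byte) ([]byte, error) {
	if len(confounder) != 8 || len(key)%8 != 0 || len(key) < 8 || len(key) > 24 || len(ruleID) > 8 {
		return nil, errors.New("rkx: confounder must be 8 bytes, key 8/16/24 bytes, rule ID at most 8")
	}
	tok := make([]byte, 64)
	tok[0], tok[4], tok[7] = 0x02, 0x10, byte(8+len(key))
	copy(tok[8:], confounder)
	copy(tok[16:], key)
	copy(tok[40:], fmt.Sprintf("%-8s", ruleID))
	mac, err := TDESCBCMAC(macKey, tok[:56])
	if err != nil {
		return nil, err
	}
	copy(tok[56:], mac)
	return tok, nil
}
```

To exercise it, build a token with `BuildRKXToken([]byte("CONFOUND"), []byte("ENC-KEY1"), "RULE-01", macKey)` and hand it to `ParseRKXToken` with the same constructed `macKey`; flipping any byte of the rule ID or key fields, or presenting a different MAC key, makes the parse fail at the MAC check, which is exactly the rule-ID-to-key and key-to-trusted-block binding the table describes. The rule ID comparison against the trusted block rule that a Remote Key Export caller names is a plain string comparison on the returned `RuleID`.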