PKA key token sections
A PKA key token is the concatenation of an ordered set of sections. Table 1 describes the key token section data structures and the references that provide details.
| Section | Reference | Usage |
|---|---|---|
| Header | Table 1 | PKA key token header. |
| X'02' | Table 3 | RSA private key, 1024-bit Modulus-Exponent format. External format. Note: The internal format is deprecated. |
| X'04' | Table 9 | RSA public key. |
| X'06' | Table 4 | RSA private key, 1024-bit Modulus-Exponent format with OPK. Internal format. |
| X'08' | Table 7 | RSA private key, 4096-bit Chinese-Remainder Theorem format with OPK. Internal and external format. |
| X'09' | Table 6 | RSA private key, 4096-bit Modulus-Exponent format. Generated for external format for clear keys or for keys encrypted by a DES key-encrypting key. |
| X'10' | Table 10 | Private-key name for RSA and QSA keys. |
| X'20' | Table 13 | ECC private key format with OPK. Internal and external format. |
| X'21' | Table 14 | ECC public key. |
| X'30' | Table 5 | RSA private key, 4096-bit Modulus-Exponent format with AES-encrypted OPK. Internal and external format. |
| X'31' | Table 8 | RSA private key, 4096-bit Chinese-Remainder Theorem format with AES-encrypted OPK. Internal and external format. |
PKA key tokens can be built with the PKA Key Token Build service (CSNDPKB and CSNFPKB).
An RSA key token is the concatenation of these sections:
- A token header:
  - An external header (first byte X'1E').
  - An internal header (first byte X'1F').
- An optional private key section in one of these formats:
  - Section identifier X'02' for a Modulus-Exponent format key 512 - 1024 bits, either in an external key token in the clear or wrapped by a DES key-encrypting key, or in an internal key token wrapped by the RSA master key. Note: The use of the internal format is deprecated.
  - Section identifier X'06' for a Modulus-Exponent format key 512 - 1024 bits, in an internal key token wrapped with an OPK which is wrapped by the RSA master key.
  - Section identifier X'30' for a Modulus-Exponent format key 512 - 4096 bits, either in an external key token in the clear or wrapped with an OPK which is wrapped by an AES key-encrypting key, or in an internal key token wrapped with an OPK which is wrapped by the ECC master key.
  - Section identifier X'09' for a Modulus-Exponent format key 512 - 4096 bits, in an external key token in the clear or wrapped by a DES key-encrypting key.
  - Section identifier X'08' for a Chinese-Remainder Theorem format key 512 - 4096 bits, either in an external key token in the clear or wrapped by a DES key-encrypting key, or in an internal key token wrapped by the RSA master key.
  - Section identifier X'31' for a Chinese-Remainder Theorem format key 512 - 4096 bits, either in an external key token in the clear or wrapped with an OPK which is wrapped by an AES key-encrypting key, or in an internal key token wrapped with an OPK which is wrapped by the ECC master key.
- A public key section (section identifier X'04').
- An optional private key name section (section identifier X'10').
Special note for CRT keys: ICSF always generates a
CRT key with p > q. If you import a CRT key from another RSA implementation with q > p, the key is
usable within the coprocessor or accelerator, but your application encounters a performance
degradation with each use of the key.
An ECC key token is the concatenation of these sections:
- A token header:
  - An external header (first byte X'1E').
  - An internal header (first byte X'1F').
- An optional private key section (section identifier X'20').
- A public key section (section identifier X'21').
- An optional key-derivation section (section identifier X'23').
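A check of the RSA and ECC section sequences listed above, written as an added example (not IBM or ICSF code). It assumes the layout from the referenced header and section tables, which this page does not reproduce: an 8-byte header with a 2-byte big-endian total length at offset 2, and each section starting with its identifier, a version byte, and a 2-byte big-endian length that includes those 4 bytes. `parse_sections`, `classify` and `build_token` are hypothetical names, and the sample tokens are constructed.

```python
import struct

EXT, INT = 0x1E, 0x1F  # token header first byte: external / internal
# Private-key section id -> header types the page lists for it
RSA_PRIVATE = {0x02: {EXT, INT}, 0x06: {INT}, 0x08: {EXT, INT},
               0x09: {EXT}, 0x30: {EXT, INT}, 0x31: {EXT, INT}}
# family -> (private sections, required public section, optional last section)
FAMILIES = {"RSA": (RSA_PRIVATE, 0x04, 0x10),
            "ECC": ({0x20: {EXT, INT}}, 0x21, 0x23)}

def parse_sections(token: bytes):
    """Return (header_byte, [(section_id, body), ...]); ValueError on bad lengths."""
    if len(token) < 8 or token[0] not in (EXT, INT):
        raise ValueError("not a PKA key token header")
    total = struct.unpack_from(">H", token, 2)[0]  # assumed: total length at offset 2
    if total != len(token):
        raise ValueError("header length does not match token size")
    sections, off = [], 8                          # assumed: 8-byte header
    while off < total:
        if off + 4 > total:
            raise ValueError("truncated section header")
        sid = token[off]
        slen = struct.unpack_from(">H", token, off + 2)[0]  # assumed: includes 4-byte prefix
        if slen < 4 or off + slen > total:
            raise ValueError(f"section X'{sid:02X}' overruns the token")
        sections.append((sid, token[off + 4:off + slen]))
        off += slen
    return token[0], sections

def classify(token: bytes):
    """Return (family, warnings) if the section order matches the RSA or ECC layout."""
    hdr, sections = parse_sections(token)
    ids = [sid for sid, _ in sections]
    for family, (private, public, last) in FAMILIES.items():
        has_private = bool(ids) and ids[0] in private
        if ids[has_private:] not in ([public], [public, last]):
            continue
        warnings = []
        if has_private and hdr not in private[ids[0]]:
            raise ValueError(f"X'{ids[0]:02X}' not valid under header X'{hdr:02X}'")
        if has_private and ids[0] == 0x02 and hdr == INT:
            warnings.append("internal X'02' private key section is deprecated")
        return family, warnings
    raise ValueError("section sequence matches neither RSA nor ECC layout")

def build_token(hdr: int, sections):
    """Constructed sample input: assemble a token from (section_id, body) pairs."""
    body = b"".join(bytes([sid, 0]) + struct.pack(">H", len(b) + 4) + b for sid, b in sections)
    return bytes([hdr, 0]) + struct.pack(">H", len(body) + 8) + bytes(4) + body
```

Rejecting tokens whose declared lengths or section order do not match the layout before they reach a callable service keeps malformed input out of later parsing steps.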