| Key Block Algorithm (one required) |
| DES |
Specifies to build a DES key-token. |
| AES |
Specifies to build an AES key-token. Only valid with wrapping method D. |
| HMAC |
Specifies to build an HMAC key-token. Only valid with key usage KEY-HMAC (M7). |
| Key Status (one required) |
| NO-KEY |
Specifies to build a TR-31 key block without a key value. This creates a key block header
(that is, a skeleton key token) that can be populated using CSNBKPI2 or used in key derivation services
such as CSNDEDH, CSNBUKD, and so on. |
| RANDOM |
Specifies to build a TR-31 key block using a randomly generated AES, DES, or HMAC key fitting
the specifications given. This keyword requires a Key Form keyword. |
| Key Form (one required with RANDOM, otherwise not
allowed) |
| OP |
Return one copy of the key enciphered under the master key. |
| IM |
Return one copy of the key enciphered under either a TR-31 importer KEK (TR-31 key usage K1
and TR-31 mode of key use D) or a CCA
importer KEK with key usage IMEX. |
| EX |
Return one copy of the key enciphered under either a TR-31 exporter KEK (TR-31 key usage K1
and TR-31 mode of key use E) or a CCA
exporter KEK with key usage EXEX. |
| OPOP |
Return two copies of the key, both enciphered under the master key. The accepted key usages
and modes for OPOP can be found in Table 2. |
| OPIM |
Return two copies of the key, the first key enciphered under the master key and the second
key enciphered under KEK_key_identifier_2, which can be either a TR-31 importer
KEK (key usage K1 and mode of key use D) or a CCA importer KEK with key usage OPIM. The
accepted key usages and modes of key use for OPIM can be found in Table 2. |
| OPEX |
Return two copies of the key, the first key enciphered under the master key and the second
key enciphered under KEK_key_identifier_2, which can be either a TR-31 exporter
KEK (key usage K1 and mode of key use E) or a CCA exporter KEK with key usage OPEX. The
accepted key usages and modes of key use for OPEX can be found in Table 2. |
| IMIM |
Return two copies of the key, both keys enciphered under either a TR-31 importer KEK (key
usage K1 and mode of key use D) or under a CCA importer KEK with key usage IMIM. The
accepted key usages and modes of key use for IMIM can be found in Table 2. |
| IMEX |
Return two copies of the key, the first key enciphered under either a TR-31 importer KEK (key
usage K1 and mode of key use D) or under a CCA importer KEK with key usage IMEX, and the
second key under either a TR-31 exporter KEK (key usage K1 amd mode of key use E) or a CCA exporter KEK with key usage IMEX. The
accepted key usages and modes of key use for IMEX can be found in Table 2. |
| EXEX |
Return two copies of the key, both enciphered under either a TR-31 exporter KEKs (key usage
K1 amd mode of key use E) or under a CCA exporter KEK with key usage EXEX. The accepted key usages and modes for EXEX can be found in
Table 2. |
| Key Context for
generated_key_identifier_1 (one required if
generated_key_identifier_1 is external, otherwise invalid) |
| K1-STRX (’0’) |
Either storage or key exchange context. This allows interoperability with legacy key blocks.
Note: This does not imply that the wrapping key for a key block can be used for both storage and key
exchange, merely that the storage or exchange of this key block is determined by the properties of
the wrapping key.
Sets the byte at offset 14 of the header to 0 (0x30). |
| K1-EXCH (’2’) |
Key exchange context only. The key block is wrapped by a transport key for exchange between a
communicating pair. Sets the byte at offset 14 of the header to 2 (0x32). |
| Key Context for
generated_key_identifier_2 (one required if
generated_key_identifier_2 is external, otherwise invalid) |
| K2-STRX (’0’) |
Either storage or key exchange context. This allows interoperability with legacy key blocks.
Note: This does not imply that the wrapping key for a Key Block can be used for both storage and key
exchange, merely that the storage or exchange of this Key Block is determined by the properties of
the wrapping key.
Sets the byte at offset 14 of the header to 0 (0x30).
|
| K2-EXCH (’2’) |
Key exchange context only. The key block is wrapped by a transport key for exchange between a
communicating pair. Sets the byte at offset 14 of the header to 2 (0x32). |
| Wrapping method to be used for
generated_key_identifier_1 (one required) |
| K1-BM-A |
Use X9.143/TR-31 Binding Method ’A’ for the key from the
generated_key_identifier_1 parameter. Only valid with IM, EX, IMIM, IMEX, EXEX
- cases where the generated_key_identifier_1 parameter will contain an external
key block on output. The KEK_key_identifier_1 parameter must contain a TDES
wrapping key. Only valid with RANDOM. |
| K1-BM-B |
Use X9.143/TR-31 Binding Method ’B’ for the key from the
generated_key_identifier_1 parameter. For Key Format keywords OP,
OPOP, OPIM, OPEX where the generated_key_identifier_1 parameter will contain an
internal key block on output, the SYM-MK will be used. For Key Format keywords IM, EX,
IMIM, IMEX, EXEX, the KEK_key_identifier_1 parameter must contain a TDES
wrapping key. |
| K1-BM-C |
Use X9.143/TR-31 Binding Method ’C’ for the key from the
generated_key_identifier_1 parameter. Only valid with IM, EX, IMIM, IMEX, EXEX
- cases where the generated_key_identifier_1 parameter will contain an external
key block on output. The KEK_key_identifier_1 parameter must contain a TDES
wrapping key. Only valid with RANDOM. |
| K1-BM-D |
Use X9.143/TR-31 Binding Method ’D’ for the key from the
generated_key_identifier_1 parameter. For Key Format keywords OP,
OPOP, OPIM, OPEX where the generated_key_identifier_1 parameter will contain an
internal key block on output, the AES-MK will be used. For Key Format keywords IM, EX,
IMIM, IMEX, EXEX, the KEK_key_identifier_1 parameter must contain an AES
wrapping key. |
| Wrapping method to be used for
generated_key_identifier_2 (one required for Key Format
keywords OPOP, OPIM, OPEX, IMIM, IMEX, EXEX, invalid otherwise) |
| K2-BM-A |
Use X9.143/TR-31 Binding Method ’A’ for the key from the
generated_key_identifier_2 parameter. Only valid with OPIM, OPEX, IMIM, IMEX,
EXEX - cases where the generated_key_identifier_2 parameter will contain an
external key block on output. The KEK_key_identifier_2 parameter must contain a
TDES wrapping key. Only valid with RANDOM. |
| K2-BM-B |
Use X9.143/TR-31 Binding Method ’B’ for the key from the
generated_key_identifier_2 parameter. For Key Format keyword
OPOP, where the generated_key_identifier_2 parameter will contain an internal
key block on output, the SYM-MK will be used. For Key Format keywords OPIM, OPEX,
IMIM, IMEX, EXEX, the KEK_key_identifier_2 parameter must contain a TDES
wrapping key. |
| K2-BM-C |
Use X9.143/TR-31 Binding Method ’C’ for the key from the
generated_key_identifier_2 parameter. Only valid with OPIM, OPEX, IMIM, IMEX,
EXEX - cases where the generated_key_identifier_2 parameter will contain an
external key block on output. The KEK_key_identifier_2 parameter must contain a
TDES wrapping key. Only valid with RANDOM. |
| K2-BM-D |
Use X9.143/TR-31 Binding Method ’D’ for the key from the
generated_key_identifier_2 parameter. For Key Format
keyword OPOP, where the generated_key_identifier_2
parameter contains an internal key block on output, the AES-MK is used. For Key
Format keywords OPIM, OPEX, IMIM, IMEX, EXEX, the KEK_key_identifier_2
parameter must contain an AES wrapping key. |
| Key Usage (one required) |
| BDK (”B0”) |
Specifies to create a BDK base derivation key. Sets the bytes at offset 5 – 6 of the header
to ASCII B0. This key is used to derive the initial PIN encryption key (IPEK) in
the derived unique key per transaction (DUKPT) process defined in X9.24-1. An initial key is derived
for individual devices such as PIN pads. This is only valid with TR-31 mode of key use X
(K*DERIVE). |
| DUKPT (”B1”) |
Specifies to create an Initial DUKPT key. Sets the bytes at offset 5 – 6 of the header to
ASCII B1. This is only valid with TR-31 mode of key use X (K*DERIVE). Not valid
with wrapping method A. |
| KDK (”B3”) |
Specifies to create a Key Derivation Key. Sets the bytes at offset 5 – 6 of the header to
ASCII B3. This is only valid with TR-31 mode of key use X (K*DERIVE). Not valid
with wrapping method A. |
| CVK (”C0”) |
Specifies to create a CVK card verification key. Sets the bytes at offset 5 – 6 of the header
to ASCII C0. This is only valid with TR-31 modes of key use C (K*GENVER), G
(K*-GEN), and V (K*-VER). Only valid with algorithm DES. |
| ENC (”D0”) |
Specifies to create a symmetric data encryption key. Sets the bytes at offset 5 – 6 of the
header to ASCII D0. This is only valid with TR-31 modes of key use E (K*-ENC), D
(K*-DEC), and B (K*ENCDEC). |
| ENCSENS (”D3”) |
Specifies to create a data encryption key for sensitive data. Sets the bytes at offset 5 – 6
of the header to ASCII D3. This is only valid with TR-31 modes of key use E
(K*-ENC), D (K*-DEC), and B (K*ENCDEC). Only valid with wrapping method B or D. Not valid with
Key Form OPOP, OPIM, or IMIM. |
| EMVAC-E (”E0”) |
Specifies to create a derivation key for an EMV/chip issuer master key: application
cryptograms. Sets the bytes at offset 5 – 6 of the header to ASCII E0. This is only
valid with TR-31 mode of key use X (K*DERIVE). |
| EMVSC-E (”E1”) |
Specifies to create a derivation key for an EMV/chip issuer master key: secure messaging for
confidentiality. Sets the bytes at offset 5 – 6 of the header to ASCII E1. This is
only valid with TR-31 mode of key use X (K*DERIVE). |
| EMVSI-E (”E2”) |
Specifies to create a derivation key for an EMV/chip issuer master key: secure messaging for
integrity. Sets the bytes at offset 5 – 6 of the header to ASCII E2. This is only
valid with TR-31 mode of key use X (K*DERIVE). |
| EMVDA-E (”E3”) |
Specifies to create a derivation key for an EMV/chip issuer master key: data authentication
code. Sets the bytes at offset 5 – 6 of the header to ASCII E3. This is only valid
with TR-31 mode of key use X (K*DERIVE). |
| EMVDN-E (”E4”) |
Specifies to create a derivation key for an EMV/chip issuer master key: dynamic numbers. Sets
the bytes at offset 5 – 6 of the header to ASCII E4. This is only valid with TR-31
mode of key use X (K*DERIVE). |
| EMVCP-E (”E5”) |
Specifies to create a derivation key for an EMV/chip issuer master key: card personalization.
Sets the bytes at offset 5 – 6 of the header to ASCII E5. This is only valid with
TR-31 mode of key use X (K*DERIVE). |
| EMVAC-F (”F0”) |
Specifies to create an EMV/chip issuer master key: application cryptograms. Sets the bytes at
offset 5 – 6 of the header to ASCII F0. This is only valid with TR-31 mode of key
use X (K*DERIVE). |
| EMVSC-F (”F1”) |
Specifies to create an EMV/chip issuer master key: secure messaging for confidentiality. Sets
the bytes at offset 5 – 6 of the header to ASCII F1. This is only valid with TR-31
mode of key use X (K*DERIVE). |
| EMVSI-F (”F2”) |
Specifies to create an EMV/chip issuer master key: secure messaging for integrity. Sets the
bytes at offset 5 – 6 of the header to ASCII F2. This is only valid with TR-31 mode
of key use X (K*DERIVE). |
| EMVDA-F (”F3”) |
Specifies to create an EMV/chip issuer master key: data authentication code. Sets the bytes
at offset 5 – 6 of the header to ASCII F3. This is only valid with TR-31 mode of
key use X (K*DERIVE). |
| EMVDN-F (”F4”) |
Specifies to create an EMV/chip issuer master key: dynamic numbers. Sets the bytes at offset
5 – 6 of the header to ASCII F4. This is only valid with TR-31 mode of key use X
(K*DERIVE). |
| KEK (”K0”) |
Specifies to create a key encryption or wrapping key, used for wrapping CCA keys. This cannot be used to wrap TR-31
tokens. Sets the bytes at offset 5 – 6 of the header to ASCII K0. This is only
valid with TR-31 mode of key use E (K*-ENC) and D (K*-DEC). This can also be used in the CSNBSKY verb as the equivalent of a SECMSG key
with SMKEY attribute set. See Secure Messaging for Keys (CSNBSKY) for details. Only valid with Key
Form keywords OPEX, IMEX, or EXEX. |
| KEK-WRAP (”K1”) |
Specifies to create a TR-31 key block protection key, used for wrapping TR-31 tokens. This
cannot be used to wrap CCA tokens.
Sets the bytes at offset 5 – 6 of the header to ASCII K1. This is only valid with
TR-31 modes of key use E (K*-ENC) and D (K*-DEC). Not valid with wrapping method A. Only valid with
Key Form keywords OPEX, IMEX, or EXEX. |
| KEK-WRK4 (”K4”) |
Specifies to create an ISO 20038 key block protection key. Sets the bytes at offset 5 – 6 of
the header to ASCII K4. This is only valid with TR-31 modes of key use E (K*-ENC)
and D (K*-DEC). Only valid with wrapping method D. Only valid with Key Form keywords
OPEX, IMEX, or EXEX. |
| ISOMAC0 (”M0”) |
Specifies to create an ISO 16609 MAC algorithm 1 key (based on ISO 9797-1) using TDEA. Sets
the bytes at offset 5 – 6 of the header to ASCII M0. This is only valid with TR-31
modes of key use C (K*GENVER), G (K*-GEN), and V (K*-VER). Only valid with algorithm DES. |
| ISOMAC1 (”M1”) |
Specifies to create an ISO 9797-1 MAC algorithm 1 key. Sets the bytes at offset 5 – 6 of the
header to ASCII M1. This is only valid with TR-31 modes of key use C (K*GENVER), G
(K*-GEN), and V (K*-VER). Only valid with algorithm DES. |
| ISOMAC3 (”M3”) |
Specifies to create an ISO 9797-1 MAC algorithm 3 key. Sets the bytes at offset 5 – 6 of the
header to ASCII M3. This is only valid with TR-31 modes of key use C (K*GENVER), G
(K*-GEN), and V (K*-VER). Only valid with algorithm DES. |
| ISOMAC6 (”M6”) |
Specifies to create an ISO 9797-1:2011 MAC algorithm 5/CMAC key. Sets the bytes at offset 5 –
6 of the header to ASCII M6. This is only valid with TR-31 modes of key use C
(K*GENVER), G (K*-GEN), and V (K*-VER). Not valid with wrapping method A. |
| KEY-HMAC (”M7”) |
Specifies to create an HMAC algorithm key. Sets the bytes at offset 5 – 6 of the header to
ASCII M7. This is only valid with TR-31 modes of key use C (K*GENVER), G (K*-GEN),
and V (K*-VER). Only valid with algorithm HMAC. |
| PINENC (”P0”) |
Specifies to create a PIN encryption key. Sets the bytes at offset 5 – 6 of the header to
ASCII P0. This is valid with AES PINPROT, DES OPINENC or
IPINENC, TR-31 modes of key use E (K*-ENC), D (K*-DEC), and B (K*ENCDEC). This can also be
used as the equivalent of a SECMSG key with SMPIN in CSNBSPN. See Secure Messaging for PINs (CSNBSPN) for
details. |
| PINVO (”V0”) |
Specifies to create a PIN verification, KPV, other algorithm key. Sets the bytes at offset 5
– 6 of the header to ASCII ”V0”. This is only valid with Modes of Use ’C’ (K*GENVER), ’G’ (K*-GEN),
and ’V’ (K*-VER). Not valid with Key Form OPOP, OPIM, or IMIM. |
| PINV3624 (”V1”) |
Specifies to create a PIN verification, IBM 3624 key. Sets the bytes at offset 5 – 6 of the
header to ASCII V1. This is only valid with TR-31 modes of key use C (K*GENVER), G
(K*-GEN), and V (K*-VER). Only valid with algorithm DES. Not valid with Key Form
keywords OPOP, OPIM, or IMIM. |
| VISAPVV (”V2”) |
Specifies to create a PIN verification, Visa PVV key. Sets the bytes at offset 5 – 6 of the
header to ASCII V2. This is only valid with TR-31 modes of key use C (K*GENVER), G
(K*-GEN), and V (K*-VER). Only valid with algorithm DES. Not valid with Key Form
keywords OPOP, OPIM, or IMIM. |
| TR-31 mode of key use to be used for parameter
generated_key_identifier_1 (one required). |
| K1ENCDEC (”B”) |
Specifies that generated_key_identifier_1 can be used for both
encrypting and decrypting of data, or wrapping and unwrapping keys. Sets the bytes at offset 8 of
the header to ASCII B. |
| K1GENVER (”C”) |
Specifies that generated_key_identifier_1 can be used for both
generating and verifying of check/PIN value. Sets the byte at offset 8 of the header to ASCII
C. |
| K1-DEC (”D”) |
Specifies that generated_key_identifier_1 can be used to decrypt data or
unwrap keys only. Sets the byte at offset 8 of the header to ASCII D. |
| K1-ENC (”E”) |
Specifies that generated_key_identifier_1 can be used to encrypt data or
wrap keys only. Sets the byte at offset 8 of the header to ASCII E. |
| K1-GEN (”G”) |
Specifies that generated_key_identifier_1 can be used to generate a
check/PIN value only. Sets the byte at offset 8 of the header to ASCII G. |
| K1-VER (”V”) |
Specifies that generated_key_identifier_1 can be used to verify a
check/PIN value only. Sets the byte at offset 8 of the header to ASCII V. |
| K1DERIVE (”X”) |
Specifies that generated_key_identifier_1 can be used to derive other
keys. Sets the byte at offset 8 of the header to ASCII X. |
| TR-31 mode of key use to be used for parameter
generated_key_identifier_2 (one required for Key Form
keywords OPOP, OPIM, OPEX, IMIM, IMEX, EXEX, invalid otherwise). |
| K2ENCDEC (”B”) |
Specifies that the generated_key_identifier_2 parameter can be used for
both encrypting and decrypting of data, or wrapping and unwrapping keys. Sets the byte at offset 8
of the header to ASCII B. |
| K2GENVER (”C”) |
Specifies that the generated_key_identifier_2 parameter can be used for
both generating and verifying of check/PIN value. Sets the byte at offset 8 of the header to ASCII
C. |
| K2-DEC (”D”) |
Specifies that the generated_key_identifier_2 parameter can be used to
decrypt data or unwrap keys only. Sets the byte at offset 8 of the header to ASCII
D. If K1-DEC is set, this keyword is invalid. |
| K2-ENC (”E”) |
Specifies that the generated_key_identifier_2 parameter can be used to
encrypt data or wrap keys only. Sets the byte at offset 8 of the header to ASCII E.
If K1-ENC is set, this keyword is invalid. |
| K2-GEN (”G”) |
Specifies that the generated_key_identifier_2 parameter can be used to
generate a check/PIN value only. Sets the byte at offset 8 of the header to ASCII
G. If K1-GEN is set, this keyword is invalid. |
| K2-VER (”V”) |
Specifies that the generated_key_identifier_2 parameter can be used to
verify a check/PIN value only. Sets the byte at offset 8 of the header to ASCII V.
If K1-VER is set, this keyword is invalid. |
| K2DERIVE (”X”) |
Specifies that the generated_key_identifier_2 parameter can be used to
derive other keys. Sets the byte at offset 8 of the header to ASCII X. |
| Exportability to be used for parameter
generated_key_identifier_1 (one required) |
| K1-TRUST (’E’) |
Specifies that generated_key_identifier_1 will be exportable under a KEK
in a form meeting the requirements of ANSI X9.24 Parts 1 or 2. Sets the byte at offset 11 of the
header to ASCII E. |
| K1-NONE (’N’) |
Specifies that generated_key_identifier_1 will be non-exportable. Sets
the byte at offset 11 of the header to ASCII N. |
| K1-SENS (’S’) |
Specifies that generated_key_identifier_1 is sensitive, exportable under
a key-encrypting key in a form not necessarily meeting the requirements of X9.24 Parts 1 or 2. Sets
the byte at offset 11 of the header to ASCII S. |
| Exportability to be used for parameter
generated_key_identifier_2 (one required for Key Form
keywords OPOP, OPIM, OPEX, IMIM, IMEX, EXEX, invalid otherwise) |
| K2-TRUST (’E’) |
Specifies that generated_key_identifier_2 will be exportable under a KEK
in a form meeting the requirements of ANSI X9.24 Parts 1 or 2. Sets the byte at offset 11 of the
header to ASCII E. |
| K2-NONE (’N’) |
Specifies that generated_key_identifier_2 will be non-exportable. Sets
the byte at offset 11 of the header to ASCII N. |
| K2-SENS (’S’) |
Specifies that generated_key_identifier_2 is sensitive, exportable under
a key-encrypting key in a form not necessarily meeting the requirements of X9.24 Parts 1 or 2. Sets
the byte at offset 11 of the header to ASCII S. |
| HMAC hash algorithm (one required with Algorithm
HMAC, otherwise invalid) |
| ISOSHA-1 |
Specifies to use the SHA-1 hash algorithm with the HMAC key as defined by ISO 20038. Sets the
algorithm (offset 7 of the TR-31 key block) to ASCII H and does not include an
optional block with a block ID of HM (HM optional block). Note: Keyword ISOSHA-1 creates a TR-31 key
block with an algorithm of H and no HM optional block. Under ISO 20038 this key
block allows only SHA-1 as the hash algorithm to use with the HMAC key.
However, ASC X9 TR 31-2018 also allows a key block with an algorithm of H and no
HM optional block, which is interpreted as an HMAC key with no hash algorithm limits: there is no
limit to SHA-1. For this reason, you should use the ISOSHA-1 keyword only when sending a key to a
partner that is known to require and understand the ISO 20038 version of the hash limit, or to have
a clear understanding that the partner will receive an HMAC key with no hash algorithm limits under
TR 31-2018. When possible, the SHA-1 keyword should be used instead, provided that the partner can
receive a key block with the HM optional block that limits hash algorithm.
|
| ISOSHA-2 |
Specifies to use the SHA-2 hash algorithm with the HMAC key as defined by ISO 20038. Sets the
algorithm (offset 7 of the TR-31 key block) to ASCII I and does not include an HM
optional block. |
| SHA-1 |
Specifies to use the SHA-1 hash algorithm with the HMAC key as defined by ASC X9 TR 31-2018.
Sets the algorithm (offset 7 of the TR-31 key block) to ASCII H and includes an HM
optional block. Sets the hash algorithm used with the HMAC key (offset 4 of the optional block) to
ASCII 10. |
| SHA-224 |
Specifies to use the SHA-224 hash algorithm with the HMAC key as defined by ASC X9 TR
31-2018. Sets the algorithm (offset 7 of the TR-31 key block) to ASCII H and
includes an HM optional block. Sets the hash algorithm used with the HMAC key (offset 4 of the
optional block) to ASCII 20. |
| SHA-256 |
Specifies to use the SHA-256 hash algorithm with the HMAC key as defined by ASC X9 TR
31-2018. Sets the algorithm (offset 7 of the TR-31 key block) to ASCII H and
includes an HM optional block. Sets the hash algorithm used with the HMAC key (offset 4 of the
optional block) to ASCII 21. |
| SHA-384 |
Specifies to use the SHA-384 hash algorithm with the HMAC key as defined by ASC X9 TR
31-2018. Sets the algorithm (offset 7 of the TR-31 key block) to ASCII H and
includes an HM optional block. Sets the hash algorithm used with the HMAC key (offset 4 of the
optional block) to ASCII 22. |
| SHA-512 |
Specifies to use the SHA-512 hash algorithm with the HMAC key as defined by ASC X9 TR
31-2018. Sets the algorithm (offset 7 of the TR-31 key block) to ASCII H and
includes an HM optional block. Sets the hash algorithm used with the HMAC key (offset 4 of the
optional block) to ASCII 23. |
| Compliance tag (one optional, if building an
internal token) |
| COMP-TAG |
Generate a compliant-tagged key. While a skeleton key token with the compliance-tag can be
created at any time, the skeleton must be passed to an adapter domain that is in PCI-HSM 2016 compliance mode to be provisioned with key
material (for example, using service CSNBKPI2). This is only valid with internal
tokens. Not valid with Exportability S. |
| NOCMP-TAG |
Do not generate a compliant-tagged key. This is the default. |
| CPACF Control (one optional, if
building an internal token or K*OB-IBM is set) |
| XPRTCPAC |
Allow export of the key token to CPACF protected key format. |
| NOEXCPAC |
Prohibit export of the key token to CPACF protected key format. This is the
default. |
| DK PIN Enable (one optional, if building an
internal token or K*OB-IBM is set) |
| DKPINOP |
Allow the key token to be used for DK operations. |
|
Optional blocks to add for key_name_1 (multiple optional. Only
valid when generated_key_identifier_1 is external. If
generated_key_identifier_1 is internal, these optional blocks will be
automatically added.) |
| K1OB-IBM |
Specifies to add a proprietary IBM® optional block to the key in
generated_key_identifier_1. Currently, this optional block contains a
compliance tag bit and a KDF indicator. |
| K1OB-KC |
Specifies to add a KC optional block to the key in
generated_key_identifier_1. This optional block contains a key check value of
the key that is in the key block. Not valid with single length DES keys. Not valid with HMAC
tokens. |
| K1OB-KP |
Specifies to add a KP optional block to the key in
generated_key_identifier_1. This optional block contains a key check value of
the key that is used to wrap the key in the key block (that is, the KEK). |
| K1OB-TC |
Specifies to add a TC optional block to the key in
generated_key_identifier_1. This optional block contains the UTC time when the
key block was initially created. |
| K1OB-TS |
Specifies to add a TS optional block to the key in
generated_key_identifier_1. This optional block contains the UTC time when the
current key block was created. This field changes when the key is wrapped under a new KEK or master
key, such as with service CSNBKTC2.
|
| K1OB-WP |
Specifies to add a WP optional block to the key in
generated_key_identifier_1. This optional block contains the wrapping pedigree
of the key. This documents if the key was ever wrapped by a key that is weaker than itself. |
|
Optional blocks to add for key_name_2 (multiple optional. Only
valid when generated_key_identifier_2 is external. If
generated_key_identifier_2 is internal, these optional blocks are automatically
added.) |
| K2OB-IBM |
Specifies to add a proprietary IBM optional block to the key in
generated_key_identifier_2. Currently, this optional block contains a
compliance tag bit and a KDF indicator. |
| K2OB-KC |
Specifies to add a KC optional block to the key in
generated_key_identifier_2. This optional block contains a key check value of
the key that is in the key block. Not valid with single length DES keys. Not valid with HMAC
tokens. |
| K2OB-KP |
Specifies to add a KP optional block to the key in
generated_key_identifier_2. This optional block contains a key check value of
the key that is used to wrap the key in the key block (that is, the KEK). |
| K2OB-TC |
Specifies to add a TC optional block to the key in
generated_key_identifier_2. This optional block contains the UTC time when the
key block was initially created. |
| K2OB-TS |
Specifies to add a TS optional block to the key in
generated_key_identifier_2. This optional block contains the UTC time when the
current key block was created. This field changes when the key is wrapped under a new KEK or MK,
such as with service CSNBKTC2.
|
| K2OB-WP |
Specifies to add a WP optional block to the key in
generated_key_identifier_2. This optional block contains the wrapping pedigree
of the key. This documents if the key was ever wrapped by a key that is weaker than itself. |
|
Usage-specific OBs (one or two, optional). Only valid when parameter
ob_data is set). These keywords must be specified for internal or external
tokens to add the optional block data sent in via ob_data. |
| K1OB-DA |
Specifies to add a DA optional block to the key token specified in
generated_key_identifier_1. This optional block contains information on the
derivations allowed for a derivation key, which are sent in the ob_data
parameter. Only valid with TR-31 key usage B3. |
| K2OB-DA |
Specifies to add a DA optional block to the key token specified in
generated_key_identifier_2. This optional block contains information on the
derivations allowed for a derivation key, which are sent in the ob_data
parameter. Only valid with TR-31 key usage B3. |