Required commands
The required commands for CSNBT31C.
The following access control points affect the wrapping of a key with a weaker transport key:
- To disallow the wrapping of a key with a weaker transport key, enable the Prohibit weak wrapping - Transport keys command (offset X'0328') in the active role.
- To receive an informational message when wrapping a key with a weaker transport key, enable the Warn when weak wrap - Transport keys command (offset X'032C') in the active role. The Prohibit weak wrapping - Transport keys command overrides this command.
- To disallow the wrapping of a key with a weaker master key, enable the Prohibit weak wrapping - Master keys command (offset X'0333') in the active role.
- To receive a warning when wrapping a key with a weaker master key, enable the Warn when weak wrap - Master keys command (offset X'0332') in the active role. The Prohibit weak wrapping - Master keys command overrides this command.
Note: These four access control points affect multiple verbs when enabled. See Table 1.
Table 1 shows more ACPs that are specific to CSNBT31C, along with the DK-specific ACPs that are used in CSNBT31C. See Table 3 for more information about the DK-specific ACPs.
| Keyword | Offset | Command | Description |
|---|---|---|---|
| AES | X'03C1' | T31C - Permit TR-31 AES creation | Permits the use of TR-31 key blocks with algorithm AES. |
| DES | X'03C2' | T31C - Permit TR-31 DES creation | Permits the use of TR-31 key blocks with algorithm DES. |
| HMAC | X'03C3' | T31C - Permit TR-31 HMAC creation | Permits the use of TR-31 key blocks with algorithm HMAC. |
| OP, OPOP | X'03C4' | T31C - Permit TR-31 internal key creation | When building a single internal key or an internal key pair with the CSNBT31C service, this command must be enabled. Internal/External is determined by the Key Context (byte 14 of the TR-31 KBH), with 0x31 indicating an internal key. For internal keys, there is no key context rule array keyword. |
| IM, EX, IMIM, IMEX, EXEX | X'03C5' | T31C - Permit TR-31 external key creation | When building a single external key or an external key pair with the CSNBT31C service, this command must be enabled. Internal/External is determined by the Key Context (byte 14 of the TR-31 KBH), with 0x30 or 0x32 indicating an external key. |
| OPIM, OPEX | X'03C6' | T31C - Permit TR-31 internal/external key pair creation | When building a key pair with one internal key and one external key, this command must be enabled. |
| K1-BM-A or K2-BM-A | X'03C7' | T31C - Permit TR-31 KB Version A creation | Permits the use of TR-31 key blocks with wrapping method A. |
| K1-BM-B or K2-BM-B | X'03C8' | T31C - Permit TR-31 KB Version B creation | Permits the use of TR-31 key blocks with wrapping method B. |
| K1-BM-C or K2-BM-C | X'03C9' | T31C - Permit TR-31 KB Version C creation | Permits the use of TR-31 key blocks with wrapping method C. |
| K1-BM-D or K2-BM-D | X'03CA' | T31C - Permit TR-31 KB Version D creation | Permits the use of TR-31 key blocks with wrapping method D. |
| N/A | X'02BB' | Key Generate2 - DK PIN key set | See Table 3 for use cases. |
| N/A | X'02BC' | Key Generate2 - DK PIN print key | See Table 3 for use cases. |
| N/A | X'02BD' | Key Generate2 - DK PIN admin1 key set PINPROT | See Table 3 for use cases. |
| N/A | X'02BE' | Key Generate2 - DK PIN admin1 key set MAC | See Table 3 for use cases. |
| N/A | X'02BF' | Key Generate2 - DK PIN admin2 key set MAC | See Table 3 for use cases. |
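
The following is an added example, not IBM's code: a Python sketch of a role audit that applies the "Prohibit overrides Warn" rule from the list above and the keyword-to-offset mapping in Table 1. The function names, the sample roles and the sample request are constructed for illustration, and treating a scope with neither command enabled as "allow" is an assumption of this sketch.

```python
# Offsets and keywords are copied from this page's ACP list and Table 1.
WEAK_WRAP = {  # scope: (Prohibit offset, Warn offset)
    "transport": (0x0328, 0x032C),
    "master": (0x0333, 0x0332),
}
TABLE_1 = {
    0x03C1: ("AES",), 0x03C2: ("DES",), 0x03C3: ("HMAC",),
    0x03C4: ("OP", "OPOP"),
    0x03C5: ("IM", "EX", "IMIM", "IMEX", "EXEX"),
    0x03C6: ("OPIM", "OPEX"),
    0x03C7: ("K1-BM-A", "K2-BM-A"), 0x03C8: ("K1-BM-B", "K2-BM-B"),
    0x03C9: ("K1-BM-C", "K2-BM-C"), 0x03CA: ("K1-BM-D", "K2-BM-D"),
}
KEYWORD_ACP = {kw: off for off, kws in TABLE_1.items() for kw in kws}

def weak_wrap_policy(enabled, scope):
    """Prohibit overrides Warn; neither enabled is modelled as 'allow' (assumption)."""
    prohibit, warn = WEAK_WRAP[scope]
    if prohibit in enabled:
        return "prohibit"
    return "warn" if warn in enabled else "allow"

def missing_acps(rule_array, enabled):
    """Table 1 offsets that the request's keywords need but the role lacks."""
    required = {KEYWORD_ACP[kw] for kw in rule_array if kw in KEYWORD_ACP}
    return sorted(required - set(enabled))

def audit_role(enabled, rule_array):
    """Summarise one role: missing Table 1 ACPs and the weak-wrap outcome per scope."""
    return {
        "missing": [f"X'{o:04X}'" for o in missing_acps(rule_array, enabled)],
        "weak_wrap": {s: weak_wrap_policy(enabled, s) for s in WEAK_WRAP},
    }

# Constructed sample roles and request (keywords combined only for illustration).
ROLE_WARN_ONLY = {0x032C, 0x0332, 0x03C1, 0x03CA}
ROLE_HARDENED = ROLE_WARN_ONLY | {0x0328, 0x0333, 0x03C5}
REQUEST = ["AES", "EX", "K1-BM-D"]

if __name__ == "__main__":
    for name, role in (("warn-only", ROLE_WARN_ONLY), ("hardened", ROLE_HARDENED)):
        print(name, audit_role(role, REQUEST))
```

The DK PIN rows of Table 1 have no keyword (N/A), so this sketch does not cover them; their use cases are in Table 3.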