Usage notes

The usage notes for CSNBT31C.

You must use a valid CCA KEK or a TR-31 K1 KEK to wrap a TR-31 external token. K0 KEKs are valid for external TR-31 tokens in CSNBT31X, CSNBT31I, and CSNBKYT2 for legacy purposes, but they are not valid in any other services.

Compliant-tagged TR-31 token notes:

  • Compliant-tagged TR-31 key tokens are supported by CCA. The CSNBT31C service can be used to build compliant-tagged tokens. The compliance tag is specified in the IBM proprietary optional block, which has block ID X’3130’ (ASCII ’10’) and TLV X’3032’ (ASCII ’02’). The compliance tag flag is set in the first byte of data (bit 5), and the following three bytes are used as the KDF indicator (the last of these bytes is set to 0x04 to indicate a compliance tag for TR-31).
  • To build a compliant-tagged key token in T31C, the COMP-TAG keyword must be specified in the rule array and you must be building an internal key token. TR-31 tokens cannot be compliant-tagged if they have Exportability S. Additionally, you must be in active compliance mode. The returned key token contains the IBM optional block with the compliance tag bit set and the KDF indicator. The token must also follow the other compliance tag rules (for example, no single-length DES). This token can then be used in services that require a compliant-tagged token, or can be sent to CSNBT31X or CSNBT31I to translate it.
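As an added example (not IBM code), the following parses the optional blocks of a TR-31 key block header and reports whether the IBM proprietary block described above carries the compliance tag. The header is a constructed sample; the TLV length encoding inside the IBM block, the hex encoding of the four data bytes and the bit numbering (IBM style, bit 0 = MSB, so bit 5 is mask 0x04) are assumptions not stated on this page.

```python
# Added example: check a TR-31 header for the IBM compliance-tag optional block.
# Assumptions (not from the page): TLV = 2-char tag, 2-hex-char length, value;
# the 4 data bytes are hex encoded; bit 5 counts from the MSB (mask 0x04).

HEADER_LEN = 16          # fixed TR-31 header: version, length, usage, alg, mode, ver, export, #opt, reserved
IBM_BLOCK_ID = "10"      # X'3130'
COMP_TAG_TLV = "02"      # X'3032'
COMP_TAG_MASK = 0x04     # bit 5, IBM numbering (bit 0 = MSB) -- assumption
TR31_KDF_INDICATOR = 0x04  # last KDF indicator byte for a TR-31 compliance tag


def parse_optional_blocks(header: str) -> dict:
    """Return {block_id: data} for the optional blocks after the 16-char header."""
    num_blocks = int(header[12:14])
    pos, blocks = HEADER_LEN, {}
    for _ in range(num_blocks):
        block_id = header[pos:pos + 2]
        length = int(header[pos + 2:pos + 4], 16)  # total length incl. ID and length fields
        if length < 4 or pos + length > len(header):
            raise ValueError("malformed optional block")
        blocks[block_id] = header[pos + 4:pos + length]
        pos += length
    return blocks


def parse_tlvs(data: str) -> dict:
    """Assumed TLV layout inside the IBM block: 2-char tag, 2-hex-char length, value."""
    pos, tlvs = 0, {}
    while pos + 4 <= len(data):
        tag, length = data[pos:pos + 2], int(data[pos + 2:pos + 4], 16)
        tlvs[tag] = data[pos + 4:pos + 4 + length]
        pos += 4 + length
    return tlvs


def compliance_tag(header: str):
    """Return (flag_set, kdf_indicator_bytes), or None if the IBM TLV is absent."""
    ibm = parse_optional_blocks(header).get(IBM_BLOCK_ID)
    if ibm is None:
        return None
    tlv = parse_tlvs(ibm).get(COMP_TAG_TLV)
    if tlv is None or len(tlv) != 8:   # 4 bytes: flag byte + 3-byte KDF indicator
        return None
    raw = bytes.fromhex(tlv)
    return bool(raw[0] & COMP_TAG_MASK), raw[1:4]


# Constructed sample: version D header with one optional block "10" (length 0x10)
# holding TLV 02 whose value is flag byte 04 followed by KDF indicator 000004.
SAMPLE = "D0112P0TE00N0100" + "10" + "10" + "02" + "08" + "04000004"
```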
Table 1 shows valid TR-31 key usages and Key Form rule array keywords for a single key (Y stands for 'Yes, keyword is allowed' and N for 'No, keyword is not allowed').
Table 1. Key usage keywords for a single key

TR-31 key usage | TR-31 mode of key use | OP | EX | IM
----------------|-----------------------|----|----|---
B0              | X                     | Y  | Y  | Y
B1              | X                     | Y  | Y  | Y
B3              | X                     | Y  | Y  | Y
C0              | C,G,V                 | Y  | Y  | Y
D0              | B,D,E                 | Y  | Y  | Y
D3              | B,D,E                 | Y  | Y  | Y
E0              | X                     | Y  | Y  | Y
E1              | X                     | Y  | Y  | Y
E2              | X                     | Y  | Y  | Y
E3              | X                     | Y  | Y  | Y
E4              | X                     | Y  | Y  | Y
E5              | X                     | Y  | Y  | Y
F0              | X                     | Y  | Y  | Y
F1              | X                     | Y  | Y  | Y
F2              | X                     | Y  | Y  | Y
F4              | X                     | Y  | Y  | Y
K0              | B,E                   | N  | N  | N
K1              | B,E                   | N  | N  | N
K4              | D,E                   | N  | N  | N
M0              | C,G,V                 | Y  | Y  | Y
M1              | C,G,V                 | Y  | Y  | Y
M3              | C,G,V                 | Y  | Y  | Y
M7              | C,G,V                 | Y  | Y  | Y
P0              | B,D,E                 | Y  | Y  | Y
V0              | C,G,V                 | Y  | Y  | Y
V1              | C,G,V                 | Y  | Y  | Y
V2              | C,G,V                 | Y  | Y  | Y
Table 2 shows the valid TR-31 key usage and Key Form rule array keywords for a key pair. Certain keys cannot be built together as a pair; for example, you cannot build two keys together that both have TR-31 key usage D0 and TR-31 mode of key use D, because an encryption key must be paired with a decryption key.
Table 2. Key usage and key form keywords

generated_key_identifier_1          | generated_key_identifier_2          | Key Form keywords
TR-31 key usage | TR-31 mode of key use | TR-31 key usage | TR-31 mode of key use | OPOP | OPOP, OPIM, IMIM | OPEX | EXEX | IMEX
----------------|-----------------------|-----------------|-----------------------|------|------------------|------|------|-----
B0              | X                     | B0              | X                     | N    | Y                | Y    | Y    | Y
B1              | X                     | B1              | X                     | N    | Y                | Y    | Y    | Y
B3              | X                     | B3              | X                     | N    | Y                | Y    | Y    | Y
C0              | G                     | C0              | G                     | N    | Y                | Y    | Y    | Y
C0              | G                     | C0              | V                     | N    | Y                | Y    | Y    | Y
C0              | V                     | C0              | G                     | N    | Y                | Y    | Y    | Y
D0              | D                     | D0              | E                     | N    | Y                | Y    | Y    | Y
D0              | D                     | D0              | E (XLATE)             | N    | Y                | Y    | Y    | Y
D0              | E                     | D0              | D                     | N    | Y                | Y    | Y    | Y
D0              | E                     | D0              | D (XLATE)             | N    | Y                | Y    | Y    | Y
D0              | D (XLATE)             | D0              | E                     | N    | Y                | Y    | Y    | Y
D0              | D (XLATE)             | D0              | E (XLATE)             | N    | N                | Y    | Y    | Y
D0              | E (XLATE)             | D0              | D                     | N    | Y                | Y    | Y    | Y
D0              | E                     | D0              | D                     | N    | N                | Y    | Y    | Y
D3              | B                     | D3              | B                     | N    | N                | Y    | Y    | Y
D3              | D                     | D3              | E                     | N    | N                | Y    | Y    | Y
D3              | E                     | D3              | D                     | N    | N                | Y    | Y    | Y
K0              | E                     | K0              | D                     | N    | N                | Y    | Y    | Y
K0              | D                     | K0              | E                     | N    | N                | Y    | Y    | Y
K1              | D                     | K1              | E                     | N    | N                | Y    | Y    | Y
K1              | E                     | K1              | D                     | N    | N                | Y    | Y    | Y
K4              | D                     | K4              | E                     | N    | N                | Y    | Y    | Y
K4              | E                     | K4              | D                     | N    | N                | Y    | Y    | Y
M*              | G                     | M*              | V                     | N    | N                | Y    | Y    | Y
M*              | G                     | M*              | G                     | N    | Y                | Y    | Y    | Y
M*              | V                     | M*              | G                     | N    | Y                | Y    | Y    | Y
P0 (ISO4 AES)   | D                     | P0 (ISO4 AES)   | E                     | Y    | N                | N    | N    | N
P0 (ISO4 AES)   | E                     | P0 (ISO4 AES)   | D                     | Y    | N                | N    | N    | N
P0 (DES)        | E                     | P0 (DES)        | D                     | N    | Y                | Y    | Y    | Y
P0 (DES)        | D                     | P0 (DES)        | E                     | N    | Y                | Y    | Y    | Y
V0              | G                     | V0              | V                     | N    | N                | Y    | Y    | Y
V0              | V                     | V0              | G                     | N    | N                | Y    | Y    | Y
V1              | G                     | V1              | V                     | N    | N                | Y    | Y    | Y
V1              | V                     | V1              | G                     | N    | N                | Y    | Y    | Y
V2              | G                     | V0              | V                     | N    | N                | Y    | Y    | Y
V2              | V                     | V0              | G                     | N    | N                | Y    | Y    | Y
Table 3 describes the required ACPs for DK-enabled keys. When CSNBT31C is used to generate one or two DK keys that have DKPINOP, DKPINOPP, DKPINAD1, or DKPINAD2 set in key-usage field (KUF) 3 of at least one skeleton key token, Table 3 gives the valid key usage for each DK key and the access control command required for each TR-31 key usage.
Table 3. DK ACPs

generated_key_identifier_1                              | generated_key_identifier_2                              | Key Form (see note at end of table)
TR-31 key usage | TR-31 mode of key use | KUF3 HOB usage | TR-31 key usage | TR-31 mode of key use | KUF3 HOB usage | Required ACP symbols for OPOP, OPIM, IMIM / OPEX, IMEX / EXEX / OP, EX, IM
----------------|-----------------------|----------------|-----------------|-----------------------|----------------|---------------------------------------------------------------------------
P0 (AES)        | E                     | DKPINOP        | P0 (AES)        | D                     | DKPINOP        | %
P0 (AES)        | D                     | DKPINOP        | P0 (AES)        | E                     | DKPINOP        | %
P0 (AES)        | E                     | DKPINOP        | D0              | D                     | no DK user     | % *
D0              | D                     | no DK user     | P0 (AES)        | E                     | DKPINOP        | %
P0 (AES)        | E                     | DKPINAD1       | P0 (AES)        | D                     | DKPINAD1       | % &
P0 (AES)        | D                     | DKPINAD1       | P0 (AES)        | E                     | DKPINAD1       | %
M*              | G                     | DKPINOP        | M*              | V                     | DKPINOP        | %
M*              | V                     | DKPINOP        | M*              | G                     | DKPINOP        | %
M*              | G                     | DKPINAD1       | M*              | V                     | DKPINAD1       | x x
M*              | V                     | DKPINAD1       | M*              | G                     | DKPINAD1       | x
M*              | G                     | DKPINAD2       | M*              | V                     | DKPINAD2       | % $
M*              | V                     | DKPINAD2       | M*              | G                     | DKPINAD2       | %
V0              | G                     | DKPINOP        | V0              | V                     | DKPINOP        |
V0              | V                     | DKPINOP        | V0              | G                     | DKPINOP        |
The symbols in the key form columns are as follows:
  • %: Generate DK Set Locally (OPOP, OPIM, IMIM), offset X’02BB’
  • *: Generate DK PIN Print Pair, offset X’02BC’
  • &: Generate DK PIN Admin 1 PINPROT Pair, offset X’02BD’
  • x: Generate DK PIN Admin 1 MAC Pair, offset X’02BE’
  • $: Generate DK PIN Admin 2 MAC Pair, offset X’02BF’