Usage notes

The usage notes for CSNDT34D.

This service is used to perform these operations:
  • 2PASSCRE: The TR34 Key Transport (2-pass) token (KT-KDH) CREATE service.
    • Kn-T: (INPUT, source_key_identifier). CCA or TR-31 key token to be exported to the KRD.
    • KEK-N: (INPUT, unwrap_kek_identifier). CCA or TR-31 internal key token for KEK to unwrap Kn-T.
    • RT-KRD: (INPUT, freshness_indicator). Random number token received from KRD.
    • CRL-CA: (INPUT, crl). Certificate Revocation List from CA.
    • CredKDH: (INPUT, cred_kdh). KDH credential (X.509 certificate) with ID and public key.
    • CredKRD: (INPUT, cred_krd). KRD credential (X.509 certificate) with ID and public key. The public key from this is used to RSA-encipher the RSA-encrypted part of the key block.
    • D-kdh: (INPUT, private_key_identifier). Private key to sign data block.
    • KVN: (INPUT, key_version_number). Two-byte version number for TR-31 Key block header.
    • Opt-blocks: (INPUT, opt_blocks). Application generated optional blocks for TR-31 Key block header.
    • KT-KDH: (OUTPUT, output_token). Key transport (2-pass) token in DER format.
  • 1PASSCRE: The TR34 Key Transport (1-pass) token (KT-KDH) CREATE service.
    • Kn-T: (INPUT, source_key_identifier). CCA or TR-31 key token to be exported to the KRD.
    • KEK-N: (INPUT, unwrap_kek_identifier). CCA or TR-31 internal key token for KEK to unwrap Kn-T.
    • Timestamp: (INPUT, freshness_indicator). Freshness indicator to defend against replay attacks.
    • CRL-CA: (INPUT, crl). Certificate Revocation List from CA.
    • CredKDH: (INPUT, cred_kdh). KDH credential (X.509 certificate) with ID and public key.
    • CredKRD: (INPUT, cred_krd). KRD credential (X.509 certificate) with ID and public key. The public key from this is used to RSA-encipher the RSA-encrypted part of the key block.
    • D-kdh: (INPUT, private_key_identifier). Private key to sign data block.
    • KVN: (INPUT, key_version_number). Two-byte version number for TR-31 Key block header.
    • Opt-blocks: (INPUT, opt_blocks). Application generated optional blocks for TR-31 Key block header.
    • KT-KDH: (OUTPUT, output_token). Key transport (1-pass) token in DER format.
Notes:
  1. This verb supports PCI-HSM 2016 compliant-tagged key tokens.
  2. Comp-tag AES and DES tokens are exportable using this service. A comp-tag RSA private key is required.
  3. The RT-KRD token can be created with correct formatting using the RT-KRD processing of the CSNBRNGL service. See Random Number Generate (CSNBRNG) for more details.
  4. RSA keys with 2048 bit and 3072 bit modulus are supported by CCA. Public exponent 65537 is currently the only supported exponent, reflecting the support documented in ASC X9 TR-34-2019. This allows strength equivalent to an AES 128-bit key. TR-34 explicitly supports only RSA 2048-bit keys, so some vendors will only support that key size.
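A pre-flight check that applies the constraints above before the verb is called, written as an added example rather than IBM code: it does not reproduce the CSNDT34D parameter list, and it assumes the KRD RSA modulus size and exponent have already been read out of CredKRD, that the 1-pass timestamp is ASCII `YYYYMMDDHHMMSSZ` in UTC, and that a five-minute freshness window is acceptable (all three are assumptions, not values from the usage notes).

```python
"""Pre-flight checks before calling CSNDT34D (added example, not IBM code).
Assumes the RSA modulus size and exponent were already read out of CredKRD."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SUPPORTED_MODULUS_BITS = {2048, 3072}     # sizes CCA accepts (usage note 4)
SUPPORTED_EXPONENT = 65537                # only exponent CCA accepts
TR34_MANDATED_BITS = 2048                 # the only size TR-34 itself requires
MAX_TIMESTAMP_AGE = timedelta(minutes=5)  # assumed replay window for 1-pass
TS_FORMAT = "%Y%m%d%H%M%SZ"               # assumed ASCII UTC timestamp layout

@dataclass
class Tr34Request:
    mode: str                      # rule keyword: "2PASSCRE" or "1PASSCRE"
    freshness_indicator: bytes     # RT-KRD token (2-pass) or timestamp (1-pass)
    key_version_number: bytes      # two-byte TR-31 key block header version
    krd_modulus_bits: int          # RSA modulus size taken from CredKRD
    krd_public_exponent: int       # RSA public exponent taken from CredKRD
    krd_accepts_3072: bool = True  # False for KRD vendors that only take 2048

def parse_timestamp(text):
    """Parse the assumed timestamp layout into an aware UTC datetime."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)

def check_request(req, now=None):
    """Return the problems found; an empty list means the call plan is sound."""
    problems = []
    if req.mode not in ("2PASSCRE", "1PASSCRE"):
        problems.append("rule keyword must be 2PASSCRE or 1PASSCRE")
    if len(req.key_version_number) != 2:
        problems.append("KVN must be exactly two bytes")
    if req.krd_modulus_bits not in SUPPORTED_MODULUS_BITS:
        problems.append(f"KRD RSA modulus of {req.krd_modulus_bits} bits unsupported")
    elif not req.krd_accepts_3072 and req.krd_modulus_bits != TR34_MANDATED_BITS:
        problems.append("KRD vendor accepts only 2048-bit RSA keys")
    if req.krd_public_exponent != SUPPORTED_EXPONENT:
        problems.append("KRD public exponent must be 65537")
    if req.mode == "1PASSCRE":
        # The timestamp is the replay defence in 1-pass mode: reject future or stale values.
        try:
            ts = parse_timestamp(req.freshness_indicator.decode("ascii"))
        except ValueError:
            problems.append("timestamp is not in the expected layout")
        else:
            ref = parse_timestamp(now) if now else datetime.now(timezone.utc)
            if ts > ref or ref - ts > MAX_TIMESTAMP_AGE:
                problems.append("timestamp outside freshness window")
    elif req.mode == "2PASSCRE" and not req.freshness_indicator:
        problems.append("2-pass mode needs the RT-KRD token issued by the KRD")
    return problems
```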