Null key tokens
With some CCA verbs, a null key-token can be used instead of an internal or an external key-token. A verb generally accepts a null key token as a signal to use a key token with default values. A null key token always has a value of X'00' as its first byte.
Null AES key-token
A null AES key-token consists of 64 bytes of X'00'.
Null DES key-token
A null DES key-token is indicated by the value X'00' at offset zero in a key token, a key-token record in key storage, a key-token variable, or a key-identifier variable. The (DES) Key Import verb accepts input with offset zero valued to X'00'. In this special case, the verb treats information starting at offset 16 as an enciphered, single-length key. In a very limited sense, this special case can be considered a null DES key-token.
Table 1 shows the format for a DES null key
token.
| Bytes | Description |
|---|---|
| 0 | X'00' (flag indicating this is a null key token). |
| 1 - 15 | Reserved (set to binary zeros). |
| 16 - 23 | Single-length encrypted key, left half of double-length encrypted key, or Part A of triple-length encrypted key. |
| 24 - 31 | X'0000000000000000' if a single-length encrypted key, the right half of double-length encrypted key, or Part B of triple-length encrypted key. |
| 32 - 39 | X'0000000000000000' if a single-length encrypted key or double-length encrypted key. |
| 40 - 47 | Reserved (set to binary zeros). |
| 48 - 55 | Part C of a triple-length encrypted key. |
| 56 - 63 | Reserved (set to binary zeros). |
Null PKA key-token
PKA key-storage uses an 8-byte structure, shown in Table 1, to represent a null PKA key
token. The PKA Key Record Read verb returns this
structure if a key record with a null PKA key-token is read. When examining PKA key-storage, expect
key records without a key token containing specific key values to be represented by a null PKA
key-token. In the case of key-storage records, the record length (offset 2 and 3) can be greater
than 8.