Compliant-tagged key tokens
CCA DES
The compliance-tag is indicated by bit 58 in the control vector of the key token. For more information about the compliance-tag, see Managing control vectors.
To generate a compliant-tagged key token, you must first build a skeleton token with the compliance-tag bit on. The Control Vector Generate (CSNBCVG) and Key Token Build (CSNBKTB) services provide this function. This skeleton token can then be passed to any verb that generates key tokens and supports compliant-tagged key tokens, for example, Key Generate (CSNBKGN). A list of services that support compliant-tagged key tokens can be found in Impact of the PCI-HSM 2016 compliance mode on the callable verbs.
The EMV (Europay MasterCard Visa) services are exceptions because they do not accept skeleton tokens as input. Instead, the key tokens they generate are based on the deriving key.
Compliant-tagged key tokens are defined by two features of the key token:
- The compliant-tag bit in the key attributes, which is the control vector for DES fixed-length key tokens.
- The key derivation function (KDF) value, which indicates what generation of compliance is applicable.
The KDF value appears at the end of the truncated master-key verification pattern (MKVP) section. For additional information, see Key token formats.
Beginning with CCA 6.3, the KDF value for DES compliant-tagged tokens has been incremented. Key tokens with the compliant-tag bit on in the control vector and a key derivation function (KDF) of X'01' are no longer considered compliant-tagged. They are referred to as DES KDF 01 tokens throughout publications. They were created either on a coprocessor which does not have CCA 6.3 or later, or by the Diversified Key Generate (CSNBDKG) or the Unique Key Derive (CSNBUKD) services using an input DES KDF 01 token. The only keys they can be used with are other DES KDF 01 tokens or X.509 certificates (CSNBCTT2 being the exception).
It is recommended that DES KDF 01 tokens be migrated using the Key Translate2 (CSNBKTR2) verb with the COMP-TAG keyword set. The output is a key token with the compliant-tag bit set in the control vector and a KDF greater than X'01'. Only DES tokens with a KDF greater than X'01' are referred to as compliant-tagged key tokens. Key tokens without the compliant-tag bit set, and DES KDF 01 tokens, are referred to as non-compliant-tagged tokens. Though DES KDF 01 tokens are not compliant-tagged, a coprocessor in compliance mode is required to use them.
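The three-way distinction above (compliant-tagged, DES KDF 01, non-compliant-tagged) is decided by two fields: control-vector bit 58 and the KDF value. The following added example, which is not IBM code and not part of this documentation, models only those two fields rather than parsing a full DES key token. It assumes IBM's convention that control-vector bits are numbered 0 to 63 from the leftmost bit of byte 0 (so bit 58 is mask X'20' in byte 7), and the function names (`set_compliant_tag`, `classify`, `can_pair`, `needs_migration`) are hypothetical. It can serve as a pre-flight check that flags DES KDF 01 tokens for migration with CSNBKTR2 before they are passed to a verb.

```python
# Added example (not IBM's code): classify DES CCA key-token attributes by the
# compliant-tag control-vector bit and the KDF value, following the rules in
# the text: tag bit on + KDF > X'01' => compliant-tagged, tag bit on + KDF ==
# X'01' => DES KDF 01, tag bit off => non-compliant-tagged.
from dataclasses import dataclass
from enum import Enum

# Assumption: control-vector bits are numbered 0..63 from the leftmost bit of
# byte 0 (IBM's CV bit-numbering convention), so bit 58 lives in byte 7.
COMPLIANT_TAG_BIT = 58


def _check_cv(cv: bytes) -> None:
    # DES control vectors are 8 bytes (single-length) or 16 bytes (double-length);
    # bit 58 is read from the left 8-byte half in both cases.
    if len(cv) not in (8, 16):
        raise ValueError("DES control vector must be 8 or 16 bytes")


def cv_bit(cv: bytes, bit: int) -> bool:
    """True if the given 0-based, MSB-first bit of the control vector is set."""
    _check_cv(cv)
    byte_index, bit_in_byte = divmod(bit, 8)
    return bool(cv[byte_index] & (0x80 >> bit_in_byte))


def set_compliant_tag(cv: bytes) -> bytes:
    """Return a copy of the control vector with the compliant-tag bit on.

    This mirrors what a skeleton token needs before it is passed to a
    key-generating verb; the other CV bits are left untouched.
    """
    _check_cv(cv)
    byte_index, bit_in_byte = divmod(COMPLIANT_TAG_BIT, 8)
    out = bytearray(cv)
    out[byte_index] |= 0x80 >> bit_in_byte
    return bytes(out)


class TokenClass(Enum):
    COMPLIANT_TAGGED = "compliant-tagged"          # tag bit on, KDF > X'01'
    DES_KDF_01 = "DES KDF 01"                      # tag bit on, KDF == X'01'
    NON_COMPLIANT_TAGGED = "non-compliant-tagged"  # tag bit off


@dataclass(frozen=True)
class DesTokenAttrs:
    """The two fields the classification depends on (constructed, not a parsed token)."""
    control_vector: bytes
    kdf: int  # KDF value taken from the end of the truncated MKVP section


def classify(t: DesTokenAttrs) -> TokenClass:
    if not cv_bit(t.control_vector, COMPLIANT_TAG_BIT):
        return TokenClass.NON_COMPLIANT_TAGGED
    if t.kdf == 0x01:
        return TokenClass.DES_KDF_01
    if t.kdf > 0x01:
        return TokenClass.COMPLIANT_TAGGED
    raise ValueError(f"unexpected KDF value {t.kdf:#04x} with compliant-tag bit set")


def needs_migration(t: DesTokenAttrs) -> bool:
    """True for DES KDF 01 tokens, which should go through CSNBKTR2 with COMP-TAG."""
    return classify(t) is TokenClass.DES_KDF_01


def can_pair(a: DesTokenAttrs, b: DesTokenAttrs) -> bool:
    """Encode only the rule stated in the text: a DES KDF 01 token may be used
    with other DES KDF 01 tokens (X.509 certificate inputs are outside this
    DES-only check). Any other DES pairing is not rejected here."""
    ca, cb = classify(a), classify(b)
    if TokenClass.DES_KDF_01 in (ca, cb):
        return ca == cb
    return True


# Constructed sample attributes: an all-zero CV with only the tag bit set.
TAGGED_CV = set_compliant_tag(bytes(8))
COMPLIANT = DesTokenAttrs(TAGGED_CV, kdf=0x02)
KDF01 = DesTokenAttrs(TAGGED_CV, kdf=0x01)
UNTAGGED = DesTokenAttrs(bytes(8), kdf=0x00)

if __name__ == "__main__":
    for name, tok in (("COMPLIANT", COMPLIANT), ("KDF01", KDF01), ("UNTAGGED", UNTAGGED)):
        print(f"{name}: {classify(tok).value}, migrate={needs_migration(tok)}")
```

The classifier deliberately raises on a tag bit that is on with a KDF below X'01', since the text assigns no meaning to that combination; a real token parser would also need to locate the control vector and the MKVP section inside the token, which this example does not attempt.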
CCA AES
Only version 05 AES key tokens may become compliant-tagged. The compliant-tag is indicated by a key management flag in the key token. For more information about the compliant-tag, see Key token formats.
To generate a compliant-tagged key token, the Key Token Build2 (CSNBKTB2) verb must first be used to build a skeleton token with the COMP-TAG keyword set. This skeleton token can then be passed to any callable service that generates version 05 AES key tokens and supports compliant-tagged key tokens, for example, Key Generate2 (CSNBKGN2). A list of verbs that support compliant-tagged key tokens can be found in Impact of the PCI-HSM 2016 compliance mode on the callable verbs. The Diversify Directed Key (CSNBDDK) verb is an exception because it does not accept skeleton tokens as input: when creating a directed key, if the diversifying key is compliant-tagged, the resulting key is also compliant-tagged. For more information, see the description of the individual verbs.