Introduction to TR-31 symmetric key management

The format of a TR-31 key block has been standardized in ANSI X9.143-2022 and was originally defined in ASC X9 TR 31-2018: Interoperable Secure Key Exchange Block Specification.

The TR-31 key block is a format defined by the ANSI Standards Committee to support the secure interchange of symmetric keys, with key attributes included in the exchanged data. CCA supports the management of DES keys, AES keys, and HMAC keys using TR-31. Table 1 lists the verbs and briefly describes the services they provide. You can read an explanation of TR-31 and a detailed description of each of the available verbs in TR-31 symmetric key management. Additionally, TR-31 key block header and optional block data describes the TR-31 key block header format and contains information about TR-31 optional block data.
Table 1. TR-31 symmetric key management verbs

| Verb | Page | Service | Service location |
| --- | --- | --- | --- |
| TR31 Key Create | TR31 Key Create (CSNBT31C) | Generates AES, DES, and HMAC keys in TR-31 blocks or creates a skeleton TR-31 key block header, as defined in the ANSI X9.143 specification. | cryptographic engine |
| TR31 Translate | TR31 Translate (CSNBT31X) | Translates a CCA external or internal symmetric key token, converting it into an external X9 TR-31 key block format. Also translates a TR-31 internal key token, converting it into an external TR-31 key token. Or translates a TR-31 external key token into an internal or another external TR-31 key token. | cryptographic engine |
| TR31 Key Import | TR31 Key Import (CSNBT31I) | Imports an external X9 TR-31 key block, converting it into a CCA external or internal symmetric key-token. | cryptographic engine |
| TR31 Key Token Parse | TR31 Key Token Parse (CSNBT31P) | Parses the information from the standard predefined fields of the TR-31 key block header without importing the key. | security API host software |
| TR31 Optional Data Build | TR31 Optional Data Build (CSNBT31O) | Constructs the optional blocks of a TR-31 key block, one block at a time. | security API host software |
| TR31 Optional Data Read | TR31 Optional Data Read (CSNBT31R) | Obtains the contents of any optional fields of a TR-31 key block header. | security API host software |
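
To make the "key attributes included in the exchanged data" concrete, the following added example (not IBM or CCA code, and not a substitute for the CSNBT31P or CSNBT31R verbs) reads the fixed 16-character cleartext header of a TR-31 key block and walks its optional blocks. The names `Tr31Header`, `parse_tr31_header` and `SAMPLE` are hypothetical, the sample block is constructed with a placeholder payload, and the parser does not verify the key block MAC, so the parsed attributes are untrusted until the block has been imported.

```python
from dataclasses import dataclass

HEADER_LEN = 16  # fixed-size ASCII header that precedes any optional blocks

@dataclass
class Tr31Header:
    version_id: str       # key block version, e.g. 'B' or 'D'
    block_length: int     # total key block length in characters
    key_usage: str        # e.g. 'P0' (PIN encryption)
    algorithm: str        # e.g. 'A' (AES), 'T' (TDEA), 'H' (HMAC)
    mode_of_use: str      # e.g. 'E' (encrypt only)
    key_version: str
    exportability: str    # 'E', 'N' or 'S'
    optional_blocks: list  # (block id, data) tuples

def parse_tr31_header(block: str) -> Tr31Header:
    """Parse the cleartext header fields; no MAC check is performed."""
    if len(block) < HEADER_LEN or not block.isascii():
        raise ValueError("key block too short or not ASCII")
    if not (block[1:5].isdigit() and block[12:14].isdigit()):
        raise ValueError("length and optional-block count must be decimal")
    if int(block[1:5]) != len(block):
        raise ValueError("declared length does not match the data received")
    pos, optional = HEADER_LEN, []
    for _ in range(int(block[12:14])):
        block_id, length_hex = block[pos:pos + 2], block[pos + 2:pos + 4]
        try:
            size = int(length_hex, 16)  # covers ID, length field and data
        except ValueError:
            raise ValueError("optional block length is not hexadecimal")
        # A length of '00' marks the extended-length form, not handled here.
        if size < 4 or pos + size > len(block):
            raise ValueError("optional block length invalid or unsupported")
        optional.append((block_id, block[pos + 4:pos + size]))
        pos += size
    return Tr31Header(block[0], len(block), block[5:7], block[7], block[8],
                      block[9:11], block[11], optional)

# Constructed sample: header, one 'KS' optional block, then zeros standing
# in for the encrypted key and MAC. It is not a valid, importable key block.
SAMPLE = "D0112P0AE00E0100" + "KS18FFFF9876543210E00000" + "0" * 72

if __name__ == "__main__":
    print(parse_tr31_header(SAMPLE))
```
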