Understanding and managing master keys
In a CCA node, AES, DES, APKA, and PKA master keys are used to wrap or unwrap working keys. These master keys are also used to wrap or unwrap the object protection keys (OPKs) of the working keys that have an OPK defined. Working keys and their OPKs are used by the node and can appear outside of the cryptographic engine, and therefore need wrapping.
The ECC keys are wrapped by using 32-byte AES keys. The DES and RSA working keys are wrapped using Triple-DES encryption. DES working keys can also be wrapped with a more secure Triple-DES method that uses CBC mode; this is called the enhanced key-wrapping method. These methods of securing keys enable a node to operate on an unlimited number of working keys, without concern for storage space within the confines of the secured cryptographic engine.
The CCA design supports a set of three master-key registers for each master key: new, current, and old. While a master key is being assembled, it is accumulated in the new-master-key register. Then the Master Key Process verb is used to transfer the contents of the new-master-key register to the current-master-key register.
Working keys are normally encrypted by their associated current master key. To facilitate continuous operations, CCA also has an old-master-key register. When a new master key is transferred to the current-master-key register, the preexisting contents, if any, of the current-master-key register are transferred to the old-master-key register. Whenever a working key must be decrypted by the master key in CCA, the master key verification pattern information that is included in the key token is used to determine whether the current or the old master key must be used to recover the working key. Special status (return code 0, reason code 10001) is returned if the old master key is used. Thus, application programs can arrange to update the working key by encryption with the current master key (with the help of the Key Token Change and PKA Key Token Change verbs). Whenever a working key is encrypted for local use, the key or its OPK is wrapped with the current master key.
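The following is an added model of the three-register design described above; it is example code written for this page, not CCA code or the IBM API. It assumes a simplified key token that carries only a master key verification pattern (MKVP, modelled here as a truncated SHA-256 of the master key) and the wrapped key bytes, and it stands in a constructed HMAC-based keystream XOR for the real AES or Triple-DES wrapping cipher. The register moves on `set_master_key` (the Master Key Process verb), the current-versus-old selection by MKVP on unwrap with reason code 10001, and the re-wrap under the current master key (the Key Token Change verbs) follow the text; the KeyError for a token whose master key has rotated out of both registers is the model's own choice.

```python
"""Model of CCA master-key registers: new -> current -> old rotation and
MKVP-driven unwrap.  Constructed example, not the CCA implementation."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

MK_LEN = 32  # bytes; modelled on the 32-byte AES master key

REASON_OLD_MASTER_KEY = 10001  # CCA reason code returned when the old master key is used


def mkvp(master_key: bytes) -> bytes:
    """Master key verification pattern: a non-secret fingerprint kept in each key token.
    Assumption: a truncated SHA-256 stands in for the real MKVP calculation."""
    return hashlib.sha256(b"MKVP" + master_key).digest()[:8]


def _keystream_xor(master_key: bytes, data: bytes) -> bytes:
    """Stand-in for the wrapping cipher: HMAC-SHA256 counter keystream XORed into data.
    Constructed for the model only; it is not a key-wrap algorithm to use in practice."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(master_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class KeyToken:
    mkvp: bytes      # identifies which master key wrapped this token
    wrapped: bytes   # working key (or its OPK) under that master key


class MasterKeyRegisters:
    def __init__(self) -> None:
        self.new: Optional[bytes] = None
        self.current: Optional[bytes] = None
        self.old: Optional[bytes] = None

    def load_new_part(self, part: bytes) -> None:
        """Accumulate a key part into the new-master-key register (XOR combination)."""
        if len(part) != MK_LEN:
            raise ValueError("key part must be %d bytes" % MK_LEN)
        self.new = part if self.new is None else bytes(a ^ b for a, b in zip(self.new, part))

    def set_master_key(self) -> None:
        """Master Key Process: new -> current, preexisting current -> old."""
        if self.new is None:
            raise ValueError("new-master-key register is empty")
        self.old = self.current
        self.current = self.new
        self.new = None

    def wrap(self, working_key: bytes) -> KeyToken:
        """Working keys for local use are always wrapped under the current master key."""
        if self.current is None:
            raise ValueError("current-master-key register is empty")
        return KeyToken(mkvp(self.current), _keystream_xor(self.current, working_key))

    def unwrap(self, token: KeyToken) -> Tuple[int, bytes]:
        """Return (reason_code, working_key).  The token's MKVP selects the register:
        current -> reason 0, old -> reason 10001, neither -> KeyError (model's choice)."""
        if self.current is not None and token.mkvp == mkvp(self.current):
            return 0, _keystream_xor(self.current, token.wrapped)
        if self.old is not None and token.mkvp == mkvp(self.old):
            return REASON_OLD_MASTER_KEY, _keystream_xor(self.old, token.wrapped)
        raise KeyError("token was wrapped under a master key no longer in any register")

    def key_token_change(self, token: KeyToken) -> KeyToken:
        """Key Token Change: recover the working key and re-wrap it under the current master key."""
        _, working_key = self.unwrap(token)
        return self.wrap(working_key)


def rotation_demo() -> dict:
    """Walk a token through one full master-key rotation cycle.  All key material constructed."""
    regs = MasterKeyRegisters()
    for part in (bytes([0x11]) * MK_LEN, bytes([0x22]) * MK_LEN):   # two parts -> MK1
        regs.load_new_part(part)
    regs.set_master_key()                                          # current = MK1
    working_key = bytes(range(1, 25))                              # constructed 24-byte working key
    token = regs.wrap(working_key)
    reason_before, wk1 = regs.unwrap(token)                        # current MK -> reason 0

    regs.load_new_part(bytes([0x44]) * MK_LEN)
    regs.set_master_key()                                          # current = MK2, old = MK1
    reason_after, wk2 = regs.unwrap(token)                         # old MK -> reason 10001
    fresh = regs.key_token_change(token)                           # re-wrap under MK2
    reason_fresh, wk3 = regs.unwrap(fresh)                         # reason 0 again

    regs.load_new_part(bytes([0x55]) * MK_LEN)
    regs.set_master_key()                                          # MK1 leaves the old register
    try:
        regs.unwrap(token)
        stale_rejected = False
    except KeyError:
        stale_rejected = True
    return {
        "reason_before": reason_before, "reason_after": reason_after,
        "reason_fresh": reason_fresh, "stale_rejected": stale_rejected,
        "keys_match": wk1 == wk2 == wk3 == working_key,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The point the model makes concrete is the operational window: a token wrapped under the previous master key is still usable (with reason code 10001 flagging it) only until the next rotation, so an application that watches for 10001 and re-wraps its tokens promptly never lets a working key fall out of both registers.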