RSA variable Modulus-Exponent token

A description of the fields in the new variable length Modulus-Exponent token.

Table 1 describes the fields in the new variable length Modulus-Exponent token. Currently, only the external form of the token will be used. There are no blinding values for the token; the latest level of hardware makes them unnecessary.
Table 1. RSA variable Modulus-Exponent token format

| Number | If External Key | New version '09' field | If Internal Key | Length in bytes |
|---|---|---|---|---|
| 1 | '09' | sectionId | '09' | 1 |
| 2 | '00' | version | '00' | 1 |
| 3 | 132 + dLength + nLength + padLength | sectionLength | 132 + dLength + nLength + padLength | 2 |
| 4 | Hash over fields 7 - end of section (clear values) | sha1Hash | Hash over fields 7 - end of section | 20 |
| 5 | 8 + dLength + padLength | encrypted sectionLength | 8 + dLength + padLength | 2 |
| 6 | This is actually a reserved field, not a pad '0000' | pad | '0000' | 2 |
| 7 | '82' encrypted external key or '00' clear external key | keyFormat | '02' encrypted operational key | 1 |
| 8 | '00' | pedigree | '21', '22', '23', or '24' as '06' token | 1 |
| 9 | Hash over sections which follow the public key section, or '00' | sha1Key NameHash | Hash over sections which follow the public key section, or '00' | 20 |
| 10 | '02' indicates that the key is translatable | keyUsageFlag | same as in '06' | 1 |
| 11 | '00' | reserved1 | '00' | 1 |
| 12 | Binary zeroes | OPK | 8 byte confounder + 40-byte (5-part) DES key, encrypted with the PKA master key | 48 |
| 13 | Binary zeroes | mkHash Pattern | 16 byte MKVP | 16 |
| 14 | Length of private exponent | dLength | Length of private exponent | 2 |
| 15 | Length of modulus | nLength | Length of modulus | 2 |
| 16 | Length required to pad dLength to a multiple of 8 | padLength | Length required to pad dLength to a multiple of 8 | 2 |
| 17 | '0000' | reserved2 | '0000' | 2 |
| 18 | Random value - encrypted data (with PKA MK) begins here | confounder | encrypted data (with 5-part OPK) begins here | 8 |
| 19 | | <d follows, then pad, then n> | | 1 |
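The length and hash relationships in Table 1 can be checked before any key material is used. The following is an added example, not IBM code: it validates one '09' section and verifies sha1Hash for a clear external key. The function names, the big-endian encoding of the 2-byte fields, and the sample builder are assumptions made for illustration.

```python
import hashlib
import struct

# Fields 1-18 of Table 1: the 132-byte fixed part of the section.
# Assumption: 2-byte lengths are big-endian; the table gives sizes only.
FIXED = struct.Struct(">BBH20sHHBB20sBB48s16sHHHH8s")
HASHED_FROM = 28  # offset of field 7 (keyFormat): 1 + 1 + 2 + 20 + 2 + 2

def check_section(buf):
    """Return (fields, problems) for one '09' section held in buf."""
    if len(buf) < FIXED.size:
        raise ValueError("shorter than the 132-byte fixed part")
    (sid, ver, sec_len, sha1, enc_len, pad, key_fmt, _pedigree, _name_hash,
     _usage, rsv1, _opk, _mkvp, d_len, n_len, pad_len, rsv2,
     _conf) = FIXED.unpack_from(buf)
    total = FIXED.size + d_len + n_len + pad_len
    if len(buf) < total:  # never slice past the data actually supplied
        raise ValueError("buffer ends before d, pad and n")
    problems = []
    if (sid, ver) != (0x09, 0x00):
        problems.append("sectionId/version")
    if sec_len != total:
        problems.append("sectionLength")
    if enc_len != 8 + d_len + pad_len:
        problems.append("encrypted sectionLength")
    if pad_len != (-d_len) % 8:
        problems.append("padLength")
    if pad or rsv1 or rsv2:
        problems.append("reserved field not zero")
    if key_fmt not in (0x00, 0x82, 0x02):
        problems.append("keyFormat")
    # The hash covers clear values, so only a clear external key ('00')
    # can be checked without decrypting the private part first.
    if key_fmt == 0x00 and sha1 != hashlib.sha1(buf[HASHED_FROM:total]).digest():
        problems.append("sha1Hash")
    d = buf[FIXED.size:FIXED.size + d_len]
    n = buf[total - n_len:total]
    return {"keyFormat": key_fmt, "d": d, "n": n}, problems

def build_clear_external(d, n):
    """Constructed sample: a clear external section for test values d and n."""
    pad_len = (-len(d)) % 8
    total = FIXED.size + len(d) + pad_len + len(n)
    body = struct.pack(">BB20sBB48s16sHHHH8s", 0x00, 0x00, bytes(20), 0x02, 0,
                       bytes(48), bytes(16), len(d), len(n), pad_len, 0, bytes(8))
    body += d + bytes(pad_len) + n
    head = struct.pack(">BBH20sHH", 0x09, 0x00, total,
                       hashlib.sha1(body).digest(), 8 + len(d) + pad_len, 0)
    return head + body
```

For an encrypted key ('82' or '02') the hash check is skipped, because the table defines it over clear values; the structural checks still apply.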