Functions of the AES, DES, and HMAC cryptographic keysEdit online The CCA API provides functions to create, import, and export AES, DES, and HMAC keys. Key separationThe cryptographic coprocessor controls the use of keys by separating them into unique types, allowing you to use a specific type of key only for its intended purpose. Master key variant for fixed-length tokensWhenever the master key is used to encipher a key, the cryptographic coprocessor produces a variation of the master key according to the type of key that the master key will encipher. Transport key variant for fixed-length tokensLike the master key, the coprocessor creates variations of a transport key to encrypt a key according to its type. Key formsA key that is protected under the master key is in operational form, which means the coprocessor can use it in cryptographic functions on the system.Key tokenCCA supports two types of symmetric key tokens, fixed-length and variable-length. Compliant-tagged key tokensA compliant-tagged key token must adhere to the requirements of the PCI-HSM 2016 compliance mode. A coprocessor in compliance mode must be available to use compliant-tagged key tokens. Key wrappingCCA supports two methods of wrapping the key value in a fixed-length symmetric key token for DES and AES keys: the original ECB wrapping and an enhanced CBC wrapping method, which is ANSI X9.24 compliant. Key strength and key wrappingKey strength is measured as bits of security as described in the documentation of NIST and other organizations. Each individual key will have its bits of security computed, then the different key types (AES, DES, ECC, RSA, HMAC) can have their relative strengths compared on a single scale. When the raw value of a particular key falls between discrete values of the NIST table, the lower value from the table is used as the bits of security.Control vectorA unique control vector exists for each type of CCA key. Types of keysThe cryptographic keys are grouped into the following categories based on the functions that they perform.DES key usage restrictionsTriple-length TDES keysThe cryptographic keys are grouped into the following categories based on the functions that they perform.Parent topic: Using AES, DES, and HMAC cryptography and verbs