PKA master keys
On the cryptographic coprocessor, PKA keys are protected by the Asymmetric-Keys Master Key (ASYM-MK).
The ASYM-MK is a triple-length DES key used to protect PKA private keys. On the cryptographic coprocessor, the ASYM-MK protects RSA private keys.
There are two PKA master keys: the ASYM-MK mentioned above, and the 256-bit AES PKA Master Key (APKA-MK), used to protect ECC private keys stored in ECC key tokens.
For PKA verbs to function on the processor, the hash pattern of the ASYM-MK must match the hash pattern of the SYM-MK on the cryptographic coprocessor. The administrator installs the PKA master keys and the ASYM-MK on the cryptographic coprocessor by using the pass phrase initialization routine, the Clear Master Key Entry panels, or the optional Trusted Key Entry (TKE) workstation.
Operational private keys
Operational private keys are protected under two layers of DES encryption.
They are encrypted under an Object Protection Key (OPK) that in turn is encrypted under the ASYM-MK. You dynamically generate the OPK for each private key at import time or when the private key is generated on a CEX*C.
CCA provides a public key storage file for the storage of application PKA keys.
Although you cannot change PKA master keys dynamically, the PKA Key Token Change verb can be run to change a private PKA token (RSA or ECC) from encryption under the old ASYM-MK (or APKA-MK) to encryption under the current ASYM-MK (or APKA-MK).
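A simplified model of the two-layer protection and the token change described above, as an added example that is not IBM's code and does not reproduce the CCA token format. A SHAKE-256 keystream with an HMAC tag stands in for the DES/AES wrapping, the names `mk_pattern`, `make_token`, `use_token` and `change_token` are hypothetical, and re-wrapping only the OPK layer is an assumption of the model.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # Stand-in keystream; CCA itself uses DES/AES wrapping inside the coprocessor.
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)

def wrap(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified token")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def mk_pattern(mk):
    # Hypothetical verification pattern: a truncated hash that identifies a master key.
    return hashlib.sha256(b"mkvp" + mk).digest()[:8]

def make_token(mk, private_key):
    opk = secrets.token_bytes(32)  # fresh OPK for each private key
    return {"mkvp": mk_pattern(mk), "opk": wrap(mk, opk), "key": wrap(opk, private_key)}

def use_token(current_mk, token):
    if token["mkvp"] != mk_pattern(current_mk):
        raise ValueError("token is not wrapped under the current master key")
    return unwrap(unwrap(current_mk, token["opk"]), token["key"])

def change_token(old_mk, current_mk, token):
    # Model assumption: only the OPK layer is re-wrapped; the inner layer is untouched.
    if token["mkvp"] != mk_pattern(old_mk):
        raise ValueError("token is not wrapped under the old master key")
    opk = unwrap(old_mk, token["opk"])
    return {"mkvp": mk_pattern(current_mk), "opk": wrap(current_mk, opk), "key": token["key"]}

def demo():
    old_mk, new_mk = secrets.token_bytes(32), secrets.token_bytes(32)
    private_key = b"constructed sample private key bytes"  # constructed, not a real key
    token = make_token(old_mk, private_key)
    changed = change_token(old_mk, new_mk, token)
    try:
        use_token(new_mk, token)  # token still under the old master key
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return use_token(new_mk, changed) == private_key, stale_rejected
if __name__ == "__main__":
    print(demo())
```

In the model, a token left under the old master key is rejected by the pattern check until it has been changed, and a modified token fails the integrity check on unwrap.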