Trusted block section X'14' subsections
Section X'14' has two information subsections (tag-length-value objects) defined.
| Rule subsection tag | TLV object | Optional or required | Comments |
|---|---|---|---|
| X'0001' | Protection information | Required | Contains the encrypted 8-byte confounder and triple-length (24-byte) MAC key, the ISO-16609 TDES CBC MAC value, and the MKVP of the PKA master key (computed using MDC4). |
| X'0002' | Activation and expiration dates | Optional | Contains flags indicating whether or not the coprocessor is to validate dates, and contains the activation and expiration dates that are considered valid for the trusted block. |
Trusted block section X'14' subsection X'0001'
Subsection X'0001' of the trusted block information section (X'14') is the protection information TLV object. This subsection is required. It contains the encrypted 8-byte confounder and triple-length (24-byte) MAC key, the ISO-16609 TDES CBC MAC value, and the MKVP of the PKA master key (computed using MDC4).
| Offset (bytes) | Length (bytes) | Description |
|---|---|---|
| 000 | 002 | Subsection tag: X'0001'. |
| 002 | 002 | Subsection length in bytes (62). |
| 004 | 001 | Subsection version number (X'00'). |
| 005 | 001 | Reserved, must be binary zero. |
| 006 | 032 | Encrypted MAC key. Contains the encrypted 8-byte confounder and triple-length (24-byte) MAC key. |
| 038 | 008 | MAC. Contains the ISO-16609 TDES CBC Message Authentication Code value. |
| 046 | 016 | MKVP. Contains the PKA master-key verification pattern, computed using MDC4, when the trusted block is in internal form, otherwise contains binary zero. |
Trusted block section X'14' subsection X'0002'
Subsection X'0002' of the trusted block information section (X'14') is the activation and expiration dates TLV object. This subsection is optional. It contains flags indicating whether or not the coprocessor is to validate dates, and contains the activation and expiration dates that are considered valid for the trusted block.
| Offset (bytes) | Length (bytes) | Description |
|---|---|---|
| 000 | 002 | Subsection tag: X'0002'. |
| 002 | 002 | Subsection length in bytes (16). |
| 004 | 001 | Subsection version number (X'00'). |
| 005 | 001 | Reserved, must be binary zero. |
| 006 | 002 | Flags. Indicate whether or not the coprocessor is to validate the activation and expiration dates. |
| 008 | 004 | Activation date. Contains the first date that the trusted block can be used for generating or exporting keys. Format of the date is YYMDD. Return an error if the activation date is after the expiration date or is not valid. |
| 012 | 004 | Expiration date. Contains the last date that the trusted block can be used. Same format as activation date (offset 008). Return an error if date is not valid. |
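As an added example (not IBM's code), the following walks section X'14' as a sequence of TLV objects and applies the checks the two tables state: the required X'0001' object with length 62, the optional X'0002' object with length 16, version X'00', a zero reserved byte, and rejection of an activation date that is invalid or later than the expiration date. This page does not reproduce the byte layout of the YYMDD date or the bit assignments of the flags, so the date decoding (2-byte big-endian year, 1-byte month, 1-byte day) is an assumption and the flags are returned raw; the sample input is constructed and zero-filled, not real key material.

```python
import struct
from dataclasses import dataclass
from datetime import date

TAG_PROTECTION, LEN_PROTECTION = 0x0001, 62  # required subsection (from the page)
TAG_DATES, LEN_DATES = 0x0002, 16            # optional subsection (from the page)

@dataclass
class Protection:
    enc_mac_key: bytes  # 32 bytes: encrypted 8-byte confounder + 24-byte TDES MAC key
    mac: bytes          # 8-byte ISO-16609 TDES CBC MAC
    mkvp: bytes         # 16-byte PKA master-key MKVP (MDC4); binary zero if not internal

@dataclass
class Dates:
    flags: int          # raw 2-byte flag field; its bit assignments are not reproduced here
    activation: date
    expiration: date

def parse_section14(blob: bytes) -> dict:
    """Walk the TLV subsections of section X'14' and decode the two defined ones."""
    out, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 6:
            raise ValueError("truncated subsection header")
        tag, length, version, reserved = struct.unpack_from(">HHBB", blob, off)
        body = blob[off:off + length]
        if len(body) != length or version != 0 or reserved != 0:
            raise ValueError("bad subsection length, version or reserved byte")
        if tag == TAG_PROTECTION and length == LEN_PROTECTION:
            out["protection"] = Protection(body[6:38], body[38:46], body[46:62])
        elif tag == TAG_DATES and length == LEN_DATES:
            flags = struct.unpack_from(">H", body, 6)[0]
            # ASSUMPTION: 4-byte date = 2-byte year, 1-byte month, 1-byte day; date() rejects invalid ones
            act, exp = (date(*struct.unpack(">HBB", body[i:i + 4])) for i in (8, 12))
            if act > exp:
                raise ValueError("activation date is after expiration date")
            out["dates"] = Dates(flags, act, exp)
        else:
            raise ValueError(f"unknown tag {tag:#06x} or wrong length {length}")
        off += length
    if "protection" not in out:
        raise ValueError("required subsection X'0001' is missing")
    return out

def build_sample(act=(2024, 1, 31), exp=(2025, 12, 31)) -> bytes:
    """Constructed sample (zero-filled, not real key material): both subsections."""
    prot = struct.pack(">HHBB", TAG_PROTECTION, LEN_PROTECTION, 0, 0) + bytes(56)
    dates = struct.pack(">HHBBHHBBHBB", TAG_DATES, LEN_DATES, 0, 0, 0, *act, *exp)
    return prot + dates
```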