|
Header
|
|
000
|
01
|
Token identifier:
- Value
- Meaning
- X'01'
- Internal key-token (encrypted key is wrapped with the master key or there is no payload).
- X'02'
- External key-token (encrypted payload is wrapped with a transport key or there is no payload). A
transport key can be a key-encrypting key or an RSA public-key.
All unused values are reserved and undefined.
|
|
001
|
01
|
Reserved, binary zero.
|
|
002
|
02
|
Length in bytes of the overall token structure:
46 + (2 * kuf) + (2 * kmf) + kl + iead + uad + ((pl +
7) / 8)
- Key token
- Minimum token length
- Skeleton
- 46 + (2 * 2) + (2 * 3) + 0 + 0 + 0 + 0 = 56
- Encrypted V1 payload
- 46 + (2 * 2) + (2 * 3) + 0 + 0 + 0 + ((640 + 7) / 8) = 136
- Key token
- Maximum token length
- External*
- 46 + (2 * 6) + (2 * 3) + 64 + 0 + 255 + ((8192 + 7) / 8) = 1407
- Internal
- 46 + (2 * 6) + (2 * 3) + 64 + 0 + 255 + ((640 + 7) / 8) = 463
*This assumes a PKOAEP2 key-wrapping method using a 8192-bit RSA transport key.
|
|
004
|
01
|
Token version number (identifies the format of this key token):
- Value
- Meaning
- X'05'
- Version 5 format of the key token (variable-length symmetric key-token)
|
|
005
|
03
|
Reserved, binary zero.
|
|
End of header
|
|
Wrapping information section (all data related to wrapping the key)
|
|
008
|
01
|
Key material state:
- Value
- Meaning
- X'00'
- No key is present. This is called a skeleton key-token. The key token is external or
internal.
- X'02'
- Key is wrapped with a transport key. When the encrypted section key-wrapping method is AESKW
(value at offset 26 is X'02'), the transport key is an AES key-encrypting key. When it is PKOAEP2
(value at offset 26 is X'03'), the transport key is an RSA public-key. The key token is
external.
- X'03'
- Key is wrapped with the AES master-key. The encrypted section key-wrapping method is AESKW. The
key token is internal.
All unused values are reserved and undefined.
|
|
009
|
01
|
Key verification pattern (KVP) type:
- Value
- Meaning
- X'00'
- No KVP (no key present or key is wrapped with an RSA public-key). The key token is external or
internal.
- X'01'
- AESMK (8 leftmost bytes of SHA-256 hash: X'01 ∾ˆ¥ clear AES MK). The key token is
internal.
- X'02'
- KEK (8 leftmost bytes of SHA-256 hash: X'01 ∾ˆ¥ clear KEK). The key token is
external.
All unused values are reserved and undefined.
|
|
010
|
16
|
KVP (value depends on value of key material state, that is, the value at offset 8):
- Value at offset 8
- Value of KVP
- X'00'
- The key-material state is no key present. The field should be filled with binary zeros. The key
token is external or internal.
- X'02'
- The key material state is the key is wrapped with a transport key. The value of the KVP depends
on the value of the encrypted section key-wrapping method:
- When the key-wrapping method is AESKW (value at offset 26 is X'02'), the field contains the KVP
of the key-encrypting key used to wrap the key. The 8-byte KEK KVP is left-aligned in the field and
padded on the right low-order bytes with binary zeros.
- When the key-wrapping method is PKOAEP2 (value at offset 26 is X'03'), the value should be
filled with binary zeros. The encoded message, which contains the key, is wrapped with an RSA
public-key.
The key token is external.
- X'03'
- The key-material state is the key is wrapped with the AES master-key. The field contains the
MKVP of the AES master-key used to wrap the key. The 8-byte MKVP is left-aligned in the field and
padded on the right low-order bytes with binary zeros. The key token is internal.
|
|
026
|
01
|
Encrypted section key-wrapping method (how data in the encrypted section is protected):
- Value
- Meaning
- X'00'
- No key-wrapping method (no key present or key is clear). The key token is external or
internal.
- X'02'
- AESKW (ANS X9.102). The key token is external with a key wrapped by an AES key-encrypting key,
or the key token is internal with a key wrapped by the AES master-key.
- X'03'
- PKOAEP2. Message M, which contains the key, is encoded using the RSAES-OAEP scheme of the
RSA PKCS #1 v2.1 standard. The encoded message (EM) is produced using the given hash
algorithm by encoding message M using the Bellare and Rogaway Optimal Asymmetric Encryption
Padding (OAEP) method for encoding messages. For PKAOEP2, M is defined as follows:
M
= [32 bytes: hAD] ∾ˆ¥ [2 bytes: bit length of the clear key] ∾ˆ¥ [clear
key]
where hAD is the message digest of the associated data, and is calculated using the
SHA-256 algorithm on the data starting at offset 30 for the length in bytes of all the associated
data for the key token (length value at offset 32).
EM is wrapped with an RSA public-key. The key token is external.
All unused values are reserved and undefined.
|
|
027
|
01
|
Hash algorithm used for wrapping key or encoding message. Meaning depends on whether the
encrypted section key-wrapping method (value at offset 26) is no key-wrapping method, AESKW, or
PKOAEP2:
No key-wrapping method (value at offset 26 is X'00')
Hash algorithm used for wrapping key when encrypted section key-wrapping method is no
key-wrapping method:
- Value
- Meaning
- X'00'
- No hash (no key present)
All unused values are reserved and undefined. The key token is external or internal.
AESKW key-wrapping method (value at offset 26 is X'02')
Hash algorithm used for wrapping key when encrypted section key-wrapping method is AESKW. The
value indicates the algorithm used to calculate the message digest of the associated data. The
message digest is included in the wrapped payload and is calculated starting at offset 30 for the
length in bytes of all the associated data for the key token (length value at offset 32).
- Value
- Meaning
- X'02'
- SHA-256
All unused values are reserved and undefined. The key token is external or internal.
PKOAEP2 key-wrapping method (value at offset 26 is X'03')
Hash algorithm used for encoding message when encrypted section key-wrapping method is PKOAEP2.
The value indicates the given hash algorithm used for encoding message M using the RSAES-OAEP
scheme of the RSA PKCS #1 v2.1 standard.
- Value
- Meaning
- X'01'
- SHA-1
- X'02'
- SHA-256
- X'04'
- SHA-384
- X'08'
- SHA-512
All unused values are reserved and undefined. The key token is external.
|
|
028
|
01
|
Payload format version (identifies format of the payload):
- Value
- Meaning
- X'01'
- V1 payload (V1PYLD). The payload format depends on the encrypted section key-wrapping method
(value at offset 26):
- Value at offset 26
- Meaning
- X'00'
- There is no key-wrapping method. When no key is present, there is no payload. The key token is
external or internal.
- X'02'
- The key-wrapping method is AESKW and the payload is fixed length based on the maximum possible
key size of the algorithm for the key. The key is padded with random data to the size of the largest
key for that algorithm. This helps to deter attacks on keys known to be weaker. The key length
cannot be inferred by the size of the payload. The key token is external or internal.
- X'03'
- The key-wrapping method is PKOAEP2 and the payload length is equal to the modulus size in bits
of the RSA transport key used to wrap the encoded message. The key token is external. When the
external key is exported, the internal target key will have the same V1 payload format.
All unused values are reserved and undefined.
|
|
029
|
01
|
Reserved, binary zero.
|
|
End of wrapping information section
|
|
AESKW or PKOAEP2 components: (1) associated data section and (2) optional wrapped AESKW payload
or wrapped PKOAEP2 payload (no payload if no key present)
|
|
Associated data section
|
|
030
|
01
|
Associated data section version:
- Value
- Meaning
- X'01'
- Version 1 format of associated data
|
|
031
|
01
|
Reserved, binary zero.
|
|
032
|
02
|
Length in bytes of all the associated data for the key token: 26 - 353.
|
|
034
|
01
|
Length in bytes of the optional key label (kl): 0 or 64.
|
|
035
|
01
|
Length in bytes of the optional IBM extended associated data (iead): 0.
|
|
036
|
01
|
Length in bytes of the optional user-definable associated data (uad): 0 - 255.
|
|
037
|
01
|
Reserved, binary zero.
|
|
038
|
02
|
Length in bits of the wrapped payload (pl): 0, 512 - 4096.
- For no key-wrapping method (no key present), pl is 0.
- For PKOAEP2 encoded payloads, pl is the length in bits of the modulus size of the RSA key
used to wrap the payload. This can be 512 - 4096.
- For an AESKW formatted payload, pl is based on the key size of the algorithm type and the
payload format version:
- AES algorithm (value at offset 41 is X'02')
An AES key can have a length of 16, 24, or 32 bytes (128, 192, or 256 bits). The following table
shows the payload length for a given AES key size and payload
format: Bit length of Bit length of
V0 payload (value at V1 payload (value at
AES key size offset 28 is X'00') offset 28 is X'01')
16 bytes (128 bits) Not applicable 640
24 bytes (192 bits) Not applicable 640
32 bytes (256 bits) Not applicable 640
|
|
040
|
01
|
Reserved, binary zero.
|
|
041
|
01
|
Algorithm type (algorithm for which the key can be used):
All unused values are reserved and undefined.
|
|
042
|
02
|
Key type (general class of the key):
- Value
- Meaning
- X'0009'
- DKYGENKY
All unused values are reserved and undefined.
|
|
044
|
01
|
Key usage fields count (kuf): 2, 4 - 6. Key-usage field information defines restrictions
on the use of the key.
Count is based on type of key to diversify (value at offset
45): Value at Type of key
offset 45 to diversify kuf count
X'00' D-ALL 2
X'01' D-CIPHER 4
X'02' D-MAC 4 (not DK enabled)
5 (DK enabled)
X'03' D-EXP 6
X'04' D-IMP 6
X'05' D-PPROT 5
X'06' D-PCALC 5
X'07' D-PPRW 5
X'08' D-SECMSG 4
X'09' D-KDKGKY 15, 27, 39, or 51
Each key-usage field is 2 bytes in length. The value in this field indicates how many 2-byte key
usage fields follow.
|
|
045
|
01
|
Key-usage field 1, high-order byte (type of key to diversify). Defines the type of diversified
key that this diversifying key can generate.
- Value
- Meaning
- X'00'
- Any key type listed below (D-ALL)
- X'01'
- CIPHER (D-CIPHER)
- X'02'
- MAC (D-MAC)
- X'03'
- EXPORTER (D-EXP)
- X'04'
- IMPORTER (D-IMP)
- X'05'
- PINPROT (D-PPROT)
- X'06'
- PINCALC (D-PCALC)
- X'07'
- PINPRW (D-PPRW)
- X'08'
- SECMSG (D-SECMSG)
- X'09'
- KDKGENKY (D-KDKGKY) (Release 5.4 or later)
All unused values are reserved and undefined.
|
|
046
|
01
|
Key-usage field 1, low-order byte (user-defined extension control and other special usages):
- Value
- Meaning
- B'1xxx xxxx'
- Key can be used as the base derivation key (BDK) in the AES DUKPT key
derivation algorithm.
- B'xxxx 1xxx'
- Key can only be used in UDXs (UDX-ONLY).
- B'xxxx 0xxx'
- Key can be used in UDXs and CCA.
- B'xxxx x1uu'
- UDX-defined bit reserved for UDXs (UDX-100).
- B'xxxx xu1u'
- UDX-defined bit reserved for UDXs (UDX-010).
- B'xxxx xuu1'
- UDX-defined bit reserved for UDXs (UDX-001).
|
|
047
|
01
|
Key-usage field 2, high-order byte (related generated key-usage field level of control):
- Value
- Meaning
- B'1xxx xxxx'
- The key usage fields of the key to be generated must be equal (KUF-MBE) to the related generated
key usage fields that start with key usage field 3 below.
- B'0xxx xxxx'
- The key usage fields of the key to be generated must be permissible (KUF-MBP) based on the
related generated key usage fields that start with key usage field 3 below. A key to be diversified
is not permitted to have a higher level of usage than the related key usage fields permit. The key
to be diversified is only permitted to have key usage that is less than or equal to the related key
usage fields. One exception is the UDX-ONLY setting in the generated key usage fields. The UDX-ONLY
setting must always be equal to the UDX-ONLY setting in the related key usage fields.
- B'x1xx xxxx'
- The key management fields of the generated key must be permitted (KMF-MBP) based on the
related key management fields of the DKYGENKY generating key. The key to be diversified is
not permitted to have a higher level of management than the related key management fields
permit. The key to be diversified is only permitted to have key management that is less than
or equal to the related key management fields.
- B'x0xx xxxx'
- The key management fields of the key to be generated does not have to be permitted by the
related key management fields of the DKYGENKY generating key.
- B'xx1x xxxx'
- The key management fields of the key to be generated must be equal (KMF-MBE) to the
related key management fields of the DKYGENKY generating key.
- B'xx0x xxxx'
- The key management fields of the key to be generated does not have to be equal to the
related key management fields of the DKYGENKY generating key.
Note: When both bits 1 and 2 are OFF (B'x0xx xxxx' and B'xx0x xxxx'), the DKYGENKY generating
key does not present any restrictions on the key management fields of the generated key.
Undefined when the value at offset 45 = X'00' (D-ALL). All unused bits are reserved and must be
zero.
|
|
048
|
01
|
Key-usage field 2, low-order byte (key-derivation sequence level):
- Value
- Meaning
- X'00'
- Use this diversifying key to generate a Level 0 diversified key (DKYL0). The type of key to
diversify (value at offset 45) determines the key type of the generated key. Level 0 is a completed
key.
- X'01'
- Use this diversifying key to generate a Level 1 diversified key (DKYL1).
- X'02'
- Use this diversifying key to generate a Level 2 diversified key (DKYL2).
All unused values are reserved and undefined.
|
|
049, for kuf > 3
|
02
|
Optional key-usage field 3 (related generated key usage fields). Controls the key usage field 1
values of the diversified key. Meaning depends on type of key to diversify (value at offset 45):
- Value at offset 45
- Meaning
- X'01'
- Same as key-usage field 1 of AES CIPHER key.
- X'02'
- Same as key-usage field 1 of AES MAC key.
- X'03'
- Same as key-usage field 1 of AES EXPORTER key.
- X'04'
- Same as key-usage field 1 of AES IMPORTER key.
- X'05'
- Same as key-usage field 1 of AES PINPROT key .
- X'06'
- Same as key-usage field 1 of AES PINCALC key.
- X'07'
- Same as key-usage field 1 of AES PINPRW key.
All unused bits are reserved and must be zero.
|
|
051, for kuf > 3
|
02 |
Optional key-usage field 4 (related generated key usage fields). Controls the key usage field 2
values of the diversified key. Meaning depends on type of key to diversify (value at offset 45):
- Value at offset 45
- Meaning
- X'01'
- Same as key-usage field 2 of AES CIPHER key.
- X'02'
- High order byte:
- X'01'
All unused bits are reserved and must be zero.
Low-order byte (key-derivation sequence level):
- B'0xxx xxxx'
- Key cannot be used by CSNBPTR2 to verify authentication data using NIST SP 800-38B
CMAC for ISO-4 to ISO-4 PAN change. Only valid with key usage VERIFY.
- B'1xxx xxxx'
- Key can be used by CSNBPTR2 to verify authentication data using NIST SP 800-38B
CMAC for ISO-4 to ISO-4 PAN change. Only valid with key usage VERIFY.
- B'x0xx xxxx'
- AES DKYGENKY D-MAC key cannot be used as k-base-1 by CSNBDKG2 in the M of N MAC Scheme.
- B'x1xx xxxx'
- AES DKYGENKY D-MAC key can be used as k-base-1 by CSNBDKG2 in the M of N MAC Scheme.
- B'xx0x xxxx'
- AES DKYGENKY D-MAC key cannot be used as k-base-2 by CSNBMMS in the M of N MAC Scheme.
- B'xx1x xxxx'
- AES DKYGENKY D-MAC key can be used as k-base-2 by CSNBMMS in the M of N MAC Scheme.
- X'03'
- Same as key-usage field 2 of AES EXPORTER key.
- X'04'
- Same as key-usage field 2 of AES IMPORTER key.
- X'05'
- Same as key-usage field 2 of AES PINPROT key.
- X'06'
- Same as key-usage field 2 of AES PINCALC key.
- X'07'
- Same as key-usage field 2 of AES PINPRW key.
All unused bits are reserved and must be zero.
|
|
053, for kuf > 4
|
02
|
Optional key-usage field 5 (related generated key usage fields). Controls the key usage field 3
values of the diversified key. Meaning depends on type of key to diversify (value at offset 45):
- Value at offset 45
- Meaning
- X'02'
- Same as key-usage field 3 of AES MAC key.
- X'03'
- Same as key-usage field 3 of AES EXPORTER key.
- X'04'
- Same as key-usage field 3 of AES IMPORTER key.
- X'05'
- Same as key-usage field 3 of AES PINPROT key.
- X'06'
- Same as key-usage field 3 of AES PINCALC key.
- X'07'
- Same as key-usage field 3 of AES PINPRW key.
All unused bits are reserved and must be zero.
|
|
055, for kuf > 5
|
02
|
Optional key-usage field 6 (related generated key usage fields). Controls the key usage field 4
values of the diversified key. Meaning depends on type of key to diversify (value at offset 45):
- Value at offset 45
- Meaning
- X'03'
- Same as key-usage field 4 of AES EXPORTER key.
- X'04'
- Same as key-usage field 4 of AES IMPORTER key.
All unused bits are reserved and must be zero.
|
|
045 + (2 * kuf)
|
01
|
Key management fields count (kmf): 3. Key-management field information describes how the
data is to be managed or helps with management of the key material.
Each key-management field is 2 bytes in length. The value in this field indicates how many 2-byte
key management fields follow.
|
|
046 + (2 * kuf)
|
01
|
Key-management field 1, high-order byte (symmetric-key export control).
|
|
047 + (2 * kuf)
|
01
|
Key-management field 1, low-order byte (export control by algorithm).
|
|
048 + (2 * kuf)
|
01
|
Key-management field 2, high-order byte (key completeness).
|
|
049 + (2 * kuf)
|
01
|
Key-management field 2, low-order byte (security history).
|
|
050 + (2 * kuf)
|
01
|
Key-management field 3, high-order byte (pedigree original).
|
|
051 + (2 * kuf)
|
01
|
Key-management field 3, low-order byte (pedigree current).
|
|
052 + (2 * kuf)
|
kl
|
Optional key label.
|
|
052 + (2 * kuf) + kl
|
iead
|
Optional IBM extended associated data (not used).
|
|
052 + (2 * kuf) + kl + iead
|
uad
|
Optional user-defined associated data.
|
|
End of associated data section
|
|
Optional wrapped AESKW formatted payload or wrapped PKOAEP2 encoded payload (no payload if no key
present)
|
|
052 + (2 * kuf) + kl + iead + uad
|
(pl + 7) / 8
|
Contents of payload (pl is in bits) depending on the encrypted section key-wrapping
method (value at offset 26):
|
| Value at offset 26 |
Encrypted section key-wrapping method |
Meaning |
| X'02' |
AESKW
|
An encrypted payload which the Segment 2 code creates by wrapping the unencrypted AESKW formatted
payload. The payload is made up of the integrity check value, pad length, length of hash options and
hash, hash options, hash of the associated data, key material, and padding. The key token is
internal.
|
| X'03' |
PKOAEP2
|
An encrypted PKOAEP2 encoded payload created using the RSAES-OAEP scheme of the PKCS #1 v2.1
standard. The message M is encoded for a given hash algorithm using the Bellare and Rogaway
Optimal Asymmetric Encryption Padding (OAEP) method for encoding messages. For PKAOEP2, M is
defined as follows:
M = [32 bytes: hAD] ∾ˆ¥ [2 bytes: bit length of the clear key] ∾ˆ¥
[clear key]
where hAD is the message digest of the associated data, and is calculated using the
SHA-256 algorithm starting at offset 30 for the length in bytes of all the associated data for the
key token (length value at offset 32). The encoded message is wrapped with an RSA public-key
according to the standard. The key token is external.
|
|
End of optional wrapped AESKW formatted payload or wrapped PKOAEP2 encoded payload
|
|
End of AESKW or PKOAEP2 components
|
|
Note: All numbers are in big endian format.
|