AES EXPORTER and IMPORTER variable-length symmetric key token

View a table showing the format of the AES EXPORTER and IMPORTER variable-length symmetric key-token.

Table 1 shows the format of the EXPORTER and IMPORTER variable-length symmetric key tokens that can be used with the AES algorithm. An EXPORTER operational key-token is used by the Symmetric Key Export (CSNDSYX) verb to export an internal AES or HMAC variable-length symmetric key-token into an external variable-length symmetric key-token, either into an AESKW or PKOAEP2 wrapped payload. An IMPORTER operational key-token is used by theSymmetric Key Import2 (CSNDSYI2) verb to import an external AES or HMAC variable-length symmetric key-token, containing either an AESWK or PKOAEP2 wrapped payload, into an internal variable-length symmetric key-token.
Table 1. AES EXPORTER and IMPORTER variable-length symmetric key-token, version X'05'

AES EXPORTER and IMPORTER variable-length symmetric key-token, version X'05'

Offset (bytes) Length (bytes) Description

Header

000

01

Token identifier:

Value
Meaning
X'01'
Internal key-token (encrypted key is wrapped with the master key or there is no payload).
X'02'
External key-token (encrypted payload is wrapped with a transport key or there is no payload). A transport key can be a key-encrypting key or an RSA public-key.

All unused values are reserved and undefined.

001

01

Reserved, binary zero.

002

02

Length in bytes of the overall token structure:

46 + (2 * kuf) + (2 * kmf) + kl + iead + uad + ((pl + 7) / 8)

Key token
Minimum token length
Skeleton
46 + (2 * 4) + (2 * 3) + 0 + 0 + 0 + 0 = 60
Encrypted V0 payload
46 + (2 * 4) + (2 * 3) + 0 + 0 + 0 + ((512 + 7) / 8) = 124
Encrypted V1 payload
46 + (2 * 4) + (2 * 3) + 0 + 0 + 0 + ((640 + 7) / 8) = 140
Key token
Maximum token length
External*
46 + (2 * 4) + (2 * 3) + 64 + 0 + 255 + ((8192 + 7) / 8) = 1403
Internal
46 + (2 * 4) + (2 * 3) + 64 + 0 + 255 + ((640 + 7) / 8) = 459

*This assumes a PKOAEP2 key-wrapping method using a 8192-bit RSA transport key.

004

01

Token version number (identifies the format of this key token):

Value
Meaning
X'05'
Version 5 format of the key token (variable-length symmetric key-token)

005

03

Reserved, binary zero.

End of header

Wrapping information section (all data related to wrapping the key)

008

01

Key material state:

Value
Meaning
X'00'
No key is present. This is called a skeleton key-token. The key token is external or internal.
X'02'
Key is wrapped with a transport key. When the encrypted section key-wrapping method is AESKW (value at offset 26 is X'02'), the transport key is an AES key-encrypting key. When it is PKOAEP2 (value at offset 26 is X'03'), the transport key is an RSA public-key. The key token is external.
X'03'
Key is wrapped with the AES master-key. The encrypted section key-wrapping method is AESKW. The key token is internal.

All unused values are reserved and undefined.

009

01

Key verification pattern (KVP) type:

Value
Meaning
X'00'
No KVP (no key present or key is wrapped with an RSA public-key). The key token is external or internal.
X'01'
AESMK (8 leftmost bytes of SHA-256 hash: X'01 ∥ clear AES MK). The key token is internal.
X'02'
KEK (8 leftmost bytes of SHA-256 hash: X'01 ∥ clear KEK). The key token is external.

All unused values are reserved and undefined.

010

16

KVP (value depends on value of key material state, that is, the value at offset 8):

Value at offset 8
Value of KVP
X'00'
The key-material state is no key present. The field should be filled with binary zeros. The key token is external or internal.
X'02'
The key material state is the key is wrapped with a transport key. The value of the KVP depends on the value of the encrypted section key-wrapping method:
  • When the key-wrapping method is AESKW (value at offset 26 is X'02'), the field contains the KVP of the key-encrypting key used to wrap the key. The 8-byte KEK KVP is left-aligned in the field and padded on the right low-order bytes with binary zeros.
  • When the key-wrapping method is PKOAEP2 (value at offset 26 is X'03'), the value should be filled with binary zeros. The encoded message, which contains the key, is wrapped with an RSA public-key.

    The key token is external.

X'03'
The key-material state is the key is wrapped with the AES master-key. The field contains the MKVP of the AES master-key used to wrap the key. The 8-byte MKVP is left-aligned in the field and padded on the right low-order bytes with binary zeros. The key token is internal.

026

01

Encrypted section key-wrapping method (how data in the encrypted section is protected):

Value
Meaning
X'00'
No key-wrapping method (no key present). The key token is external or internal.
X'02'
AESKW (ANS X9.102). The key token is external with a key wrapped by an AES key-encrypting key, or the key token is internal with a key wrapped by the AES master-key.
X'03'
PKOAEP2. Message M, which contains the key, is encoded using the RSAES-OAEP scheme of the RSA PKCS #1 v2.1 standard. The encoded message (EM) is produced using the given hash algorithm by encoding message M using the Bellare and Rogaway Optimal Asymmetric Encryption Padding (OAEP) method for encoding messages. For PKAOEP2, M is defined as follows:

M = [32 bytes: hAD] ∥ [2 bytes: bit length of the clear key] ∥ [clear key]

where hAD is the message digest of the associated data, and is calculated using the SHA-256 algorithm on the data starting at offset 30 for the length in bytes of all the associated data for the key token (length value at offset 32).

EM is wrapped with an RSA public-key. The key token is external.

All unused values are reserved and undefined.

027

01

Hash algorithm used for wrapping key or encoding message. Meaning depends on whether the encrypted section key-wrapping method (value at offset 26) is no key-wrapping method, AESKW, or PKOAEP2:

No key-wrapping method (value at offset 26 is X'00')

Hash algorithm used for wrapping key when encrypted section key-wrapping method is no key-wrapping method:

Value
Meaning
X'00'
No hash (no key present)

All unused values are reserved and undefined. The key token is external or internal.

AESKW key-wrapping method (value at offset 26 is X'02')

Hash algorithm used for wrapping key when encrypted section key-wrapping method is AESKW. The value indicates the algorithm used to calculate the message digest of the associated data. The message digest is included in the wrapped payload and is calculated starting at offset 30 for the length in bytes of all the associated data for the key token (length value at offset 32).

Value
Meaning
X'02'
SHA-256

All unused values are reserved and undefined. The key token is external or internal.

PKOAEP2 key-wrapping method (value at offset 26 is X'03')

Hash algorithm used for encoding message when encrypted section key-wrapping method is PKOAEP2. The value indicates the given hash algorithm used for encoding message M using the RSAES-OAEP scheme of the RSA PKCS #1 v2.1 standard.

Value
Meaning
X'01'
SHA-1
X'02'
SHA-256
X'04'
SHA-384
X'08'
SHA-512

All unused values are reserved and undefined. The key token is external.

028

01

Payload format version (identifies format of the payload). Release 4.4 or later, otherwise undefined.

Value
Meaning
X'00'
V0 payload (V0PYLD). The payload format depends on the encrypted section key-wrapping method (value at offset 26):
Value at offset 26
Meaning
X'00'
There is no key-wrapping method. When no key is present, there is no payload. The key token is external or internal.
X'02'
The key-wrapping method is AESKW and the payload is variable length. The payload is formatted with the minimum size possible to contain the key material. The payload length varies for a given algorithm and key type. The key length can be inferred by the size of the payload. The key token is external or internal.
X'03'
The key-wrapping method is PKOAEP2 and the payload length is equal to the modulus size in bits of the RSA transport key used to wrap the encoded message. The key token is external. When the external key is exported, the internal target key will have the same V0 payload format.
X'01'
V1 payload (Release 4.4 or later). The payload format depends on the encrypted section key-wrapping method (value at offset 26):
Value at offset 26
Meaning
X'00'
There is no key-wrapping method. When no key is present, there is no payload. The key token is external or internal.
X'02'
The key-wrapping method is AESKW and the payload is fixed length based on the maximum possible key size of the algorithm for the key. The key is padded with random data to the size of the largest key for that algorithm. This helps to deter attacks on keys known to be weaker. The key length cannot be inferred by the size of the payload. The key token is external or internal.
X'03'
The key-wrapping method is PKOAEP2 and the payload length is equal to the modulus size in bits of the RSA transport key used to wrap the encoded message. The key token is external. When the external key is exported, the internal target key will have the same V1 payload format.

All unused values are reserved and undefined.

029

01

Reserved, binary zero.

End of wrapping information section

AESKW or PKOAEP2 components: (1) associated data section and (2) optional wrapped AESKW formatted payload or wrapped PKOAEP2 encoded payload (no payload if no key present)

Associated data section

030

01

Associated data section version:

Value
Meaning
X'01'
Version 1 format of associated data

031

01

Reserved, binary zero.

032

02

Length in bytes of all the associated data for the key token: 30 - 349.

034

01

Length in bytes of the optional key label (kl): 0 or 64.

035

01

Length in bytes of the optional IBM extended associated data (iead): 0.

036

01

Length in bytes of the optional user-definable associated data (uad): 0 - 255.

037

01

Reserved, binary zero.

038

02

Length in bits of the wrapped payload (pl): 0, 512 - 4096.

  • For no key-wrapping method (no key present), pl is 0.
  • For PKOAEP2 encoded payloads, pl is the length in bits of the modulus size of the RSA key used to wrap the payload. This can be 512 - 4096.
  • For an AESKW formatted payload, pl is based on the key size of the algorithm type and the payload format version:
  • AES algorithm (value at offset 41 is X'02')
  • An AES key can have a length of 16, 24, or 32 bytes (128, 192, or 256 bits). The following table shows the payload length for a given AES key size and payload format:
                            Bit length of            Bit length of
                            V0 payload (value at     V1 payload (value at
    AES key size            offset 28 is X'00')      offset 28 is X'01')
    16 bytes (128 bits)     512                      640
    24 bytes (192 bits)     576                      640
    32 bytes (256 bits)     640                      640

040

01

Reserved, binary zero.

041

01

Algorithm type (algorithm for which the key can be used):

Value
Meaning
X'02'
AES

All unused values are reserved and undefined.

042

02

Key type (general class of the key):

Value
Meaning
X'0003'
EXPORTER
X'0004'
IMPORTER

All unused values are reserved and undefined.

044

01

Key usage fields count (kuf): 4. Key-usage field information defines restrictions on the use of the key.

For key type EXPORTER, see AES EXPORTER Key Token Build2 keywords (Figure 3).

For key type IMPORTER, see AES IMPORTER Key Token Build2 keywords (Figure 4).

Each key-usage field is 2 bytes in length. The value in this field indicates how many 2-byte key usage fields follow.

045
(1 of 2)

01

Key-usage field 1, high-order byte (KEK control). The meaning is determined by the key type (value at offset 42). The key type can be EXPORTER or IMPORTER.

EXPORTER (value at offset 42 is X'0003')

Value
Meaning
B'1xxx xxxx'
Key can be used to export a key (EXPORT).
B'0xxx xxxx'
Key cannot be used to export a key.
B'x1xx xxxx'
Key can be used to translate a key (TRANSLAT).
B'x0xx xxxx'
Key cannot be used to translate a key.
B'xx1x xxxx'
Key can be used by KGN2 for generating an OPEX key pair (GEN-OPEX).
B'xx0x xxxx'
Key cannot be used by KGN2 for generating an OPEX key pair.
B'xxx1 xxxx'
Key can be used by KGN2 for generating an IMEX key pair (GEN-IMEX).
B'xxx0 xxxx'
Key cannot be used by KGN2 for generating an IMEX key pair.
B'xxxx 1xxx'
Key can be used by KGN2 for generating an EXEX key pair (GEN-EXEX).
B'xxxx 0xxx'
Key cannot be used by KGN2 for generating an EXEX key pair.
B'xxxx x1xx'
Key can be used by PKG for generating an ECC public-private key pair (GEN-PUB).
B'xxxx x0xx'
Key cannot be used by PKG for generating an ECC public-private key pair (GEN-PUB).
Note: At least one defined bit must be B'1'.

All unused bits are reserved and must be zero.

045
(2 of 2)

01

IMPORTER (value at offset 42 is X'0004')

Value
Meaning
B'1xxx xxxx'
Key can be used to import a key (IMPORT).
B'0xxx xxxx'
Key cannot be used to import a key.
B'x1xx xxxx'
Key can be used to translate a key (TRANSLAT).
B'x0xx xxxx'
Key cannot be used to translate a key.
B'xx1x xxxx'
Key can be used by KGN2 for generating an OPIM key pair (GEN-OPIM).
B'xx0x xxxx'
Key cannot be used by KGN2 for generating an OPIM key pair.
B'xxx1 xxxx'
Key can be used by KGN2 for generating an IMEX key pair (GEN-IMEX).
B'xxx0 xxxx'
Key cannot be used by KGN2 for generating an IMEX key pair.
B'xxxx 1xxx'
Key can be used by KGN2 for generating an IMIM key pair (GEN-IMIM).
B'xxxx 0xxx'
Key cannot be used by KGN2 for generating an IMIM key pair.
B'xxxx x1xx'
Key can be used by PKG for generating an ECC public-private key pair (GEN-PUB).
B'xxxx x0xx'
Key cannot be used by PKG for generating an ECC public-private key pair (GEN-PUB).
Note: At least one defined bit must be B'1'.

All unused bits are reserved and must be zero.

046

01

Key-usage field 1, low-order byte (user-defined extension control).

047

01

Key-usage field 2, high-order byte (TR-31 wrap control):

Value
Meaning
B'1xxx xxxx'
Key can wrap or unwrap a TR-31 key (WR-TR31). Defined for future use.
B'0xxx xxxx'
Key cannot wrap or unwrap a TR-31 key. Defined for future use.

All unused bits are reserved and must be zero.

048

01

Key-usage field 2, low-order byte (raw key wrap control):

Value
Meaning
B'xxxx xxx1'
Key can wrap or unwrap a raw key (KEK-RAW). Defined for future use.
B'0xxx xxxx'
Key cannot wrap or unwrap a raw key. Defined for future use.

All unused bits are reserved and must be zero.

049

01

Key-usage field 3, high-order byte (algorithm wrap control):

Value
Meaning
B'1xxx xxxx'
Key can wrap or unwrap DES keys (WR-DES).
B'0xxx xxxx'
Key cannot wrap or unwrap DES keys.
B'x1xx xxxx'
Key can wrap or unwrap AES keys (WR-AES).
B'x0xx xxxx'
Key cannot wrap or unwrap AES keys.
B'xx1x xxxx'
Key can wrap or unwrap HMAC keys (WR-HMAC).
B'xx0x xxxx'
Key cannot wrap or unwrap HMAC keys.
B'xxx1 xxxx'
Key can wrap or unwrap RSA keys (WR-RSA).
B'xxx0 xxxx'
Key cannot wrap or unwrap RSA keys.
B'xxxx 1xxx'
Key can wrap or unwrap ECC keys (WR-ECC).
B'xxxx 0xxx'
Key cannot wrap or unwrap ECC keys.
Note: At least one defined bit must be B'1'.

All unused bits are reserved and must be zero.

050

01

Key-usage field 3, low-order byte (reserved).

All bits are reserved and must be zero.

051

01

Key-usage field 4, high-order byte (class wrap control).

Value
Meaning
B'1xxx xxxx'
Key can wrap or unwrap data class keys (WR-DATA).
B'0xxx xxxx'
Key cannot wrap or unwrap data class keys.
B'x1xx xxxx'
Key can wrap or unwrap KEK class keys (WR-KEK).
B'x0xx xxxx'
Key cannot wrap or unwrap KEK class keys.
B'xx1x xxxx'
Key can wrap or unwrap PIN class keys (WR-PIN).
B'xx0x xxxx'
Key cannot wrap or unwrap PIN class keys.
B'xxx1 xxxx'
Key can wrap or unwrap derivation class keys (WRDERIVE).
B'xxx0 xxxx'
Key cannot wrap or unwrap derivation class keys.
B'xxxx 1xxx'
Key can wrap or unwrap card class keys (WR-CARD).
B'xxxx 0xxx'
Key cannot wrap or unwrap card class keys.
B'xxxx x1xx'
Key can wrap or unwrap cryptovariable class keys (WR-CVAR). Undefined in releases before Release 4.4.
B'xxxx x0xx'
Key cannot wrap or unwrap cryptovariable class keys. Undefined in releases before Release 4.4.
Note: At least one defined bit must be B'1'.

All unused values are reserved and undefined.

052

01

Key-usage field 4, low-order byte (reserved).

All bits are reserved and must be zero.

053

01

Key management fields count (kmf): 3. Key-management field information describes how the data is to be managed or helps with management of the key material.

For key type EXPORTER, see AES EXPORTER Key Token Build2 keywords (Figure 3).

For key type IMPORTER, see AES IMPORTER Key Token Build2 keywords (Figure 4).

Each key-management field is 2 bytes in length. The value in this field indicates how many 2-byte key management fields follow.

054

01

Key-management field 1, high-order byte (symmetric-key export control).

055

01

Key-management field 1, low-order byte (export control by algorithm).

056

01

Key-management field 2, high-order byte (key completeness).

057

01

Key-management field 2, low-order byte (security history).

058

01

Key-management field 3, high-order byte (pedigree original).

059

01

Key-management field 3, low-order byte (pedigree current).

060

kl

Optional key label.

060 + kl

iead

Optional IBM extended associated data (unused).

060 + kl + iead

uad

Optional user-defined associated data.

End of associated data section

Optional wrapped AESKW formatted payload or wrapped PKOAEP2 encoded payload (no payload if no key present)

060 + kl + iead + uad

(pl + 7) / 8

Contents of payload (pl is in bits) depending on the encrypted section key-wrapping method (value at offset 26):

Value at offset 26 Encrypted section key-wrapping method Meaning
X'02'

AESKW

An encrypted payload which the Segment 2 code creates by wrapping the unencrypted AESKW formatted payload. The payload is made up of the integrity check value, pad length, length of hash options and hash, hash options, hash of the associated data, key material, and padding. The key token is internal.

X'03'

PKOAEP2

An encrypted PKOAEP2 encoded payload created using the RSAES-OAEP scheme of the PKCS #1 v2.1 standard. The message M is encoded for a given hash algorithm using the Bellare and Rogaway Optimal Asymmetric Encryption Padding (OAEP) method for encoding messages. For PKAOEP2, M is defined as follows:

M = [32 bytes: hAD] ∥ [2 bytes: bit length of the clear key] ∥ [clear key]

where hAD is the message digest of the associated data, and is calculated using the SHA-256 algorithm starting at offset 30 for the length in bytes of all the associated data for the key token (length value at offset 32). The encoded message is wrapped with an RSA public-key according to the standard. The key token is external.

End of optional wrapped AESKW formatted payload or wrapped PKAOEP2 encoded payload

End of AESKW or PKOAEP2 components

Note: All numbers are in big endian format.