|
Header
|
000 |
01 |
Token identifier:
- Value
- Meaning
- X'01'
- Internal key-token (encrypted key is wrapped with the master key
or there is no payload).
- X'02'
- External key-token (encrypted payload is wrapped with a transport
key or there is no payload). A transport key can be a key-encrypting
key or an RSA public-key.
All unused values are reserved and undefined. |
001 |
01 |
Reserved, binary zero. |
002 |
02 |
Length in bytes of the overall
token structure: 46 + (2 * kuf) + (2 * kmf) +
kl + iead + uad + ((pl + 7) / 8)
- Key token
- Minimum token length
- Skeleton
- 46 + (2 * 4) + (2 * 3) + 0 + 0 + 0 + 0 = 60
- Encrypted V0 payload
- 46 + (2 * 4) + (2 * 3) + 0 + 0 + 0 + ((512 + 7) / 8) = 124
- Encrypted V1 payload
- 46 + (2 * 4) + (2 * 3) + 0 + 0 + 0 + ((640 + 7) / 8) = 140
- Key token
- Maximum token length
- External*
- 46 + (2 * 4) + (2 * 3) + 64 + 0 + 255 + ((8192 + 7) / 8) = 1403
- Internal
- 46 + (2 * 4) + (2 * 3) + 64 + 0 + 255 + ((640 + 7) / 8) = 459
*This assumes a PKOAEP2 key-wrapping method using a 8192-bit RSA transport key. |
004 |
01 |
Token version number (identifies
the format of this key token):
- Value
- Meaning
- X'05'
- Version 5 format of the key token (variable-length symmetric key-token)
|
005 |
03 |
Reserved, binary zero. |
End of header |
Wrapping information
section (all data related to wrapping the key) |
008 |
01 |
Key material state:
- Value
- Meaning
- X'00'
- No key is present. This is called a skeleton key-token. The key
token is external or internal.
- X'02'
- Key is wrapped with a transport key. When the encrypted section
key-wrapping method is AESKW (value at offset 26 is X'02'), the transport
key is an AES key-encrypting key. When it is PKOAEP2 (value at offset
26 is X'03'), the transport key is an RSA public-key. The key token
is external.
- X'03'
- Key is wrapped with the AES master-key. The encrypted section
key-wrapping method is AESKW. The key token is internal.
All unused values are reserved and undefined. |
009 |
01 |
Key verification pattern (KVP)
type:
- Value
- Meaning
- X'00'
- No KVP (no key present or key is wrapped with an RSA public-key).
The key token is external or internal.
- X'01'
- AESMK (8 leftmost bytes of SHA-256 hash: X'01 ∥ clear
AES MK). The key token is internal.
- X'02'
- KEK (8 leftmost bytes of SHA-256 hash: X'01 ∥ clear KEK).
The key token is external.
All unused values are reserved and undefined. |
010 |
16 |
KVP (value depends on value
of key material state, that is, the value at offset 8):
- Value at offset 8
- Value
of KVP
- X'00'
- The key-material state is no key present. The field should be
filled with binary zeros. The key token is external or internal.
- X'02'
- The key material state is the key is wrapped with a transport
key. The value of the KVP depends on the value of the encrypted section
key-wrapping method:
- X'03'
- The key-material state is the key is wrapped with the AES master-key.
The field contains the MKVP of the AES master-key used to wrap the
key. The 8-byte MKVP is left-aligned in the field and padded on the
right low-order bytes with binary zeros. The key token is internal.
|
026 |
01 |
Encrypted section key-wrapping
method (how data in the encrypted section is protected):
- Value
- Meaning
- X'00'
- No key-wrapping method (no key present). The key token is external
or internal.
- X'02'
- AESKW (ANS X9.102). The key token is external with a key wrapped
by an AES key-encrypting key, or the key token is internal with a
key wrapped by the AES master-key.
- X'03'
- PKOAEP2. Message M, which contains the key, is encoded
using the RSAES-OAEP scheme of the RSA PKCS #1 v2.1 standard.
The encoded message (EM) is produced using the given
hash algorithm by encoding message M using the Bellare
and Rogaway Optimal Asymmetric Encryption Padding (OAEP)
method for encoding messages. For PKAOEP2, M is
defined as follows:
M = [32 bytes: hAD] ∥
[2 bytes: bit length of the clear key] ∥ [clear
key] where hAD is the message digest of the
associated data, and is calculated using the SHA-256 algorithm
on the data starting at offset 30 for the length in bytes
of all the associated data for the key token (length value at offset
32). EM is wrapped with an RSA
public-key. The key token is external.
All unused values are reserved and undefined. |
027 |
01 |
Hash algorithm used for wrapping
key or encoding message. Meaning depends on whether the encrypted
section key-wrapping method (value at offset 26) is no key-wrapping
method, AESKW, or PKOAEP2: No key-wrapping method (value
at offset 26 is X'00') Hash algorithm used for wrapping
key when encrypted section key-wrapping method is no key-wrapping
method:
- Value
- Meaning
- X'00'
- No hash (no key present)
All unused values are reserved and undefined. The
key token is external or internal. AESKW key-wrapping
method (value at offset 26 is X'02') Hash algorithm
used for wrapping key when encrypted section key-wrapping method is
AESKW. The value indicates the algorithm used to calculate
the message digest of the associated data. The message digest
is included in the wrapped payload and is calculated starting
at offset 30 for the length in bytes of all the associated
data for the key token (length value at offset 32).
- Value
- Meaning
- X'02'
- SHA-256
All unused values are reserved and undefined. The
key token is external or internal. PKOAEP2 key-wrapping
method (value at offset 26 is X'03') Hash algorithm
used for encoding message when encrypted section key-wrapping method
is PKOAEP2. The value indicates the given hash algorithm used for
encoding message M using the RSAES-OAEP scheme of the RSA PKCS
#1 v2.1 standard.
- Value
- Meaning
- X'01'
- SHA-1
- X'02'
- SHA-256
- X'04'
- SHA-384
- X'08'
- SHA-512
All unused values are reserved and undefined. The
key token is external. |
028 |
01 |
Payload format version (identifies
format of the payload). Release 4.4 or later, otherwise undefined.
- Value
- Meaning
- X'00'
- V0 payload (V0PYLD). The payload format depends on the encrypted
section key-wrapping method (value at offset 26):
- Value at offset 26
- Meaning
- X'00'
- There is no key-wrapping method. When no key is present, there
is no payload. The key token is external or internal.
- X'02'
- The key-wrapping method is AESKW and the payload is variable length.
The payload is formatted with the minimum size possible to contain
the key material. The payload length varies for a given algorithm
and key type. The key length can be inferred by the size of the payload.
The key token is external or internal.
- X'03'
- The key-wrapping method is PKOAEP2 and the payload length is equal
to the modulus size in bits of the RSA transport key used to wrap
the encoded message. The key token is external. When the external
key is exported, the internal target key will have the same V0 payload
format.
- X'01'
- V1 payload (Release 4.4 or later). The payload format depends
on the encrypted section key-wrapping method (value at offset 26):
- Value at offset 26
- Meaning
- X'00'
- There is no key-wrapping method. When no key is present, there
is no payload. The key token is external or internal.
- X'02'
- The key-wrapping method is AESKW and the payload is fixed length
based on the maximum possible key size of the algorithm for the key.
The key is padded with random data to the size of the largest key
for that algorithm. This helps to deter attacks on keys known to be
weaker. The key length cannot be inferred by the size of the payload.
The key token is external or internal.
- X'03'
- The key-wrapping method is PKOAEP2 and the payload length is equal
to the modulus size in bits of the RSA transport key used to wrap
the encoded message. The key token is external. When the external
key is exported, the internal target key will have the same V1 payload
format.
All unused values are reserved and undefined. |
029 |
01 |
Reserved, binary zero. |
End of wrapping
information section |
AESKW or PKOAEP2
components: (1) associated data section and (2) optional wrapped AESKW
formatted payload or wrapped PKOAEP2 encoded payload (no payload if
no key present) |
Associated data
section |
030 |
01 |
Associated data section version:
- Value
- Meaning
- X'01'
- Version 1 format of associated data
|
031 |
01 |
Reserved, binary zero. |
032 |
02 |
Length in bytes of all the
associated data for the key token: 30 - 349. |
034 |
01 |
Length in bytes of the optional
key label (kl): 0 or 64. |
035 |
01 |
Length in bytes of the optional
IBM extended associated data (iead): 0. |
036 |
01 |
Length in bytes of the optional
user-definable associated data (uad): 0 - 255. |
037 |
01 |
Reserved, binary zero. |
038 |
02 |
Length in bits of the
wrapped payload (pl): 0, 512 - 4096.
- For no key-wrapping method (no key present), pl is 0.
- For PKOAEP2 encoded payloads, pl is the length in bits
of the modulus size of the RSA key used to wrap the payload. This
can be 512 - 4096.
- For an AESKW formatted payload, pl is based on the key
size of the algorithm type and the payload format version:
- AES algorithm (value at offset 41 is X'02')
|
040 |
01 |
Reserved, binary zero. |
041 |
01 |
Algorithm type (algorithm for
which the key can be used):
- Value
- Meaning
- X'02'
- AES
All unused values are reserved and undefined. |
042 |
02 |
Key type (general class of
the key):
- Value
- Meaning
- X'0003'
- EXPORTER
- X'0004'
- IMPORTER
All unused values are reserved and undefined. |
044 |
01 |
Key usage fields count (kuf):
4. Key-usage field information defines restrictions on the use of
the key. For key type EXPORTER, see AES EXPORTER Key Token Build2 keywords
(Figure 3). For
key type IMPORTER, see AES IMPORTER Key Token Build2 keywords
(Figure 4). Each
key-usage field is 2 bytes in length. The value in this field indicates
how many 2-byte key usage fields follow. |
045 (1 of 2) |
01 |
Key-usage field 1, high-order
byte (KEK control). The meaning is determined by the key type (value
at offset 42). The key type can be EXPORTER or IMPORTER. EXPORTER (value at offset 42 is X'0003')
- Value
- Meaning
- B'1xxx xxxx'
- Key can be used to export a key (EXPORT).
- B'0xxx xxxx'
- Key cannot be used to export a key.
- B'x1xx xxxx'
- Key can be used to translate a key (TRANSLAT).
- B'x0xx xxxx'
- Key cannot be used to translate a key.
- B'xx1x xxxx'
- Key can be used by KGN2 for generating an OPEX key pair (GEN-OPEX).
- B'xx0x xxxx'
- Key cannot be used by KGN2 for generating an OPEX key pair.
- B'xxx1 xxxx'
- Key can be used by KGN2 for generating an IMEX key pair (GEN-IMEX).
- B'xxx0 xxxx'
- Key cannot be used by KGN2 for generating an IMEX key pair.
- B'xxxx 1xxx'
- Key can be used by KGN2 for generating an EXEX key pair (GEN-EXEX).
- B'xxxx 0xxx'
- Key cannot be used by KGN2 for generating an EXEX key pair.
- B'xxxx x1xx'
- Key can be used by PKG for generating an ECC public-private key
pair (GEN-PUB).
- B'xxxx x0xx'
- Key cannot be used by PKG for generating an ECC public-private
key pair (GEN-PUB).
Note: At least one defined bit must be B'1'. All
unused bits are reserved and must be zero. |
045 (2 of 2) |
01 |
IMPORTER
(value at offset 42 is X'0004')
- Value
- Meaning
- B'1xxx xxxx'
- Key can be used to import a key (IMPORT).
- B'0xxx xxxx'
- Key cannot be used to import a key.
- B'x1xx xxxx'
- Key can be used to translate a key (TRANSLAT).
- B'x0xx xxxx'
- Key cannot be used to translate a key.
- B'xx1x xxxx'
- Key can be used by KGN2 for generating an OPIM key pair (GEN-OPIM).
- B'xx0x xxxx'
- Key cannot be used by KGN2 for generating an OPIM key pair.
- B'xxx1 xxxx'
- Key can be used by KGN2 for generating an IMEX key pair (GEN-IMEX).
- B'xxx0 xxxx'
- Key cannot be used by KGN2 for generating an IMEX key pair.
- B'xxxx 1xxx'
- Key can be used by KGN2 for generating an IMIM key pair (GEN-IMIM).
- B'xxxx 0xxx'
- Key cannot be used by KGN2 for generating an IMIM key pair.
- B'xxxx x1xx'
- Key can be used by PKG for generating an ECC public-private key
pair (GEN-PUB).
- B'xxxx x0xx'
- Key cannot be used by PKG for generating an ECC public-private
key pair (GEN-PUB).
Note: At least one defined bit must be B'1'. All
unused bits are reserved and must be zero. |
046 |
01 |
Key-usage
field 1, low-order byte (user-defined
extension control). |
047 |
01 |
Key-usage
field 2, high-order byte (TR-31
wrap control):
- Value
- Meaning
- B'1xxx xxxx'
- Key can wrap or unwrap a TR-31 key (WR-TR31). Defined for future
use.
- B'0xxx xxxx'
- Key cannot wrap or unwrap a TR-31 key. Defined for future use.
All unused bits are reserved and must be zero. |
| 048 |
01 |
Key-usage
field 2, low-order byte (raw
key wrap control):
- Value
- Meaning
- B'xxxx xxx1'
- Key can wrap or unwrap a raw key (KEK-RAW). Defined for future
use.
- B'0xxx xxxx'
- Key cannot wrap or unwrap a raw key. Defined for future use.
All unused bits are reserved and must be zero. |
049 |
01 |
Key-usage
field 3, high-order byte (algorithm
wrap control):
- Value
- Meaning
- B'1xxx xxxx'
- Key can wrap or unwrap DES keys (WR-DES).
- B'0xxx xxxx'
- Key cannot wrap or unwrap DES keys.
- B'x1xx xxxx'
- Key can wrap or unwrap AES keys (WR-AES).
- B'x0xx xxxx'
- Key cannot wrap or unwrap AES keys.
- B'xx1x xxxx'
- Key can wrap or unwrap HMAC keys (WR-HMAC).
- B'xx0x xxxx'
- Key cannot wrap or unwrap HMAC keys.
- B'xxx1 xxxx'
- Key can wrap or unwrap RSA keys (WR-RSA).
- B'xxx0 xxxx'
- Key cannot wrap or unwrap RSA keys.
- B'xxxx 1xxx'
- Key can wrap or unwrap ECC keys (WR-ECC).
- B'xxxx 0xxx'
- Key cannot wrap or unwrap ECC keys.
Note: At least one defined bit must be B'1'. All
unused bits are reserved and must be zero. |
050 |
01 |
Key-usage
field 3, low-order byte (reserved). All
bits are reserved and must be zero. |
051 |
01 |
Key-usage
field 4, high-order byte (class
wrap control).
- Value
- Meaning
- B'1xxx xxxx'
- Key can wrap or unwrap data class keys (WR-DATA).
- B'0xxx xxxx'
- Key cannot wrap or unwrap data class keys.
- B'x1xx xxxx'
- Key can wrap or unwrap KEK class keys (WR-KEK).
- B'x0xx xxxx'
- Key cannot wrap or unwrap KEK class keys.
- B'xx1x xxxx'
- Key can wrap or unwrap PIN class keys (WR-PIN).
- B'xx0x xxxx'
- Key cannot wrap or unwrap PIN class keys.
- B'xxx1 xxxx'
- Key can wrap or unwrap derivation class keys (WRDERIVE).
- B'xxx0 xxxx'
- Key cannot wrap or unwrap derivation class keys.
- B'xxxx 1xxx'
- Key can wrap or unwrap card class keys (WR-CARD).
- B'xxxx 0xxx'
- Key cannot wrap or unwrap card class keys.
- B'xxxx x1xx'
- Key can wrap or unwrap cryptovariable class keys (WR-CVAR). Undefined
in releases before Release 4.4.
- B'xxxx x0xx'
- Key cannot wrap or unwrap cryptovariable class keys. Undefined
in releases before Release 4.4.
Note: At least one defined bit must be B'1'. All
unused values are reserved and undefined. |
052 |
01 |
Key-usage
field 4, low-order byte (reserved). All
bits are reserved and must be zero. |
053 |
01 |
Key management fields count
(kmf): 3. Key-management field information describes how the
data is to be managed or helps with management of the key material. For
key type EXPORTER, see AES EXPORTER Key Token Build2 keywords
(Figure 3). For
key type IMPORTER, see AES IMPORTER Key Token Build2 keywords
(Figure 4). Each
key-management field is 2 bytes in length. The value in this field
indicates how many 2-byte key management fields follow. |
054 |
01 |
Key-management field 1, high-order
byte (symmetric-key export control). |
055 |
01 |
Key-management field 1, low-order
byte (export control by algorithm). |
056 |
01 |
Key-management field 2, high-order
byte (key completeness). |
057 |
01 |
Key-management field 2, low-order
byte (security history). |
058 |
01 |
Key-management field 3, high-order
byte (pedigree original). |
059 |
01 |
Key-management field 3, low-order
byte (pedigree current). |
060 |
kl |
Optional key label. |
060 + kl |
iead |
Optional IBM extended associated
data (unused). |
060 + kl + iead |
uad |
Optional user-defined associated
data. |
End of associated
data section |
Optional wrapped
AESKW formatted payload or wrapped PKOAEP2 encoded payload (no payload
if no key present) |
060 + kl + iead + uad |
(pl + 7) / 8 |
Contents of payload (pl is
in bits) depending on the encrypted section key-wrapping method
(value at offset 26): |
| Value at offset 26 |
Encrypted section key-wrapping method |
Meaning |
| X'02' |
AESKW |
An encrypted payload which the Segment 2 code creates by
wrapping the unencrypted AESKW formatted payload. The payload is made
up of the integrity check value, pad length, length of hash options
and hash, hash options, hash of the associated data, key material,
and padding. The key token is internal. |
| X'03' |
PKOAEP2 |
An encrypted PKOAEP2 encoded payload created using the RSAES-OAEP
scheme of the PKCS #1 v2.1 standard. The message M is encoded
for a given hash algorithm using the Bellare and Rogaway Optimal Asymmetric
Encryption Padding (OAEP) method for encoding messages. For PKAOEP2,
M is defined as follows: M = [32 bytes: hAD]
∥ [2 bytes: bit length of the clear key] ∥ [clear
key] where hAD is the message digest of the associated
data, and is calculated using the SHA-256 algorithm starting
at offset 30 for the length in bytes of all the associated
data for the key token (length value at offset 32). The encoded message
is wrapped with an RSA public-key according to the standard.
The key token is external. |
End of optional
wrapped AESKW formatted payload or wrapped PKAOEP2 encoded payload |
End of AESKW or
PKOAEP2 components |
Note: All numbers
are in big endian format. |