PKA key token

A PKA key token is a variable length field (maximum allowed size is 8000 bytes) composed of key value and control information.

PKA keys can be either public or private RSA, ECC, or post-quantum cryptography (PQC) keys. PQC keys are CRYSTALS-Dilithium, CRYSTALS-Kyber, ML-KEM, or pure or pre-hash ML-DSA keys. Each key token is one of three kinds, distinguished by the first byte of the key identifier: an internal key token (first byte X'1F'), an external key token (first byte X'1E'), or a null PKA private key token (first byte X'00').

For descriptions of the PKA key tokens and for debugging information, see Key token formats.

Internal key token

An internal key token is a token that can be used only on the system that created it or another system with the same PKA master key.

It contains a key that is encrypted under the PKA master key.

An application obtains an internal key token by using verbs such as those listed below. The verbs are described in detail in Managing PKA cryptographic keys.
  • PKA Key Generate
  • PKA Key Import

The PKA Key Token Change verb can re-encipher private internal tokens from encryption under the old ASYM-MK to encryption under the current ASYM-MK. PKA key storage Re-encipher/Activate options are available to re-encipher RSA and ECC internal tokens in the PKA key storage when the SYM-MK/ASYM-MK (or APKA-MK) keys are changed.

PKA master keys cannot be changed dynamically.

External key token

If the first byte of the key identifier is X'1E', the key identifier is interpreted as an external key token.

An external PKA key token contains (possibly encrypted) key information and control information. By using the external key token, you can exchange keys between systems.

An application obtains an external key token by using verbs such as those listed below. They are described in detail in Managing PKA cryptographic keys.

  • PKA Public Key Extract
  • PKA Key Token Build
  • PKA Key Generate

Null key token

If the first byte of the key identifier is X'00', the key identifier is interpreted as a null key token.
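The three sections above describe how the token kind is read from the first byte of the key identifier and that an internal token is bound to the PKA master key of the system that created it. The following is an added example, not code from the IBM documentation or the CCA library: a pre-flight check an application could run before handing a token to a verb or sending it to another system. It uses only the identifier values and the 8000-byte maximum stated on this page; the sample tokens are constructed, and everything after their first byte is filler rather than a real token layout.

```python
"""Pre-flight classification of PKA key tokens (added example).

Uses only what the page states: byte 0 of the key identifier selects the
token kind (X'1F' internal, X'1E' external, X'00' null) and a PKA key token
is at most 8000 bytes long.  The sample tokens are constructed; bytes after
the first are filler, not a real CCA token layout.
"""

MAX_PKA_TOKEN_LEN = 8000  # maximum PKA key token size stated on the page

# token identifier (first byte of the key identifier) -> token kind
TOKEN_KINDS = {
    0x1F: "internal",  # usable only with the creating system's PKA master key
    0x1E: "external",  # intended for exchanging keys between systems
    0x00: "null",      # null PKA private key token
}


def pka_token_kind(token: bytes) -> str:
    """Return the kind of a raw PKA key token.

    Raises ValueError when the token is empty, exceeds the maximum size,
    or carries an identifier byte this page does not define.
    """
    if not token:
        raise ValueError("empty PKA key token")
    if len(token) > MAX_PKA_TOKEN_LEN:
        raise ValueError(
            f"PKA key token is {len(token)} bytes; maximum is {MAX_PKA_TOKEN_LEN}"
        )
    try:
        return TOKEN_KINDS[token[0]]
    except KeyError:
        raise ValueError(f"unknown PKA token identifier X'{token[0]:02X}'") from None


def check_token_for_exchange(token: bytes) -> tuple:
    """Decide whether a token may be sent to another system.

    Only external tokens are meant for exchange.  An internal token is bound
    to the PKA master key of the system that created it, and a null token
    carries no key.  Returns (accepted, reason) so the decision can be logged.
    """
    try:
        kind = pka_token_kind(token)
    except ValueError as exc:
        return False, str(exc)
    if kind == "external":
        return True, "external token"
    return False, f"{kind} token is not exchangeable"


def triage(tokens: dict) -> dict:
    """Run the exchange check over a batch of named tokens."""
    return {name: check_token_for_exchange(tok) for name, tok in tokens.items()}


# Constructed sample tokens: only the first byte is meaningful.
SAMPLE_TOKENS = {
    "internal": bytes([0x1F]) + b"\x00" * 15,
    "external": bytes([0x1E]) + b"\x00" * 15,
    "null": bytes([0x00]) + b"\x00" * 7,
    "oversized": bytes([0x1E]) + b"\x00" * 8000,  # 8001 bytes, over the limit
    "unknown": bytes([0x42]) + b"\x00" * 15,      # identifier not defined on the page
}


if __name__ == "__main__":
    for name, (accepted, reason) in triage(SAMPLE_TOKENS).items():
        verdict = "accept" if accepted else "reject"
        print(f"{name:10s} {verdict:7s} {reason}")
```

The size check runs before the identifier lookup so that an oversized buffer is rejected regardless of its first byte; an unknown identifier is reported as an error rather than silently treated as one of the three kinds.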

Compliant-tagged key tokens

A compliant-tagged key token must adhere to the requirements of the PCI-HSM 2016 compliance mode. A coprocessor in compliance mode must be available to use compliant-tagged key tokens. For additional information, read Using verbs and applications in PCI-HSM 2016 compliance mode.

RSA

The compliant-tag is indicated by a flag in the private key section of the key token. For more information about the compliant-tag, see Key token formats.

To generate a compliant-tagged key token, the PKA Key Token Build (CSNDPKB) verb must first be used to build a skeleton token with the compliant-tag flag on. This skeleton token can then be passed to any callable service that generates RSA key tokens and supports compliant-tagged key tokens, for example PKA Key Generate (CSNDPKG). A list of services that support compliant-tagged key tokens can be found in Impact of the PCI-HSM 2016 compliance mode on the callable verbs.

The PKA Key Import (CSNDPKI) service is the exception because it does not support skeleton tokens as input. When importing a PKA key, if the key encrypting key is compliant-tagged, the resulting key is also compliant-tagged. For more information, see the verb description.