PKA key tokens

PKA key tokens contain RSA, ECC, or QSA private or public keys.

PKA tokens are variable length because they contain either RSA, ECC, or QSA key values, which are variable in length. Consequently, length parameters precede all PKA token parameters. The maximum allowed size is 8000 bytes. PKA key tokens consist of a token header, any required sections, and any optional sections. Optional sections depend on the token type. PKA key tokens can be public or private, and private key tokens can be internal or external. Therefore, there are three basic types of tokens, each of which can contain either RSA, ECC, or QSA information:
  • A public key token
  • A private external key token
  • A private internal key token
Public key tokens contain only the public key. Private key tokens contain the public and private key pair. Table 1 summarizes the sections in each type of token.
Table 1. Summary of PKA key token sections

Section                                    Public external   Private external   Private internal
                                           key token         key token          key token
Header                                     X                 X                  X
RSA, ECC, or QSA private key information                     X                  X
RSA, ECC, or QSA public key information    X                 X                  X
Key name (optional, RSA or QSA only)                         X                  X
Internal information                                                            X

As with DES key tokens, the first byte of a PKA key token contains the token identifier, which indicates the type of token.

A first byte of X'1E' indicates an external token with a cleartext public key and optionally a private key that is either in cleartext or enciphered by a transport key-encrypting key. An external key token is in importable key form. It can be sent on the link.

A first byte of X'1F' indicates an internal token with a cleartext public key and a private key that is enciphered by the PKA master key and ready for internal use. An internal key token is in operational key form. A PKA private key token must be in operational form for the coprocessor to use it. (PKA public key tokens are used directly in the external form.)
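The following is an added illustration, not IBM code, of how an application can check a PKA key token before handing it to the coprocessor: it reads the token identifier byte to tell an external (importable) token from an internal (operational) one, rejects anything over the 8000-byte maximum, and cross-checks the declared length against the buffer. The identifiers X'1E' and X'1F' and the 8000-byte limit come from the text above; the 8-byte header layout (version at byte 1, big-endian token length at bytes 2-3) and the sample tokens are assumptions constructed for the example.

```python
"""Classify a CCA PKA key token by its token identifier byte (added example).

Assumed header layout (not stated on the page):
  byte 0     token identifier: X'1E' external, X'1F' internal
  byte 1     version, assumed X'00'
  bytes 2-3  total token length in bytes, big-endian
  bytes 4-7  reserved
"""
import struct
from dataclasses import dataclass

PKA_MAX_TOKEN_LEN = 8000      # maximum allowed PKA token size (from the text)
TOKEN_ID_EXTERNAL = 0x1E      # external token: cleartext public key, importable form
TOKEN_ID_INTERNAL = 0x1F      # internal token: private key under PKA master key
HEADER_LEN = 8                # assumption: 8-byte token header


@dataclass(frozen=True)
class PkaTokenInfo:
    kind: str            # "external" or "internal"
    key_form: str        # "importable" or "operational"
    declared_len: int    # length field from the header


def classify_pka_token(token: bytes) -> PkaTokenInfo:
    """Validate the header of a PKA key token and report its type.

    Raises ValueError for tokens that are too short, too long, carry an
    identifier that is not a PKA token, or whose length field disagrees
    with the buffer actually received.
    """
    if len(token) < HEADER_LEN:
        raise ValueError("token shorter than the header")
    if len(token) > PKA_MAX_TOKEN_LEN:
        raise ValueError(f"token exceeds {PKA_MAX_TOKEN_LEN}-byte PKA maximum")

    token_id = token[0]
    if token_id == TOKEN_ID_EXTERNAL:
        kind, key_form = "external", "importable"
    elif token_id == TOKEN_ID_INTERNAL:
        kind, key_form = "internal", "operational"
    else:
        raise ValueError(f"not a PKA key token: identifier X'{token_id:02X}'")

    # Assumed: length field at offset 2, big-endian, covers the whole token.
    declared_len = struct.unpack_from(">H", token, 2)[0]
    if declared_len != len(token):
        raise ValueError(
            f"length field {declared_len} does not match buffer size {len(token)}"
        )
    return PkaTokenInfo(kind, key_form, declared_len)


def private_key_usable_by_coprocessor(token: bytes) -> bool:
    """A PKA private key must be in operational (internal) form for use;
    an external token must first be imported under the PKA master key."""
    return classify_pka_token(token).kind == "internal"


def build_sample_token(token_id: int, body: bytes) -> bytes:
    """Construct a token with the assumed 8-byte header and a dummy body.
    The body is filler for the example, not real key material."""
    total = HEADER_LEN + len(body)
    if total > PKA_MAX_TOKEN_LEN:
        raise ValueError("sample exceeds PKA maximum")
    header = bytes([token_id, 0x00]) + struct.pack(">H", total) + bytes(4)
    return header + body


# Constructed sample tokens for demonstration.
SAMPLE_EXTERNAL = build_sample_token(TOKEN_ID_EXTERNAL, b"\x00" * 40)
SAMPLE_INTERNAL = build_sample_token(TOKEN_ID_INTERNAL, b"\x00" * 40)

if __name__ == "__main__":
    for name, tok in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)):
        info = classify_pka_token(tok)
        print(name, info, "usable:", private_key_usable_by_coprocessor(tok))
```

The length cross-check matters because every section that follows the header is located through length parameters, so a token whose declared length disagrees with the bytes actually received should be rejected before any section is interpreted.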