PKA key tokens
PKA key tokens contain RSA, ECC, or QSA private or public keys. A PKA key token is one of the following types:
- A public key token
- A private external key token
- A private internal key token
| Section | Public external key token | Private external key token | Private internal key token |
|---|---|---|---|
| Header | X | X | X |
| RSA, ECC, or QSA private key information | | X | X |
| RSA, ECC, or QSA public key information | X | X | X |
| Key name (optional, RSA or QSA only) | | X | X |
| Internal information | | | X |
As with DES key tokens, the first byte of a PKA key token contains the token identifier, which indicates the type of token.
A first byte of X'1E' indicates an external token with a cleartext public key and optionally a private key that is either in cleartext or enciphered by a transport key-encrypting key. An external key token is in importable key form. It can be sent on the link.
A first byte of X'1F' indicates an internal token with a cleartext public key and a private key that is enciphered by the PKA master key and ready for internal use. An internal key token is in operational key form. A PKA private key token must be in operational form for the coprocessor to use it. (PKA public key tokens are used directly in the external form.)
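The following Python sketch is an added example, not code from the product documentation. It classifies a token by the identifier byte described above and refuses to release anything but a well-formed external token for transmission. The function names are hypothetical, and the header layout beyond the first byte (version byte, 2-byte big-endian total length, 4 reserved bytes) is an assumption that this page does not state.

```python
from dataclasses import dataclass, field

# Token identifiers stated on this page.
EXTERNAL, INTERNAL = 0x1E, 0x1F
FORMS = {EXTERNAL: "external (importable)", INTERNAL: "internal (operational)"}

# Assumed header layout (not given on this page): byte 0 identifier,
# byte 1 version, bytes 2-3 big-endian total token length, bytes 4-7 reserved.
HEADER_LEN = 8

@dataclass
class TokenInfo:
    form: str
    declared_len: int
    problems: list = field(default_factory=list)

def inspect_pka_token(token: bytes) -> TokenInfo:
    """Classify a PKA key token by its first byte and sanity-check the header."""
    if len(token) < HEADER_LEN:
        return TokenInfo("unknown", 0, ["shorter than the assumed 8-byte header"])
    info = TokenInfo(FORMS.get(token[0], "unknown"),
                     int.from_bytes(token[2:4], "big"))
    if token[0] not in FORMS:
        info.problems.append(f"unexpected token identifier X'{token[0]:02X}'")
    if info.declared_len != len(token):
        info.problems.append(
            f"declared length {info.declared_len} != actual {len(token)}")
    return info

def may_send_on_link(token: bytes) -> bool:
    """Release only well-formed external tokens; an internal token holds a
    private key enciphered under the PKA master key for internal use."""
    info = inspect_pka_token(token)
    return token[:1] == bytes([EXTERNAL]) and not info.problems

def make_sample(identifier: int, body_len: int = 24) -> bytes:
    """Constructed sample token: assumed header plus zero-filled filler body."""
    total = HEADER_LEN + body_len
    return bytes([identifier, 0x00]) + total.to_bytes(2, "big") + bytes(4 + body_len)

if __name__ == "__main__":
    for ident in (EXTERNAL, INTERNAL, 0x01):
        tok = make_sample(ident)
        print(f"X'{ident:02X}'", inspect_pka_token(tok), may_send_on_link(tok))
```

The identifier byte alone does not show whether the private key in an external token is in cleartext or enciphered under a transport key-encrypting key, so a check like this complements, and does not replace, inspection of the private key section.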