Diversified Key Generate2 (CSNBDKG2)
The Diversified Key Generate2 service generates an AES key based on a function of a key-generating key, the process rule, and data that you supply.
To use this service, specify:
- the rule array keyword to select the diversification process
- the operational AES key-generating key from which the diversified keys are generated:
  - Key usage field 1 determines the type of key that is generated and restricts the use of this key to the key-diversification process.
  - Key usage field 2 contains a flag that determines how key usage fields 3 through 6 control the key usage fields of the generated key.
    - When the flag is on, the key usage fields of the DKYGENKY must be equal to the key usage fields of the generated key (KUF-MBE, meaning: key usage fields must be equal).
    - When the flag is off, the key usage fields of the DKYGENKY limit the values of the key usage fields of the generated key (KUF-MBP, meaning: key usage fields must be permitted).
    For the service to be valid, the generated key cannot have a usage that is not enabled in the DKYGENKY key. The UDX-ONLY bit is always treated as must be equal.
  - Key usage fields 3 through 6 in the key-generating key indicate the key usage attributes for the key to be generated. The only exception to this rule is when the type of key to diversify is D-ALL.
- the data and length of data used in the diversification process
- the AES key token with a suitable key usage field for receiving the diversified key.
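The KUF-MBE / KUF-MBP comparison between the DKYGENKY and the key to be generated, written out as an added example (not CCA code and not the service's actual implementation). The page gives no key-token bit layout, so key usage fields 3 through 6 are modelled as four 16-bit masks and the UDX-ONLY bit is assumed to sit at bit 15 of field 3; the D-ALL exception is not modelled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of key usage fields 3..6: one 16-bit mask each.
 * The UDX-ONLY bit position is an assumption for illustration only. */
#define NUM_KUF        4        /* key usage fields 3, 4, 5, 6 */
#define UDX_ONLY_FIELD 0        /* field 3 in this model */
#define UDX_ONLY_MASK  0x8000u  /* assumed bit position of UDX-ONLY */

/* Key usage field 2 flag: on = KUF-MBE, off = KUF-MBP. */
typedef enum { KUF_MBP = 0, KUF_MBE = 1 } kuf_mode_t;

/* Returns true if a key whose fields 3..6 are `gen` may be produced from a
 * DKYGENKY whose fields 3..6 are `dky`:
 *   KUF-MBE: each field must be identical.
 *   KUF-MBP: every usage bit enabled in the generated key must also be
 *            enabled in the DKYGENKY (a subset test).
 *   UDX-ONLY is compared for equality in both modes. */
bool kuf_check(kuf_mode_t mode, const uint16_t dky[NUM_KUF], const uint16_t gen[NUM_KUF])
{
    for (int i = 0; i < NUM_KUF; i++) {
        if (mode == KUF_MBE) {
            if (dky[i] != gen[i]) return false;
        } else if ((gen[i] & ~dky[i]) != 0) {   /* usage not enabled in DKYGENKY */
            return false;
        }
    }
    /* The UDX-ONLY bit is always treated as must-be-equal. */
    return (dky[UDX_ONLY_FIELD] & UDX_ONLY_MASK) == (gen[UDX_ONLY_FIELD] & UDX_ONLY_MASK);
}

int main(void)
{
    /* Constructed sample usage fields for a DKYGENKY and two candidate keys. */
    const uint16_t dky[NUM_KUF] = { 0x0030, 0x0000, 0x00C0, 0x0001 };
    const uint16_t ok[NUM_KUF]  = { 0x0010, 0x0000, 0x0080, 0x0001 }; /* subset of dky */
    const uint16_t bad[NUM_KUF] = { 0x0010, 0x0000, 0x0180, 0x0001 }; /* 0x0100 not enabled */

    printf("KUF-MBP, subset:    %s\n", kuf_check(KUF_MBP, dky, ok)  ? "permitted" : "rejected");
    printf("KUF-MBP, extra bit: %s\n", kuf_check(KUF_MBP, dky, bad) ? "permitted" : "rejected");
    printf("KUF-MBE, subset:    %s\n", kuf_check(KUF_MBE, dky, ok)  ? "permitted" : "rejected");
    printf("KUF-MBE, identical: %s\n", kuf_check(KUF_MBE, dky, dky) ? "permitted" : "rejected");
    return 0;
}
```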
Note: This verb supports PCI-HSM 2016 compliant-tagged key tokens.