Diversified Key Generate2 (CSNBDKG2)

The Diversified Key Generate2 service generates an AES key based on a function of a key-generating key, the process rule, and data that you supply.

To use this service, specify:

  • the rule array keyword to select the diversification process
  • the operational AES key-generating key from which the diversified keys are generated:
    • Key usage field 1 determines the type of key that is generated and restricts the use of this key to the key-diversification process.
    • Key usage field 2 contains a flag to determine how key usage fields 3 through 6 control the key usage fields of the generated key.
      • When the flag is on, the key usage fields of the DKYGENKY must be equal to the key usage fields of the generated key (KUF-MBE, meaning: key usage fields must be equal).
      • When the flag is off, the key usage fields of the DKYGENKY limit the values of the key usage fields of the generated key (KUF-MBP, meaning: key usage fields must be permitted).

      For the service to be valid, the generated key cannot have a usage that is not enabled in the DKYGENKY key. The UDX-ONLY bit is always treated as must be equal.

    • Key usage fields 3 through 6 in the key generating key indicate the key usage attributes for the key to be generated. The only exception to this rule is when the type of key to diversify is D-ALL.
  • the data and length of data used in the diversification process
  • the AES key token with a suitable key usage field for receiving the diversified key

Note: This verb supports PCI-HSM 2016 compliant-tagged key tokens.
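As an added illustration of the KUF-MBE / KUF-MBP control described above, the following C model checks whether a generated key's usage fields 3 through 6 are acceptable under the DKYGENKY's usage fields. This is example code written for this page, not code from the CCA library or from the service itself. The 16-bit width of each field, the bit position of the key-usage-field-2 flag, and the bit position of UDX-ONLY in field 3 are assumptions chosen for the example, not CCA's actual token layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bit positions (constructed for this example, not CCA's real layout). */
#define KUF2_MUST_BE_EQUAL 0x0001u /* flag in key usage field 2 selecting KUF-MBE */
#define UDX_ONLY_BIT       0x8000u /* UDX-ONLY flag, assumed to live in field 3 */

/* Key usage fields 3..6, each modelled as a 16-bit mask of enabled usages. */
typedef struct {
    uint16_t kuf[4]; /* kuf[0] = field 3, ..., kuf[3] = field 6 */
} usage_fields;

/*
 * Returns true when the generated key's usage is acceptable:
 *  - KUF-MBE (flag on):  each field of the generated key must equal the DKYGENKY's.
 *  - KUF-MBP (flag off): each usage enabled in the generated key must also be
 *                        enabled in the DKYGENKY (subset check).
 *  - UDX-ONLY is always compared as must-be-equal, whichever mode is selected.
 */
bool usage_permitted(uint16_t dkygenky_kuf2,
                     const usage_fields *dkygenky,
                     const usage_fields *generated)
{
    bool must_be_equal = (dkygenky_kuf2 & KUF2_MUST_BE_EQUAL) != 0;

    for (int i = 0; i < 4; i++) {
        uint16_t d = dkygenky->kuf[i];
        uint16_t g = generated->kuf[i];
        if (must_be_equal) {
            if (g != d)
                return false;          /* KUF-MBE: exact match required */
        } else if ((g & (uint16_t)~d) != 0) {
            return false;              /* KUF-MBP: a usage not enabled in the DKYGENKY */
        }
    }

    /* UDX-ONLY is treated as must-be-equal regardless of the field 2 flag. */
    if ((generated->kuf[0] & UDX_ONLY_BIT) != (dkygenky->kuf[0] & UDX_ONLY_BIT))
        return false;

    return true;
}

/* Runs a few constructed cases and returns how many behaved as expected (5 means all). */
int run_examples(void)
{
    usage_fields dky     = {{0x00F0, 0x0001, 0x0000, 0x0000}}; /* DKYGENKY, no UDX-ONLY */
    usage_fields subset  = {{0x0030, 0x0001, 0x0000, 0x0000}}; /* fewer usages than DKYGENKY */
    usage_fields extra   = {{0x0130, 0x0001, 0x0000, 0x0000}}; /* 0x0100 not enabled in DKYGENKY */
    usage_fields udx     = {{0x8030, 0x0001, 0x0000, 0x0000}}; /* UDX-ONLY set, DKYGENKY's is not */
    int ok = 0;

    ok += usage_permitted(0, &dky, &subset) == true;                 /* MBP: subset allowed   */
    ok += usage_permitted(0, &dky, &extra)  == false;                /* MBP: extra usage      */
    ok += usage_permitted(0, &dky, &udx)    == false;                /* MBP: UDX-ONLY differs */
    ok += usage_permitted(KUF2_MUST_BE_EQUAL, &dky, &dky)    == true;  /* MBE: identical      */
    ok += usage_permitted(KUF2_MUST_BE_EQUAL, &dky, &subset) == false; /* MBE: not identical  */
    return ok;
}

int main(void)
{
    printf("%d of 5 constructed cases behaved as expected\n", run_examples());
    return 0;
}
```

The subset test `(g & ~d) == 0` is the whole of the KUF-MBP rule: a generated key may drop usages the DKYGENKY enables, but may never add one. The separate UDX-ONLY comparison is what makes that bit behave as must-be-equal even in KUF-MBP mode, where the plain subset test would let a generated key clear it.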