General format of a variable-length symmetric key-token
View a table showing the general format of a variable-length symmetric key-token.
| Offset (bytes) | Length (bytes) | Description | ||
|---|---|---|---|---|
| Header | ||||
| 000 | 01 | Token identifier:
All unused values are reserved and undefined. |
||
| 001 | 01 | Reserved, binary zero. | ||
| 002 | 02 | Length in bytes of the overall token structure. For a null
key-token, the value is 8. Otherwise, the length is calculated as: 46 + (2 * kuf) + (2 * kmf) + kl + iead + uad + tlvs + ((pl + 7) / 8)
|
||
| 004 | 01 | Token version number (identifies the format of this key
token):
|
||
| 005 | 03 | Reserved, binary zero. | ||
| End of header | ||||
| Wrapping information section (all data related to wrapping the key) | ||||
| 008 | 01 | Key material state:
All unused values are reserved and undefined. |
||
| 009 | 01 | Key verification pattern (KVP) type:
All unused values are reserved and undefined. |
||
| 010 | 16 | This field has different meanings for
compliant-tagged and non-compliant tagged key tokens.
1. Non-compiant tagged key tokens: KVP of the key used to wrap the payload
(value depends on value of key material state, that is, the value at offset 8):
2. Compliant -tagged key tokens: 5 bytes of the AES MKVP followed by 3 bytes of internal compliance information. Values are left justified. |
||
| 026 | 01 | Encrypted section key-wrapping method (indicates the
key-wrapping method used to protect the data in the encrypted section):
All unused values are reserved and undefined. |
||
| 027 | 01 | Hash algorithm used for wrapping key or encoding message.
Meaning depends on whether the encrypted section key-wrapping method (value at offset 26) is no
key-wrapping method, AESKW, or PKOAEP2: No key-wrapping method (value at offset 26 is X'00') Hash algorithm used for wrapping key when encrypted section key-wrapping method is no key-wrapping method:
All unused values are reserved and undefined. The key token is external or internal. AESKW key-wrapping method (value at offset 26 is X'02') Hash algorithm used for wrapping key when encrypted section key-wrapping method is AESKW. The value indicates the algorithm used to calculate the message digest of the associated data. The message digest is included in the wrapped payload and is calculated starting at offset 30 for the length in bytes of all the associated data for the key token (length value at offset 32).
All unused values are reserved and undefined. The key token is external or internal. PKOAEP2 key-wrapping method (value at offset 26 is X'03') Hash algorithm used for encoding message when encrypted section key-wrapping method is PKOAEP2. The value indicates the given hash algorithm used for encoding message M using the RSAES-OAEP scheme of the RSA PKCS #1 v2.1 standard.
All unused values are reserved and undefined. The key token is external. |
||
| 028 | 01 | Payload format version (identifies format of the payload):
All unused values are reserved and undefined. |
||
| 029 | 01 | Reserved, binary zero. | ||
|
End of wrapping information section |
||||
|
Clear key, AESKW, or PKOAEP2 components: (1) associated data sections and (2) optional clear key payload, wrapped AESKW formatted payload, or wrapped PKOAEP2 encoded payload (no payload if no key present) |
||||
| Associated data sections: (1) required associated data section and (2) optional associated data sections | ||||
| Required associated data section | ||||
| 030 | 01 |
Associated data section version:
|
||
| 031 | 01 | Reserved, binary zero. | ||
| 032 | 02 | Length in bytes of all the associated data for the key token (adl): ≥ 16. | ||
| 034 | 01 | Length in bytes of the optional key label (kl): 0 or 64. | ||
| 035 | 01 | Length in bytes of the optional IBM extended associated data (iead): 0 - 255. | ||
| 036 | 01 | Length in bytes of the optional user-definable associated data (uad): 0 - 255. | ||
| 037 | 01 | Reserved, binary zero. | ||
| 038 | 02 | Length in bits of the clear or wrapped payload
(pl): ≥ 0.
HMAC algorithm (value at offset 41 is X'03'). An HMAC key can have a length of 80 - 2048 bits. An HMAC key in an AESKW formatted payload is always wrapped with a V0 payload. |
||
| 040 | 01 | Reserved, binary zero. | ||
| 041 | 01 | Type of algorithm for which the key can be used:
All unused values are reserved and undefined. |
||
| 042 | 02 | Key type (general class of the key): For algorithm AES:
For algorithm HMAC:
For algorithm DES:
All unused values are reserved and undefined. |
||
| 044 | 01 | Key usage fields count (kuf): 0 - 255. Key-usage field
information defines restrictions on the use of the key. Each key type can have a variable number of key usage fields from none to a maximum of 255. Each key-usage field is 2 bytes in length. The value in this field indicates how many 2-byte key usage fields follow. |
||
| 045, for kuf > 0 | 01 | Optional key-usage field 1, high-order byte. Defined based on algorithm type (value at offset 41) and key type (value at offset 42). All unused bits are reserved and must be zero. |
||
| 046, for kuf > 0 | 01 | Optional key-usage field 1, low-order byte (user-defined
extension control):
Note: This byte is common for all key types except for DES DESUSECV in which case this byte is
reserved and must zero. All unused bits are reserved and must be zero. |
||
| 047, for kuf > 1 | 01 | Optional key-usage field 2, high-order byte. | ||
| 048, for kuf > 1 | 01 | Optional key-usage field 2, low-order byte. | ||
|
|
||||
| 043 + (2 * kuf), for kuf > 0 | 01 | Optional key-usage field kuf, high-order byte. | ||
| 044 + (2 * kuf), for kuf > 0 | 01 | Optional key-usage field kuf, low-order byte. | ||
| 045 + (2 * kuf) | 01 | Key management fields count (kmf): 0 - 255.
Key-management field information describes how the data is to be managed or helps with management of
the key material. Each key type can have a variable number of key management fields from none to a maximum of 255. Each key-management field is 2 bytes in length. The value in this field indicates how many 2-byte key management fields follow. |
||
| 046 + (2 * kuf), for kmf > 0 | 01 | Optional key-management field 1, high-order byte (export
control): Symmetric-key export control:
Unauthenticated asymmetric-key export control:
Authenticated asymmetric-key export control:
RAW-key export control:
Compliance information:
Note: This byte is common for all key types. Except for DES DESUSECV, this byte is reserved and must
zero. All unused bits are reserved and must be zero. |
||
| 047 + (2 * kuf), for kmf > 0 | 01 | Optional key-management field 1, low-order byte (export control
by algorithm): DES-key export control:
AES-key export control:
RSA-key export control:
Note: This byte is common for all key types except for DES DESUSECV in which case this byte is
undefined. All unused bits are reserved and must be zero. |
||
| 048 + (2 * kuf), for kmf > 1 | 01 | Optional key-management field 2, high-order byte (key
completeness):
Note: This byte is common for all key types except for DES DESUSECV in which case this byte is
undefined. All unused bits are reserved and must be zero. |
||
| 049 + (2 * kuf), for kmf > 1 | 01 | Optional key-management field 2, low-order byte (security
history). Used to reflect the overall history of the key, not just the history at the most recent
import or other operation.
Note: This byte is common for all key types except for DES DESUSECV in which case this byte is
undefined. All unused bits are reserved and must be zero. |
||
| 050 + (2 * kuf), for kmf > 2 | 01 | Optional key-management field 3, high-order byte (pedigree
original). Used to indicate how the key was originally created and how it got into the current
system.
Note: This byte is common for all key types except for DES DESUSECV in which case this byte is
undefined. All unused values are reserved and must be zero. |
||
| 051 + (2 * kuf), for kmf > 2 | 01 | Optional key-management field 3, low-order byte (pedigree
current). Used to indicate how the key was originally created and how it got into the current
system. Description is continued on next table row. |
||
|
Description continued for offset 051 + (2 * kuf), for kmf > 2: X'00': Unknown (PCUNKNWN). X'01': Other method than those defined here, probably used in UDX (PCOTHER). X'02': Randomly generated (PCRANDOM). X'03': Established by key agreement such as Diffie-Hellman (PCKEYAGR). X'04': Created from cleartext key components (PCCLCOMP). X'05': Entered as a cleartext key value (PCCLVAL). X'06': Derived from another key (PCDERVD). X'07': Imported from CCA Version X'05' variable-length symmetric key-token with pedigree field (PCMVARWP). X'08': Imported from CCA Version X'05' variable-length symmetric key-token with no pedigree field (PCMVARNP). X'09': Imported from CCA key-token that contained a nonzero control vector (PCMWCV). X'0A': Imported from CCA key-token that either had no control vector or contained a zero control vector (PCMNOCV). X'0B': Imported from a TR-31 key block that contained a control vector (ATTR-CV option) (PCMT31WC). X'0C': Imported from a TR-31 key block that did not contain a control vector (PCMT31NC). X'0D': Imported using PKCS 1.2 RSA encryption (PCMPK1-2). X'0E': Imported using PKCS OAEP encryption (PCMOAEP). X'0F': Imported using PKA92 RSA encryption (PCMPKA92). X'10': Imported using RSA ZERO-PAD encryption (PCMZ-PAD). X'11': Converted from a CCA key-token that contained a nonzero control vector (PCCNVTWC). X'12': Converted from a CCA key-token that either had no control vector or contained a zero control vector (PCCNVTNC). X'13': Cleartext keys or key parts that were entered at a TKE and secured from there to the target card (PCKPSEC). X'14': Exported from CCA Version X'05' variable-length symmetric key-token with pedigree field (PCXVARWP). X'15': Exported from CCA Version X'05' variable-length symmetric key-token with no pedigree field (PCXVARNP). X'16': Exported using PKCS OAEP encryption (PCXOAEP). Note: This byte is common for all key types except for DES DESUSECV in which case this byte is
undefined.
All unused values are reserved and must be zero. |
||||
|
. |
||||
| 044 + (2 * kuf) + (2 * kmf), for kmf > 0 | 01 | Optional key-usage field kmf, high-order byte. | ||
| 045 + (2 * kuf) + (2 * kmf), for kmf > 0 | 01 | Optional key-usage field kmf, low-order byte. | ||
| 046 + (2 * kuf) + (2 * kmf) | kl | Optional key label. | ||
| 046 + (2 * kuf) + (2 * kmf) + kl | iead | Optional IBM extended associated data. | ||
| 046 + (2 * kuf) + (2 * kmf) + kl + iead | uad | Optional user-defined associated data. | ||
| End of required associated data section | ||||
| Optional associated data sections (defined for future use) | ||||
| Optional tag-length-value (TLV) fields. The length of tlvn is in bytes and is calculated as follows: tlvn = size of TLVn tag + size of tlvn length field + size of the TLV n value in bytes for n > 0, where n = number of TLV fields. The summation of TLV lengths is in bytes and is calculated as follows:
for n > 0, where n = number of TLV fields. For n = 0, tlvs = 0. |
||||
| 046 + (2 * kuf) + (2 * kmf) + kl + iead + uad, for tlv1 > 0 | 01 | Optional tag-length-value 1 (TLV1) tag. | ||
| 047 + (2 * kuf) + (2 * kmf) + kl + iead + uad, for tlv1 > 0 | 02 | Optional TLV1 length: tlv1. | ||
| 049 + (2 * kuf) + (2 * kmf) + kl + iead + uad, for tlv1 > 0 | tlv1 - 3 | Optional TLV1 value. | ||
| 046 + (2 * kuf) + (2 * kmf) + kl + iead + uad + tlv1, for n > 1 | 01 | Optional tag-length-value 2 (TLV2) tag. | ||
| 047 + (2 * kuf) + (2 * kmf) + kl + iead + uad + tlv1, for n > 1 | 02 | Optional TLV2 length: tlv2. | ||
| 049 + (2 * kuf) + (2 * kmf) + kl + iead + uad + tlv1, for n > 1 | tlv2 - 3 | Optional TLV2 value. | ||
|
|
||||
| 046 + (2 * kuf) + (2 * kmf) + kl + iead + uad + tlvs - tlv n, for n > 0 | 01 | Optional TLVn tag. | ||
| 047 + (2 * kuf) + (2 * kmf) + kl + iead + uad + tlvs - tlv n, for n > 0 | 02 | Optional TLVn length: tlv n | ||
| 049 + (2 * kuf) + (2 * kmf) + kl + iead + uad + tlvs - tlv n, for n > 0 | tlv n - 3 | Optional TLVn value. | ||
| End of TLV fields | ||||
| End of optional associated data sections | ||||
| End of associated data sections | ||||
| Optional clear key payload, wrapped AESKW formatted payload, or wrapped PKOAEP2 encoded payload (no payload if no key present) | ||||
|
046 + (2 * kuf) + (2 * kmf) + kl + iead + uad + tlvs |
(pl + 7) / 8 |
Contents of payload (pl is in bits) depending on the encrypted section key-wrapping method (value at offset 26): | ||
| Value at offset 26 | Encrypted section key-wrapping method | Meaning | ||
| X'00' | No key-wrapping method. Only applies when key is clear (key material state (value at offset 8) is X'01'). | Only the key material is in the payload. The key token is external or internal. | ||
| X'02' | AESKW | An encrypted AESKW payload which the Segment 2 code creates by wrapping the unencrypted AESKW formatted payload. The payload is made up of the integrity check value, pad length, length of hash options and hash, hash options, hash of the associated data, key material, and padding. The key token is external or internal. | ||
| X'03' | PKOAEP2 | An encrypted PKOAEP2 payload which the Segment 2 code creates using the RSAES-OAEP scheme of
the PKCS #1 v2.1 standard. The message M is encoded for a given hash algorithm using the
Bellare and Rogaway Optimal Asymmetric Encryption Padding (OAEP) method for encoding messages. For
PKAOEP2, M is defined as follows: M = [32 bytes: hAD] || [2 bytes: bit length of the clear key] || [clear key] where hAD is the message digest of the associated data, and is calculated using the SHA-256 algorithm starting at offset 30 for the length in bytes of all the associated data for the key token (length value at offset 32). The encoded message is wrapped with an RSA public-key according to the standard. The key token is external. |
||
| End of optional clear key payload, wrapped AESKW formatted payload, or wrapped PKOAEP2 encoded payload | ||||
| End of clear key, AESKW, or PKOAEP2 components | ||||
|
Note: All numbers are in big endian format.
|
||||