Usage notes
Usage notes for CSNBMMS.
Description of the scheme
To perform the Multi-MAC Scheme, complete the following steps:
- Generate the Base Derivation Keys (BDK).
- The KMS is used to generate two BDKs known as k-base-1 and k-base-2. These may be unique per product line, set of entities, or comply with other business needs for key separation.
- To generate k-base-1, use the Key Token Build2 (CSNBKTB2) service. Build an INTERNAL AES DKYGENKY D-MAC skeleton token with CMAC, GENERATE, and MMSAUTH1 specified in the verb_data parameter. PTR2AUTH can be optionally specified in the verb_data parameter.
- To generate k-base-2, use the CSNBKTB2 service. Build an EXTERNAL AES DKYGENKY D-MAC skeleton token with CMAC, GENERATE, and MMSAUTH2 specified in the verb_data parameter.
- Pass both key token skeletons into the Key Generate2 (CSNBKGN2) service to complete the key generation. Pass the OPEX keyword in the rule_array. Ensure that the Allow CSNBKGN2 to generate AES DKYGENKY keys with MMSAUTH1 and MMSAUTH2 and keyform OPEX for CSNBMMS access control point has been enabled.
- Select the M of N MAC Scheme parameters.
- The M of N MAC Scheme parameters are encoded in the derivation_data0 parameter in the Multi-MAC Scheme (CSNBMMS) service and the derivation_data parameter in the Diversified Key Generate2 (CSNBDKG2) service. See Table 2 for more information.
- ds: optional data that indicates the service line or another unique identifier for this derivation instance. This data must be coordinated between CSNBDKG2 and CSNBMMS.
- L: length of the MAC to be verified.
- N: total number of MAC keys that will be used, which matches the number of external entities that will generate MAC values that may be verified by CSNBMMS.
- M: the minimum number of MAC values that must verify correctly before CSNBMMS will proceed with the M of N MAC Scheme processing.
An information reason code (2717x) is returned when 1 or more MACs fail verification even though M MACs pass.
- c: the counter or N value for the MAC generation key that is being generated in that call. CSNBDKG2 derives MAC keys 1 through N, using counter values 1 - N. CSNBMMS derives MAC generation key 0 using counter value 0, used in the final phases of the M of N MAC Scheme.
Note: Other field values are possible although the format is required to be fixed for operational security. Some use cases may only require that N=2 and M=2, or that the service data portion of the derivation_data0 be much longer. While ds may be as long as needed and as supported for the key derivation algorithm, the fields L, N, M, and c are fixed in size and occupy the last four bytes of derivation_data0. The following are rules for the format of the derivation_data parameter:
- The derivation_data0 format used in CSNBMMS must be the same as the derivation_data format used in CSNBDKG2.
- The derivation_data0 and derivation_data length must conform to the minimum and maximum length rules of CSNBMMS and CSNBDKG2.
- Derive MAC generation keys from k-base-1
- The KMS or a central node is used to derive N MAC generation keys with CSNBDKG2. The derivation_data parameter value encodes the M of N MAC Scheme parameters. The counter value c must be decremented for each derived AES MAC generation key until the counter reaches 0.
- K-base-1 is passed into the generating_key_identifier parameter. The Allow CSNBDKG2 to derive keys from AES DKYGENKY keys with MMSAUTH1 attribute (X'00D1') access control point must be enabled.
Note: Multiple derivation rounds are supported through the DKYL* indication in the DKYGENKY:D-MAC key, where '*' indicates 0, 1, 2. For each DKYL* level of K-base-1, the derivation expected by CSNBMMS is as follows:
- K-base-1 is DKYL0:
- Derive MAC-generate key with M of N MAC Scheme parameter derivation_data0.
- K-base-1 is DKYL1:
- Derive DKYL0 key with M of N MAC Scheme parameter derivation_data0.
- Derive MAC-generate key with derivation_data1.
- K-base-1 is DKYL2:
- Derive DKYL1 key with M of N MAC Scheme parameter derivation_data0.
- Derive DKYL0 key with derivation_data1.
- Derive MAC-generate key with derivation_data2.
- Generate ‘M’ MAC values using AES MAC generation keys
- The M of N cooperating entities each receive an AES MAC generation key from the KMS and generate one MAC over the text data that is used. The MAC Generate2 (CSNBMGN2) service can be used to generate each MAC value.
- The M of N entities send the MAC values to the central entity that uses the CSNBMMS service. It is not necessary to indicate which counter values corresponded to the keys used to create the MAC values.
- Validate M MAC values and produce final MAC using CSNBMMS
- Once the M MAC values have been generated, the final entity calls CSNBMMS using the M of N MAC Scheme parameters:
generating_key_identifier: the token or label of k-base-2. K-base-2 would have been imported to an internal CCA key token before this.
derivation_data0: the binary string encoding the service data and M of N parameters. For more information, see Table 2.
MAC_values: a binary string containing the M count of MAC values generated in Step 4.
MAC_values_length: an integer that must be M * L representing the byte length of the MAC_values parameter.
derivation_data1: additional derivation data used for the second derivation when K-base-2 is level DKYL1 or DKYL2. See Step 3.
derivation_data2: additional derivation data used for the 3rd derivation when K-base-2 is level DKYL2. See Step 3.
text: the data over which the MAC is calculated.
- CSNBMMS will perform the following actions:
Derive N MAC verification keys from k-base-2.
Verify MAC values over the text using the N MAC verification keys. If fewer than M MAC values verify successfully, RC 4 RSN 1 is returned. If more than M, but fewer than N, MAC values verify successfully, RC 0 RSN 10007 (2717x) is returned. Failing MAC values are returned in the MAC_values parameter.
Derive AES MAC generation key with c value of 0.
Calculate and return final_MAC using the derived AES MAC generation key.
- Ensure that the Allow CSNBMMS service with KDFFM-DK access control point is enabled.
- Derive the final MAC verification key
Derive the final AES MAC verification key using k-base-1 with CSNBDKG2. CSNBDKG2 will only derive an AES MAC verification key when counter c is 0 in the derivation_data parameter.
- Verify the final MAC
- Verify the final MAC using the MAC verification key derived in Step 6.
- Use the same text value supplied in CSNBMMS.
- The MAC Verify2 (CSNBMVR2) service can be used to verify the final MAC.
Notes on the Multi-MAC Scheme:
- Control of DKYGENKY key generation and MAC key derivation must be very tight. Only a KMS administrator with proper authority should be able to generate new keys or derive the MAC generate keys.
- The maximum value for N, the maximum count of MACs needed to verify, is 32 (X'20').
- The minimum value for M, the minimum count of MACs needed to verify, is 1 (X'01').
- The maximum value for L, the length of a single MAC, is 16 bytes (X'10') - corresponding to an AES CMAC.
| M of N MAC Scheme Parameters | derivation_data0 | Notes |
|---|---|---|
| | X'10201F00' | This is the minimum size sample of derivation_data0, with no optional service data ds. |
| | X'DD10201F00' | This is a sample of derivation_data0 with 1 byte optional service data field ds (value X'DD'). |
| | X'DDDDDDDDDDDD10201F00' | This is a sample of derivation_data0 with 6 bytes optional service data field ds (value X'DDDDDDDDDDDD'). |
| | X'BB10020100' | This is a sample of derivation_data0 with 1 byte optional service data field ds (value X'BB'). |
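
A pre-flight check for derivation_data0 before it is passed to CSNBDKG2 or CSNBMMS, written as an added example (not IBM code and not part of the CCA API). It assumes the four trailing fields are one byte each in the order L, N, M, c, as the samples in the table suggest; the function names, the error codes, and the L > 0, M <= N and c <= N checks are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout read from the page's samples: ds (optional) || L || N || M || c,
   one byte per trailing field. Every name below is hypothetical, not CCA API. */
typedef struct { size_t ds_len; uint8_t L, N, M, c; } mms_params;
enum { MMS_OK, MMS_SHORT, MMS_BAD_L, MMS_BAD_N, MMS_BAD_M, MMS_BAD_C };
/* derivation_data0 samples copied from the page's table. */
const uint8_t SAMPLE_MIN[] = {0x10, 0x20, 0x1F, 0x00};
const uint8_t SAMPLE_DS[]  = {0xBB, 0x10, 0x02, 0x01, 0x00};

/* Split off the last four bytes and apply the limits from the notes. */
int mms_parse(const uint8_t *dd, size_t len, mms_params *p) {
    if (len < 4) return MMS_SHORT;
    p->ds_len = len - 4;
    p->L = dd[len - 4]; p->N = dd[len - 3];
    p->M = dd[len - 2]; p->c = dd[len - 1];
    if (p->L == 0 || p->L > 0x10) return MMS_BAD_L; /* max L is 16; L > 0 assumed */
    if (p->N == 0 || p->N > 0x20) return MMS_BAD_N; /* max N is 32 */
    if (p->M < 1 || p->M > p->N) return MMS_BAD_M;  /* min M is 1; M <= N assumed */
    if (p->c > p->N) return MMS_BAD_C;              /* counters run 0..N */
    return MMS_OK;
}

/* Copy dd0 to out with only the counter byte replaced, giving the
   derivation_data for MAC key c (1..N) or for the final key (c = 0). */
int mms_with_counter(const uint8_t *dd0, size_t len, uint8_t c, uint8_t *out) {
    mms_params p;
    int rc = mms_parse(dd0, len, &p);
    if (rc != MMS_OK) return rc;
    if (c > p.N) return MMS_BAD_C;
    memcpy(out, dd0, len);
    out[len - 1] = c;
    return MMS_OK;
}

/* MAC_values_length must equal M * L. */
int mms_mac_values_len_ok(const mms_params *p, size_t mac_values_length) {
    return mac_values_length == (size_t)p->M * p->L;
}

int main(void) {
    mms_params p = {0};
    int rc = mms_parse(SAMPLE_MIN, sizeof SAMPLE_MIN, &p);
    printf("rc=%d L=%d N=%d M=%d c=%d\n", rc, p.L, p.N, p.M, p.c);
    return rc;
}
```

Keeping ds, L, N and M byte-identical across every CSNBDKG2 call and the CSNBMMS call, and varying only the counter byte, is what the format rules above require; building each buffer from one template makes that hard to get wrong.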