DES external key token
This topic describes the format of a DES external key token. DES keys are almost always held in a fixed-length token; the exception is the DESUSECV key type, which uses a variable-length symmetric key token.
Table 1 shows the format for a DES external key token.
| Bytes | Description |
|---|---|
| 0 | X'02' (flag indicating an external key token) |
| 1 | Reserved (X'00') |
| 2 - 3 | Implementation-dependent bytes (X'0000' for CCA) |
| 4 | Key token version number (X'00' or X'01') |
| 5 | Reserved (X'00') |
| 6 | Flag byte. Other bits are reserved and are binary zeros. |
| 7 | Flag byte |
| 8 - 15 | Reserved (X'0000000000000000') |
| 16 - 23 | Single-length key or left half of a double-length key, or Part A of a triple-length key. The value is encrypted under a transport key. |
| 24 - 31 | X'0000000000000000' if a single-length key or right half of a double-length key, or Part B of a triple-length key. The right half of a double-length key or Part B of a triple-length key is encrypted under a transport key (key-encrypting key) for export or import. For WRAPENH3, this field always holds ciphertext in order to obfuscate the length of a single or double-length key. The CCA coprocessor uses the effective length (determined by the number of repeated 56-bit sections, if any) of the key to determine key strength for wrapping of other keys or other key strength comparisons. |
| 32 - 39 | The control vector (CV) for single-length key or the left half of CV for double-length key. For WRAPENH3, this field has an update to the key form bits (bits 41-42). These bits always have the value '11', which indicates a triple-length key. |
| 40 - 47 | X'0000000000000000' if a single-length key or the right half of the control vector for a double-length operational key. For WRAPENH3, this field holds an 8-byte TDES-CMAC over the entire key block, with this field set to 0x00 bytes before calculation of the TDES-CMAC. |
| 48 - 55 | X'0000000000000000' if a single-length key, double-length key, or Part C of a triple-length key. This key part is encrypted under a transport key-encrypting key when flag bit 0 is on. Otherwise, it is in the clear. For WRAPENH3, this field always holds ciphertext in order to obfuscate the length of a single or double-length key. |
| 56 - 58 | Reserved (X'000000') |
| 59 | Key length for zero CV DATA keys. |
| 60 - 63 | Token validation value (see Token validation value and record-validation value for a description). |
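
A structural parser for the 64-byte layout in the table above, added here as an illustration; it is not IBM's code. The field names and the sample token are constructed. The flag bytes are returned raw and the token validation value is not recomputed, because neither the bit definitions nor the validation algorithm appear on this page.

```python
import struct

TOKEN_LEN = 64  # the table covers bytes 0 - 63

# One struct field per table row; '>' means no padding, so offsets match the table.
_LAYOUT = struct.Struct(">B B 2s B B B B 8s 8s 8s 8s 8s 8s 3s B 4s")
_NAMES = ("token_flag", "reserved1", "impl_bytes", "version", "reserved5",
          "flag6", "flag7", "reserved8_15", "key_left", "key_right",
          "cv_left", "cv_right", "key_part_c", "reserved56_58",
          "zero_cv_key_len", "tvv")  # hypothetical names, not CCA identifiers


def parse_des_external_token(token: bytes) -> dict:
    """Split a DES external key token into the table's fields and reject
    tokens whose fixed bytes differ from the documented values."""
    if len(token) != TOKEN_LEN:
        raise ValueError(f"expected {TOKEN_LEN} bytes, got {len(token)}")
    f = dict(zip(_NAMES, _LAYOUT.unpack(token)))
    problems = []
    if f["token_flag"] != 0x02:
        problems.append("byte 0 is not X'02' (not an external key token)")
    if f["version"] not in (0x00, 0x01):
        problems.append("byte 4 version is not X'00' or X'01'")
    for name in ("reserved1", "reserved5"):          # single reserved bytes
        if f[name] != 0:
            problems.append(f"{name} is not X'00'")
    for name in ("reserved8_15", "reserved56_58"):   # multi-byte reserved runs
        if any(f[name]):
            problems.append(f"{name} is not all zeros")
    if problems:
        raise ValueError("; ".join(problems))
    return f


def build_sample_token() -> bytes:
    """Constructed sample token: placeholder ciphertext, CV and TVV bytes."""
    return _LAYOUT.pack(0x02, 0, b"\x00\x00", 0x00, 0, 0x80, 0x00, bytes(8),
                        bytes(range(0x10, 0x18)), bytes(8),
                        bytes(range(0x20, 0x28)), bytes(8), bytes(8),
                        bytes(3), 0, b"\xde\xad\xbe\xef")


if __name__ == "__main__":
    for name, value in parse_des_external_token(build_sample_token()).items():
        print(f"{name:16} {value.hex() if isinstance(value, bytes) else hex(value)}")
```

A token that passes these checks is only structurally well formed; whether it is accepted still depends on the token validation value and the control vector.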