Keywords reference
Here you find a keywords reference for the CSNBKTB2 rule_array parameter.
- V0PYLD is the default. V1PYLD is recommended because it provides improved security. Note: V0PYLD is not allowed with the COMP-TAG keyword for compliant-tagged key tokens.
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of a high-order byte (HOB) and a low-order byte (LOB).
- DECRYPT and ENCRYPT are defaults if neither of these keywords is specified, regardless of whether C-XLATE is specified or not.
- Choose any number of keywords in this group. No keywords in this group are defaults.
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
- XPRTCPAC requires a CEX6C to generate the key token using the Key Generate2 (CSNBKGN2) callable service.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required) | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional) | |||
| 008 | KEY-CLR | X'01' | Build a key token that contains a clear key. |
| NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. | |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V0PYLD | X'00' | Build a key token with a version 0 payload format. This format has a variable length and the key length can be inferred from the size of the payload. This format is compatible with all releases. This is the default. Note: V0PYLD is not allowed with the COMP-TAG keyword for compliant-tagged key tokens. |
| V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. | |
| Associated data section | |||
| Algorithm type (one required). | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required) | |||
| 042 | CIPHER | X'0001' | Key can be used for encryption, decryption, and translation of data. |
| Encryption and translation control (one or more, optional). Key-usage field 1, high-order byte. Keywords DECRYPT and ENCRYPT are defaults unless one or more keywords in the group are specified. | |||
| 045 | C-XLATE (Release 4.3 or later) | B'xx1x xxxx' | Key can only be used for Cipher Text Translate2 (CSNBCTT2) operations. This is only valid with AES CIPHER keys. |
| DECRYPT | B'x1xx xxxx' | Key can be used for decryption. Symmetric_Algorithm_Decipher. | |
| ENCRYPT | B'1xxx xxxx' | Key can be used for encryption. Symmetric_Algorithm_Encipher. | |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1xx' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xx1x' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xxx1' | Rightmost user-defined UDX bit is set on. | |
| Encryption mode (one, optional). Key-usage field 2, high-order byte. | |||
| 047 | ANY-MODE | X'FF' | Key can be used for any encryption mode. |
| CBC | X'00' | Key can be used for Cipher Block Chaining. This is the default. | |
| CFB | X'02' | Key can be used for Cipher Feedback. | |
| ECB | X'01' | Key can be used for Electronic Code Book. | |
| FF1 | X'06' | Key can be used for Format Preserving method FF1. | |
| FF2 | X'07' | Key can be used for Format Preserving method FF2. | |
| FF2.1 | X'08' | Key can be used for Format Preserving method FF2.1. | |
| GCM | X'04' | Key can be used for Galois/Counter Mode. | |
| OFB | X'03' | Key can be used for Output Feedback. | |
| XTS | X'05' | Key can be used for Xor-Encrypt-Xor-based Tweaked Stealing. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| Raw-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| CPACF export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | XPRTCPAC | B'xxxx 1xxx' | Allow export of key to CPACF. |
| NOEXCPAC | B'xxxx 0xxx' | Prohibit export of key to CPACF. This is the default. | |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 051 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 051 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 051 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
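As an added example (not IBM's code and not part of this reference), the following Python models the bit layout the CIPHER table above documents: it turns a rule-array keyword list into the bytes at offsets 28, 45, 46, 47, 50 and 51, applying the defaults and exclusions stated in the table, and decodes those bytes back so the export controls of a built token can be audited. It only models the field layout; it does not call the CSNBKTB2 callable service.

```python
"""Encoder/decoder for the key-usage (KUF) and key-management (KMF) bytes of a
CCA version X'05' AES CIPHER key token, following the CSNBKTB2 keyword table.

Constructed example: it models only the bit layout the table documents
(offsets 28, 45, 46, 47, 50, 51) and never calls the CCA callable service."""

# Offset 45, key-usage field 1 high-order byte: one bit per keyword, OR-able.
KUF1_HOB = {"ENCRYPT": 0x80, "DECRYPT": 0x40, "C-XLATE": 0x20}
# Offset 46, key-usage field 1 low-order byte: UDX control bits, no defaults.
KUF1_LOB = {"UDX-ONLY": 0x08, "UDX-100": 0x04, "UDX-010": 0x02, "UDX-001": 0x01}
# Offset 47, key-usage field 2 high-order byte: exactly one encryption mode value.
MODES = {"CBC": 0x00, "ECB": 0x01, "CFB": 0x02, "OFB": 0x03, "GCM": 0x04,
         "XTS": 0x05, "FF1": 0x06, "FF2": 0x07, "FF2.1": 0x08, "ANY-MODE": 0xFF}
# Offset 50, key-management field 1 high-order byte.  Each entry is
# (bit, keyword that sets the bit, keyword that clears it, default is set).
KMF1_HOB = [
    (0x80, "XPRT-SYM", "NOEX-SYM", True),
    (0x40, "XPRTUASY", "NOEXUASY", True),
    (0x20, "XPRTAASY", "NOEXAASY", True),
    (0x10, "XPRT-RAW", "NOEX-RAW", False),   # defined for future use, no default
    (0x08, "XPRTCPAC", "NOEXCPAC", False),
    (0x01, "COMP-TAG", "NOCMPTAG", False),
]
# Offset 51, key-management field 1 low-order byte: here a set bit PROHIBITS export.
KMF1_LOB = [
    (0x80, "NOEX-DES", "XPRT-DES", False),
    (0x40, "NOEX-AES", "XPRT-AES", False),
    (0x08, "NOEX-RSA", "XPRT-RSA", False),
]
# Offset 28, payload format version.
PAYLOAD = {"V0PYLD": 0x00, "V1PYLD": 0x01}


def _pick_one(keywords, table, group, default):
    """Groups marked 'one, optional': at most one keyword, else the default."""
    chosen = [k for k in keywords if k in table]
    if len(chosen) > 1:
        raise ValueError(f"only one {group} keyword allowed, got {chosen}")
    return table[chosen[0]] if chosen else default


def _pair_bits(keywords, pairs, group):
    """Resolve set/clear keyword pairs into a byte, honouring per-pair defaults."""
    value = 0
    for bit, set_kw, clear_kw, default_set in pairs:
        if set_kw in keywords and clear_kw in keywords:
            raise ValueError(f"{group}: {set_kw} and {clear_kw} are mutually exclusive")
        if set_kw in keywords or (default_set and clear_kw not in keywords):
            value |= bit
    return value


def build_cipher_fields(keywords):
    """Return {offset: byte} for an AES CIPHER token built from rule-array keywords."""
    kw = set(keywords)
    known = (set(KUF1_HOB) | set(KUF1_LOB) | set(MODES) | set(PAYLOAD)
             | {k for p in KMF1_HOB + KMF1_LOB for k in p[1:3]})
    unknown = kw - known
    if unknown:
        raise ValueError(f"unknown keyword(s): {sorted(unknown)}")
    payload = _pick_one(kw, PAYLOAD, "payload format", PAYLOAD["V0PYLD"])
    kmf_hob = _pair_bits(kw, KMF1_HOB, "KMF1 HOB")
    # Table note: the version 0 payload cannot carry a compliant-tagged token.
    if payload == PAYLOAD["V0PYLD"] and kmf_hob & 0x01:
        raise ValueError("V0PYLD is not allowed with COMP-TAG")
    kuf_hob = sum(KUF1_HOB[k] for k in kw & set(KUF1_HOB))
    # DECRYPT and ENCRYPT default on when neither is given, whatever C-XLATE says.
    if not kw & {"ENCRYPT", "DECRYPT"}:
        kuf_hob |= KUF1_HOB["ENCRYPT"] | KUF1_HOB["DECRYPT"]
    return {
        28: payload,
        45: kuf_hob,
        46: sum(KUF1_LOB[k] for k in kw & set(KUF1_LOB)),
        47: _pick_one(kw, MODES, "encryption mode", MODES["CBC"]),
        50: kmf_hob,
        51: _pair_bits(kw, KMF1_LOB, "KMF1 LOB"),
    }


def describe_fields(fields):
    """Decode the bytes back into the keyword names the table assigns to them."""
    names = [k for k, b in KUF1_HOB.items() if fields[45] & b]
    names += [k for k, b in KUF1_LOB.items() if fields[46] & b]
    names.append(next(k for k, v in MODES.items() if v == fields[47]))
    for offset, pairs in ((50, KMF1_HOB), (51, KMF1_LOB)):
        for bit, set_kw, clear_kw, _ in pairs:
            names.append(set_kw if fields[offset] & bit else clear_kw)
    return names


def is_non_exportable(fields):
    """Conservative audit: every export path the table documents is shut off
    (no allow bits in KMF1 HOB, all three prohibit bits set in KMF1 LOB)."""
    return fields[50] & 0xF8 == 0 and fields[51] & 0xC8 == 0xC8
```

Note that a token built with no keywords at all is exportable under symmetric and both asymmetric key paths, because XPRT-SYM, XPRTUASY and XPRTAASY are defaults; a key meant to stay on the node needs the NOEX- keywords stated explicitly.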

- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
- DKYUSAGE specifies that the verb_data variable contains all of the keywords necessary to define the key usage attributes related to the type of key to diversify. Based on the verb_data keywords, CSNBKTB2 appends the key usage attributes of the type of key to diversify to the key usage fields of the DKYGENKY key. The related key usage fields control which key usage attributes are permissible for the final generated diversified key. DKYUSAGE is not valid with D-ALL because the type of key to diversify is unspecified. DKYUSAGE is optional with D-CIPHER, D-EXP, and D-IMP because key types CIPHER, EXPORTER and IMPORTER have default key usage attributes. For these key types, if DKYUSAGE is not specified, CSNBKTB2 assigns default key usage attributes to the related KUF fields. DKYUSAGE is required for the remaining values of type of key to diversify because those key types do not have default key usage attributes. DKYUSAGE is not valid with A-DUKPT.
- KUF-MBP is not valid if DKADMIN1, DKADMIN2, DKPINOP, or DKPINOPP is specified in the verb_data variable (that is, the type of key to diversify is DK enabled).
- Choose any number of keywords in this group. No keywords in this group are defaults.
- To create a base derivation key skeleton to be used in AES DUKPT key derivation, specify key-usage keywords A-DUKPT, D-ALL, and DKYL0. That is, the A-DUKPT keyword can only be specified with the D-ALL keyword. All other KUF1 HOB keywords are not valid with A-DUKPT. Also, the A-DUKPT keyword cannot be specified in combination with DKYUSAGE. When A-DUKPT is specified, verb_data_length is set to 0.
- If D-ALL is specified, KMF-GND and KMF-MBP are not valid and there is no default. Otherwise, the default is KMF-GND. KMF-MBP is not valid if DKYUSAGE is specified and DKPINOP, DKPINOPP, DKPINAD1, or DKPINAD2 is specified in the verb_data variable (for example, the type of key to diversify is DK enabled). KMF-MBP is also not valid if the type of key to diversify is specified by the D-KDKGKY rule. KMF-MBP may not be specified with KMF-MBE.
- If D-ALL is specified, KMF-GND2 and KMF-MBE are not valid and there is no default. Otherwise, the default is KMF-GND2. KMF-MBE may not be specified with KMF-MBP.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required). | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional). | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). | |||
| 028 | V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. This is the default. |
| Associated data section | |||
| Algorithm type (one required). | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required). | |||
| 042 | DKYGENKY | X'0009' | Key can be used for generating a diversified key. |
| Type of key to diversify (one required). Key-usage field 1, high-order byte. DKYUSAGE is required for DKDKGKY, D-MAC, D-PCALC, D-PPROT, D-PPRW, and D-SECMSG. A-DUKPT is only valid with D-ALL. | |||
| 045 | D-ALL | X'00' | Key can generate a diversified key for any key type listed hereafter. |
| D-CIPHER | X'01' | Key can generate a diversified CIPHER key. | |
| D-EXP | X'03' | Key can generate a diversified EXPORTER key. | |
| D-IMP | X'04' | Key can generate a diversified IMPORTER key. | |
| D-KDKGKY | X'09' | Key can generate a diversified KDKGENKY key. | |
| D-MAC | X'02' | Key can generate a diversified MAC key. | |
| D-PCALC | X'06' | Key can generate a diversified PINCALC key. | |
| D-PPROT | X'05' | Key can generate a diversified PINPROT key. | |
| D-PPRW | X'07' | Key can generate a diversified PINPRW key. | |
| D-SECMSG | X'08' | Key can generate a diversified SECMSG key. | |
| Special usage and user-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | A-DUKPT | B'1xxx xxxx' | This key can be used as the base derivation key (BDK) in the AES DUKPT key derivation algorithm. |
| UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. | |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| Related generated key-usage field level of control (one required). Key-usage field 2, high-order byte. If D-ALL is specified, KUF-MBE and KUF-MBP are not valid. Otherwise, the default is KUF-MBE. KUF-MBP is not valid if DKYUSAGE is specified and DKPINOP, DKPINOPP, DKADMIN1, or DKADMIN2 is specified in the verb_data variable (that is, the type of key to diversify is DK enabled). | |||
| 047 | KUF-MBE | B'1xxx xxxx' | The key usage fields of the key to be generated must be equal to the related generated key-usage fields starting with key usage field 3. |
| KUF-MBP | B'0xxx xxxx' | The key usage fields of the key to be generated must be permissible based on the related generated key usage fields starting with key-usage field 3. A key to be diversified is not permitted to have a higher level of usage than any of the related key usage fields permit. The key to be diversified is only permitted to have key usage that is less than or equal to the related key usage fields. One exception is the UDX-ONLY setting in the generated key usage fields. This setting must always be equal to the UDX-ONLY setting in the related key usage fields. | |
| Related generated key management field permissive level of control (one optional). Key-usage field 2, high-order byte. If D-ALL is specified, KMF-GND and KMF-MBP are not valid. Otherwise, the default is KMF-GND. KMF-MBP is not valid if DKYUSAGE is specified and DKPINOP, DKPINOPP, DKPINAD1, or DKPINAD2 is specified in the verb_data variable (that is, the type of key to diversify is DK enabled) or if the type of key to diversify is specified by the D-KDKGKY rule. KMF-MBP may not be specified with KMF-MBE. | |||
| 047 | KMF-GND | B'x0xx xxxx' | This keyword maintains the current behavior of using the key management fields (KMF) from the key to be generated. This is the default. |
| KMF-MBP | B'x1xx xxxx' | The key management fields (KMF) of the key to be generated must be permissible based on the key management fields of the generating key. The KMF of the key to be generated must have an equal or lower value for each of the KMF. | |
| Related generated key management field equal level of control (one optional). Key-usage field 2, high-order byte. If D-ALL is specified, KMF-GND2 and KMF-MBE are not valid. Otherwise, the default is KMF-GND2. KMF-MBE may not be specified with KMF-MBP. | |||
| 047 | KMF-GND2 | B'xx0x xxxx' | This keyword maintains the current behavior of using the KMFs from the key to be generated. This is the default. |
| KMF-MBE | B'xx1x xxxx' | The KMFs of the key to be generated must be equal to the KMFs of the generating key. | |
| The other KMFs are not security-relevant and are set as follows: | |||
| Key-derivation sequence level (one required). Key-usage field 2, low-order byte. A-DUKPT is only valid with DKYL0. | |||
| 048 | DKYL0 | X'00' | Use this diversifying key to generate a Level 0 diversified key. The type of key to diversify (value at offset 45) determines the key type of the generated key. Level 0 is a completed key. |
| DKYL1 | X'01' | Use this diversifying key to generate a Level 1 diversified key. | |
| DKYL2 | X'02' | Use this diversifying key to generate a Level 2 diversified key. | |
| Related generated key usage fields (not allowed for D-ALL, one, optional, for D-CIPHER, D-EXP, and D-IMP, otherwise one required). Key-usage field 3, high-order byte. | |||
| 049 | DKYUSAGE | Based on verb_data keywords. | The verb_data variable contains key-usage field keywords related to the type of key to diversify. These related attributes become part of the key usage fields of the DKYGENKY diversifying key, beginning with key-usage field 3, high-order byte. They are related because they are used to control which key usage attributes are permissible in the generated diversified key. To generate a diversified key, use the Diversified Key Generate2 (CSNBDKG2) verb. This keyword is not valid with A-DUKPT. |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| RAW-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
| Keyword | Meaning |
|---|---|
| M of N MAC Scheme MMSAUTH1 control (one, optional). Key-usage field 4, low-order byte. | |
| NOMAUTH1 | This keyword ensures that the MMSAUTH1 attribute is not set in a DKYGENKY D-MAC base derivation key. This is the default. |
| MMSAUTH1 | Allows a DKYGENKY D-MAC key to be used in CSNBDKG2 to derive a resulting AES MAC key under control of access control point 'Diversified Key Generate2 - Allow AES DKYGENKY with MMSAUTH1' as part of the M of N MAC scheme used with CSNBMMS. The DKYGENKY: D-MAC:MMSAUTH1 key is used to derive the subordinate M of N AES-MAC keys. The resulting MAC keys will not retain the MMSAUTH1 attribute. This keyword is only usable in the verb_data keyword list when creating a DKYGENKY DKYUSAGE D-MAC key token. Must be combined with GENERATE. The key token type must be INTERNAL. |
| M of N MAC Scheme MMSAUTH2 control (one, optional). Key-usage field 4, low-order byte. | |
| NOMAUTH2 | This keyword ensures that the MMSAUTH2 attribute is not set in a DKYGENKY D-MAC base derivation key. This is the default. |
| MMSAUTH2 | Creates a DKYGENKY D-MAC key that is only usable with the CSNBMMS service for use in the M of N MAC scheme. A key usable with CSNBMMS must have the MMSAUTH2 attribute. This keyword is only usable in the verb_data keyword list when creating a DKYGENKY DKYUSAGE D-MAC key token. This keyword is not allowed with PTR2AUTH or MMSAUTH1. Must be combined with GENERATE. The key token type must be EXTERNAL. |
As of CCA 5.4 and CCA 6.2, Key Token Build2 rule-array keyword EXPTT31D has been added to KUF1 HOB, and keyword VARDRV-D has been added to KUF2 HOB.
- V0PYLD is the default for compatibility reasons. V1PYLD is recommended because it provides improved security. Note: V0PYLD is not allowed with the COMP-TAG keyword for compliant-tagged key tokens.
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of a high-order byte (HOB) and a low-order byte (LOB).
- Excluding EXPTT31D, all keywords in this group are defaults unless one or more of these keywords are specified. EXPTT31D cannot be specified with any other keyword in this group.
- WR-TR31 is defined for future use and its meaning is currently undefined. No keywords in this group are defaults.
- WR-AES, WR-DES, and WR-HMAC are defaults unless one or more keywords in this group are specified, or if KUF2 HOB keyword VARDRV-D is specified. If VARDRV-D is specified, only keywords WR-AES, WR-DES, and WR-HMAC are allowed, and one or more keywords must be specified.
- Choose any number of keywords in this group. No keywords in this group are defaults.
- KEK-RAW is defined for future use. To avoid this restriction in the future when the meaning is defined, specify this keyword. There is no default.
- WR-CARD, WR-DATA, WR-KEK, WR-PIN, and WRDERIVE are defaults unless one or more keywords in this group are specified.
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required). | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional) | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V0PYLD | X'00' | Build a key token with a version 0 payload format. This format has a variable length and the key length can be inferred from the size of the payload. This format is compatible with all releases. This is the default. Note: V0PYLD is not allowed with the COMP-TAG keyword for compliant-tagged key tokens. |
| V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. | |
| Associated data section | |||
| Algorithm type (one required) | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required) | |||
| 042 | EXPORTER | X'0003' | Key can be used to wrap an external key to be taken from this local node or to wrap an output key in the Key Translate2 verb. |
| KEK control (one or more, optional). Key-usage field 1, high-order byte. All keywords in the group are defaults unless one or more keywords in the group are specified. | |||
| 045 | EXPORT | B'1xxx xxxx' | Key can be used to wrap a key taken from this local node. |
| EXPTT31D (Release 5.4 or later) | B'0000 0001' | Key can be used by TR31 Translate to export an AES-wrapped TR-31 key block version "D" (EXPTT31D) as defined in ISO 20038 or ASC X9 TR 31-2018. | |
| GEN-EXEX | B'xxxx 1xxx' | Key can be used to wrap the first or the second key that is generated by the CSNBKGN2 verb as part of an EXEX key pair. | |
| GEN-IMEX | B'xxx1 xxxx' | Key can be used to wrap the second key that is generated by the CSNBKGN2 verb as part of an IMEX key pair. | |
| GEN-OPEX | B'xx1x xxxx' | Key can be used to wrap the second key that is generated by the CSNBKGN2 verb as part of an OPEX key pair. | |
| GEN-PUB | B'xxxx x1xx' | Key can be used to wrap the private key (to be used at another node) generated by the CSNDPKG verb as part of an ECC public-private key pair. | |
| TRANSLAT | B'x1xx xxxx' | Key can be used to wrap an output key in the Key Translate2 verb. | |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| TR-31 wrap control (one, optional). Key-usage field 2, high-order byte. | |||
| 047 | VARDRV-D | B'0000 0001' | Key can wrap an AES-based TR-31 key block version "D" (VARDRV-D) by using ECB mode. Only valid if value at offset 45 is B'0000 0001' (EXPTT31D). |
| WR-TR31 | B'1xxx xxxx' | Key can wrap a TR-31 key. Defined for future use. Currently ignored. | |
| Raw key wrap control (one, optional). Key-usage field 2, low-order byte. | |||
| 048 | KEK-RAW | B'xxxx xxx1' | Key can wrap a raw key. Defined for future use. Currently ignored. |
| Algorithm wrap control (one or more, optional). Key-usage field 3, high-order byte. Keywords WR-AES, WR-DES, and WR-HMAC are defaults unless one or more keywords in the group are specified. | |||
| 049 | WR-AES | B'x1xx xxxx' | Key can wrap AES keys. |
| WR-DES | B'1xxx xxxx' | Key can wrap DES keys. | |
| WR-ECC | B'xxxx 1xxx' | Key can wrap ECC keys. | |
| WR-HMAC | B'xx1x xxxx' | Key can wrap HMAC keys. | |
| WR-QSA | B'xxxx x1xx' | Key can wrap QSA keys such as CRYSTALS-Dilithium or ML-KEM keys. | |
| WR-RSA | B'xxx1 xxxx' | Key can wrap RSA keys. | |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| Class wrap control (one or more, optional). Key-usage field 4, high-order byte. Keywords WR-CARD, WR-DATA, WR-KEK, WR-PIN, and WRDERIVE are defaults unless one or more keywords in the group are specified. | |||
| 051 | WR-CARD | B'xxxx 1xxx' | Key can wrap card class keys. |
| WR-CVAR | B'xxxx x1xx' | Key can wrap cryptovariable class keys. | |
| WR-DATA | B'1xxx xxxx' | Key can wrap data class keys. | |
| WR-KEK | B'x1xx xxxx' | Key can wrap KEK class keys. | |
| WR-PIN | B'xx1x xxxx' | Key can wrap PIN class keys. | |
| WRDERIVE | B'xxx1 xxxx' | Key can wrap derivation class keys. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 054 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 054 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 054 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| RAW-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 054 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 055 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 055 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 055 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
- V0PYLD is the default for compatibility reasons. V1PYLD is recommended because it provides improved security. Note: V0PYLD is not allowed with the COMP-TAG keyword for compliant-tagged key tokens.
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- All keywords in this group are defaults except for IMPTT31D unless one or more of these keywords are specified. IMPTT31D cannot be specified with any other keyword in this group.
- WR-TR31 is defined for future use and its meaning is currently undefined. To avoid this restriction in the future when the meaning is defined, specify this keyword. No keywords in this group are defaults.
- WR-AES, WR-DES, and WR-HMAC are defaults unless one or more keywords in this group are specified, or if KUF2 HOB keyword VARDRV-D is specified. If VARDRV-D is specified, only keywords WR-AES, WR-DES and WR-HMAC are allowed, and one or more keywords must be specified.
- Choose any number of keywords in this group. No keywords in this group are defaults.
- KEK-RAW is defined for future use. To avoid this restriction in the future when the meaning is defined, specify this keyword. There is no default.
- WR-CARD, WR-DATA, WR-KEK, WR-PIN, and WRDERIVE are defaults unless one or more keywords in this group are specified.
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required) | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional) | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V0PYLD | X'00' | Build a key token with a version 0 payload format. This format has a variable length and the key length can be inferred from the size of the payload. This format is compatible with all releases. This is the default. Note: V0PYLD is not allowed with the COMP-TAG keyword for compliant-tagged key tokens. |
| V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. | |
| Associated data section | |||
| Algorithm type (one required) | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required) | |||
| 042 | IMPORTER | X'0004' | Key can be used to unwrap an external key brought to this local node, wrap a generated key to be brought to this local node, or unwrap an input key in the Key Translate2 verb. |
| KEK control (one or more, optional). Key-usage field 1, high-order byte. All keywords in the group are defaults unless one or more keywords in the group are specified. | |||
| 045 | GEN-IMEX | B'xxx1 xxxx' | Key can be used to wrap the first key that is generated by the CSNBKGN2 verb as part of an IMEX key pair. |
| GEN-IMIM | B'xxxx 1xxx' | Key can be used to wrap the first or second key that is generated by the CSNBKGN2 verb as part of an IMIM key pair. | |
| GEN-OPIM | B'xx1x xxxx' | Key can be used to wrap the second key that is generated by the CSNBKGN2 verb as part of an OPIM key pair. | |
| GEN-PUB | B'xxxx x1xx' | Key can be used to wrap the private key (to be used at the local node) generated by the CSNDPKG verb as part of an ECC public-private key pair. | |
| IMPORT | B'1xxx xxxx' | Key can be used to unwrap a key brought to this local node by Symmetric Key Import. | |
| IMPTT31D (Release 5.4 or later) | B'0000 0001' | Key can be used by the TR31 Key Import verb to import an AES-wrapped TR-31 key block version "D" (IMPTT31D) as an AES KDKGENKY (usage KDKTYPEA or KDKTYPEB) or DES DKYGENKY (usage DKYL0 and DMPIN) key. | |
| TRANSLAT | B'x1xx xxxx' | Key can be used to unwrap an input key in the Key Translate2 verb. | |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| TR-31 wrap control (one, optional). Key-usage field 2, high-order byte. | |||
| 047 | VARDRV-D | B'0000 0001' | Key can unwrap an AES-based TR-31 key block version "D" (VARDRV-D) by using ECB mode. Only valid if value at offset 45 is B'0000 0001' (IMPTT31D). |
| WR-TR31 | B'1xxx xxxx' | Key can unwrap a TR-31 key. Defined for future use. Currently ignored. | |
| Raw key wrap control (one, optional). Key-usage field 2, low-order byte. | |||
| 048 | KEK-RAW | B'xxxx xxx1' | Key can unwrap a raw key. Defined for future use. Currently ignored. |
| Algorithm wrap control (one or more, optional). Key-usage field 3, high-order byte. Keywords WR-AES, WR-DES, and WR-HMAC are defaults unless one or more keywords in the group are specified. | |||
| 049 | WR-AES | B'x1xx xxxx' | Key can unwrap AES keys. |
| WR-DES | B'1xxx xxxx' | Key can unwrap DES keys. | |
| WR-ECC | B'xxxx 1xxx' | Key can unwrap ECC keys. | |
| WR-HMAC | B'xx1x xxxx' | Key can unwrap HMAC keys. | |
| WR-QSA | B'xxxx x1xx' | Key can unwrap QSA keys such as CRYSTALS-Dilithium or ML-KEM keys. | |
| WR-RSA | B'xxx1 xxxx' | Key can unwrap RSA keys. | |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| Class wrap control (one or more, optional). Key-usage field 4, high-order byte. Keywords WR-CARD, WR-DATA, WR-KEK, WR-PIN, and WRDERIVE are defaults unless one or more keywords in the group are specified. | |||
| 051 | WR-CARD | B'xxxx 1xxx' | Key can unwrap card class keys. |
| WR-CVAR | B'xxxx x1xx' | Key can unwrap cryptovariable class keys. | |
| WR-DATA | B'1xxx xxxx' | Key can unwrap data class keys. | |
| WR-KEK | B'x1xx xxxx' | Key can unwrap KEK class keys. | |
| WR-PIN | B'xx1x xxxx' | Key can unwrap PIN class keys. | |
| WRDERIVE | B'xxx1 xxxx' | Key can wrap derivation class keys. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 054 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 054 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 054 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| RAW-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 054 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 055 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 055 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 055 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
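The IMPORTER table above has three kinds of group: groups where every keyword is a default unless one is named (KEK control, algorithm wrap, class wrap), two-valued groups where a 1 bit sometimes means "allow" (XPRT-SYM) and sometimes means "prohibit" (NOEX-DES), and groups with no defaults at all (UDX control, RAW export). The following is an added example, not IBM CCA code: it reproduces only the bit masks and default rules of this one table so that the KUF/KMF byte image a rule array selects can be computed and read back offline, for instance to compare the permissive defaults of a KEK with a narrower profile. Offsets 047 and 048 (WR-TR31, KEK-RAW) are "defined for future use" and are left out, as is the whole-byte IMPTT31D value; the function names are this example's own.

```python
"""Illustrative encoder/decoder for the associated-data bytes that the
CSNBKTB2 rule array selects for an AES IMPORTER key token.

Added example, not IBM CCA code.  Masks are the B'...' columns of the
IMPORTER table with 'x' bits taken as 0; a group's "defaults" are the
keywords applied when none of its keywords is specified.  Offsets 047/048
and the whole-byte IMPTT31D value are omitted (assumption of this example).
"""

ALL = object()   # sentinel: every keyword in the group is a default

# (token offset, {keyword: mask}, defaults, max keywords allowed or None)
IMPORTER_GROUPS = [
    (45, {"GEN-IMEX": 0x10, "GEN-IMIM": 0x08, "GEN-OPIM": 0x20,
          "GEN-PUB": 0x04, "IMPORT": 0x80, "TRANSLAT": 0x40}, ALL, None),
    (46, {"UDX-ONLY": 0x08, "UDX-100": 0x04, "UDX-010": 0x02,
          "UDX-001": 0x01}, (), None),
    (49, {"WR-AES": 0x40, "WR-DES": 0x80, "WR-ECC": 0x08, "WR-HMAC": 0x20,
          "WR-QSA": 0x04, "WR-RSA": 0x10}, ("WR-AES", "WR-DES", "WR-HMAC"), None),
    (50, {"COMP-TAG": 0x01, "NOCMPTAG": 0x00}, ("NOCMPTAG",), 1),
    (51, {"WR-CARD": 0x08, "WR-CVAR": 0x04, "WR-DATA": 0x80, "WR-KEK": 0x40,
          "WR-PIN": 0x20, "WRDERIVE": 0x10},
     ("WR-CARD", "WR-DATA", "WR-KEK", "WR-PIN", "WRDERIVE"), None),
    # KMF1 high-order byte: a 1 bit means "allow export"
    (54, {"NOEX-SYM": 0x00, "XPRT-SYM": 0x80}, ("XPRT-SYM",), 1),
    (54, {"NOEXUASY": 0x00, "XPRTUASY": 0x40}, ("XPRTUASY",), 1),
    (54, {"NOEXAASY": 0x00, "XPRTAASY": 0x20}, ("XPRTAASY",), 1),
    (54, {"NOEX-RAW": 0x00, "XPRT-RAW": 0x10}, (), 1),   # no default stated
    # KMF1 low-order byte: a 1 bit means "prohibit export" (note the polarity)
    (55, {"NOEX-DES": 0x80, "XPRT-DES": 0x00}, ("XPRT-DES",), 1),
    (55, {"NOEX-AES": 0x40, "XPRT-AES": 0x00}, ("XPRT-AES",), 1),
    (55, {"NOEX-RSA": 0x08, "XPRT-RSA": 0x00}, ("XPRT-RSA",), 1),
]


def encode_importer(rule_array):
    """Return {token offset: byte} for offsets 045-055 of an IMPORTER token.

    Applies each group's default rule; raises ValueError on an unknown
    keyword or on more than one keyword from a one-only group."""
    keywords = set(rule_array)
    known = set()
    image = {}
    for offset, masks, defaults, limit in IMPORTER_GROUPS:
        known.update(masks)
        chosen = [k for k in masks if k in keywords]
        if limit is not None and len(chosen) > limit:
            raise ValueError(f"offset {offset:03d}: at most {limit} of {sorted(masks)}")
        if not chosen:
            chosen = list(masks) if defaults is ALL else list(defaults)
        byte = image.get(offset, 0)
        for k in chosen:
            byte |= masks[k]
        image[offset] = byte
    unknown = keywords - known
    if unknown:
        raise ValueError(f"not an IMPORTER keyword handled here: {sorted(unknown)}")
    return image


def decode_importer(image):
    """Inverse of encode_importer: name the keyword each group's bits express.

    For two-valued groups the keyword whose mask equals the group's bits is
    reported, so a 0 bit at offset 055 correctly reads as XPRT-DES and a
    0 bit at offset 054 as NOEX-SYM."""
    names = []
    for offset, masks, _, limit in IMPORTER_GROUPS:
        byte = image.get(offset, 0)
        if limit == 1:
            field = 0
            for m in masks.values():
                field |= m
            names += [k for k, m in masks.items() if (byte & field) == m]
        else:
            names += [k for k, m in masks.items() if byte & m]
    return names
```

With an empty rule array the encoder yields the table's defaults: X'FC' at 045 (every KEK-control use), X'E0' at 049 (wraps AES, DES and HMAC keys), X'F8' at 051 (every class but cryptovariable), X'E0' at 054 and X'00' at 055 (exportable by symmetric, unauthenticated and authenticated asymmetric, DES, AES and RSA keys). A rule array such as IMPORT, WR-AES, WR-KEK, NOEX-DES, NOEX-RSA narrows every one of those groups, and decoding the resulting image shows which keywords a token built that way actually carries.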
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
- Choose any number of keywords in this group. No keywords in this group are defaults.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required). | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional). | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. This is the default. |
| Associated data section | |||
| Algorithm type (one required). | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required) | |||
| 042 | MAC | X'0002' | Key can be used for generation and verification of message authentication codes. |
| MAC operation (one required). Key-usage field 1, high-order byte. | |||
| 045 | GENERATE | B'11xx xxxx' | Key can be used for generate; key can be used for verify. Not valid with keywords DKPINOP, DKPINAD1, and DKPINAD2. MAC Generate2 and MAC Verify2. |
| GENONLY | B'10xx xxxx' | Key can be used for generate; key cannot be used for verify. | |
| VERIFY | B'01xx xxxx' | Key cannot be used for generate; key can be used for verify (MAC Verify2). | |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| MAC mode (one required). Key-usage field 2, high-order byte. | |||
| 047 | CMAC | X'01' | Key can be used for block cipher-based MAC algorithm, called CMAC (NIST SP 800-38B). |
| Authentication data verification (one or more, optional). Key-usage field 2, low-order byte. | |||
| 048 | NOP2AUTH | B'0xxx xxxx' | Key cannot be used by Encrypted PIN Translate2 to verify authentication data using NIST SP 800-38B CMAC for ISO-4 to ISO-4 PAN change if the Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 PTR2AUTH command (offset X'0395') is enabled in the active role. Only valid with key usage VERIFY. This is the default. |
| PTR2AUTH | B'1xxx xxxx' | Key can be used by CSNBPTR2 to verify authentication data using NIST SP 800-38B CMAC for ISO-4 to ISO-4 PAN change. Only valid with key usage VERIFY or with MMSAUTH1 and GENERATE. | |
| NOMAUTH1 | B'x0xx xxxx' | This keyword ensures that the MMSAUTH1 attribute is not set in a DKYGENKY D-MAC base derivation key. This is the default. | |
| MMSAUTH1 | B'x1xx xxxx' | Allows a DKYGENKY D-MAC key to be used in the CSNBDKG2 verb to derive a resulting AES MAC key under access control restriction offset X'00D1' as part of the M of N MAC scheme used with CSNBMMS. The DKYGENKY: D-MAC:MMSAUTH1 key is used to derive the subordinate M of N AES-MAC keys. The resulting MAC keys do not retain the MMSAUTH1 attribute. This keyword is only usable in the verb_data keyword list when creating a DKYGENKY DKYUSAGE D-MAC key token. If combined with PTR2AUTH, the attribute PTR2AUTH is inherited by the derived MAC-verify key. Must be combined with GENERATE. | |
| NOMAUTH2 | B'xx0x xxxx' | This keyword ensures that the MMSAUTH2 attribute is not set in a DKYGENKY D-MAC base derivation key. This is the default. | |
| MMSAUTH2 | B'xx1x xxxx' | Creates a DKYGENKY D-MAC key that is only usable with the CSNBMMS service for use in the M of N MAC scheme. A key usable with CSNBMMS must have the MMSAUTH2 attribute. This keyword is only usable in the verb_data keyword list when creating a DKYGENKY DKYUSAGE D-MAC key token. This keyword is not allowed with PTR2AUTH. Must be combined with GENERATE. | |
| Common control (one, optional). Key-usage field 3, high-order byte. Use of a common control keyword causes key-usage field 3, low-order byte (field format identifier at token offset 050) to be set to X'01' (DK enabled). | |||
| 049 | DKPINOP | X'01' | PIN_OP |
| DKPINAD1 | X'03' | PIN_AD1 | |
| DKPINAD2 | X'04' | PIN_AD2 | |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 if DK enabled, else 050 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 if DK enabled, else 050 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 if DK enabled, else 050 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| RAW-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 if DK enabled, else 050 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 if DK enabled, else 051 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 if DK enabled, else 051 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 if DK enabled, else 051 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
- All keywords in this group are defaults unless one or more keywords in this group are specified.
- Choose any number of keywords in this group. No keywords in this group are defaults.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required). | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional) | |||
| 008 | KEY-CLR | X'01' | Build a key token that contains a clear key. |
| NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. | |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V0PYLD | X'00' | Build a key token with a version 0 payload format. This format has a variable length and the key length can be inferred from the size of the payload. This is the default. This format is compatible with all releases. |
| Associated data section | |||
| Algorithm type (one required). | |||
| 041 | HMAC | X'03' | Key can be used for HMAC algorithm. |
| Key type (one required) | |||
| 042 | MAC | X'0002' | Key can be used for generation or verification of message authentication codes. |
| MAC operation (one required). Key-usage field 1, high-order byte. | |||
| 045 | GENERATE | B'11xx xxxx' | Key can be used for generate; key can be used for verify. HMAC Generate and HMAC Verify. |
| VERIFY | B'01xx xxxx' | Key cannot be used for generate; key can be used for verify. HMAC Verify. | |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| Hash method (one, optional). Key-usage field 2, high-order byte. All keywords in the group are defaults unless one or more keywords in the group are specified. | |||
| 047 | SHA-1 | B'1xxx xxxx' | SHA-1 hash method is allowed for the key. |
| SHA-224 | B'x1xx xxxx' | SHA-224 hash method is allowed for the key. | |
| SHA-256 | B'xx1x xxxx' | SHA-256 hash method is allowed for the key. | |
| SHA-384 | B'xxx1 xxxx' | SHA-384 hash method is allowed for the key. | |
| SHA-512 | B'xxxx 1xxx' | SHA-512 hash method is allowed for the key. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| RAW-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 050 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 051 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 051 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 051 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
- Choose any number of keywords in this group. No keywords in the group are defaults.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required) | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional) | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. This is the default. |
| Associated data section | |||
| Algorithm type (one required). | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required) | |||
| 042 | PINCALC | X'0006' | Key can be used for generation and verification of message authentication codes. |
| MAC operation (one required). Key-usage field 1, high-order byte. | |||
| 045 | GENONLY | B'1xxx xxxx' | Key can only be used for generate. |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| Encryption mode (one required). Key-usage field 2, high-order byte. | |||
| 047 | CBC | X'00' | Key can be used for Cipher Block Chaining. |
| Common control (one required). Key-usage field 3, high-order byte. Use of a common control keyword causes key-usage field 3, low-order byte (field format identifier at token offset 050) to be set to X'01' (DK enabled). | |||
| 049 | DKPINOP | X'01' | PIN_OP |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| RAW-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
- If and only if KUF3 HOB keyword NOFLDFMT (Release 5.4 or later) is specified, one keyword must be selected from this group. If keyword NOFLDFMT is not specified, KUF4 is not created.
- Choose any number of keywords in this group. No keywords in the group are defaults.
- If and only if KUF3 HOB keyword NOFLDFMT is specified, at least one keyword must be selected from this group. No keywords in this group are defaults. Keyword RFMT4TO1 is not supported in releases before Release 5.5.12.
When NOFLDFMT is specified, valid KUF2 LOB keyword combinations depend on which KUF1 HOB keyword is specified (that is, DECRYPT or ENCRYPT), as shown in Table 9:
| KUF1 HOB keyword | KUF2 LOB keyword count | Valid KUF2 LOB keywords | Invalid KUF2 LOB keywords |
|---|---|---|---|
| DECRYPT | 1 – 5 | CPINGENA, | CPINENC, |
| ENCRYPT | 1 – 5 | CPINENC, | CPINGENA, |
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required) | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional) | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. This is the default. |
| Associated data section | |||
| Algorithm type (one required) | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required). | |||
| 042 | PINPROT | X'0005' | Key can be used for encrypting PIN blocks. |
| Encryption operation (one required). Key-usage field 1, high-order byte. | |||
| 045 | DECRYPT | B'01xx xxxx' | Key cannot be used for encryption; key can be used for decryption. |
| ENCRYPT | B'10xx xxxx' | Key can be used for encryption; key cannot be used for decryption. | |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| Encryption mode (one required). Key-usage field 2, high-order byte. | |||
| 047 | CBC | X'00' | Key can be used for Cipher Block Chaining. |
| PIN services control (one or more, required). Key-usage field 2, low-order byte. Release 5.4 or later. In releases before Release 5.4, this field is reserved and must be binary zero. | |||
| 048 | CPINENC | B'xx1x xxxx' | For encryption operation ENCRYPT (value at offset 045 = B'10xx xxxx'), key can be used with the Clear PIN Encrypt verb (CPINENC), otherwise invalid. |
| CPINGENA | B'xxxx 1xxx' | For encryption operation DECRYPT (value at offset 045 = B'01xx xxxx'), key can be used with the Clear PIN Generate Alternate verb (CPINGENA), otherwise invalid. | |
| EPINGEN | B'xxx1 xxxx' | For encryption operation ENCRYPT (value at offset 045 = B'10xx xxxx'), key can be used with the Encrypted PIN Generate verb (EPINGEN). | |
| EPINVER | B'xxx1 xxxx' | For encryption operation DECRYPT (value at offset 045 = B'01xx xxxx'), key can be used with the Encrypted PIN Verify verb (EPINVER). | |
| REFORMAT | B'xxxx xx1x' | Key can be used with the Encrypted PIN Translate verb for a reformat operation (REFORMAT). | |
| PINXLATE | B'xxxx x1xx' | Key can be used with the Encrypted PIN Translate2 verb for a PIN translation operation (PINXLATE). | |
| RFMT1TO4 | B'xxxx xxx1' | For encryption operation ENCRYPT (value at offset 045 = B'10xx xxxx'), key can be used to restrictively reformat an ISO-1 encrypted PIN to an ISO-4 encrypted PIN (RFMT1TO4). | |
| RFMT4TO1 | B'xxxx xxx1' | For encryption operation DECRYPT (value at offset 045 = B'01xx xxxx'), key can be used to restrictively reformat an ISO-4 encrypted PIN to an ISO-1 encrypted PIN (RFMT4TO1). | |
| Common control (one required). Key-usage field 3, high-order byte. Use of DK enabled common control keyword DKPINOP, DKPINOPP, or DKPINAD1 causes key-usage field 3, low-order byte (field format identifier at token offset 050) to be set to X'01' (DK enabled), while use of common control keyword NOFLDFMT causes offset 050 to be set to X'00' (no field format specification). | |||
| 049 | DKPINOP | X'01' | PIN_OP |
| DKPINOPP | X'02' | PIN_OPP | |
| DKPINAD1 | X'03' | PIN_AD1 | |
| NOFLDFMT | X'00' | No field format specification. | |
| 050 | DKPINOP | X'01' | DK enabled. |
| DKPINOPP | X'01' | DK enabled. | |
| DKPINAD1 | X'01' | DK enabled. | |
| NOFLDFMT | X'00' | No field format specification. | |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| PIN-block format usage (Release 5.4 or later). Key-usage field 4, high-order byte. Only valid when offset 49 = X'00' (NOFLDFMT). | |||
| 051 | ISO-4 | B'xxxx xxx1' | Allow only ISO-4 PIN-block format. |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| RAW-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
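Two things in the PINPROT table are easy to get wrong when a rule array is assembled by hand: EPINGEN and EPINVER share the bit B'xxx1 xxxx' and RFMT1TO4 and RFMT4TO1 share B'xxxx xxx1', so the ENCRYPT or DECRYPT choice at offset 045 fixes what those bits mean; and NOFLDFMT at offset 049 is the only common-control keyword that sets offset 050 to X'00' and requires the KUF4 PIN-block format keyword. The following is an added example, not IBM CCA code, covering the notes above Table 9 and the PINPROT rows: it validates a PINPROT rule array against those rules and encodes offsets 045 and 048 to 051. The direction lists are derived from the per-keyword rows (which is why they come to five valid keywords per direction, matching the "1 – 5" count in Table 9), the reading that a PIN-services keyword is required only when NOFLDFMT is specified follows the notes rather than the table heading, and the function names are this example's own.

```python
"""Illustrative validator/encoder for the PINPROT rule array of CSNBKTB2.

Added example, not IBM CCA code.  Encodes the encryption operation
(offset 045), PIN-services bits (048), the common-control pair (049/050)
and the ISO-4 restriction (051), rejecting the combinations the PINPROT
table marks invalid.  Release-level restrictions (e.g. RFMT4TO1 before
Release 5.5.12) are not modelled.
"""

# Offset 048 keywords: (mask, operation the row requires, or None for either).
# EPINGEN/EPINVER and RFMT1TO4/RFMT4TO1 share a bit; the operation at
# offset 045 decides which meaning the bit has.
PIN_SERVICES = {
    "CPINENC":  (0x20, "ENCRYPT"),
    "CPINGENA": (0x08, "DECRYPT"),
    "EPINGEN":  (0x10, "ENCRYPT"),
    "EPINVER":  (0x10, "DECRYPT"),
    "REFORMAT": (0x02, None),
    "PINXLATE": (0x04, None),
    "RFMT1TO4": (0x01, "ENCRYPT"),
    "RFMT4TO1": (0x01, "DECRYPT"),
}
OPERATION = {"ENCRYPT": 0x80, "DECRYPT": 0x40}            # offset 045
# Offset 049 keyword -> (KUF3 HOB value, field format identifier at 050)
COMMON_CONTROL = {"DKPINOP": (0x01, 0x01), "DKPINOPP": (0x02, 0x01),
                  "DKPINAD1": (0x03, 0x01), "NOFLDFMT": (0x00, 0x00)}
ISO4_MASK = 0x01                                           # offset 051


def valid_pin_services(operation):
    """Offset-048 keywords the PINPROT rows allow with ENCRYPT or DECRYPT."""
    return sorted(k for k, (_, d) in PIN_SERVICES.items() if d in (None, operation))


def encode_pinprot(rule_array):
    """Return {offset: byte} for a PINPROT rule array, or raise ValueError
    naming the rule the array breaks."""
    kws = list(rule_array)
    known = set(OPERATION) | set(PIN_SERVICES) | set(COMMON_CONTROL) | {"ISO-4"}
    unknown = set(kws) - known
    if unknown:
        raise ValueError(f"not handled by this example: {sorted(unknown)}")
    ops = [k for k in kws if k in OPERATION]
    if len(ops) != 1:
        raise ValueError("exactly one of ENCRYPT or DECRYPT is required")
    op = ops[0]
    services = [k for k in kws if k in PIN_SERVICES]
    wrong_way = [k for k in services if PIN_SERVICES[k][1] not in (None, op)]
    if wrong_way:
        raise ValueError(f"{wrong_way} not valid with {op}")
    common = [k for k in kws if k in COMMON_CONTROL]
    if len(common) != 1:
        raise ValueError("exactly one common-control keyword is required")
    nofldfmt = common[0] == "NOFLDFMT"
    iso4 = "ISO-4" in kws
    if nofldfmt and not services:
        raise ValueError("NOFLDFMT requires at least one PIN-services keyword")
    if nofldfmt and not iso4:
        raise ValueError("NOFLDFMT requires the PIN-block format keyword ISO-4")
    if iso4 and not nofldfmt:
        raise ValueError("ISO-4 is only valid when offset 049 is NOFLDFMT")
    hob, lob = COMMON_CONTROL[common[0]]
    image = {45: OPERATION[op], 48: 0, 49: hob, 50: lob}
    for k in services:
        image[48] |= PIN_SERVICES[k][0]
    if iso4:
        image[51] = ISO4_MASK
    return image
```

For ENCRYPT, EPINGEN, RFMT1TO4, NOFLDFMT, ISO-4 the encoder produces X'80' at 045, X'11' at 048, X'00' at 049 and 050, and X'01' at 051; swapping in EPINVER while keeping ENCRYPT is rejected, because the row for EPINVER applies only to DECRYPT.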
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
- Choose any number of keywords in this group. No keywords in the group are defaults.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required). | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional). | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. This is the default. |
| Associated data section | |||
| Algorithm type (one required). | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required) | |||
| 042 | PINPRW | X'0007' | Key can be used for generation and verification of message authentication codes. |
| MAC operation (one required). Key-usage field 1, high-order byte. | |||
| 045 | GENONLY | B'10xx xxxx' | Key can be used for generate; key cannot be used for verify. |
| VERIFY | B'01xx xxxx' | Key cannot be used for generate; key can be used for verify. | |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| MAC mode (one required). Key-usage field 2, high-order byte. | |||
| 047 | CMAC | X'01' | Key can be used for block cipher-based MAC algorithm, called CMAC (NIST SP 800-38B). |
| Common control (one, required). Key-usage field 3, high-order byte. Use of a common control keyword causes key-usage field 3, low-order byte (field format identifier at token offset 050) to be set to X'01' (DK enabled). | |||
| 049 | DKPINOP | X'01' | PIN_OP |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| RAW-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 052 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using raw key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using raw key. Defined for future use. Currently ignored. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 053 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
Figure 10 shows all the valid keyword combinations and their defaults for CSNBKTB2 when constructing an AES key token for a KDKGENKY key and for CSNBKTP2 when deconstructing one.
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- NOEX-RAW and XPRT-RAW are defined for future use and their meanings are currently undefined. To avoid this export restriction in the future when the meaning is defined, specify XPRT-RAW.
- Choose any number of keywords in this group. No keywords in this group are defaults.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required). | |||
| 000 | EXTERNAL | X'02' | Build a key token that is not to be used locally. |
| INTERNAL | X'01' | Build a key token that is to be used locally. | |
| Wrapping-information section | |||
| Key status (one, optional). | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. This is the default. |
| Associated data section | |||
| Algorithm type (one required). | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required). | |||
| 042 | KDKGENKY | X'000B' | Key can be used for generating a diversified key. |
| Key diversification type (one required). | |||
| 045 | KDKTYPEA | X'00' | Entity A of communications partners A and B. One partner has active use of the key (for example, encipher or generate), while the other partner has passive use of the key (for example, decipher or verify). |
| KDKTYPEB | X'01' | Entity B of communications partners A and B. | |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| Symmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 048 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| XPRT-SYM | B'1xxx xxxx' | Allow export using symmetric key. This is the default. | |
| Unauthenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 048 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| XPRTUASY | B'x1xx xxxx' | Allow export using an unauthenticated asymmetric key (not a trusted block). This is the default. | |
| Authenticated asymmetric-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 048 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| XPRTAASY | B'xx1x xxxx' | Allow export using an authenticated asymmetric key (trusted block). This is the default. | |
| Raw-key export control (one, optional). Key-management field 1, high-order byte. | |||
| 048 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using RAW key. Defined for future use. Currently ignored. |
| XPRT-RAW | B'xxx1 xxxx' | Allow export using RAW key. Defined for future use. Currently ignored. | |
| DES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 049 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| XPRT-DES | B'0xxx xxxx' | Allow export using a DES key. This is the default. | |
| AES-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 049 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| XPRT-AES | B'x0xx xxxx' | Allow export using an AES key. | |
| RSA-key export control (one, optional). Key-management field 1, low-order byte. | |||
| 049 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
| XPRT-RSA | B'xxxx 0xxx' | Allow export using an RSA key. This is the default. | |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
Figure 11 shows all the valid keyword combinations and their defaults for AES key type SECMSG.
- An AES SECMSG key is always derived. The derived key is the result of a key derivation function (KDF) applied to a fixed diversified key generating key (DKYGENKY) and derivation data. The final derived key is used as a session key and is typically used to encipher and decipher PIN information between devices. An AES SECMSG key can only be wrapped by an AES master key and cannot be stored in an external key-token.
- Each key-usage field (KUF) and key-management field (KMF) of a version X'05' variable-length symmetric key-token consists of two bytes: a high-order byte (HOB) and a low-order byte (LOB).
- Choose any number of keywords in this group. No keywords in this group are defaults.
- NOEX-RAW is defined for future use.
- There is no default. Specifying NOEXPORT is equivalent to specifying all of the export control keywords (NOEX-SYM, NOEXUASY, NOEXAASY, NOEX-RAW, NOEX-DES, NOEX-AES, and NOEX-RSA). Do not specify any export control keywords together with NOEXPORT. If NOEXPORT is not specified, NOEX-SYM, NOEXUASY, NOEXAASY, NOEX-DES, NOEX-AES, and NOEX-RSA all must be specified, and NOEX-RAW is optional.
| Token offset | Rule-array keyword | Offset value | Meaning |
|---|---|---|---|
| Key-token header section | |||
| Token identifier (one required). | |||
| 000 | INTERNAL | X'01' | Build a key token that is to be used locally. |
| Wrapping-information section | |||
| Key status (one, optional). | |||
| 008 | NO-KEY | X'00' | Build a key token that does not contain a key value. This is the default. |
| Payload format version (one, optional). Identifies format of the payload. | |||
| 028 | V1PYLD | X'01' | Build the key token with a version 1 payload format. This format has a fixed length and the key length cannot be inferred by the size of the payload. An obscured key length is considered more secure. This is the default. |
| Associated data section | |||
| Algorithm type (one required) | |||
| 041 | AES | X'02' | Key can be used for AES algorithm. |
| Key type (one required) | |||
| 042 | SECMSG | X'000A' | Key can be used as an EMV secure messaging key for encrypting PINs or for encrypting keys. |
| Secure message encryption enablement (one required). Key-usage field 1, high-order byte | |||
| 045 | SMPIN | X'00' | Enable the encryption of PINs in an EMV secure message. |
| User-defined extension (UDX) control (one or more, optional). Key-usage field 1, low-order byte. No keywords in the group are defaults. | |||
| 046 | UDX-ONLY | B'xxxx 1xxx' | Key can only be used in UDXs. |
| UDX-100 | B'xxxx x1uu' | Leftmost user-defined UDX bit is set on. | |
| UDX-010 | B'xxxx xu1u' | Middle user-defined UDX bit is set on. | |
| UDX-001 | B'xxxx xuu1' | Rightmost user-defined UDX bit is set on. | |
| Verb restriction (one, optional) | |||
| 047 | ANY-USE | X'00' | Any verb (service) can use this key. This is the default. |
| DPC-ONLY | X'01' | Only CSNBDPC can use this key. | |
| General export control (one, optional). Equivalent to specifying all export control keywords (NOEX-SYM, NOEXUASY, NOEXAASY, NOEX-RAW, NOEX-DES, NOEX-AES, and NOEX-RSA). Not valid with any other export control keyword. There is no default. Key-management field 1, high-order byte and low-order byte. | |||
| 050 | NOEXPORT | B'0000 xxxx' | Prohibits the export of this key in all cases. Equivalent to specifying NOEX-SYM, NOEXUASY, NOEXAASY, NOEX-RAW, NOEX-DES, NOEX-AES, and NOEX-RSA. |
| 051 | | B'11xx 1xxx' | |
| Symmetric-key export control (one required if NOEXPORT not specified, otherwise not valid). Key-management field 1, high-order byte. | |||
| 050 | NOEX-SYM | B'0xxx xxxx' | Prohibit export using symmetric key. |
| Unauthenticated asymmetric-key export control (one required if NOEXPORT not specified, otherwise not valid). Key-management field 1, high-order byte. | |||
| 050 | NOEXUASY | B'x0xx xxxx' | Prohibit export using an unauthenticated asymmetric key (not a trusted block). |
| Authenticated asymmetric-key export control (one required if NOEXPORT not specified, otherwise not valid). Key-management field 1, high-order byte. | |||
| 050 | NOEXAASY | B'xx0x xxxx' | Prohibit export using an authenticated asymmetric key (trusted block). |
| RAW-key export control (one, optional if NOEXPORT not specified; otherwise not valid). Key-management field 1, high-order byte. | |||
| 050 | NOEX-RAW | B'xxx0 xxxx' | Prohibit export using RAW key. Defined for future use. Currently ignored. |
| Compliance (Optional). | |||
| 050 | COMP-TAG | B'xxxx xxx1' | Build a compliant-tagged key token. |
| NOCMPTAG | B'xxxx xxx0' | Do not build a compliant-tagged key token. This is the default. | |
| DES-key export control (one required if NOEXPORT not specified, otherwise not valid). Key-management field 1, low-order byte. | |||
| 051 | NOEX-DES | B'1xxx xxxx' | Prohibit export using a DES key. |
| AES-key export control (one required if NOEXPORT not specified, otherwise not valid). Key-management field 1, low-order byte. | |||
| 051 | NOEX-AES | B'x1xx xxxx' | Prohibit export using an AES key. |
| RSA-key export control (one required if NOEXPORT not specified, otherwise not valid). Key-management field 1, low-order byte. | |||
| 051 | NOEX-RSA | B'xxxx 1xxx' | Prohibit export using an RSA key. |
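The export-control tables for PINPRW, KDKGENKY and SECMSG all describe the same key-management field 1 bit layout; what differs is the token offset of that field and, for SECMSG, the rule that the key must end up fully non-exportable. The following Python is an added illustration, not ICSF or CCA code: it turns a rule_array keyword list into the KMF1 high-order and low-order bytes, enforces the SECMSG NOEXPORT rule, reads the bytes back out of a token skeleton at the offset the tables give for each key type, and shows that NOEXPORT and the explicit NOEX-* set produce identical bytes. Two assumptions are made where the page states no default: an unspecified NOEX-RAW/XPRT-RAW pair and an unspecified XPRT-AES are treated as "bit off". The 64-byte token skeleton is constructed for the example and fills only the offsets named in the tables; it is not a complete CCA key token.

```python
"""Key-management field 1 (KMF1) export-control helpers for the AES PINPRW,
KDKGENKY and SECMSG key types in the CSNBKTB2 keyword tables above.

Illustrative code, not ICSF/CCA code.  Bit positions, token offsets and the
SECMSG NOEXPORT rule come from the tables; treating an unspecified
NOEX-RAW/XPRT-RAW pair and an unspecified XPRT-AES as "bit off" is an
assumption, since the page names no default for them.
"""

# KMF1 high-order-byte offset per key type (low-order byte follows it) and
# the two-byte key-type value at token offset 042, as listed in the tables.
KMF1_OFFSET = {"PINPRW": 52, "KDKGENKY": 48, "SECMSG": 50}
KEY_TYPE_CODE = {"PINPRW": 0x0007, "KDKGENKY": 0x000B, "SECMSG": 0x000A}

# keyword -> (byte, mask, bit value).  Masks follow the B'0xxx xxxx'
# notation: the leftmost bit is 0x80.  Note the polarity flip between the
# HOB (1 = allow) and the LOB (1 = prohibit).
EXPORT_KEYWORDS = {
    "XPRT-SYM": ("hob", 0x80, 1), "NOEX-SYM": ("hob", 0x80, 0),
    "XPRTUASY": ("hob", 0x40, 1), "NOEXUASY": ("hob", 0x40, 0),
    "XPRTAASY": ("hob", 0x20, 1), "NOEXAASY": ("hob", 0x20, 0),
    "XPRT-RAW": ("hob", 0x10, 1), "NOEX-RAW": ("hob", 0x10, 0),
    "XPRT-DES": ("lob", 0x80, 0), "NOEX-DES": ("lob", 0x80, 1),
    "XPRT-AES": ("lob", 0x40, 0), "NOEX-AES": ("lob", 0x40, 1),
    "XPRT-RSA": ("lob", 0x08, 0), "NOEX-RSA": ("lob", 0x08, 1),
}
GROUPS = [("XPRT-SYM", "NOEX-SYM"), ("XPRTUASY", "NOEXUASY"),
          ("XPRTAASY", "NOEXAASY"), ("XPRT-RAW", "NOEX-RAW"),
          ("XPRT-DES", "NOEX-DES"), ("XPRT-AES", "NOEX-AES"),
          ("XPRT-RSA", "NOEX-RSA")]
# PINPRW/KDKGENKY defaults: XPRT-SYM, XPRTUASY, XPRTAASY on; DES/RSA prohibit
# bits off.  RAW and AES bits off is the assumption noted above.
DEFAULT_HOB, DEFAULT_LOB = 0xE0, 0x00
NOEXPORT_HOB, NOEXPORT_LOB = 0x00, 0xC8      # B'0000 xxxx' / B'11xx 1xxx'
SECMSG_REQUIRED = ("NOEX-SYM", "NOEXUASY", "NOEXAASY",
                   "NOEX-DES", "NOEX-AES", "NOEX-RSA")
COMP_TAG_OFFSET, COMP_TAG_BIT = 50, 0x01     # COMP-TAG B'xxxx xxx1' at 050


def encode_kmf1(key_type, keywords):
    """Return (hob, lob) for the export-control keywords in a rule_array."""
    kws = [k for k in keywords if k in EXPORT_KEYWORDS or k == "NOEXPORT"]
    chosen = {}                              # at most one keyword per bit group
    for k in kws:
        if k == "NOEXPORT":
            continue
        byte, mask, _ = EXPORT_KEYWORDS[k]
        if (byte, mask) in chosen:
            raise ValueError(f"conflicting keywords {chosen[(byte, mask)]} and {k}")
        chosen[(byte, mask)] = k
    if key_type == "SECMSG":
        if "NOEXPORT" in kws:
            if len(kws) > 1:
                raise ValueError("NOEXPORT is not valid with other export keywords")
            return NOEXPORT_HOB, NOEXPORT_LOB
        missing = [k for k in SECMSG_REQUIRED if k not in kws]
        if missing:
            raise ValueError(f"SECMSG needs {missing} unless NOEXPORT is given")
        if any(k.startswith("XPRT") for k in kws):
            raise ValueError("the SECMSG table lists NOEX-* keywords only")
        hob, lob = 0x00, 0x00                # every bit is set explicitly below
    elif "NOEXPORT" in kws:
        raise ValueError(f"NOEXPORT is not in the {key_type} table")
    else:
        hob, lob = DEFAULT_HOB, DEFAULT_LOB
    for k in chosen.values():
        byte, mask, val = EXPORT_KEYWORDS[k]
        if byte == "hob":
            hob = hob | mask if val else hob & ~mask & 0xFF
        else:
            lob = lob | mask if val else lob & ~mask & 0xFF
    return hob, lob


def decode_kmf1(hob, lob):
    """Map KMF1 bytes back to the effective keyword of each export group."""
    out = []
    for allow, deny in GROUPS:
        byte, mask, allow_val = EXPORT_KEYWORDS[allow]
        bit = bool((hob if byte == "hob" else lob) & mask)
        out.append(allow if bit == bool(allow_val) else deny)
    return out


def fully_locked(hob, lob):
    """True when every export path is prohibited (the SECMSG invariant)."""
    return (hob & 0xF0) == NOEXPORT_HOB and (lob & 0xC8) == NOEXPORT_LOB


def build_token_skeleton(key_type, keywords, comp_tag=False):
    """Constructed 64-byte skeleton, NOT a complete CCA token: only the
    fields named in the tables are filled (offsets 000, 028, 041, 042,
    KMF1 and the COMP-TAG bit)."""
    t = bytearray(64)
    t[0] = 0x02 if "EXTERNAL" in keywords else 0x01   # token identifier
    t[28] = 0x01                                     # V1PYLD (the default here)
    t[41] = 0x02                                     # algorithm type AES
    t[42:44] = KEY_TYPE_CODE[key_type].to_bytes(2, "big")
    off = KMF1_OFFSET[key_type]
    t[off], t[off + 1] = encode_kmf1(key_type, keywords)
    if comp_tag:
        t[COMP_TAG_OFFSET] |= COMP_TAG_BIT
    return bytes(t)


def export_controls_of(token):
    """Read the key type at 042 and decode KMF1 at that type's offset."""
    code = int.from_bytes(token[42:44], "big")
    key_type = next(k for k, v in KEY_TYPE_CODE.items() if v == code)
    off = KMF1_OFFSET[key_type]
    return key_type, decode_kmf1(token[off], token[off + 1])
```

The check worth keeping from this is `export_controls_of`: before a key token is exported or stored, read the key type at offset 042 and decode KMF1 at the offset that type's table gives, rather than assuming one fixed position. Note the polarity flip across the two bytes: in the high-order byte a set bit allows export, in the low-order byte a set bit prohibits it, so a byte of zeros is "no export" for the HOB but "export by any key algorithm" for the LOB.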