Key Translate2 (CSNBKTR2)

The Key Translate2 verb uses one key-encrypting key to decipher an input key and then enciphers this key using another key-encrypting key within the secure environment.

It can also be used to change the wrapping method of the key with a single key-encrypting key.

To re-encipher a key token, specify the external key token and the input and output key-encrypting keys. You can specify which key wrapping method to use. If no wrapping method is specified, the wrapping method of the input_key_token will be used.

To change the wrapping method of an external DES key token, specify the REFORMAT rule array keyword, the wrapping method to use, the external key token, and the input key-encrypting key. If no wrapping method is specified, the system default wrapping method will be used. Note that the output_KEK_identifier will be ignored.

To convert an operational AES DATA token (version X’04’) to an operational AES CIPHER token (version X’05’) or vice versa, specify the REFORMAT rule array keyword, the operational key token as input_key_token, and either a NULL token or skeleton token as output_key_token. Note that both the input_KEK_identifier and the output_KEK_identifier will be ignored as the corresponding lengths must be zero.

To convert an internal or external variable-length AES key token (version X’05’) from a variable-length payload to a fixed-length payload, specify the V1PYLD rule array keyword. The fixed-length payload will obfuscate the key length. This keyword is only valid for the CIPHER, EXPORTER and IMPORTER key types.

To convert an internal or external variable-length AES key token (version X’05’) from a fixed-length payload to a variable-length payload, specify the V0PYLD rule array keyword. This keyword is only valid for the CIPHER, EXPORTER and IMPORTER key types.

Note:
  • All key labels must be unique.
  • This verb supports PCI-HSM 2016 compliant-tagged key tokens.
  • It can check if the key token to be translated or reformatted can have the PCI-HSM 2016 compliance tag. For this purpose, specify the COMP-CHK rule array keyword.
  • To convert a key token from a non-compliant-tagged key token to a compliant-tagged key token, specify the COMP-TAG rule array keyword.
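The keyword and KEK-length constraints described above can be checked before the verb is called. The following is an added example, not IBM code: it validates a planned call and packs the keywords into 8-byte, blank-padded rule_array slots. The names key_type, ktr2_check, ktr2_build_rules and the KTR2_* codes are hypothetical, and it assumes a plain translate passes no operation keyword.

```c
#include <string.h>

/* Hypothetical names for this example; they are not CCA definitions. */
enum key_type { KT_DES, KT_AES_DATA, KT_AES_CIPHER, KT_AES_EXPORTER, KT_AES_IMPORTER };
enum { KTR2_OK = 0, KTR2_E_KEYTYPE = -1, KTR2_E_KEK_NOT_ZERO = -2,
       KTR2_E_KEK_MISSING = -3, KTR2_E_KEYWORD = -4 };

/* Pack one keyword into an 8-byte, left-justified, blank-padded rule_array slot. */
static int pack_rule(unsigned char *slot, const char *kw)
{
    size_t n = strlen(kw);
    if (n == 0 || n > 8) return KTR2_E_KEYWORD;
    memset(slot, ' ', 8);
    memcpy(slot, kw, n);
    return KTR2_OK;
}

/* Check a planned call against the constraints described above. op is "REFORMAT",
 * "V1PYLD", "V0PYLD", or NULL for a plain KEK-to-KEK translate (assumed: no keyword). */
int ktr2_check(const char *op, enum key_type kt, long in_kek_len, long out_kek_len)
{
    if (op == NULL)                        /* translate: both KEKs are required */
        return (in_kek_len > 0 && out_kek_len > 0) ? KTR2_OK : KTR2_E_KEK_MISSING;
    if (strcmp(op, "V1PYLD") == 0 || strcmp(op, "V0PYLD") == 0)
        return (kt == KT_AES_CIPHER || kt == KT_AES_EXPORTER || kt == KT_AES_IMPORTER)
               ? KTR2_OK : KTR2_E_KEYTYPE;
    if (strcmp(op, "REFORMAT") != 0) return KTR2_E_KEYWORD;
    if (kt == KT_DES)                      /* external DES: input KEK, output KEK ignored */
        return in_kek_len > 0 ? KTR2_OK : KTR2_E_KEK_MISSING;
    if (kt == KT_AES_DATA || kt == KT_AES_CIPHER)  /* operational DATA <-> CIPHER */
        return (in_kek_len == 0 && out_kek_len == 0) ? KTR2_OK : KTR2_E_KEK_NOT_ZERO;
    return KTR2_E_KEYTYPE;
}

/* Validate, then fill rule_array (>= 16 bytes); returns keyword count or negative error. */
int ktr2_build_rules(unsigned char *rule_array, const char *op, const char *wrap_kw,
                     enum key_type kt, long in_kek_len, long out_kek_len)
{
    int n = 0, rc = ktr2_check(op, kt, in_kek_len, out_kek_len);
    if (rc != KTR2_OK) return rc;
    if (op && (rc = pack_rule(rule_array + 8 * n++, op)) != KTR2_OK) return rc;
    if (wrap_kw && (rc = pack_rule(rule_array + 8 * n++, wrap_kw)) != KTR2_OK) return rc;
    return n;
}

int main(void)
{
    unsigned char ra[16];   /* constructed call: AES DATA -> CIPHER reformat, no KEKs */
    return ktr2_build_rules(ra, "REFORMAT", NULL, KT_AES_DATA, 0, 0) == 1 ? 0 : 1;
}
```

The wrap_kw argument is passed through unchecked because this page does not list the wrapping-method keyword names.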