Trusted block section X'12'

Trusted block section X'12' contains information that defines a rule.

A trusted block can have zero or more rule sections.

  1. A trusted block with no rule sections can be used by the PKA Key Token Change and PKA Key Import verbs. It can also be used by the Digital Signature Verify verb, provided the trusted block contains an RSA public key section whose key-usage flag allows digital signature operations.
  2. At least one rule section is required when the Remote Key Export verb is used to:
    • Generate an RKX key-token
    • Export an RKX key-token
    • Export a CCA DES key-token
    • Generate or export a key encrypted by a public key. The public key is contained in a vendor certificate and is the root certification key for the ATM vendor. It is used to verify the digital signature on public-key certificates for specific individual ATMs.
  3. If a trusted block has multiple rule sections, each rule section must have a unique 8-character Rule ID.
Section X'12' is optional, and it is the only section type that can appear more than once in a trusted block.
Note: The overall length of the trusted block cannot exceed its maximum size of 3500 bytes.

Five subsections (TLV objects) are defined.

Table 1. Trusted block rule section (X'12')

Offset (bytes)  Length (bytes)  Description
000             001             Section identifier: X'12' (trusted block rule).
001             001             Section version number (X'00').
002             002             Section length in bytes (20 + yyy).
004             008             Rule ID (in ASCII). An 8-byte character string that uniquely identifies the rule within the trusted block. Valid ASCII characters are A - Z, a - z, 0 - 9, - (hyphen), and _ (underscore); the ID is left-aligned and padded on the right with space characters.
012             004             Flags (undefined flag bits are reserved and must be zero):
                                  X'00000000'  Generate new key
                                  X'00000001'  Export existing key
016             001             Generated key length. Length in bytes of the key to be generated when the flags value (offset 012) is set to generate a new key; otherwise this value is ignored. Valid values are 8, 16, or 24; an error is returned if the value is not valid.
017             001             Key-check algorithm identifier (all other values are reserved and must not be used):
                                  X'00'  Do not compute a key-check value. Set the key_check_value_length variable to zero.
                                  X'01'  Encrypt an 8-byte block of binary zeros with the key. See Encrypt zeros DES-key verification algorithm.
                                  X'02'  Compute the MDC-2 hash of the key. See Modification Detection Code calculation.
018             001             Symmetric encrypted output key format flag (all other values are reserved and must not be used). The indicated symmetric key-token is returned using the sym_encrypted_key_identifier parameter.
                                  X'00'  Return an RKX key-token encrypted under a variant of the MAC key. This key format is permitted when the flags value (offset 012) is set either to generate a new key or to export an existing key.
                                  X'01'  Return a CCA DES key-token encrypted under a transport key. This key format is not permitted when the flags value (offset 012) is set to generate a new key; it is only permitted when exporting an existing key.
019             001             Asymmetric encrypted output key format flag (all other values are reserved and must not be used). The indicated asymmetric key-token is returned in the asym_encrypted_key variable.
                                  X'00'  Do not return an asymmetric key. Set the asym_encrypted_key_length variable to zero.
                                  X'01'  Output in PKCS-1.2 format.
                                  X'02'  Output in RSA-OAEP format.
                                  X'04'  Output in RSA-OAEP format (RSA PKCS #1 v2.0) using SHA-256.
020             yyy             Rule section subsections (tag-length-value objects). A series of zero to five objects in TLV format.
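The following Python parser is an added example and is not code from the IBM CCA documentation or product. It decodes the fixed 20-byte part of a rule section and enforces the constraints stated in Table 1: the rule ID character set and space padding, reserved flag bits, the 8/16/24 generated key length (checked only when the flags select "generate new key"), the defined code points for the key-check and output-format fields, the restriction that a CCA DES key-token output is only valid when exporting an existing key, and unique rule IDs across multiple X'12' sections. It assumes the 2-byte length and 4-byte flags are big-endian (the table does not state byte order), leaves the subsection TLV bytes opaque because their layout is not defined in this section, and the build_rule_section helper and the two sample sections are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Constants taken from the X'12' layout in Table 1.
SECTION_ID = 0x12
SECTION_VERSION = 0x00
HEADER_LEN = 20                 # fixed part; TLV subsections follow
FLAG_GENERATE = 0x00000000
FLAG_EXPORT = 0x00000001
DEFINED_FLAG_BITS = 0x00000001  # every other flag bit is reserved and must be zero
VALID_GEN_KEY_LENS = (8, 16, 24)
VALID_KEY_CHECK_ALGS = (0x00, 0x01, 0x02)
SYM_FORMAT_RKX, SYM_FORMAT_CCA_DES = 0x00, 0x01
VALID_ASYM_FORMATS = (0x00, 0x01, 0x02, 0x04)
RULE_ID_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


class RuleSectionError(ValueError):
    """Raised when a section violates a constraint stated in the layout."""


@dataclass(frozen=True)
class RuleSection:
    rule_id: str          # trimmed of trailing space padding
    flags: int
    gen_key_len: int
    key_check_alg: int
    sym_format: int
    asym_format: int
    subsections: bytes    # raw TLV bytes; their layout is not defined here


def build_rule_section(rule_id, flags, gen_key_len, key_check_alg,
                       sym_format, asym_format, subsections=b"") -> bytes:
    """Serialize a rule section (assumed big-endian); used to construct sample input."""
    body = struct.pack(">8sIBBBB", rule_id.ljust(8).encode("ascii"), flags,
                       gen_key_len, key_check_alg, sym_format, asym_format)
    return struct.pack(">BBH", SECTION_ID, SECTION_VERSION,
                       HEADER_LEN + len(subsections)) + body + subsections


def parse_rule_section(buf: bytes, offset: int = 0) -> tuple[RuleSection, int]:
    """Parse one X'12' section at buf[offset]; return (section, offset after it)."""
    if len(buf) - offset < HEADER_LEN:
        raise RuleSectionError("truncated: need at least 20 bytes")
    sec_id, version, length = struct.unpack_from(">BBH", buf, offset)
    if sec_id != SECTION_ID:
        raise RuleSectionError(f"section identifier X'{sec_id:02X}' is not X'12'")
    if version != SECTION_VERSION:
        raise RuleSectionError(f"unsupported section version X'{version:02X}'")
    if length < HEADER_LEN or offset + length > len(buf):
        raise RuleSectionError(f"section length {length} is inconsistent with buffer")
    raw_id, flags, gen_key_len, key_check_alg, sym_format, asym_format = \
        struct.unpack_from(">8sIBBBB", buf, offset + 4)

    # Rule ID: allowed characters only, left-aligned, space-padded on the right.
    try:
        rule_id = raw_id.decode("ascii")
    except UnicodeDecodeError:
        raise RuleSectionError("rule ID is not ASCII") from None
    trimmed = rule_id.rstrip(" ")
    if not trimmed or rule_id != trimmed.ljust(8) or not set(trimmed) <= RULE_ID_CHARS:
        raise RuleSectionError(f"malformed rule ID {rule_id!r}")

    if flags & ~DEFINED_FLAG_BITS:
        raise RuleSectionError(f"reserved flag bits set: X'{flags:08X}'")
    # Generated key length is only meaningful for 'generate new key'; otherwise ignored.
    if flags == FLAG_GENERATE and gen_key_len not in VALID_GEN_KEY_LENS:
        raise RuleSectionError(f"generated key length {gen_key_len} not in {VALID_GEN_KEY_LENS}")
    if key_check_alg not in VALID_KEY_CHECK_ALGS:
        raise RuleSectionError(f"reserved key-check algorithm X'{key_check_alg:02X}'")
    if sym_format not in (SYM_FORMAT_RKX, SYM_FORMAT_CCA_DES):
        raise RuleSectionError(f"reserved symmetric output format X'{sym_format:02X}'")
    # A CCA DES key-token output is only permitted when exporting an existing key.
    if sym_format == SYM_FORMAT_CCA_DES and flags == FLAG_GENERATE:
        raise RuleSectionError("CCA DES key-token output not permitted with 'generate new key'")
    if asym_format not in VALID_ASYM_FORMATS:
        raise RuleSectionError(f"reserved asymmetric output format X'{asym_format:02X}'")

    section = RuleSection(trimmed, flags, gen_key_len, key_check_alg, sym_format,
                          asym_format, buf[offset + HEADER_LEN:offset + length])
    return section, offset + length


def parse_rule_sections(buf: bytes) -> list[RuleSection]:
    """Parse back-to-back rule sections and enforce unique rule IDs across them."""
    sections, offset, seen = [], 0, set()
    while offset < len(buf):
        section, offset = parse_rule_section(buf, offset)
        if section.rule_id in seen:
            raise RuleSectionError(f"duplicate rule ID {section.rule_id!r}")
        seen.add(section.rule_id)
        sections.append(section)
    return sections


# Constructed sample: one 'generate' rule and one 'export' rule, no subsections.
SAMPLE_BLOCK_RULES = (
    build_rule_section("GENKEY16", FLAG_GENERATE, 16, 0x01, SYM_FORMAT_RKX, 0x00)
    + build_rule_section("EXP-DES", FLAG_EXPORT, 0, 0x00, SYM_FORMAT_CCA_DES, 0x02)
)

if __name__ == "__main__":
    for s in parse_rule_sections(SAMPLE_BLOCK_RULES):
        print(s)
```

The parser rejects a section rather than silently accepting reserved code points, which is the behaviour the table calls for ("must not be used"); a host-side tool that builds trusted blocks for Remote Key Export can run the same checks before the block is ever sent to the coprocessor.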