Trusted block section X'14' subsections

Section X'14' has two information subsections (tag-length-value objects) defined.

These subsections are summarized in Table 1. See also Number representation in trusted blocks.

Table 1. Summary of trusted block information subsections

Subsection tag  TLV object                       Optional or required  Comments
X'0001'         Protection information           Required              Contains the encrypted 8-byte confounder and triple-length (24-byte) MAC key, the ISO-16609 TDES CBC MAC value, and the MKVP of the PKA master key (computed using MDC4).
X'0002'         Activation and expiration dates  Optional              Contains flags indicating whether or not the coprocessor is to validate dates, and contains the activation and expiration dates that are considered valid for the trusted block.

Trusted block section X'14' subsection X'0001'

Subsection X'0001' of the trusted block information section (X'14') is the protection information TLV object. This subsection is required. It contains the encrypted 8-byte confounder and triple-length (24-byte) MAC key, the ISO-16609 TDES CBC MAC value, and the MKVP of the PKA master key (computed using MDC4).

This subsection is defined in Table 2.

Table 2. Protection information subsection (X'0001') of trusted block information section (X'14')

Offset (bytes)  Length (bytes)  Description
000             002             Subsection tag: X'0001' (trusted block information TLV object)
002             002             Subsection length in bytes (62).
004             001             Subsection version number (X'00').
005             001             Reserved, must be binary zero.
006             032             Encrypted MAC key. Contains the encrypted 8-byte confounder and triple-length (24-byte) MAC key in the following format:
                                    Offset   Description
                                    00 - 07  Confounder
                                    08 - 15  Left key
                                    16 - 23  Middle key
                                    24 - 31  Right key
038             008             MAC. Contains the ISO-16609 TDES CBC Message Authentication Code value.
046             016             MKVP. Contains the PKA master-key verification pattern, computed using MDC4, when the trusted block is in internal form; otherwise contains binary zero.

Trusted block section X'14' subsection X'0002'

Subsection X'0002' of the trusted block information section (X'14') is the activation and expiration dates TLV object. This subsection is optional. It contains flags indicating whether or not the coprocessor is to validate dates, and contains the activation and expiration dates that are considered valid for the trusted block.

This subsection is defined in Table 3.

Table 3. Activation/expiration dates subsection (X'0002') of trusted block information section (X'14')

Offset (bytes)  Length (bytes)  Description
000             002             Subsection tag: X'0002' (activation and expiration dates TLV object)
002             002             Subsection length in bytes (16).
004             001             Subsection version number (X'00').
005             001             Reserved, must be binary zero.
006             002             Flags:
                                    Value    Description
                                    X'0000'  The coprocessor does not check dates.
                                    X'0001'  The coprocessor checks dates. Compare the activation date (offset 008) and the expiration date (offset 012) to the coprocessor's internal real-time clock. Return an error if the coprocessor date is before the activation date or after the expiration date.
008             004             Activation date. Contains the first date that the trusted block can be used for generating or exporting keys. The date format is YYMMDD (2-byte year, 1-byte month, 1-byte day), where:
                                    YY  Big-endian year (return an error if greater than 9999)
                                    MM  Month (return an error if any value other than X'01' - X'0C')
                                    DD  Day of month (return an error if any value other than X'01' - X'1F'; the day must also be valid for the given month and year, including leap years)
                                Return an error if the activation date is after the expiration date or is not valid.
012             004             Expiration date. Contains the last date that the trusted block can be used. Same format as the activation date (offset 008). Return an error if the date is not valid.
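The checks for subsection X'0002' carried out in code, as an added example that is not part of the CCA documentation: it decodes the 16-byte subsection, validates the date fields, and applies the flag rule against a supplied coprocessor date. The sample bytes are constructed, and treating flag values other than X'0000' and X'0001' as errors is an assumption.

```python
import struct
from datetime import date

# Added example (not CCA code): decode and check subsection X'0002'.
# Byte layout and error conditions follow Table 3; sample bytes are constructed.

def parse_date(field):
    """4-byte date: 2-byte big-endian year, 1-byte month, 1-byte day."""
    year, month, day = struct.unpack(">HBB", field)
    if year > 9999 or not 1 <= month <= 12 or not 1 <= day <= 31:
        raise ValueError("date field out of range")
    try:
        return date(year, month, day)  # rejects e.g. 29 Feb in a non-leap year
    except ValueError:
        raise ValueError("day not valid for month and year")

def parse_subsection_0002(data):
    """Return (check_dates, activation, expiration) or raise ValueError."""
    if len(data) != 16:
        raise ValueError("subsection must be 16 bytes")
    tag, length, version, reserved, flags = struct.unpack(">HHBBH", data[:8])
    if tag != 0x0002 or length != 16 or version != 0 or reserved != 0:
        raise ValueError("bad tag/length/version/reserved")
    if flags not in (0x0000, 0x0001):
        raise ValueError("undefined flag value")  # assumption: only documented values
    activation, expiration = parse_date(data[8:12]), parse_date(data[12:16])
    if activation > expiration:
        raise ValueError("activation date after expiration date")
    return flags == 0x0001, activation, expiration

def check_trusted_block_dates(data, today):
    """Apply the flag rule: 'ok' if usable on `today`, else the error reason."""
    try:
        check, activation, expiration = parse_subsection_0002(data)
    except ValueError as e:
        return str(e)
    if check and not activation <= today <= expiration:
        return "coprocessor date outside activation/expiration window"
    return "ok"

# Constructed sample: flags=X'0001', active 2020-01-01 through 2030-12-31.
SAMPLE = bytes.fromhex("0002 0010 00 00 0001 07E4 01 01 07EE 0C 1F")
# Same subsection with activation 29 Feb 2021 (not a leap year): must be rejected.
BAD_DAY = SAMPLE[:8] + bytes.fromhex("07E5 02 1D") + SAMPLE[12:]

if __name__ == "__main__":
    print(check_trusted_block_dates(SAMPLE, date(2025, 6, 1)))   # ok
    print(check_trusted_block_dates(SAMPLE, date(2031, 1, 1)))   # outside window
    print(check_trusted_block_dates(BAD_DAY, date(2025, 6, 1)))  # day not valid
```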