RSA private key, 8192-bit Chinese Remainder Theorem format with AES encrypted OPK section

View the format of an RSA private key token, 8192-bit Chinese Remainder Theorem, with AES encrypted OPK section (X'31'), in internal and external format.

Table 1. RSA private key, 8192-bit Chinese Remainder Theorem format with AES encrypted OPK section (X'31')

RSA private key, 8192-bit Chinese Remainder Theorem format with AES encrypted OPK section (X'31')

Offset (bytes) Length (bytes) Description
000 001 Section identifier:
X'31'
RSA private key, 8192-bit Chinese-Remainder Theorem format with AES encrypted OPK (RSA-AESC)
001 001 Section version number (X'00').
002 002 Section length in bytes: 134 + nnn + ppp

Key size in bits      Section Length in bytes                       
    4096              134 + 512   + 1065 = 1711 (0x06AF)    
    6144              134 + 768   + 1577 = 2479 (0x09AF) 
    8192              134 + 1024  + 2089 = 3247 (0x0CAF)
004 002 Length in bytes of Associated Data section
006 002 Length in bytes of payload data: ppp

Key size in bits       Payload length in bytes 
    4096                    1065 (0x0429)           
    6144                    1577 (0x0629)              
    8192                    2089 (0x0829)
008 002 Reserved, binary zero.
Start of Associated Data section
010 001 Associated Data version:
X'03'
Version 3
X'05'
Version 5
011 001 Key format and security flag:

External key-token:

X'40'
Unencrypted RSA private-key subsection identifier
X'42'
Encrypted RSA private-key subsection identifier

Internal key-token:

X'08'
Encrypted RSA private-key subsection identifier

All other values are reserved and undefined.

012 001 Key source flag:

External key-token: Reserved, binary zero.

Internal key-token:

X'21'
External private key was specified in the clear.
X'22'
External private key was encrypted.
X'23'
Private key was generated using regeneration data.
X'24'
Private key was randomly generated.

All other values are reserved and undefined.

013 001 When associated data section version is X'03': Reserved, binary zero.

When associated data section version is X'05': Compliance and export control byte.

Bit
Meaning
B'1xxx xxxx'
Compliant-tagged key.
B'0xxx xxxx'
Non-compliant-tagged key.
B'xxxx xx1x'
Private key translation is allowed (XLATE-OK).
B'xxxx xx0x'
Private key translation is not allowed (NO-XLATE).
All other bits are reserved and must be zero.
014 001 Hash type:
X'00'
Clear key
X'02'
SHA-256
015 032 When associated data section version is X'03': SHA-256 hash of all optional sections that follow the public key section, if any. Otherwise, 32 bytes of binary zero.

When associated data section version is X'04': Hash value of:

  1. The public key section (section identifier X'04')
  2. All optional sections that follow the public key section, if any.
If there are no optional sections, the hash covers only the public keys section.
047 001 Reserved, binary zero.
048 002 When associated data section version is X'03': Reserved, binary zero.

When associated data section version is X'05':

Usage bytes:

  • Offset 48:
    Bit
    Meaning
    B'1xxx xxxx'
    Digital Signature usage is allowed (U-DIGSIG). Services: CSNDDSG, CSNDDSV, CSNDT34B, CSNDT34D.
    B'x1xx xxxx'
    Non-Repudiation usage is allowed (U-NONRPD). Services: CSNDDSG, CSNDDSV.
    B'xx1x xxxx'
    Key Encipherment usage is allowed (U-KEYENC). Services: CSNDSYG, CSNDSYX, CSNDSYI, CSNDSYI2, CSNDT34R, CSNDPKE, CSNDPKD.
    B'xxx1 xxxx'
    Data Encipherment usage is allowed (U-DATENC). Services: CSNDPKE, CSNDPKD.
    B'xxxx 1xxx'
    Key agreement usage is allowed (U-KEYAGR).
    B'xxxx x1xx'
    keyCertSign usage is allowed (U-KCRTSN). Services: CSNDDSG, CSNDDSV.
    B'xxxx xx1x'
    Certificate Revocation List Sign usage is allowed (U-CRLSN). Services: CSNDDSG, CSNDDSV.
    B'xxxx xxx1'
    Only encipher operations are allowed during key agreement (U-ENCONL).
  • Offset 49:
    Bit
    Meaning
    B'1xxx xxxx'
    Only decipher operations are allowed during key agreement (U-DECONL).
048 002 Continued description for Offset 048:

Comp-tag single-usage restrictions and bits that are allowed to be ON together: The left-column of the table shows the exclusive key types that are allowed with respect to CCA services and the usage bit that corresponds to each type.

Note:
  1. For some services, CCA cannot distinguish subsets of those service types operationally. The bits that correspond to the function subsets are allowed to be on at the same time as the key type bit, as shown in the table.
  2. There are cases in RFC 5280 where one bit depends on another bit. Bits that control unique CCA services are not allowed to be ON at the same time.
  3. For keyAgreement, the subset bit or dependent bit is not a stand-in for the primary key type bit. If encipherOnly is enabled, then keyAgreement must also be enabled.
  4. For digitalSignature the case is different, all of the bits that map to the CCA SIGN-ONLY usage are independent. For example, a digitalSignature private key is usable in CSNDDSG. If the key token also has the nonrepudiation bit set, the key token will still be acceptable for use in CSNDDSG and as a Comp-tag token. Also, if the nonrepudiation bit is set and the digitalSignature bit is not set, then the key token is usable with CSNDDSG.

Single Use Key                       bits allowed to be
allowed bits                         enabled at the same time

(Any of the 4 bits at right)         (0 - 0x80), digitalSignature       
== CCA SIGN-ONLY                     (1 - 0x40), nonrepudiation, 
                                     subset of CCA SIGN-ONLY 
                                     (5 - 0x04), keyCertSign, 
                                     subset of CCA SIGN-ONLY
                                     (6 - 0x02), cRLSign, 
                                     subset of CCA SIGN-ONLY

(2 - 0x20), keyEncipherment          NONE
== CCA KM-ONLY  

(3 - 0x10), dataEncipherment         NONE
== CCA services CSNDPKE, CNSDPKD  

(4 - 0x08), keyAgreement             (7 - 0x01), encipherOnly, cannot be 
== no current CCA service for RSA    ON at the same time as decipherOnly  
                                     (8 - 0x80), decipherOnly, cannot be 
                                     ON at the same time as encipherOnly 
050 001 Key-usage flag:
B'11xx xxxx'
Only key unwrapping (KM-ONLY)
B'10xx xxxx'
Both signature generation and key unwrapping (KEY-MGMT)
B'01xx xxxx'
Undefined
B'00xx xxxx'
Only signature generation (SIG-ONLY)

Translation control flag:

B'xxxx xx1x'
Private key translation is allowed (XLATE-OK)
B'xxxx xx0x'
Private key translation is not allowed (NO-XLATE)

All other bits are reserved and must be zero.

When associated data section version is X'05': Reserved, binary zero.

051 001 Format restriction for digital-signature hash-formatting method:
Value
Meaning
B'0000 0000'
No format restriction
B'0000 0001'
ISO-9796 only
B'0000 0010'
PKCS-1.0 only
B'0000 0011'
PKCS-1.1 only
B'0000 0100'
PKCS-PSS only
B'0000 0101'
X9.31 only
B'0000 0110'
ZERO-PAD only

All other values are reserved and undefined.

052 002 Length in bytes of the prime number p: ppp.

Key size in bits       Prime p length in bytes
    4096                     256 (0x0100)        
    6144                     384 (0x0180)              
    8192                     512 (0x0200)  
054 002 Length in bytes of the prime number q: qqq

Key size in bits       Prime p length in bytes
    4096                     256 (0x0100)        
    6144                     384 (0x0180)              
    8192                     512 (0x0200)  
056 002 Length in bytes of dp: rrr

Key size in bits       Prime dp length in bytes
    4096                     256 (0x0100)        
    6144                     384 (0x0180)              
    8192                     512 (0x0200)  
058 002 Length in bytes of dq: sss

Key size in bits       Prime dp length in bytes
    4096                     256 (0x0100)        
    6144                     384 (0x0180)              
    8192                     512 (0x0200)  
060 002 Length in bytes of U: uuu

Key size in bits       U length in bytes
    4096                     256 (0x0100)        
    6144                     384 (0x0180)              
    8192                     512 (0x0200)  
062 002 Length of modulus n: nnn.

Key size in bits       Modulus length in bytes
    4096                     512 (0x0200)        
    6144                     768 (0x0300)              
    8192                     1024 (0x0400)  
064 004 Reserved, binary zero.
Sub-section: Object Protection + Payload
068 048 Object Protection Key (OPK) data: 16-byte confounder followed by 32-byte AES key.

External key-token: Encrypted with an AES key-encrypting key (AES KEK)

Internal key-token: Encrypted with the APKA master key.

116 016 Key verification pattern

External key-token:

For an encrypted private key
Key-encrypting key verification pattern (KVP)
For a clear private key
Binary zero
For a skeleton
Binary zero

Internal key-token:

For an encrypted private key
  • When a non-compliant-tagged token (bit 0 at offset 13 is not set), the APKA master-key verification pattern (MKVP).
  • When a compliant-tagged token (bit 0 at offset 13 is set), 5 bytes of the ECC MKVP followed by 3 bytes of internal compliance information.
For a skeleton
Binary zero
132 002 Reserved, binary zeros
134 nnn Modulus n.
134+nnn ppp Formatted section (payload), including private key (exponent) d: opaque, no change for comp-tag.

Payload fields:

  1. X9.102 header fields: (x9102HashPtHdr_t)
    1. 6 B ICV
    2. 1 B padlen
    3. 1 B hlen
    4. 1 B hashOpt
  2. 32 B: SHA256 hash over
    1. Associated Data
    2. 'n', the modulus
  3. p, private key part, length of p bytes
  4. q, private key part, length of q bytes
  5. dp, private key part, length of dp bytes
  6. dq, private key part, length of dq bytes
Length in bytes of U: uuu

Key size in bits       Total length in bytes
    4096                   134 + 512   + 1065 = 1711 (0x06AF)          
    6144                   134 + 768   + 1577 = 2479 (0x09AF)          
    8192                   134 + 1024  + 2089 = 3247 (0x0CAF)  
Table 2. RSA public-key section (X'04')

RSA public-key section (X'04')

Offset (bytes) Length (bytes) Description
000 001 Section identifier:
X'04'
RSA public key.
001 001 Section version number: X'00'.
002 002 Section length in bytes, 12 + xxx + yyy.

Key size in bits       Section length in bytes (no modulus)
 
    4096                    12 + 512 = 524 (0x020C)    
    6144                    12 + 512 = 524 (0x020C)           
    8192                    12 + 512 = 524 (0x020C)  

Key size in bits       Section length in bytes (with modulus)
 
    4096                    12 + 512 + 512   = 1036 (0x040C)     
    6144                    12 + 512 + 768   = 1292 (0x050C)  
    8192                    12 + 512 + 1024  = 1548 (0x060C)  
004 002 Reserved, binary zero.
006 002 RSA public key exponent field length in bytes, xxx. The maximum length is 512 bytes.

Key size in bits       Section length in bytes
    4096                    512 (0x0200)    
    6144                    512 (0x0200)          
    8192                    512 (0x0200)  
008 002 Public key modulus length in bits.

Key size in bits       Length in bytes
    4096                    4096 (0x1000)  
    6144                    6144 (0x1800)           |
    8192                    8192 (0x2000)     
010 002 RSA public key modulus field length in bytes, yyy.
Note: If the token contains an RSA private key section, this field length, yyy, should be zero. The RSA private key section contains the modulus.

Key size in bits       Modulus length in bytes
    4096                    512  (0x0200)
    6144                    768  (0x0300)
    8192                   1024  (0x0400)
012 xxx Public key exponent e. This is an integer value. The exponent e must be odd and 1 ≤ e < n. The length xxx of the public key exponent field must not exceed 512 bytes.
012+xxx yyy yyy = Modulus n (generally this filed is absent).