RSA private key, 8192-bit Modulus-Exponent format with AES encrypted OPK section

View the RSA private key token, 8192-bit Modulus-Exponent format with AES encrypted OPK section in external and internal format (X'30').

Table 1. RSA private key, 8192-bit Modulus-Exponent format with AES-encrypted OPK section (X'30') external and internal form

Offset (bytes) Length (bytes) Description
000 001 Section identifier:
X'30'
RSA private-key, 8192-bit Modulus-Exponent format (RSAAESM2) with AES-encrypted OPK.
001 001 Section version number (X'00').
002 002 Section length in bytes: 122 + nnn + ppp

Key size in bits       Section length in bytes
    4096               122 + 512   + 553   = 1187 (0x04A3)  
    6144               122 + 768   + 809   = 1699 (0x06A3) 
    8192               122 + 1024  + 1065  = 2211 (0x08A3) 
004 002 Length of Associated Data section: 46
006 002 Length of payload data in bytes: (ppp)

Key size in bits       Payload data length in bytes
    4096               553 (0x0229)  
    6144               809 (0x0329)
    8192               1065 (0x0429)
008 002 Reserved, binary zero.
Sub-section: Associated Data
010 001 Associated Data Version:
X'02'
Version 2
X'03'
Version 3 (CRT)
X'04'
Version 4
011 001 Key format and security flag:

External format:

X'00'
Unencrypted ME RSA private-key subsection identifier
X'82'
Encrypted ME RSA private-key subsection identifier

Internal format:

X'02'
Encrypted ME RSA private-key subsection identifier
All other values are reserved and undefined.
012 001 Key source flag:

External key-token: Reserved, binary zero.

Internal key-token:

X'21'
External private key was specified in the clear.
X'22'
External private key was encrypted.
X'23'
Private key was generated using regeneration data
X'24'
Private key was randomly generated

All other values are reserved and undefined.

013 001 When associated data section version is X'02': Reserved, binary zero.

When associated data section version is X'04': Compliance and export control byte.

Bit
Meaning
B'1xxx xxxx'
Compliant-tagged key.
B'0xxx xxxx'
Non-compliant-tagged key.
B'xxxx xx1x'
Private key translation is allowed (XLATE-OK).
B'xxxx xx0x'
Private key translation is not allowed (NO-XLATE).
All other bits are reserved and must be zero.
014 001 Hash type:
X'00'
Clear key
X'02'
SHA-256
015 032 When associated data section version is X'02': SHA-256 hash of all optional sections that follow the public key section, if any. Otherwise, 32 bytes of binary zero.

When associated data section version is X'04': Hash value of:

  1. The public key section (section identifier X'04')
  2. All optional sections that follow the public key section, if any.
If there are no optional sections, the hash covers only the public key section.
047 001 Reserved, binary zero.
048 002 When associated data section version is X'02': Reserved, binary zero.

When associated data section version is X'04':

Usage bytes:

  • Offset 48:
    Bit
    Meaning
    B'1xxx xxxx'
    Digital Signature usage is allowed (U-DIGSIG). Services: CSNDDSG, CSNDDSV, CSNDT34B, CSNDT34D.
    B'x1xx xxxx'
    Non-Repudiation usage is allowed (U-NONRPD). Services: CSNDDSG, CSNDDSV.
    B'xx1x xxxx'
    Key Encipherment usage is allowed (U-KEYENC). Services: CSNDSYG, CSNDSYX, CSNDSYI, CSNDSYI2, CSNDT34R, CSNDPKE, CSNDPKD.
    B'xxx1 xxxx'
    Data Encipherment usage is allowed (U-DATENC). Services: CSNDPKE, CSNDPKD.
    B'xxxx 1xxx'
    Key agreement usage is allowed (U-KEYAGR).
    B'xxxx x1xx'
    keyCertSign usage is allowed (U-KCRTSN). Services: CSNDDSG, CSNDDSV.
    B'xxxx xx1x'
    Certificate Revocation List Sign usage is allowed (U-CRLSN). Services: CSNDDSG, CSNDDSV.
    B'xxxx xxx1'
    Only encipher operations are allowed during key agreement (U-ENCONL).
  • Offset 49:
    Bit
    Meaning
    B'1xxx xxxx'
    Only decipher operations are allowed during key agreement (U-DECONL).
048 002 Continued description for Offset 048:

Comp-tag single-usage restrictions and bits that are allowed to be ON together: The left column of the table shows the exclusive key types that are allowed with respect to CCA services and the usage bit that corresponds to each type.

Note:
  1. For some services, CCA cannot distinguish subsets of those service types operationally. The bits that correspond to the function subsets are allowed to be on at the same time as the key type bit, as shown in the table.
  2. There are cases in RFC 5280 where one bit depends on another bit. Bits that control unique CCA services are not allowed to be ON at the same time.
  3. For keyAgreement, the subset bit or dependent bit is not a stand-in for the primary key type bit. If encipherOnly is enabled, then keyAgreement must also be enabled.
  4. For digitalSignature the case is different: all of the bits that map to the CCA SIGN-ONLY usage are independent. For example, a digitalSignature private key is usable in CSNDDSG. If the key token also has the nonrepudiation bit set, the key token will still be acceptable for use in CSNDDSG and as a Comp-tag token. Also, if the nonrepudiation bit is set and the digitalSignature bit is not set, then the key token is usable with CSNDDSG.

Single Use Key                       bits allowed to be
allowed bits                         enabled at the same time

(Any of the 4 bits at right)         (0 - 0x80), digitalSignature       
== CCA SIGN-ONLY                     (1 - 0x40), nonrepudiation, 
                                     subset of CCA SIGN-ONLY 
                                     (5 - 0x04), keyCertSign, 
                                     subset of CCA SIGN-ONLY
                                     (6 - 0x02), cRLSign, 
                                     subset of CCA SIGN-ONLY

(2 - 0x20), keyEncipherment          NONE
== CCA KM-ONLY  

(3 - 0x10), dataEncipherment         NONE
== CCA services CSNDPKE, CSNDPKD

(4 - 0x08), keyAgreement             (7 - 0x01), encipherOnly, cannot be 
== no current CCA service for RSA    ON at the same time as decipherOnly  
                                     (8 - 0x80), decipherOnly, cannot be 
                                     ON at the same time as encipherOnly 
050 001

When associated data section version is X'02': Key-usage and translation control flag:

Key-usage flag:

B'11xx xxxx'
Only key unwrapping (KM-ONLY)
B'10xx xxxx'
Both signature generation and key unwrapping (KEY-MGMT)
B'01xx xxxx'
Undefined
B'00xx xxxx'
Only signature generation (SIG-ONLY)

All other values are undefined.

Translation control:

B'xxxx xx1x'
Private key translation is allowed (XLATE-OK)
B'xxxx xx0x'
Private key translation is not allowed (NO-XLATE)

All other bits are reserved and must be zero.

When associated data section version is X'04': Reserved, binary zero.

051 001 Format restriction for digital-signature hash-formatting method:
Value
Meaning
B'0000 0000'
No format restriction
B'0000 0001'
ISO-9796 only
B'0000 0010'
PKCS-1.0 only
B'0000 0011'
PKCS-1.1 only
B'0000 0100'
PKCS-PSS only
B'0000 0101'
X9.31 only
B'0000 0110'
ZERO-PAD only

All other values are reserved and undefined.

052 002 Length in bytes of modulus: nnn

Key size in bits               Modulus length in bytes
    4096                             512 (0x0200)             
    6144                             768 (0x0300)             
    8192                            1024 (0x0400)     
054 002 Length in bytes of private exponent: ddd

Key size in bits               Private exponent length in bytes
    4096                             512 (0x0200)             
    6144                             768 (0x0300)             
    8192                            1024 (0x0400)     
Sub-section: Object Protection + Payload
056 048 Object Protection Key (OPK) Data: The OPK consists of a 16 byte confounder and a 256-bit AES key.

External token: The OPK data is wrapped with an AES key-encrypting key using the AESKW (ANS X9.102) algorithm.

Internal token: The OPK data is wrapped with an APKA master key using the AESKW algorithm.

104 016 Key verification pattern

External key-token:

For an encrypted private key
Key-encrypting key verification pattern (KVP)
For a clear private key
Binary zero
For a skeleton
Binary zero

Internal key-token:

For an encrypted private key
  • When a non-compliant-tagged token (bit 0 at offset 13 is not set), the APKA master-key verification pattern (MKVP).
  • When a compliant-tagged token (bit 0 at offset 13 is set), 5 bytes of the ECC MKVP followed by 3 bytes of internal compliance information.
For a skeleton
Binary zero
120 002 Reserved, binary zeros.
122 nnn Modulus n.
122+nnn ppp Formatted section (payload), including private key (exponent) d: opaque, no change for comp-tag. Payload fields:
  1. X9.102 header fields: (x9102HashPtHdr_t)
    1. 6 B ICV
    2. 1 B padlen
    3. 1 B hlen
    4. 1 B hashOpt
  2. 32 B: SHA256 hash over
    1. Associated Data
    2. 'n', the modulus
  3. d, private key, length of d bytes

Key size in bits               Total length in bytes
    4096                     122 + 512   + 553   = 1187 (0x04A3)             
    6144                     122 + 768   + 809   = 1699 (0x06A3) 
    8192                     122 + 1024  + 1065  = 2211 (0x08A3)
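
Added example (not IBM code): a defensive parser for the fixed fields of an X'30' section that checks the 122 + nnn + ppp length arithmetic against the buffer and, for Associated Data version X'04', applies the comp-tag single-usage rules to the usage bytes at offsets 48-49. The function names, the labels DATA-ENC and KEY-AGREE, the big-endian byte order and the zero-filled sample token are assumptions of this example.

```python
import struct

# Usage bits at offset 48 (names from the table); DECONL is bit 0 of offset 49.
SIGN = 0x80 | 0x40 | 0x04 | 0x02      # digitalSignature, nonrepudiation, keyCertSign, cRLSign
KEYENC, DATENC, KEYAGR, ENCONL, DECONL = 0x20, 0x10, 0x08, 0x01, 0x80

def usage_class(b48, b49):
    """Apply the comp-tag single-usage rules; return the one usage class or raise."""
    found = [name for name, mask in (("SIGN-ONLY", SIGN), ("KM-ONLY", KEYENC),
                                     ("DATA-ENC", DATENC), ("KEY-AGREE", KEYAGR)) if b48 & mask]
    if len(found) > 1:
        raise ValueError("exclusive usages set together: " + ", ".join(found))
    enc, dec = b48 & ENCONL, b49 & DECONL
    if enc and dec:
        raise ValueError("encipherOnly and decipherOnly are both set")
    if (enc or dec) and found != ["KEY-AGREE"]:
        raise ValueError("encipherOnly/decipherOnly set without keyAgreement")
    return found[0] if found else None   # all-zero: validity is not stated on the page

def parse_section(buf):
    """Decode the fixed fields of an X'30' section and check its length arithmetic."""
    if len(buf) < 122:
        raise ValueError("shorter than the 122-byte fixed part")
    # Integers are read big-endian (assumed CCA convention; not stated on this page).
    sid, ver, sec_len, ad_len, pay_len = struct.unpack_from(">BBHHH", buf, 0)
    ad_ver, key_fmt, key_src, ctl = struct.unpack_from(">4B", buf, 10)
    mod_len, exp_len = struct.unpack_from(">HH", buf, 52)
    if (sid, ver, ad_len) != (0x30, 0x00, 46):
        raise ValueError("not an X'30' section with a 46-byte Associated Data area")
    if sec_len != 122 + mod_len + pay_len or sec_len > len(buf):
        raise ValueError("section length is not 122 + nnn + ppp, or exceeds the buffer")
    if pay_len < 9 + 32 + exp_len:       # X9.102 header + SHA-256 hash + d
        raise ValueError("payload too short for header, hash and d")
    out = {"ad_version": ad_ver, "key_format": key_fmt, "key_source": key_src,
           "bits": mod_len * 8, "modulus": buf[122:122 + mod_len]}
    if ad_ver == 0x04:                   # offsets 13 and 48-49 carry meaning only in version 4
        out["compliant"] = bool(ctl & 0x80)
        out["xlate_ok"] = bool(ctl & 0x02)
        out["usage"] = usage_class(buf[48], buf[49])
    return out

def sample_section(b48=0x80, b49=0x00):
    """Constructed 4096-bit internal version-4 section with zeroed key material."""
    hdr = struct.pack(">BBHHHH", 0x30, 0, 1187, 46, 553, 0)            # offsets 0-9
    ad = struct.pack(">5B", 0x04, 0x02, 0x24, 0x02, 0x02) + bytes(33)  # offsets 10-47
    ad += bytes([b48, b49, 0, 0]) + struct.pack(">HH", 512, 512)       # offsets 48-55
    return hdr + ad + bytes(48 + 16 + 2 + 512 + 553)  # OPK, KVP, reserved, n, payload
```
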