Restrictions
The restrictions for CSNBUKD.
Table 1 shows the valid skeleton
tokens depending on the key type to be derived.
| Key to be derived | Supported key types in the skeleton token | ||
|---|---|---|---|
| Data encryption key | CIPHER | 00 03 71 00 03 41 00 00 | 00 03 71 00 03 21 00 00 |
| ENCIPHER | 00 03 60 00 03 41 00 00 | 00 03 60 00 03 21 00 00 | |
| DECIPHER | 00 03 50 00 03 41 00 00 | 00 03 50 00 03 21 00 00 | |
| Message authentication code(MAC) | MAC | 00 05 4D 00 03 41 00 00 | 00 05 4D 00 03 21 00 00 |
| MACVER | 00 05 44 00 03 41 00 00 | 00 05 44 00 03 21 00 00 | |
| PIN key | IPINENC | 00 21 5F 00 03 41 00 00 | 00 21 5F 00 03 21 00 00 |
| OPINENC | 00 24 77 00 03 41 00 00 | 00 24 77 00 03 21 00 00 | |
| PIN key with rule keyword PIN-DATA | DATA PIN | 00 00 7D 00 03 41 00 00 | 00 00 7D 00 03 21 00 00 |
Note that the following bits of the control vector are not checked and may have a value of either 0 or 1:
- Bit 17 - Export control
- Bit 56 – Enhanced wrapping control
- Bit 57 – TR-31 export control
- Bits 4 and 5 – UDX
Additional control vector bit that is not checked for PIN key with rule keyword PIN-DATA:
- Bit 61 - Not-CCA
TR-31 tokens can only be used with this verb starting with CCA 8.1.
Key wrapping method rules are only allowed for CCA tokens.