Restrictions

The restrictions for CSNBUKD.

Table 1 shows the valid skeleton tokens depending on the key type to be derived.
Table 1. Valid Control Vectors for Derived Keys

Valid Control Vectors for Derived Keys with columns Key to be derived and Supported key types in the skeleton token

Key to be derived Supported key types in the skeleton token
Data encryption key CIPHER 00 03 71 00 03 41 00 00 00 03 71 00 03 21 00 00
ENCIPHER 00 03 60 00 03 41 00 00 00 03 60 00 03 21 00 00
DECIPHER 00 03 50 00 03 41 00 00 00 03 50 00 03 21 00 00
Message authentication code(MAC) MAC 00 05 4D 00 03 41 00 00 00 05 4D 00 03 21 00 00
MACVER 00 05 44 00 03 41 00 00 00 05 44 00 03 21 00 00
PIN key IPINENC 00 21 5F 00 03 41 00 00 00 21 5F 00 03 21 00 00
OPINENC 00 24 77 00 03 41 00 00 00 24 77 00 03 21 00 00
PIN key with rule keyword PIN-DATA DATA PIN 00 00 7D 00 03 41 00 00 00 00 7D 00 03 21 00 00

Note that the following bits of the control vector are not checked and may have a value of either 0 or 1:

  • Bit 17 - Export control
  • Bit 56 – Enhanced wrapping control
  • Bit 57 – TR-31 export control
  • Bits 4 and 5 – UDX

Additional control vector bit that is not checked for PIN key with rule keyword PIN-DATA:

  • Bit 61 - Not-CCA

TR-31 tokens can only be used with this verb starting with CCA 8.1.

Key wrapping method rules are only allowed for CCA tokens.