Symmetric and asymmetric master keys

This topic describes how CCA handles symmetric and asymmetric master keys.

Currently a CCA node has four master keys, namely AES, APKA, SYM, and ASYM. The master key sizes and their wrapping methods are as shown in Table 1.
Table 1. CCA master keys


Master key   Key size              Wrapping method
AES          32 bytes (256 bits)   AESKW
APKA         32 bytes (256 bits)   AESKW
SYM          24 bytes (168 bits)   Triple-DES
ASYM         24 bytes (168 bits)   Triple-DES

The AES master key and the APKA master key are both 32-byte, 256-bit AES keys that wrap or unwrap keys using the ANS X9.102:2020 AESKW algorithm.
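The following Go program is added here as an illustration; it is not CCA code and not part of this documentation. It implements the AES key wrap primitive (RFC 3394, the algorithm ANS X9.102 designates AESKW) that the AES and APKA master keys use: a 256-bit key standing in for the master key wraps a 128-bit working key, and unwrapping recovers the 64-bit integrity check value and compares it, so a wrapped key that has been altered or is presented under a different master key is rejected rather than silently unwrapped to garbage. The key values are the RFC 3394 section 4.3 test vector, not CCA key material; the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// aeskwIV is the fixed 64-bit integrity check value of AES key wrap
// (RFC 3394 section 2.2.3.1). It is recovered on unwrap and compared.
var aeskwIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// WrapKey wraps plaintext (a multiple of 8 bytes, at least 16) under kek,
// which here stands in for a 32-byte AES master key.
func WrapKey(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("key data must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := aeskwIV
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], plaintext[8*i:8*i+8])
	}
	var b [16]byte
	// Six passes over the 64-bit blocks; each step encrypts A || R[i] and
	// XORs a counter t into A so every position in every round is distinct.
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a[:])
			copy(b[8:], r[i][:])
			block.Encrypt(b[:], b[:])
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(b[:8])^t)
			copy(r[i][:], b[8:])
		}
	}
	out := append([]byte{}, a[:]...)
	for i := range r {
		out = append(out, r[i][:]...)
	}
	return out, nil
}

// UnwrapKey reverses WrapKey and fails if the recovered integrity check
// value is wrong, i.e. the blob was altered or the wrong master key was used.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be >= 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	var a [8]byte
	copy(a[:], wrapped[:8])
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], wrapped[8*(i+1):8*(i+2)])
	}
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a[:])^t)
			copy(b[8:], r[i][:])
			block.Decrypt(b[:], b[:])
			copy(a[:], b[:8])
			copy(r[i][:], b[8:])
		}
	}
	if subtle.ConstantTimeCompare(a[:], aeskwIV[:]) != 1 {
		return nil, errors.New("AESKW integrity check failed: wrapped key rejected")
	}
	out := make([]byte, 0, 8*n)
	for i := range r {
		out = append(out, r[i][:]...)
	}
	return out, nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 3394 section 4.3 test vector: 256-bit KEK, 128-bit key data (constructed input).
	kek := mustHex("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F")
	workingKey := mustHex("00112233445566778899AABBCCDDEEFF")
	wrapped, err := WrapKey(kek, workingKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped: %X\n", wrapped)
	wrapped[10] ^= 0x01 // corrupt one byte of the wrapped blob
	_, err = UnwrapKey(kek, wrapped)
	fmt.Println("tampered blob:", err)
}
```

The integrity check is why a wrapped key is safer than a bare encrypted key: a corrupted or mismatched blob fails to unwrap instead of producing an unrelated working key that would then be used for real operations. CCA applies the same primitive to keys far larger than this example, since the algorithm handles any multiple of 64 bits.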

CCA incorporates the following sets of master-key registers:

  • The DES master-key register set is used to wrap and unwrap DES (symmetric) working keys.
  • The PKA master-key register set is used to wrap and unwrap RSA (asymmetric) private working keys, or the object protection keys (OPKs) of the RSA working keys that have an OPK defined, excluding private key sections X'30' and X'31', which have their OPKs wrapped and unwrapped by the APKA master key.
  • The AES master-key register set is used to wrap and unwrap AES (symmetric) fixed-length, and AES and HMAC variable-length, symmetric working keys.
  • The APKA master-key register set is used to wrap and unwrap the Object Protection Key (OPK) that is itself used to wrap the key material of an Elliptic Curve Cryptography (ECC) key or the OPK of RSA private key sections X'30' and X'31'. ECC keys are asymmetric.

The verbs that operate on the master keys permit you to specify a register set (with keywords AES-MK, APKA-MK, SYM-MK and ASYM-MK). For DES and PKA master keys, if applications that modify these master-key registers never explicitly select a register set, the master keys in the two register sets are modified in the same way and contain the same keys. However, if at any time you modify only one of the DES or PKA register sets, applications thereafter need to manage the two register sets independently.