Symmetric and asymmetric master keys
This topic describes how CCA handles symmetric and asymmetric master keys.
| Master key | Key size | Wrapping method |
|---|---|---|
| AES | 32 bytes (256 bits) | AESKW |
| APKA | 32 bytes (256 bits) | AESKW |
| SYM | 24 bytes (168 bits) | Triple-DES |
| ASYM | 24 bytes (168 bits) | Triple-DES |

The AES master key and the APKA master key are both 32-byte, 256-bit AES keys that wrap or unwrap keys using the ANS X9.102:2020 AESKW algorithm.
CCA incorporates the following sets of master-key registers:
- The DES master-key register set is used to wrap and unwrap DES (symmetric) working keys.
- The PKA master-key register set is used to wrap and unwrap RSA (asymmetric) private working keys or, for RSA working keys that have an object protection key (OPK) defined, the OPK of the working key. The exception is private key sections X'30' and X'31', whose OPKs are wrapped and unwrapped by the APKA master key.
- The AES master-key register set is used to wrap and unwrap fixed-length AES (symmetric) working keys and variable-length AES and HMAC symmetric working keys.
- The APKA master-key register set is used to wrap and unwrap the Object Protection Key (OPK) that is itself used to wrap the key material of an Elliptic Curve Cryptography (ECC) key or the OPK of RSA private key sections X'30' and X'31'. ECC keys are asymmetric.

The verbs that operate on the master keys permit you to specify a register set (with keywords AES-MK, APKA-MK, SYM-MK and ASYM-MK). For DES and PKA master keys, if applications that modify these master-key registers never explicitly select a register set, the master keys in the two register sets are modified in the same way and contain the same keys. However, if at any time you modify only one of the DES or PKA register sets, applications thereafter need to manage the two register sets independently.