ICSF groups AES cryptographic keys into these categories according to the functions they perform.
The AES master key is a 256-bit AES key that is used only to encrypt and decrypt AES or HMAC operational keys. The ICSF administrator installs and changes the AES master key using the ICSF panels or the optional TKE workstation. The AES master key always remains within the secure boundaries of the cryptographic coprocessors.
Transport keys protect a key that is sent to another system, received from another system, or stored with data in a file. AES transport keys are variable-length keys of up to 725 bytes.
The AES transport keys are:
An EXPORTER key-encrypting key protects keys that are sent from your system to another system. The exporter key at the originator has the same clear value as the importer key at the receiver. An EXPORTER key is paired with an IMPORTER key-encrypting key.
An IMPORTER key-encrypting key protects keys that are sent from another system to your system. It also protects keys that you store externally in a file that you can import to your system later. The importer key at the receiver has the same clear value as the exporter key at the originator. An IMPORTER key is paired with an EXPORTER key-encrypting key.
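As an added illustration of this key hierarchy (example code written for this page, not ICSF's own implementation): a key travelling between systems is wrapped under the sender's EXPORTER KEK, recovered by the receiver under its IMPORTER KEK holding the same clear value, and immediately re-wrapped under the receiver's master key so that only master-key-wrapped tokens are ever stored. AES-GCM is assumed here as a stand-in for ICSF's real key-token wrapping, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead: AES-GCM for a 16/24/32-byte KEK; an assumed stand-in for ICSF token wrapping.
func aead(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Wrap(kek, key []byte) ([]byte, error) { // token = nonce || ciphertext || tag
	gcm, err := aead(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh nonce per wrap, never reused
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, key, nil), nil
}

func Unwrap(kek, token []byte) ([]byte, error) { // fails on wrong KEK or altered token
	gcm, err := aead(kek)
	if err != nil {
		return nil, err
	}
	if len(token) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("key token too short")
	}
	return gcm.Open(nil, token[:gcm.NonceSize()], token[gcm.NonceSize():], nil)
}

// Receive models importing a key sent by a peer: unwrap under the IMPORTER KEK (same
// clear value as the peer's EXPORTER KEK), then re-wrap under the local master key.
func Receive(masterKey, importerKEK, fromPeer []byte) ([]byte, error) {
	clear, err := Unwrap(importerKEK, fromPeer)
	if err != nil {
		return nil, err
	}
	return Wrap(masterKey, clear)
}
```

The clear key value exists only transiently inside Receive, mirroring the rule that operational keys are stored encrypted under the master key; exporting is the mirror image (unwrap under the master key, re-wrap under the EXPORTER KEK).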
Data-encrypting keys, also referred to as DATA keys, are used to encrypt and decrypt data. AES DATA keys can be 128, 192, or 256 bits in length. DATA keys can be held either encrypted under the master key or in the clear.
AES CIPHER keys are used for enciphering and deciphering data and can be 128, 192, or 256 bits in length.
MAC keys are used to generate and verify message authentication codes (MACs). The CMAC algorithm is supported.
Key-generating keys are used to derive unique-key-per-transaction keys.
The personal identification number (PIN) is a basis for verifying the identity of a customer across financial industry networks.