Key separation
The cryptographic feature controls the use of keys by separating them into unique types, allowing you to use a specific type of key only for its intended purpose. For example, a key used to protect data cannot be used to protect a key.
An ICSF system has one DES master key and one AES master key. To provide key separation for fixed-length tokens, the cryptographic feature automatically encrypts each type of key in a fixed-length token under a unique variation of the master key. Each variation of the master key encrypts a different type of key. Although you enter only one master key, the feature in effect has a unique master key variation for encrypting all keys of a given type.
Note: The enhanced wrapping method version 3 does not use a variant.
Key separation for variable-length tokens is provided by the associated data (key usage and key management fields). When the key is encrypted, the associated data is cryptographically bound to the key.
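The following is an added example, not ICSF code or IBM's algorithm. It models both separation mechanisms described above with a toy HMAC-SHA256 encrypt-then-MAC wrap. It assumes a variation is the master key XORed with a per-type constant; TYPE_CONSTANT, the function names and the associated-data strings are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed per-type constants; stand-ins for illustration, not ICSF's real values.
TYPE_CONSTANT = {"DATA": b"\x11" * 32, "EXPORTER": b"\x22" * 32}


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(kek: bytes, associated: bytes, nonce: bytes, ct: bytes) -> bytes:
    # The length prefix keeps the associated data unambiguous inside the MAC input.
    data = len(associated).to_bytes(4, "big") + associated + nonce + ct
    return _prf(_prf(kek, b"mac"), data)


def variant(master: bytes, key_type: str) -> bytes:
    """Fixed-length model: one entered master key, one variation per key type."""
    return _xor(master, TYPE_CONSTANT[key_type])


def wrap(kek: bytes, key: bytes, associated: bytes = b"") -> bytes:
    """Encrypt-then-MAC; the tag covers the associated data, binding it to the key."""
    if len(key) > 32:
        raise ValueError("toy cipher handles keys up to 32 bytes")
    nonce = os.urandom(16)
    ct = _xor(key, _prf(_prf(kek, b"enc"), nonce))
    return nonce + ct + _tag(kek, associated, nonce, ct)


def unwrap(kek: bytes, blob: bytes, associated: bytes = b"") -> bytes:
    """Return the key only if the KEK and the associated data both match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(kek, associated, nonce, ct)):
        raise ValueError("wrong key type or altered associated data")
    return _xor(ct, _prf(_prf(kek, b"enc"), nonce))


if __name__ == "__main__":
    master, key = os.urandom(32), os.urandom(32)
    fixed = wrap(variant(master, "DATA"), key)
    print(unwrap(variant(master, "DATA"), fixed) == key)
    var = wrap(master, key, b"usage=CIPHER;mgmt=NOEXPORT")
    print(unwrap(master, var, b"usage=CIPHER;mgmt=NOEXPORT") == key)
```

Unwrapping the fixed-length token under variant(master, "EXPORTER"), or the variable-length token with different associated data, raises ValueError instead of returning a key.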