Protection and control of cryptographic keys
Because the cryptographic algorithms are all key-controlled algorithms, the security of protected data depends on the security of the cryptographic key. With the exception of master keys, which are physically secured, keys that require a high level of protection are enciphered under another key to provide this necessary security.
A key can be protected under either a master key, a transport key, or a PKA key. The master key protects a key you use on the system. When you send a key to another system, you protect it under a transport key rather than under the master key. You can use RSA public keys to protect DES, AES, and HMAC keys that are transported between systems.
ICSF controls the use of AES and DES keys by separating them into types that can be used to do only specific functions.