Table 1 presents the basic record format of an RSA private external key token. All length fields are in binary. All binary fields (exponents, lengths, and so on) are stored with the high-order byte first. All binary fields (exponents, modulus, and so on) in the private sections of tokens are right-justified and padded with zeros to the left.
Offset (Dec) | Number of Bytes | Description |
---|---|---|
Token Header (required) | ||
000 | 001 | Token identifier. X'1E' indicates an external token. The private key is either in cleartext or enciphered with a transport key-encrypting key. |
001 | 001 | Version, X'00'. |
002 | 002 | Length of the key token structure. |
004 | 004 | Ignored. Should be zero. |
RSA Private Key Section (required)
|
||
RSA Public Key Section (required) | ||
000 | 001 | X'04', section identifier, RSA public key. |
001 | 001 | X'00', version. |
002 | 002 | Section length, 12+xxx. |
004 | 002 | Reserved field. |
006 | 002 | RSA public key exponent field length in bytes, "xxx". |
008 | 002 | Public key modulus length in bits. |
010 | 002 | RSA public key modulus field length
in bytes, which is zero for a private token. Note: In an RSA private
key token, this field should be zero. The RSA private key section
contains the modulus.
|
012 | xxx | Public key exponent, e (this is generally a 1-, 3-, or 64- to 512-byte quantity). e must be odd and 1<e<n. (Frequently, the value of e is 16+1 2**16+1 (=65,537). |
Private Key Name (optional) | ||
000 | 001 | X'10', section identifier, private key name. |
001 | 001 | X'00', version. |
002 | 002 | Section length, X'0044' (68 decimal). |
004 | 064 | Private key name (in ASCII), left-justified, padded with space characters (X'20'). An access control system can use the private key name to verify that the calling application is entitled to use the key. |
Offset (Dec) | Number of Bytes | Description |
---|---|---|
000 | 001 | X'02', section identifier, RSA private key, modulus-exponent format (RSA-PRIV) |
001 | 001 | X'00', version. |
002 | 002 | Length of the RSA private key section X'016C' (364 decimal). |
004 | 020 | SHA-1 hash value of the private key subsection cleartext, offset 28 to the section end. This hash value is checked after an enciphered private key is deciphered for use. |
024 | 004 | Reserved; set to binary zero. |
028 | 001 | Key format and security:
|
029 | 001 | Reserved, binary zero. |
030 | 020 | SHA-1 hash of the optional key-name section. If there is no key-name section, then 20 bytes of X'00'. |
050 | 004 | Key use flag bits.
All other bits reserved, set to binary zero. |
054 | 006 | Reserved; set to binary zero. |
060 | 024 | Reserved; set to binary zero. |
Start of the optionally-encrypted secure subsection. | ||
084 | 024 | Random number, confounder. |
108 | 128 | Private-key exponent, d. d=(e**-1) mod((p-1)(q-1)), and 1<d<n where e is the public exponent. |
End of the optionally-encrypted subsection; the confounder field and the private-key exponent field are enciphered for key confidentiality when the key format and security flags (offset 28) indicate that the private key is enciphered. They are enciphered under a double-length transport key using the ede2 algorithm. | ||
236 | 128 | Modulus, n. n=pq where p and q are prime and 1024. 1<n<2**1024. |
This RSA private key token and the external X'09' token is supported on a CCA Crypto Express coprocessor.
Offset (Dec) | Number of Bytes | Description |
---|---|---|
000 | 001 | X'09', section identifier, RSA private key, modulus-exponent format (RSAMEVAR). |
001 | 001 | X'00', version. |
002 | 002 | Length of the RSA private key section 132+ddd+nnn+xxx. |
004 | 020 | SHA-1 hash value of the private key subsection cleartext, offset 28 to the section end. This hash value is checked after an enciphered private key is deciphered for use. |
024 | 002 | Length of the encrypted private key section 8+ddd+xxx. |
026 | 002 | Reserved; set to binary zero. |
028 | 001 | Key format and security:
|
029 | 001 | Reserved, set to binary zero. |
030 | 020 | SHA-1 hash of the optional key-name section. If there is no key-name section, then 20 bytes of X'00'. |
050 | 001 | Key use flag bits.
All other bits reserved, set to binary zero. |
051 | 001 | Reserved; set to binary zero. |
052 | 048 | Reserved; set to binary zero. |
100 | 016 | Reserved; set to binary zero. |
116 | 002 | Length of private exponent, d, in bytes: ddd. |
118 | 002 | Length of modulus, n, in bytes: nnn. |
120 | 002 | Length of padding field, in bytes: xxx. |
122 | 002 | Reserved; set to binary zero. |
Start of the optionally-encrypted secure subsection. | ||
124 | 008 | Random number, confounder. |
132 | ddd | Private-key exponent, d. -1 mod((p-1)(q-1)), d=(e**-1) mod((p-1)(q-1)), and 1<d<n where e is the public exponent. |
132+ddd | xxx | X'00' padding of length xxx bytes such that the length from the start of the random number above to the end of the padding field is a multiple of eight bytes. |
End of the optionally-encrypted subsection; the confounder field and the private-key exponent field are enciphered for key confidentiality when the key format and security flags (offset 28) indicate that the private key is enciphered. They are enciphered under a double-length transport key using the ede2 algorithm. | ||
132+ddd+xxx | nnn | Modulus, n. n=pq where p and q are prime and 4096. 1<n<2**4096. |
This RSA private key token with up to 2048-bit modulus is supported on all coprocessors. The modulus size is increased to 4096-bit on the z9 EC, z9 BC, z10 EC, z10 BC, or later machines with the Nov. 2007 or later version of the licensed internal code installed on the CCA Crypto Express coprocessor.
Offset (Dec) | Number of Bytes | Description |
---|---|---|
000 | 001 | X'08', section identifier, RSA private key, CRT format (RSA-CRT) |
001 | 001 | X'00', version. |
002 | 002 | Length of the RSA private-key section, 132 + ppp + qqq + rrr + sss + uuu + xxx + nnn. |
004 | 020 | SHA-1 hash value of the private key subsection cleartext, offset 28 to the end of the modulus. |
024 | 004 | Reserved; set to binary zero. |
028 | 001 | Key format and security:
|
029 | 001 | Reserved; set to binary zero. |
030 | 020 | SHA-1 hash of the optional key-name section and any following optional sections. If there are no optional sections, then 20 bytes of X'00'. |
050 | 004 | Key use flag bits.
All other bits reserved, set to binary zero. |
054 | 002 | Length of prime number, p, in bytes: ppp. |
056 | 002 | Length of prime number, q, in bytes: qqq. |
058 | 002 | Length of dp, in bytes: rrr. |
060 | 002 | Length of dq, in bytes: sss. |
062 | 002 | Length of U, in bytes: uuu. |
064 | 002 | Length of modulus, n, in bytes: nnn. |
066 | 004 | Reserved; set to binary zero. |
070 | 002 | Length of padding field, in bytes: xxx. |
072 | 004 | Reserved, set to binary zero. |
076 | 016 | Reserved, set to binary zero. |
092 | 032 | Reserved; set to binary zero. |
Start of the optionally-encrypted secure subsection. | ||
124 | 008 | Random number, confounder. |
132 | ppp | Prime number, p. |
132 + ppp | qqq | Prime number, q |
132 + ppp + qqq | rrr | dp = d mod(p - 1) |
132 + ppp + qqq + rrr | sss | dq = d mod(q - 1) |
132 + ppp + qqq + rrr + sss | uuu | U = q**-1 mod(p). |
132 + ppp + qqq + rrr + sss + uuu | xxx | X'00' padding of length xxx bytes such that the length from the start of the random number above to the end of the padding field is a multiple of eight bytes. |
End of the optionally-encrypted secure subsection; all of the fields starting with the confounder field and ending with the variable length pad field are enciphered for key confidentiality when the key format-and-security flags (offset 28) indicate that the private key is enciphered. They are enciphered under a double-length transport key using the TDES (CBC outer chaining) algorithm. | ||
132 + ppp + qqq + rrr + sss + uuu + xxx | nnn | Modulus, n. n = pq where p and q are prime and 1**<n<2**2048. |
This RSA private key token is supported on the Crypto Express3 Coprocessor and Crypto Express4 Coprocessor.
Offset (bytes) | Length (bytes) | Description |
---|---|---|
000 | 001 | Section identifier:
|
001 | 001 | Section version number (X'00'). |
002 | 002 | Section length: 122 + nnn + ppp |
004 | 002 | Length of “Associated Data” section |
006 | 002 | Length of payload data: ppp |
008 | 002 | Reserved, binary zero. |
Start of Associated Data | ||
010 | 001 | Associated Data Version:
|
011 | 001 | Key format and security flag:
|
012 | 001 | Key source flag: Reserved, binary zero. |
013 | 001 | Reserved, binary zeroes. |
014 | 001 | Hash type:
|
015 | 032 | SHA-256 hash of all optional sections that follow the public key section, if any; else 32 bytes of X'00'. |
047 | 003 | Reserved, binary zero. |
050 | 001 | Key-usage flag:
Translation control:
|
051 | 001 | Reserved, binary zero. |
052 | 002 | Length of modulus: nnn bytes |
054 | 002 | Length of private exponent: ddd bytes |
End of Associated Data | ||
056 | 048 | 16 byte confounder + 32-byte Object Protection
Key. OPK used as an AES key. encrypted with an AES KEK. |
104 | 016 | Key verification pattern
|
120 | 002 | Reserved, binary zeros. |
122 | nnn | Modulus |
122+nnn | ppp | Payload starts here and includes: When this
section is unencrypted:
When this section is encrypted:
|
This RSA private key token is supported on the Crypto Express3 Coprocessor and Crypto Express4 Coprocessor.
Offset (bytes) | Length (bytes) | Description |
---|---|---|
000 | 001 | Section identifier:
|
001 | 001 | Section version number (X'00'). |
002 | 002 | Section length: 134 + nnn + xxx |
004 | 002 | Length of “Associated Data” section |
006 | 002 | Length of payload data: xxx |
008 | 002 | Reserved, binary zero. |
Start of Associated Data | ||
010 | 001 | Associated Data Version:
|
011 | 001 | Key format and security flag:
|
012 | 001 | Key source flag: Reserved, binary zero. |
013 | 001 | Reserved, binary zeroes. |
014 | 001 | Hash type:
|
015 | 032 | SHA-256 hash of all optional sections that follow the public key section, if any; else 32 bytes of X'00'. |
047 | 003 | Reserved, binary zero. |
050 | 001 | Key-usage flag:
Translation control:
|
051 | 001 | Reserved, binary zero. |
052 | 002 | Length of the prime number, p, in bytes: ppp. |
054 | 002 | Length of the prime number, q, in bytes: qqq |
056 | 002 | Length of dp : rrr. |
058 | 002 | Length of dq : sss. |
060 | 002 | Length of U: uuu. |
062 | 002 | Length of modulus, nnn. |
064 | 002 | Reserved, binary zero. |
066 | 002 | Reserved, binary zero. |
End of Associated Data | ||
068 | 048 | 16 byte confounder + 32-byte Object Protection
Key. OPK used as an AES key. External tokens: encrypted with an AES KEK. Internal tokens: encrypted with the ECC master key. |
116 | 016 | Key verification pattern
|
132 | 002 | Reserved, binary zeros |
134 | nnn | Modulus, n, n=pq, where p and q are prime. |
134+nnn | xxx | Payload starts here and includes: When this section is unencrypted:
When this section is encrypted:
|