AES internal fixed-length key token
Fixed-length AES key tokens are 64 bytes and consist of an internal key token identifier and a token version number, reserved fields, a flag byte containing various flag bits, and a token validation value.
Depending on the flag byte, the key token contains either an encrypted key or a clear key, or the key is absent. An encrypted key is encrypted under an AES master key, which is identified by a master-key verification pattern (MKVP) in the key token. The key token contains a two-byte integer that specifies the length of the clear-key value in bits, with a value of 0, 128, 192, or 256, and a two-byte integer that specifies the length of the encrypted-key value in bytes, with a value of 0 or 32. The key token also carries a one-byte LRC checksum of the clear-key value.
All keys in fixed-length AES key tokens are DATA keys. If the flag byte indicates that a control vector (CV) is present, it must be all binary zeros. An all-zero CV represents the CV value of an AES DATA key. If a key is present without a control vector in a key token, that is accepted and the key is interpreted as an AES DATA key.
The AES internal key token is the structure used to hold AES keys that are either encrypted under the AES master key or stored in clear form.
Table 1 shows the format for an AES internal key token.
Offset (Dec) | Length of field (Bytes) | Description |
---|---|---|
00 | 1 | X'01' (flag indicating that this is an internal key token) |
01 | 3 | Implementation-dependent bytes (X'000000' for ICSF) |
04 | 1 | Key token version number (X'04') |
05 | 1 | Reserved - must be set to X'00' |
06 | 1 | Flag byte. Its bits indicate whether the key value is encrypted, clear, or absent, and whether a control vector is present. |
07 | 1 | 1-byte LRC checksum of the clear key value. |
08 | 8 | Master key verification pattern (MKVP). (For a clear AES key token, this value is hex zeros.) |
16 | 32 | Key value, if present. Contains either the clear key value or the key value encrypted under the AES master key, as indicated by the flag byte. |
48 | 8 | 8-byte control vector. (For a clear AES key token, this value is hex zeros.) |
56 | 2 | 2-byte integer that specifies the length in bits of the clear key value. |
58 | 2 | 2-byte integer that specifies the length in bytes of the encrypted key value. (For a clear AES key token, this value is hex zeros.) |
60 | 4 | Token validation value (TVV). For more information, see Token validation value. |
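The following parser is an added example written for this page; it is not ICSF or CCA code. It unpacks a 64-byte token according to the offsets in Table 1 and applies the consistency rules the text states: identifier X'01', version X'04', reserved byte X'00', clear-key length in {0, 128, 192, 256} bits, encrypted-key length in {0, 32} bytes, an all-zero control vector, and a zero MKVP for a clear token. Two points are assumptions rather than facts from the page: the LRC is computed as the XOR of the clear-key bytes (the page only says "LRC checksum"), and a clear key shorter than 32 bytes is taken to be left-justified in the key-value field. Flag-bit meanings and the TVV algorithm are not defined on this page, so the builders take them as caller-supplied values with placeholder defaults and the parser returns the TVV without checking it. Because the flag bits are not defined here, the key form (clear, encrypted, absent) is derived from the two length fields and the MKVP.

```python
import struct
from dataclasses import dataclass

TOKEN_LEN = 64
INTERNAL_TOKEN_ID = 0x01   # offset 0: internal key token
TOKEN_VERSION = 0x04       # offset 4
VALID_CLEAR_BITS = (0, 128, 192, 256)
VALID_ENC_LEN = (0, 32)

# Table 1 layout, big-endian: id, impl bytes, version, reserved, flag, LRC,
# MKVP, key value, control vector, clear bits, encrypted length, TVV
_LAYOUT = struct.Struct(">B3sBBBB8s32s8sHHI")
assert _LAYOUT.size == TOKEN_LEN


def lrc_checksum(data: bytes) -> int:
    """Assumption: the LRC is the XOR of all bytes of the clear key value.
    The page says only that byte 7 is a '1-byte LRC checksum'."""
    value = 0
    for b in data:
        value ^= b
    return value


@dataclass
class AesInternalToken:
    key_form: str          # "clear", "encrypted" or "absent"
    flag: int
    mkvp: bytes
    key_value: bytes       # the 32-byte field exactly as stored
    control_vector: bytes
    clear_key_bits: int
    encrypted_key_len: int
    tvv: int               # returned as-is; TVV algorithm not defined on this page


def parse_aes_internal_token(token: bytes) -> AesInternalToken:
    """Parse and sanity-check a 64-byte AES internal fixed-length key token."""
    if len(token) != TOKEN_LEN:
        raise ValueError(f"token must be {TOKEN_LEN} bytes, got {len(token)}")
    (ident, _impl, version, reserved, flag, lrc, mkvp, key, cv,
     clear_bits, enc_len, tvv) = _LAYOUT.unpack(token)
    if ident != INTERNAL_TOKEN_ID:
        raise ValueError(f"not an internal key token: id {ident:#04x}")
    if version != TOKEN_VERSION:
        raise ValueError(f"unsupported token version {version:#04x}")
    if reserved != 0:
        raise ValueError("reserved byte at offset 5 must be X'00'")
    if clear_bits not in VALID_CLEAR_BITS:
        raise ValueError(f"invalid clear-key length in bits: {clear_bits}")
    if enc_len not in VALID_ENC_LEN:
        raise ValueError(f"invalid encrypted-key length in bytes: {enc_len}")
    if any(cv):
        raise ValueError("control vector must be all zeros (AES DATA key)")
    if enc_len == 32:
        # Encrypted under the AES master key named by the MKVP. The LRC covers
        # the clear key, so it cannot be verified without that master key.
        if mkvp == bytes(8):
            raise ValueError("encrypted key requires a non-zero MKVP")
        form = "encrypted"
    elif clear_bits:
        # Clear key: MKVP and encrypted length are zero; verify the LRC.
        # Assumption: the clear key is left-justified in the 32-byte field.
        if mkvp != bytes(8):
            raise ValueError("clear key token must carry a zero MKVP")
        clear_key = key[: clear_bits // 8]
        if lrc_checksum(clear_key) != lrc:
            raise ValueError("LRC checksum mismatch: clear key value corrupted")
        form = "clear"
    else:
        form = "absent"
    return AesInternalToken(form, flag, mkvp, key, cv, clear_bits, enc_len, tvv)


def build_clear_token(clear_key: bytes, flag: int = 0, tvv: int = 0) -> bytes:
    """Construct a sample clear-key token (constructed test data). Flag bit
    values and the TVV are not defined on this page; defaults are placeholders."""
    if len(clear_key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    return _LAYOUT.pack(INTERNAL_TOKEN_ID, b"\x00\x00\x00", TOKEN_VERSION, 0,
                        flag, lrc_checksum(clear_key), bytes(8),
                        clear_key.ljust(32, b"\x00"), bytes(8),
                        len(clear_key) * 8, 0, tvv)


def build_encrypted_token(enc_key: bytes, mkvp: bytes, clear_bits: int,
                          lrc: int, flag: int = 0, tvv: int = 0) -> bytes:
    """Construct a sample encrypted-key token (constructed test data)."""
    if len(enc_key) != 32 or len(mkvp) != 8:
        raise ValueError("encrypted key value is 32 bytes, MKVP is 8 bytes")
    return _LAYOUT.pack(INTERNAL_TOKEN_ID, b"\x00\x00\x00", TOKEN_VERSION, 0,
                        flag, lrc, mkvp, enc_key, bytes(8), clear_bits, 32, tvv)


if __name__ == "__main__":
    # Constructed sample: a 128-bit clear key 01 02 ... 10
    sample = build_clear_token(bytes(range(1, 17)))
    print(parse_aes_internal_token(sample))
```

A single flipped byte in the key-value field of a clear token is caught by the LRC check, which is the only integrity cover the page describes for the clear key; the TVV at offset 60 is separate and is covered by the linked "Token validation value" description rather than by this page.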