Trusted blocks
A trusted block is an extension of CCA PKA key tokens using new section identifiers. They are an integral part of a remote key-loading process.
Trusted blocks contain various items, some of which are optional, and some of which can be present in different forms. Tokens are composed of concatenated sections that, unlike CCA PKA key tokens, occur in no prescribed order.
As with other CCA key tokens, both internal and external forms are defined:
- An external trusted block contains a randomly generated confounder and a triple-length MAC key enciphered under a DES IMP-PKA transport key. The MAC key is used to calculate an ISO 16609 CBC mode TDES MAC of the trusted block contents. An external trusted block is created by the Trusted Block Create callable service. This service can:
  - Create an inactive external trusted block.
  - Change an external trusted block from inactive to active.
- An internal trusted block contains a confounder and triple-length MAC key enciphered under a variant of the PKA master key. The MAC key is used to calculate a TDES MAC of the trusted block contents. A PKA master key verification pattern is also included to enable determination that the proper master key is available to process the key. The Remote Key Export service only operates on trusted blocks that are internal. An internal trusted block must be imported from an external trusted block that is active using the PKA Key Import service.

Note: Trusted blocks do not contain a private key section.