Command: GI

To translate a DES key from encryption under a public key to encryption under the LMK.

COMMAND MESSAGE

| Field | Length & Type | Details |
|---|---|---|
| Message header | m A | Subsequently returned to the Host unchanged. |
| Command code | 2 A | Value GI. |
| Encryption identifier | 2 A | Identifier of the algorithm used to encrypt the DES key. |
| Pad mode identifier | 2 N | Identifier of the pad mode used in the encryption process: 01 = PKCS#1 v1.5 method; 02 = OAEP. |
| Mask Generation Function | 2 N | 01 = MGF1 as defined in PKCS#1 v2.0 (see Reference 3). Optional, only present if Pad Mode Identifier is 02 (OAEP). |
| MGF Hash Function | 2 N | 01 = SHA-1. |
| OAEP Encoding Parameters Length | 2 N | Optional, only present if Pad Mode Identifier is 02 (OAEP). |
| OAEP Encoding Parameters | n B | Optional, only present if Pad Mode Identifier is 02 (OAEP). If present, this field should be encoded according to Reference 3, section 11.2.1. The HSM does not interpret or validate the contents of this field. If OAEP padding is used but no Encoding Parameters are provided, then OAEP Parameters Length should be "00" and this field will be empty. |
| OAEP Encoding Parameters Delimiter | 1 A | Value ";". Optional, only present if Pad Mode Identifier is 02 (OAEP). |
| DES key type | 4 N | Indicates the required LMK pair, including the LMK variant. |
| Encrypted key length | 4 N | Length (in bytes) of the encrypted DES key. |
| DES key (PK) | n B | DES key, encrypted under the public key. |
| Delimiter | 1 A | Indicates the end of the encrypted DES key field. Value ";". |
| Secret key flag | 2 N | Indicates the location of the secret key. The number is the index of the stored secret key, except 99, which means use the key supplied in the command. |
| Secret key length | 4 N | Length (in bytes) of the next field (present only if the secret key flag is 99). |
| Secret key | n B | Secret key, encrypted using LMK pair 34-35 (present only if the secret key flag is 99). |
| Delimiter | 1 A | Optional. If present, the following three fields must be present. Value ";". |
| Key scheme ZMK | 1 A | Optional. Key scheme for encrypting the key under the ZMK. |
| Key scheme LMK | 1 A | Optional. Key scheme for encrypting the key under the LMK. |
| Key check value type | 1 A | Optional. Key check value calculation method: 0 = KCV backwards compatible; 1 = KCV 6H. |
| Delimiter | 1 A | Value "=". Only present if Key Block Type follows. Note: the "=" delimiter is used to distinguish it from the normal ";" delimiter. |
| Key Block Type | 2 N | 01 = Key Block format backward compatible; 02 = Key Block Template; 03 = Unformatted Key Block. Only present if the "=" delimiter above is present. |
| Key Block Template Length | 4 N | Length of Key Block data. Only present if Key Block Type = 02. |
| Key Block Template | n H | Key Block, DER encoded in ASN.1 format. Key data zero filled. Only present if Key Block Type = 02. |
| Delimiter | 1 A | Value ";". Only present if Key Block Type = 02. |
| DES Key Offset | 4 N | Offset to the location of the DES key within the Key Block. Only present if Key Block Type = 02. |
| Check value length | 1 N | Length in bytes of the Check value field. Permitted values 0-8. If no check value is supplied, this field is 0. If a check value is supplied, the HSM performs a validation check using the extracted DES key. If Key Block Type = 02, the check value is expected at the position indicated by Check Value Offset. Only present if Key Block Type = 02. |
| Check value offset | 4 N | Offset to the location of the check value within the Key Block. If Check Value length is 00, this field is ignored. Only present if Key Block Type = 02. |
| End message delimiter | 1 C | Optional. Must be present if a message trailer is present. Value X'19. |
| Message trailer | n A | Optional. Maximum length 32 characters. |
RESPONSE MESSAGE

| Field | Length & Type | Details |
|---|---|---|
| Message header | n A | Returned to the Host unchanged. |
| Response code | 2 A | Value GJ. |
| Error code | 2 N | See the list of error code values below the table. |
| Initialization value | 16 H | Initialization value for the DES key. Optional. Only present if Key Block Type = 01. |
| DES key (LMK) | 16 H or 32 H or | DES key, encrypted under the LMK pair indicated by the DES key type. |
| Key check value | 16 H or 6 H | Check value on the DES key. 16 H or 6 H depends upon the KCV type option. |
| End message delimiter | 1 C | Present only if present in the command message. Value X'19. |
| Message trailer | n A | Present only if present in the command message. Maximum length 32 characters. |

Error code values:

- 00 : No error
- 03 : Invalid secret key type
- 04 : Invalid secret key flag
- 05 : Invalid DES key type
- 06 : Invalid encryption identifier
- 07 : Invalid pad mode identifier
- 13 : LMK error; report to supervisor
- 15 : Error in input data
- 47 : DSP error; report to supervisor
- 49 : Secret key error; report to supervisor
- 76 : Key block length error
- 77 : Clear data block error
- 78 : Secret key length error
- 80 : Encrypted DES key length error
- 81 : Invalid Key Block type
- 82 : Invalid check value length
- 83 : Key block format error
- 84 : Key block check value error
- 85 : Invalid OAEP Mask Generation Function
- 86 : Invalid OAEP MGF Hash Function
- 87 : OAEP Parameter Error
- 88 : OAEP Error
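As an added illustration, not code from the original manual or from the HSM vendor, the following Python builds the mandatory part of the GI command (PKCS#1 v1.5 or OAEP, stored or supplied secret key) in the field order given above, and splits the GJ response into its header, error code and remaining body. The encryption identifier "01" and DES key type "0000" used in the tests are assumed placeholder values, and when OAEP is chosen the builder always selects MGF1 (01) with SHA-1 (01), the only values the page lists.

```python
from dataclasses import dataclass

ERROR_CODES = {  # subset of the GJ error codes listed on this page
    "00": "No error", "04": "Invalid secret key flag", "07": "Invalid pad mode identifier",
    "80": "Encrypted DES key length error", "88": "OAEP Error",
}

@dataclass
class GICommand:
    header: str               # message header (m A), echoed back unchanged by the HSM
    encryption_id: str        # 2 A, algorithm identifier; "01" in the tests is an assumed value
    pad_mode: str             # 2 N: "01" = PKCS#1 v1.5, "02" = OAEP
    des_key_type: str         # 4 N: target LMK pair and variant; "0000" in the tests is assumed
    encrypted_key: bytes      # n B: DES key encrypted under the public key
    secret_key_flag: str      # 2 N: index of the stored secret key, or "99" = key supplied here
    secret_key: bytes = b""   # n B: secret key encrypted under LMK pair 34-35, only when flag is "99"
    oaep_params: bytes = b""  # OAEP encoding parameters, only sent when pad_mode is "02"

    def encode(self) -> bytes:
        if self.pad_mode not in ("01", "02"):
            raise ValueError("pad mode identifier must be 01 or 02")
        if not (len(self.secret_key_flag) == 2 and self.secret_key_flag.isdigit()):
            raise ValueError("secret key flag is a 2-digit number")
        if not 1 <= len(self.encrypted_key) <= 9999:
            raise ValueError("encrypted key length must fit the 4 N length field")
        parts = [self.header.encode(), b"GI", self.encryption_id.encode(), self.pad_mode.encode()]
        if self.pad_mode == "02":
            if len(self.oaep_params) > 99:
                raise ValueError("OAEP parameters length must fit the 2 N length field")
            # MGF = 01 (MGF1), MGF hash = 01 (SHA-1), params length (2 N), params, ';' delimiter
            parts += [b"01", b"01", b"%02d" % len(self.oaep_params), self.oaep_params, b";"]
        parts += [self.des_key_type.encode(), b"%04d" % len(self.encrypted_key),
                  self.encrypted_key, b";", self.secret_key_flag.encode()]
        if self.secret_key_flag == "99":
            # secret key length (4 N) and the LMK-encrypted secret key follow only for flag 99
            parts += [b"%04d" % len(self.secret_key), self.secret_key]
        return b"".join(parts)

def parse_gi_response(msg: bytes, header_len: int) -> dict:
    """Split a GJ response into header, error code (with its meaning) and the remaining body."""
    if msg[header_len:header_len + 2] != b"GJ":
        raise ValueError("not a GJ response")
    err = msg[header_len + 2:header_len + 4].decode()
    return {"header": msg[:header_len].decode(), "error": err,
            "meaning": ERROR_CODES.get(err, "unknown code"), "body": msg[header_len + 4:]}
```

The body returned for a successful response still has to be cut into the optional initialization value, the LMK-encrypted key and the check value according to the key scheme and KCV type chosen in the command, which this helper does not attempt.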