Specifying Stored Data

To use the keys or other data in user memory, the HSM must have the index that points to the appropriate storage location. The Host provides this index in place of the encrypted key (or other data element) that would otherwise be required.

To indicate the substitution of an index for a data element, the data element in the transaction must begin with the index flag K, followed by the 3-digit index value. These four characters replace the key (or other data element). A key of the appropriate length is extracted based upon the key scheme and the key length expected by the command. The exception is when the HSM is configured for single length keys and the command expects a double length key (32H): for backwards compatibility, the command then requires two indices to be specified.

If the triple DES key schemes are used, a number of scenarios exist:

· All key lengths used - configure for either single or triple length keys.
· Single and double length keys used - configure for either single or double length keys.
· Single and triple length keys used - configure for either single or triple length keys.
· Double length keys used - configure for either single or double length keys.
· Triple length keys used - configure for either single or triple length keys.

Example 1:

To supply a single length key to a command, no key scheme is given, only a single index: K000

To supply a double length key to a command using the U scheme, the key scheme and a single index must be provided: UK000

To supply a triple length key to a command using the T scheme, the key scheme and the index must be provided: TK000

If the HSM is configured for single length keys, an index returns a single length key if no key scheme is specified, or an appropriate key if a key scheme is supplied.

Example 2:

To supply a single length key to a command, no key scheme is given, only a single index: K000

To supply a double length key (32H) to a command, no key scheme is given and two indices must be provided: UK000

To supply a triple length key to a command, the key scheme and a single index must be provided: TK000
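
The index element described above can be validated on the Host side before a command is sent. The following is an added example, not code from the HSM vendor or from this manual: the function names are hypothetical, only the U and T schemes shown in the examples are accepted, and the two-index form is assumed to be two consecutive scheme-less index elements, which the text above does not specify.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Key length implied by the scheme, per the examples above.
SCHEME_LENGTH = {"U": "double", "T": "triple"}

# Optional key scheme, then the index flag K and exactly three decimal digits.
_INDEX_RE = re.compile(r"(?P<scheme>[UT])?K(?P<index>[0-9]{3})")


class StoredKeyRef(NamedTuple):
    scheme: Optional[str]  # None when no key scheme was supplied
    index: int             # storage location in HSM user memory, 0..999
    length: str            # "single", "double" or "triple"
    consumed: int          # characters taken from the message


def parse_stored_key(msg: str, pos: int = 0) -> StoredKeyRef:
    """Parse one index element at msg[pos]; raise ValueError if malformed."""
    m = _INDEX_RE.match(msg, pos)
    if m is None:
        raise ValueError(f"no index element at offset {pos}: {msg[pos:pos + 5]!r}")
    scheme = m.group("scheme")
    # In the examples, a scheme-less index supplies a single length key.
    length = SCHEME_LENGTH.get(scheme, "single")
    return StoredKeyRef(scheme, int(m.group("index")), length, m.end() - pos)


def parse_two_indices(msg: str, pos: int = 0) -> Tuple[int, int]:
    """Backwards-compatible double length key given as two indices.

    ASSUMPTION: the two indices arrive as consecutive K-elements with no scheme.
    """
    first = parse_stored_key(msg, pos)
    second = parse_stored_key(msg, pos + first.consumed)
    if first.scheme or second.scheme:
        raise ValueError("two-index form takes no key scheme")
    return first.index, second.index


if __name__ == "__main__":
    # Constructed sample fields; the first three match the examples above.
    for field in ("K000", "UK000", "TK000"):
        print(field, parse_stored_key(field))
    print("K000K001", parse_two_indices("K000K001"))
```

Rejecting anything that does not match the element exactly (for example a two-digit index) keeps a malformed field from being passed to the HSM and interpreted as part of an encrypted key.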