Command: Generate an HMAC Secret Key.

Notes:
Use of this command requires the optional User Authentication licence. Error code 67 will be returned if the command is not licensed. This function generates a secret key for use in a Keyed-Hash Message Authentication Code (HMAC). Currently, SHA-1 is the only supported hash algorithm. FIPS 198 states that there is little value in choosing a key longer in length than the length of the hash algorithm output (20 bytes in the case of SHA-1). However, this limitation will not be enforced by this command, so the maximum length of a key generated by this command is limited only by the size of the HSM’s message buffers. The HMAC Key may only be used as input to HMAC functions; it is not available for use with any other HSM functions.

COMMAND MESSAGE

| Field | Length & Type | Details |
|---|---|---|
| Message header | m A | Subsequently returned to the Host unchanged. |
| Command Code | 2 A | Value "L0" (L zero). |
| Hash Identifier | 2 N | Identifier of the hash algorithm. Currently only SHA-1 is supported: 01 = SHA-1 HMAC. |
| HMAC Key Usage | 2 N | 01 = HMAC Generation; 02 = HMAC Verification; 03 = HMAC Generation and Verification. |
| HMAC Key Length | 4 N | The number of bytes in the HMAC Key. Must satisfy L/2 ≤ key length, where L is the size of the hash function output (so L = 20 in the case of SHA-1). See Note above. |
| HMAC Key Block Format | 2 N | Defines the format of the stored key. Currently only format 00 is supported: 00 = format defined. |
| End message delimiter | 1 C | Optional. Must be present if a message trailer is present. Value X'19'. |
| Message trailer | n A | Optional. Maximum length 32 characters. |

RESPONSE MESSAGE

| Field | Length & Type | Details |
|---|---|---|
| Message header | m A | Returned to the Host unchanged. |
| Response code | 2 A | Value "L1". |
| Error code | 2 N | 00 = No error; 04 = Key length error; 05 = Invalid Hash Identifier; 06 = Invalid Key Usage; 07 = Invalid Key Block Format; 13 = LMK error, report to supervisor; 15 = Error in input data; 47 = DSP error, report to supervisor. |
| HMAC Key Block Length | 4 N | Length (in bytes) of the next field. |
| HMAC Key (LMK) | n B | The HMAC Key, encrypted under LMK pair 34-35 variant 1. |
| End message delimiter | 1 C | Present only if supplied in the command message. Value X'19'. |
| Message trailer | n A | Present only if present in the command message. Maximum length 32 characters. |

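The following is an added example of how a host application would encode the L0 command and decode the L1 response laid out in the tables above; it is not Thales code. It assumes the HMAC Key (LMK) field is carried as raw bytes whose count is given by the 4-digit length field, and the sample response bytes are constructed placeholders, not real LMK-encrypted output.

```python
# Added example (not Thales code): host-side encoding of the L0 command and
# decoding of the L1 response per the tables above. Assumption: the "n B"
# HMAC Key (LMK) field is raw bytes, its length given by the 4 N field before it.

SHA1_OUTPUT_LEN = 20     # L for SHA-1; the table requires L/2 <= key length
END_DELIMITER = b"\x19"  # X'19', optional, required if a trailer follows

ERROR_CODES = {
    "00": "No error", "04": "Key length error", "05": "Invalid Hash Identifier",
    "06": "Invalid Key Usage", "07": "Invalid Key Block Format",
    "13": "LMK error; report to supervisor", "15": "Error in input data",
    "47": "DSP error; report to supervisor", "67": "Command not licensed",
}

def build_l0_command(header, key_length, key_usage="03", hash_id="01",
                     block_format="00", trailer=None):
    """Encode an L0 command, enforcing the table's field constraints host-side."""
    if hash_id != "01":
        raise ValueError("only hash identifier 01 (SHA-1 HMAC) is supported")
    if key_usage not in ("01", "02", "03"):
        raise ValueError("key usage must be 01, 02 or 03")
    if not SHA1_OUTPUT_LEN // 2 <= key_length <= 9999:
        raise ValueError("key length must be >= L/2 and fit the 4-digit field")
    if block_format != "00":
        raise ValueError("only key block format 00 is supported")
    if trailer is not None and len(trailer) > 32:
        raise ValueError("message trailer is limited to 32 characters")
    msg = (header + "L0" + hash_id + key_usage + f"{key_length:04d}"
           + block_format).encode("ascii")
    if trailer is not None:
        msg += END_DELIMITER + trailer.encode("ascii")
    return msg

def parse_l1_response(resp, header_len):
    """Decode an L1 response; raise with the table's meaning on a non-zero error."""
    pos = header_len
    if resp[pos:pos + 2] != b"L1":
        raise ValueError("unexpected response code")
    err = resp[pos + 2:pos + 4].decode("ascii")
    if err != "00":
        raise RuntimeError(f"L0 failed, error {err}: {ERROR_CODES.get(err, 'unknown')}")
    pos += 4
    blk_len = int(resp[pos:pos + 4])            # HMAC Key Block Length, 4 N
    key_block = resp[pos + 4:pos + 4 + blk_len]  # HMAC Key (LMK), n B
    if len(key_block) != blk_len:
        raise ValueError("response shorter than the declared key block length")
    pos += 4 + blk_len
    trailer = resp[pos + 1:].decode("ascii") if resp[pos:pos + 1] == END_DELIMITER else None
    return {"header": resp[:header_len].decode("ascii"), "key_block": key_block, "trailer": trailer}
```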