IBM 2 Computer Hardware User Manual


 
CCA Release 2.54
Figure B-9. RSA Private Key, 1024-Bit Modulus-Exponent Format

Offset   Length
(Bytes)  (Bytes)  Description
-------  -------  -----------
000      001      X'02' Section identifier, RSA private key, modulus-exponent
                  format (RSA-PRIV). This section type is created by selected
                  IBM 4755 Cryptographic Adapters and the IBM 4758 Version 1
                  CCA Support Program. Version 2 software uses this format for
                  a clear or an encrypted RSA private key in an external
                  key-token.
001      001      The version number (X'00')
002      002      Length of the RSA private-key section X'016C' (364 decimal)
004      020      SHA-1 hash value of the private-key subsection cleartext,
                  offset 28 to and including the modulus that ends at offset 363
024      002      Reserved, binary zero
026      002      Master key verification pattern in an internal key-token,
                  else X'0000'
028      001      Key format and security
                    X'00'  Unencrypted RSA private-key subsection identifier
                    X'82'  Encrypted RSA private-key subsection identifier
029      001      Reserved, binary zero
030      020      SHA-1 hash of the optional key-name section; if there is no
                  name section, then 20 bytes of X'00'
050      001      Key usage flag bits
                  The two high-order bits indicate permitted key usage in the
                  decryption of symmetric keys and in the generation of digital
                  signatures. Useful combinations:
                    X'00'  Only signature generation (SIG-ONLY)
                    X'C0'  Only key unwrapping (KM-ONLY)
                    X'80'  Both signature generation and key unwrapping
                           (KEY-MGMT).
                  All other bits, reserved, B'0'
051      009      Reserved, binary zero
060      024      Reserved, binary zero
084               Start of the optionally encrypted subsection.
                  Private key encryption:
                    External token: EDE2 process using the double-length
                                    transport key
                    Internal token: EDE3 process using the asymmetric master
                                    key.
                  See “Triple-DES Ciphering Algorithms” on page D-10.
084      024      Random number (confounder)
108      128      Private-key exponent, d. $d = e^{-1} \bmod ((p-1)(q-1))$,
                  $1 < d < n$, and where e is the public exponent

End of the optionally encrypted subsection. All of the fields starting with the
confounder field and ending with the private-key exponent are enciphered for key
confidentiality when the key format and security flags (offset 28) indicate that
the private key is enciphered.

236      128      Modulus, n. $n = pq$, where p and q are prime and
                  $2^{512} < n < 2^{1024}$

Note: See “Number Representation in PKA Key-Tokens” on page B-8.
B-10 IBM 4758 CCA Basic Services, Release 2.54, February 2005
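
An added example, not part of the IBM manual: a Python parser for the clear form of the section in Figure B-9 that checks the fixed header, the reserved key-usage bits, the bounds on n and d, and the SHA-1 value at offset 4. It assumes integers are stored big-endian and left-padded with zeros (the manual defers number representation to page B-8, which is not reproduced here); the names `parse_rsa_priv` and `build_sample` and the Mersenne-prime sample key are constructed for illustration.

```python
import hashlib
import struct

SECTION_LEN = 0x016C  # 364 bytes, fixed for the 1024-bit layout
USAGE = {0x00: "SIG-ONLY", 0xC0: "KM-ONLY", 0x80: "KEY-MGMT"}

def parse_rsa_priv(buf: bytes) -> dict:
    """Parse and sanity-check one X'02' section laid out as in Figure B-9."""
    if len(buf) < SECTION_LEN:
        raise ValueError("section truncated")
    sec_id, version, length = struct.unpack_from(">BBH", buf, 0)
    if (sec_id, version, length) != (0x02, 0x00, SECTION_LEN):
        raise ValueError("not a version X'00', X'016C'-byte RSA-PRIV section")
    fmt, usage = buf[28], buf[50]
    if fmt not in (0x00, 0x82):
        raise ValueError("unknown key format and security byte")
    if usage & 0x3F:
        raise ValueError("reserved key-usage bits are set")
    # Assumption: integers are big-endian, padded on the left with zeros.
    n = int.from_bytes(buf[236:364], "big")  # modulus lies outside the enciphered span
    if not 2**512 < n < 2**1024:
        raise ValueError("modulus outside 2^512 < n < 2^1024")
    out = {"encrypted": fmt == 0x82, "usage": USAGE.get(usage, "undefined"),
           "mkvp": buf[26:28], "name_hash": buf[30:50], "n": n,
           "d": None, "hash_ok": None}
    if not out["encrypted"]:
        # The hash at offset 4 covers the cleartext from offset 28 through 363.
        out["hash_ok"] = hashlib.sha1(buf[28:364]).digest() == buf[4:24]
        out["d"] = int.from_bytes(buf[108:236], "big")
        if not 1 < out["d"] < n:
            raise ValueError("private exponent outside 1 < d < n")
    return out

# Constructed sample (not from the manual): Mersenne primes keep it short; never use such a key.
P, Q, E = 2**521 - 1, 2**127 - 1, 65537

def build_sample(usage: int = 0x80) -> bytes:
    """Assemble a clear external-token section around the constructed key."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    body = (bytes([0x00, 0x00]) + bytes(20)      # 28: clear key, 29: reserved, 30: no key name
            + bytes([usage]) + bytes(9 + 24)     # 50: usage flags, 51 and 60: reserved
            + bytes(24)                          # 84: confounder, zeroed here for repeatability
            + d.to_bytes(128, "big") + (P * Q).to_bytes(128, "big"))
    head = struct.pack(">BBH", 0x02, 0x00, SECTION_LEN)
    return head + hashlib.sha1(body).digest() + bytes(4) + body  # 24: reserved, 26: X'0000'
```

For a section with X'82' at offset 28, the hash and the exponent can only be checked after the subsection has been deciphered, so the parser leaves `hash_ok` and `d` as `None`.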