ICSF groups AES cryptographic keys into these categories according
to the functions they perform.
- AES Master key
A 256-bit AES key that is used only to encrypt and decrypt
AES or HMAC operational keys. The ICSF administrator installs and
changes the AES master key using the ICSF panels or the optional TKE
workstation. The AES master key always remains within the secure boundaries
of the cryptographic coprocessors.
- Transport keys (or key-encrypting keys)
Transport keys protect
a key that is sent to another system, received from another system,
or stored with data in a file. AES transport keys are variable-length
keys up to 725 bytes in length.
The AES transport keys are:
  - EXPORTER Key-encrypting Key
    An EXPORTER key-encrypting key protects
    keys that are sent from your system to another system. The exporter
    key at the originator has the same clear value as the importer key
    at the receiver. An exporter key is paired with an importer key-encrypting
    key.
  - IMPORTER Key-encrypting Key
    An importer key-encrypting key protects
    keys that are sent from another system to your system. It also protects
    keys that you store externally in a file that you can import to your
    system later. The importer key at the receiver has the same clear
    value as the exporter key at the originator. An importer key is paired
    with an exporter key-encrypting key.
- Data-encrypting keys
Data-encrypting keys, also referred to
as DATA keys, are used to encrypt and decrypt data. AES DATA keys
can be 128, 192, or 256 bits in length. DATA keys can be
either encrypted under the master key or in the clear.
- CIPHER keys
AES CIPHER keys are used for enciphering and deciphering
data. They are 128, 192, or 256 bits in length.
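As an added example (not ICSF code, and not its key-wrapping format), the following Go program models the hierarchy described above in software: a DATA key is kept wrapped under a master key, exported under an EXPORTER key-encrypting key, and imported at the partner system with the IMPORTER key of the same clear value. AES-GCM as the wrapping method, the function names and the constructed keys are assumptions of this demo; in ICSF the unwrapping happens inside the coprocessor, not in application memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mustGCM builds the wrapper for a 16-, 24- or 32-byte KEK; AES-GCM stands in for ICSF's own wrapping methods.
func mustGCM(kek []byte) cipher.AEAD {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has GCM's 16-byte block size
	return gcm
}
// Wrap protects a clear key under kek; the random nonce is prefixed to the output.
func Wrap(kek, clearKey []byte) []byte {
	gcm := mustGCM(kek)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, clearKey, nil)
}
// Unwrap recovers the clear key; it fails if kek is not the key that wrapped it.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	gcm := mustGCM(kek)
	ns := gcm.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}
// Transfer models the flow above: a DATA key held under the sender's master key is re-wrapped under
// the EXPORTER KEK for transit, unwrapped at the receiver with the IMPORTER KEK (same clear value)
// and stored under the receiver's master key; the clear key exists only inside this function.
func Transfer(senderMK, exporterKEK, importerKEK, receiverMK, underSenderMK []byte) ([]byte, error) {
	clear, err := Unwrap(senderMK, underSenderMK)
	if err != nil {
		return nil, err
	}
	transit := Wrap(exporterKEK, clear) // the only form that leaves the sender's system
	clear, err = Unwrap(importerKEK, transit)
	if err != nil {
		return nil, err // the importer does not match the exporter
	}
	return Wrap(receiverMK, clear), nil
}
```

A mismatched importer key fails at the receiver's Unwrap, which is the point of pairing each exporter with an importer of the same clear value.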