Key identifier for PKA key token
A key identifier for a PKA key token is a variable-length area (maximum allowed size is 6500 bytes) that contains either a key label or a key token.
- A key label identifies keys that are in the PKA key storage file.
- A key token can be either an internal key token, an external key token, or a null key token. Key tokens are generated by an application (for example, using the PKA Key Generate verb), or received from another system that can produce external key tokens.
An internal key token can be used only on the local system, because the PKA master key encrypts the key value. Internal key tokens contain keys in operational form only.
An external key token can be exchanged with other systems because a transport key that is shared with the other system encrypts the key value. External key tokens contain keys in either exportable or importable form.
A null key token consists of eight bytes of binary zeros. The PKA Key Record Create verb can be used to write a null token to the key storage file. This record can subsequently be identified as the target token for the PKA Key Import or PKA Key Generate verb.
The term key identifier is used when a parameter could be one of the above items, and indicates that different inputs are possible. For example, you might want to specify a specific parameter as either an internal key token or a key label. The key label is, in effect, an indirect reference to a stored internal key token.
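Because a single key identifier parameter may carry any of the forms above, an application that accepts one from a caller has to decide which it holds before passing it to a verb. The following classifier is an added example written for this page, not CCA library code: it applies the 6500-byte limit and the eight-zero-byte null token rule stated above, and additionally assumes (these values are not given in the text) that a PKA key token begins with a token identifier byte of 0x1E for internal or 0x1F for external tokens, and that a key label is up to 64 printable characters.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PKA_KEY_ID_MAX      6500  /* maximum key identifier area, from the text */
#define PKA_NULL_TOKEN_LEN  8     /* null token: eight bytes of binary zeros */
#define PKA_LABEL_MAX       64    /* assumed CCA key label length (not in the text) */

/* Assumed token identifier bytes in the first byte of a PKA key token. */
#define PKA_TOKEN_ID_INTERNAL 0x1E
#define PKA_TOKEN_ID_EXTERNAL 0x1F

typedef enum {
    PKA_ID_INVALID = 0,     /* empty, over-length, or not a recognised form */
    PKA_ID_NULL_TOKEN,      /* placeholder record; target for Import/Generate */
    PKA_ID_LABEL,           /* indirect reference to a stored internal token */
    PKA_ID_INTERNAL_TOKEN,  /* master-key wrapped; local system only */
    PKA_ID_EXTERNAL_TOKEN   /* transport-key wrapped; exchangeable */
} pka_id_kind;

/* Classify a key identifier area of 'len' bytes. */
pka_id_kind pka_classify_key_identifier(const uint8_t *area, size_t len)
{
    static const uint8_t zeros[PKA_NULL_TOKEN_LEN] = {0};
    size_t i;

    if (area == NULL || len == 0 || len > PKA_KEY_ID_MAX)
        return PKA_ID_INVALID;

    /* Exactly eight zero bytes is a null key token. */
    if (len == PKA_NULL_TOKEN_LEN && memcmp(area, zeros, len) == 0)
        return PKA_ID_NULL_TOKEN;

    /* Token identifier bytes are non-printable, so they cannot be
     * confused with the first character of a key label. */
    if (area[0] == PKA_TOKEN_ID_INTERNAL)
        return PKA_ID_INTERNAL_TOKEN;
    if (area[0] == PKA_TOKEN_ID_EXTERNAL)
        return PKA_ID_EXTERNAL_TOKEN;

    /* Anything else must be a printable key label within the label limit. */
    if (len > PKA_LABEL_MAX)
        return PKA_ID_INVALID;
    for (i = 0; i < len; i++)
        if (!isprint(area[i]))
            return PKA_ID_INVALID;
    return PKA_ID_LABEL;
}
```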