Blue smart cards (00RY790)
Smart card part, 00RY790, was shipped with TKE 9.1. In addition to having the part number printed on it, the card is blue. The blue smart card supports 521-bit Elliptic Curve (EC) cryptography and has more storage than the previous TKE smart card. Because of the stronger cryptography and the increased storage, the following important features were added to TKE 9.1:
- With a blue smart card, you can create a TKE zone (defined when you initialize and personalize a Certificate Authority (CA) smart card) or a Migration zone (defined when you initialize and personalize a Migration Certificate Authority (MCA) smart card) with a zone strength of 521-bit EC. All the smart cards in any type of 521-bit EC zone must also be blue smart cards.
- If your Migration Zone (MCA) strength is 521-bit EC, you can collect and apply data from domains that are in Imprint or PCI compliant mode. With the older smart cards, it was not possible to collect or apply the settings of domains in these two states.
- When a new Local Adapter Logon key is generated on a blue smart card, the strength is 521-bit EC.
- When an Authority Signature Key or Administrator Signature key is generated on a blue smart card, you can select 521-bit EC as the key strength. You would only select this strength if the host crypto module that you will manage also has 521-bit EC support.
- Blue smart cards can hold up to 85 key parts. This is an increase of 35 key parts.
Things to know about the blue smart card:
- TKE 9.1 is the minimum supported release for the blue smart card. You may not use the blue smart card on any TKE below TKE 9.1.
- IMPORTANT RESTRICTIONS: The blue smart card is configured to run in FIPS mode. Therefore, the smart card hardware prohibits the generation of any 1024-bit RSA keys. This has the following significant implications:
  - When you initialize a Certificate Authority (CA) smart card using a blue smart card, the zone strength may not be 1024-bit RSA. The zone strength can be set to 2048-bit RSA or 521-bit EC.
  - When you are making a backup CA smart card from an existing CA smart card, you may not use a blue smart card to make a backup of a 1024-bit RSA CA smart card.
  - A blue smart card may not have a 1024-bit RSA alternate zone. This means that you must use a special procedure to move (migrate) key material from a TKE smart card in a 1024-bit RSA zone onto a blue TKE smart card, which must be in a different, stronger zone. Note: The process for moving data onto a blue smart card is described in Moving data from a TKE smart card in a 1024-bit zone to a blue smart card.
  - You may not create an Authority Signature Key for managing a Crypto Express 2 host crypto module onto a blue smart card. The Crypto Express 2 only supports 1024-bit RSA signature keys. Note: You can copy an existing 1024-bit RSA Authority Signature Key or 1024-bit RSA local adapter logon key onto a blue smart card and use these keys.
Recommendations:
- Only continue to use 1024-bit RSA Authority Signature Keys if you are still managing Crypto Express 2 modules. This is a very weak key strength and it is recommended that you move to stronger keys.
- You should stop using 1024-bit RSA local adapter logon keys. The strength is too weak. If you generate a local adapter logon key onto a blue smart card, the strength of the key will be 521-bit EC.
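The restrictions and recommendations above can be turned into an inventory audit that flags cards and keys which would be rejected by a blue card or which the recommendations say to retire. This is an added example, not IBM or TKE code; the SmartCard fields and the sample inventory are constructed assumptions, and the only figures taken from the page are the 85 key parts of a blue card and the increase of 35.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the page: a blue card holds 85 key parts, 35 more than the previous card.
BLUE_KEY_PART_CAPACITY = 85
LEGACY_KEY_PART_CAPACITY = BLUE_KEY_PART_CAPACITY - 35


@dataclass
class SmartCard:
    """One TKE smart card in a constructed inventory (field names are assumptions)."""
    label: str
    blue: bool                             # True for the 00RY790 (blue) card
    zone_strength: str                     # "1024-bit RSA", "2048-bit RSA" or "521-bit EC"
    key_parts: int = 0
    signature_key: Optional[str] = None    # strength of the Authority/Administrator Signature Key
    logon_key: Optional[str] = None        # strength of the Local Adapter Logon key
    manages_cex2: bool = False             # still used to manage a Crypto Express 2 module


def audit(cards: List[SmartCard]) -> List[Tuple[str, str]]:
    """Return (label, finding) pairs for each card that breaks a blue-card rule or a recommendation."""
    findings = []
    for c in cards:
        if c.blue and c.zone_strength == "1024-bit RSA":
            findings.append((c.label, "blue card in a 1024-bit RSA zone: FIPS mode forbids this"))
        if c.zone_strength == "521-bit EC" and not c.blue:
            findings.append((c.label, "521-bit EC zone requires every card to be blue"))
        capacity = BLUE_KEY_PART_CAPACITY if c.blue else LEGACY_KEY_PART_CAPACITY
        if c.key_parts > capacity:
            findings.append((c.label, f"{c.key_parts} key parts exceeds the capacity of {capacity}"))
        # A 1024-bit RSA signature key is only justified while a Crypto Express 2 is still managed.
        if c.signature_key == "1024-bit RSA" and not c.manages_cex2:
            findings.append((c.label, "1024-bit RSA signature key with no Crypto Express 2 to justify it"))
        # The page recommends retiring 1024-bit RSA logon keys; a blue card regenerates them as 521-bit EC.
        if c.logon_key == "1024-bit RSA":
            findings.append((c.label, "1024-bit RSA local adapter logon key: regenerate on a blue card"))
    return findings


# Constructed sample inventory, not real cards.
INVENTORY = [
    SmartCard("CA-01", blue=True, zone_strength="521-bit EC", key_parts=40),
    SmartCard("OLD-07", blue=False, zone_strength="521-bit EC", key_parts=51),
    SmartCard("ADM-03", blue=True, zone_strength="2048-bit RSA",
              signature_key="1024-bit RSA", logon_key="1024-bit RSA"),
    SmartCard("CEX2-ADM", blue=False, zone_strength="1024-bit RSA",
              signature_key="1024-bit RSA", manages_cex2=True),
]

if __name__ == "__main__":
    for label, message in audit(INVENTORY):
        print(f"{label}: {message}")
```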