Product Documentation

The generateBaseDerivationKey (GBK) operation uses the cryptographic hardware module of the appliance to generate a new 128-bit key that can be used as a Base Derivation Key (BDK) as defined by the ANSI X9.24-1 DUKPT standard. The web service operation requires four parameters:

DID

The unique encryption domain identifier.

username

The username (service credential) within the encryption domain with the authorization to call this web service. The user requires the Key Management Custodian privilege to execute this operation.

password

The password of the username to authenticate the credential of the requester.

mfr

The numerical identifier of the manufacturer for which this BDK is assigned. In this web service, this value is used primarily for logging purposes.

When SAKA receives the request, it verifies the credentials presented against its internal database (or an optional LDAP directory server) and determines whether the caller is authorized to request the GBK service by verifying that the caller is a member of the KMCAuthorized group. If using LDAP, this group and its members must be created in the LDAP directory as a distinct task of the SAKA installation process; when using the internal database on SAKA, this group is created automatically.

If the requester is authorized, SAKA uses the True Random Number Generator (TRNG) of the appliance's cryptographic hardware module to generate a new 128-bit key. This key is divided into three key components. The key components are packaged in CCKeyComponentType objects along with their corresponding Key Check Value (KCV) and other metadata. Additionally, a fourth CCKeyComponentType object is created that does not store a key component but contains the KCV of the assembled BDK.

Once the CCKeyComponentType objects are created, SOAP callers receive an array of these objects, and REST callers receive a JSON representation of the same array:

CCKeyComponentTypeArray[0]

Contains the first key component with KCV and metadata.

CCKeyComponentTypeArray[1]

Contains the second key component with KCV and metadata.

CCKeyComponentTypeArray[2]

Contains the third key component with KCV and metadata.

CCKeyComponentTypeArray[3]

Contains only the KCV of the assembled BDK (does not include the assembled BDK itself).
An example JSON array response from the KMS Module's GBK service:

[{
 "KeyName": "0",
 "KeyComponent": "F540DF52C1E3957D0B69BE23E443C003",
 "KeyCheckValue": "D35DF4",
 "KeyAlgorithm": "AES",
 "KeySize": "128",
 "K": 1,
 "N": 3
}, {
 "KeyName": "0",
 "KeyComponent": "EA60664815BF97F1692315842D331437",
 "KeyCheckValue": "6A3D7F",
 "KeyAlgorithm": "AES",
 "KeySize": "128",
 "K": 2,
 "N": 3
}, {
 "KeyName": "0",
 "KeyComponent": "554548549AFB786036FFF422D9DEBC54",
 "KeyCheckValue": "FB1843",
 "KeyAlgorithm": "AES",
 "KeySize": "128",
 "K": 3,
 "N": 3
}, {
 "KeyCheckValue": "4B0333"
}]
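A receiving-side check of such a response, added here as an example and not part of SAKA's documentation or code: it parses the GBK JSON array, verifies each component against its KCV, reassembles the BDK and compares the result with the KCV-only trailer object. It assumes that the components combine by XOR and that the KCV is the first three bytes of AES-ECB encryption of an all-zero block; the page states neither, so a different SAKA convention would make the check fail on valid responses.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Component holds the two fields of a CCKeyComponentType object that the check uses.
type Component struct{ KeyComponent, KeyCheckValue string }

// KCV returns the first 3 bytes, uppercase hex, of AES-ECB over a zero block (assumed convention).
func KCV(key []byte) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		return ""
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, make([]byte, aes.BlockSize))
	return fmt.Sprintf("%X", out[:3])
}

// AssembleBDK verifies each component KCV, XORs the components (assumed split method) and checks the trailer KCV.
func AssembleBDK(resp []byte) ([]byte, string, error) {
	var parts []Component
	if err := json.Unmarshal(resp, &parts); err != nil {
		return nil, "", err
	}
	bdk, n, trailer := make([]byte, aes.BlockSize), 0, ""
	for i, p := range parts {
		if p.KeyComponent == "" { // trailer object: carries only the KCV of the assembled BDK
			trailer = p.KeyCheckValue
			continue
		}
		comp, err := hex.DecodeString(p.KeyComponent)
		if err != nil || len(comp) != aes.BlockSize || KCV(comp) != p.KeyCheckValue {
			return nil, "", fmt.Errorf("object %d: not a 128-bit hex key or KCV mismatch", i)
		}
		for j := range bdk {
			bdk[j] ^= comp[j]
		}
		n++
	}
	got := KCV(bdk)
	if n != 3 || got != trailer {
		return nil, "", fmt.Errorf("assembled BDK: %d components, KCV %s vs trailer %q", n, got, trailer)
	}
	return bdk, got, nil
}
```

Call AssembleBDK on the raw JSON body of the GBK response; a non-nil error means a component was altered in transit or the assembled key does not match the KCV the appliance computed.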