The generateBaseDerivationKey (GBK) operation uses the cryptographic hardware module of the appliance to generate a new 128-bit key that can be used for a Base Derivation Key as defined by the ANSI X9.24-1 DUKPT standard. The web service operation requires four parameters:

When SAKA receives the request, it verifies the credentials presented against its internal database—or an optional LDAP directory server—and determines their authorization to request the GBK service by verifying if they are a member of the KMCAuthorized group. If using LDAP, this group and its members must be created in the LDAP directory as a distinct task of the SAKA installation process; when using the internal database on SAKA, this group is created automatically.

If the requester is authorized, SAKA utilizes the True Random Number Generator (TRNG) from the appliance's cryptographic hardware module to generate a new 128-bit key. This key is divided into three key components. The key components are packaged in CCKeyComponentType objects along with their corresponding KCV and other metadata. Additionally, a fourth CCKeyComponentType object is created that does not store a key component, but contains the KCV of the assembled BDK.

Once the CCKeyComponentType objects are created, in the case of SOAP, an array of these objects will be returned. In the case of REST, a JSON representation of the array is returned:

An example JSON array response for KMS Module's GBK service:

[{
 "KeyName": "0",
 "KeyComponent": "F540DF52C1E3957D0B69BE23E443C003",
 "KeyCheckValue": "D35DF4",
 "KeyAlgorithm": "AES",
 "KeySize": "128",
 "K": 1,
 "N": 3
}, {
 "KeyName": "0",
 "KeyComponent": "EA60664815BF97F1692315842D331437",
 "KeyCheckValue": "6A3D7F",
 "KeyAlgorithm": "AES",
 "KeySize": "128",
 "K": 2,
 "N": 3
}, {
 "KeyName": "0",
 "KeyComponent": "554548549AFB786036FFF422D9DEBC54",
 "KeyCheckValue": "FB1843",
 "KeyAlgorithm": "AES",
 "KeySize": "128",
 "K": 3,
 "N": 3
}, {
 "KeyCheckValue": "4B0333"
}]