Entrust nShield Security Manual page 86

hash has the following properties:
- H_ID is not modified by any operations on the key (for example, altering the ACL,
  the application data field, or other modes and flags).
- H_ID is the same for both public and private halves of a key pair.
- Unique data is added to the hash so that an H_ID is most unlikely to be the same as any
  other hash value that might be derived from the key material.
Key blob
A key blob is a key object with its ACL and application data encrypted by a module
key, a logical token, or a recovery key. Key blobs are used for the long-term storage of
keys. Blobs are cryptographically secure; they can be stored on the host computer's
hard disk and are only readable by units that have access to the same module key.
See also
Access Control List (ACL)
Key object: K_A
This is a key object to be kept securely by the module. A key object may be a private
key, a public counterpart to a private key, a key for a symmetric cipher (MAC or some
other symmetric algorithm), or an arbitrary block of data. Applications can use this
last type to allow the module to protect any other data items in the same way that it
protects cryptographic keys. Each key object is stored with an ACL and a 20-byte
data block that the application can use to hold any relevant information.
KeyID: ID_KA
When a key object K_A is loaded within the module's RAM, it is given a short identifier
or handle that is notated as ID_KA. This is a transient identifier, not to be confused with
the key hash H_ID(K_A).
Logical token: K_T
A logical token is a key used to protect key blobs. A logical token is generated on the
nShield module and never revealed, except as shares.
MAC: MAC_KC
This notation indicates a MAC (Message Authentication Code) created using key K_C.
Module
See also
hardware security module (HSM)
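The key hash and KeyID entries above, modelled as an added example that is not code from the nShield manual or from Entrust: a key object's H_ID is computed only over its identity-bearing material together with a constructed domain tag, so changing the ACL or application data leaves it unchanged and both halves of a key pair share it, while the module hands out a fresh transient ID_KA on every load. The tag value, the class names and the handle scheme are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed domain-separation tag standing in for the "unique data added to the
# hash"; an assumption for this model, not nShield's actual H_ID construction.
IDENTITY_TAG = b"example-key-identity-v1"


@dataclass
class KeyObject:
    """Models K_A: key material stored with an ACL and a 20-byte application data block."""
    public: bytes                 # public component; empty for a symmetric key
    private: bytes = b""          # private or symmetric secret
    acl: str = "default"          # simplified ACL; a string is enough for the model
    app_data: bytes = field(default_factory=lambda: bytes(20))

    def key_hash(self) -> str:
        """H_ID: covers only identity-bearing material, never the ACL or app data.
        For a key pair that is the public component, so both halves agree."""
        material = self.public if self.public else self.private
        return hashlib.sha256(IDENTITY_TAG + material).hexdigest()


class ModuleRam:
    """Models a module issuing transient ID_KA handles as key objects are loaded."""

    def __init__(self) -> None:
        self._loaded: dict[int, KeyObject] = {}
        self._next_handle = 1

    def load(self, key: KeyObject) -> int:
        handle = self._next_handle      # handles are per-session, not a key identity
        self._next_handle += 1
        self._loaded[handle] = key
        return handle

    def unload(self, handle: int) -> None:
        del self._loaded[handle]


def demonstrate() -> dict:
    """Loads the same key twice and mutates its ACL; returns the observable values."""
    pub, priv = b"constructed-public-part", b"constructed-private-part"
    private_half = KeyObject(public=pub, private=priv, acl="sign-only")
    public_half = KeyObject(public=pub)
    ram = ModuleRam()
    first = ram.load(private_half)
    ram.unload(first)
    second = ram.load(private_half)       # new ID_KA, same H_ID
    private_half.acl = "sign-and-export"  # ACL change must not move H_ID
    return {"hash_private": private_half.key_hash(), "hash_public": public_half.key_hash(),
            "plain_sha256": hashlib.sha256(pub).hexdigest(), "handles": (first, second)}
```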
