Eric,
Thanks very much for helping me out. Hopefully this has all the details you need:
Key Token Build - EXPORTER (TYPE)
KEY-TOKEN : LV
KEY-TYPE : EXPORTER
RULES: INTERNAL, NOCV-KEK
KEY-VALUE : LV
KEY-MKVN : ZERO
KEY-KRN : ZERO
KEY-SECURE-TOKEN: LV
CTL-V : LV
INIT-V : LV
KEY-PAD : ZERO
KEY-CPS : LV
KEY-MVP : LV
Move that created token into ID1 of the KEYGEN call.
Key Gen - OPEX (KEYFORM), DOUBLE (KEYLEN), EXPORTER (TYPE1), IMPORTER(TYPE2),
LOW-VALUES (KEY-ID1), DOUBLE LEN DES EXPORTER KEY WITH NOCV ATTRIBUTE (KEK)
AFOREMENTIONED KEY TOKEN (GEN-ID1), LOW-VALUES (GEN-ID2).
CSNDT34D - RULES: 2PASSCRE, PKI-NONE, SKEY-DES, VARDRV-B, T34-2019, DEC-ONLY, EXP-NONE, KEK-WRAP
SRC KEY LEN : 64
SRC KEY : GEN-ID2 FROM KEYGEN (IMPORTER EXTERNAL)
UNWRAP LEN: 64
UNWRAP KEY: SAME LABEL USED WITH KEY GEN (KEK FIELD).
RAND-TOKEN-LEN : DON'T REMEMBER BUT CAN LOOK UP AT SOME POINT
RAND-TOKEN : THE RANDOM NUMBER IN T34 TOKEN FORM
CRL-LEN - WHATEVER THE LENGTH
CRL - DER ENCODED CRL
HOST-CERT-LEN - WHATEVER THE LENGTH
HOST-CERT - DER ENCODED HOST CERTIFICATE
ATM-CERT-LEN - WHATEVER THE LENGTH
ATM-CERT - DER ENCODED ATM CERTIFICATE
HSTPRIV-RSA-LEN : 64
HSTPRIV-RSA : LABEL OF PRIVATE RSA KEY
TR31-KB-VER : ZERO
OPTBLKS LEN: 0
OPTBLKS: LV
OUT-TR34KB-LEN : A LARGE BLOCK LENGTH
OUT-TR34KB : LV
RESERVED LEN : 0
RESERVED : LV
Sincerely,
Mark
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------
Original Message:
Sent: Tue March 10, 2026 12:41 PM
From: Eric Rossman
Subject: TR-34 key distribution error 8/847 questions
I think I understand your problem more clearly now. So, if you are trying to export (via TR-34 distribute) an IMPORTER, you would need DEC-ONLY, as you noted. If that IMPORTER is already external, you would need the IMPORTER key that matches the EXPORTER used in CSNBKGN.
A control vector violation tells me that one of the input keys doesn't meet the needs. This is a bit more complicated than is easy to solve in the community, but if you want to keep working here, I'm OK with that. What I need to know are the specific inputs for both KGN and T34D. I don't need to know key values or anything, but I need to know what the rules are, what kind of key is being used (external or internal, key types, any unique key attributes, etc.) for each parm.
------------------------------
Eric Rossman
Original Message:
Sent: Mon March 09, 2026 12:32 PM
From: Mark Vollmer
Subject: TR-34 key distribution error 8/847 questions
Eric,
I'm using a key gen call to create the DES key I want to export via TR-34 call CSNDT34D. You are correct.
Sincerely,
Mark
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
Original Message:
Sent: Mon March 09, 2026 12:18 PM
From: Eric Rossman
Subject: TR-34 key distribution error 8/847 questions
Which callable service(s) are you using? You say "DES key I'm trying to export has the following settings during key gen: OPEX, EXPORTER, IMPORTER".
Then you said "TR-34 export call to use the external IMPORTER key". Are you referring to TR-34 Key Distribution (CSNDT34D and CSNFT34D)?
I need to know the specific services and rules you are using to be able to understand where it is going sideways.
------------------------------
Eric Rossman
Original Message:
Sent: Mon March 09, 2026 12:07 PM
From: Mark Vollmer
Subject: TR-34 key distribution error 8/847 questions
Eric,
Thanks for helping me out. I'm sure the table applies to TR-34 in this case.
The DES key I'm trying to export has the following settings during key gen: OPEX, EXPORTER, IMPORTER. I also provide a key token that I build with EXPORTER & NOCV settings for the operational EXPORTER key on the key gen command. I think this gives me an operational exporter with a NOCV attribute as one of the key pair. And the other is an external token IMPORTER key, likely without the NOCV attribute.
I then pass the operational exporter key to the TR-34 as the source key, and using the ENC-ONLY flag. This call completes successfully, but my partner doesn't like the TR-31 attribute of ENC-ONLY and wants me to use DEC-ONLY.
So I altered ENC-ONLY to DEC-ONLY to make the next call. And I'm going to believe that the error returned (and noted above) probably means that DEC-ONLY and an EXPORTER key isn't a valid acceptable (or permitted?) combination thereby returning the error I noted above.
In my next test, I've altered the TR-34 export call to use the external IMPORTER key. I've added the key unwrap exporter key to the parmlist. I've left the DEC-ONLY parameter on the rule list.
I now get an x27/39 (Control Vector Violation) error on this new version of the call. And I'm wondering if this error might be because my external IMPORTER key does not have the NOCV attribute. And that maybe I need to build a key token for this half of the key pair as well.
Does this sound reasonable or should I be looking elsewhere?
Sincerely,
Mark
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
Original Message:
Sent: Fri March 06, 2026 04:30 PM
From: Eric Rossman
Subject: TR-34 key distribution error 8/847 questions
That column is the ACP number (in hex) for the operation listed to the left. That said, that table is for TR-31 Import. Can you say which service you are using? I suspect that table is unrelated to the service you are using.
------------------------------
Eric Rossman
Original Message:
Sent: Fri March 06, 2026 10:32 AM
From: Mark Vollmer
Subject: TR-34 key distribution error 8/847 questions
Hello everyone. I'm creating a TR-34 keyblock to send to a device.
8/847(2119) - "Mode" value in the TR-31 header is invalid or is not acceptable in the chosen operation. User Action: Check the TR-31 key block header for correctness.
This call succeeded when I was using rule ENC-ONLY. When I changed to DEC-ONLY at a request of the device (the only thing I changed), I got this error.
I think it is telling me that the DES key that I am wrapping was compatible with ENC-ONLY but not compatible with DEC-ONLY and as a result I need to generate a DES key that will match the DEC-ONLY setting. But I am not sure. Can anyone let me know if I'm on the right track?
I'm looking at a table in the APG (Table 408. Export translation table for DES keys in TR-34 key blocks) and the column Offset (hex) has no meaning to me. Can someone explain what that column of information is telling me?
Thanks for your help.
Sincerely,
Mark
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------
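
The 8/847 text quoted in the first post asks for the TR-31 key block header to be checked. As an added example (not part of the thread and not IBM code), this decodes the fixed 16-character TR-31 header and compares its mode-of-use byte with the rule keyword passed on the call. The sample header is constructed, and the rule-to-mode mapping is an assumption limited to the two keywords discussed in the thread.

```python
from dataclasses import dataclass

# Assumption: only the two rule keywords that appear in this thread.
RULE_TO_MODE = {"ENC-ONLY": "E", "DEC-ONLY": "D"}

@dataclass(frozen=True)
class Tr31Header:
    version: str          # key block version ID, e.g. 'B'
    length: int           # total key block length, 4 decimal digits
    key_usage: str        # e.g. 'K0' for a key-encrypting key
    algorithm: str        # e.g. 'T' for TDEA
    mode_of_use: str      # 'E' encrypt only, 'D' decrypt only, 'B' both
    key_version: str
    exportability: str    # 'E', 'N' or 'S'
    optional_blocks: int  # number of optional blocks, 2 decimal digits
    reserved: str

def parse_tr31_header(block: str) -> Tr31Header:
    """Split the first 16 characters of a TR-31 key block into its fields."""
    if len(block) < 16:
        raise ValueError("TR-31 header needs 16 characters")
    hdr = block[:16]
    if not hdr.isascii() or not hdr[1:5].isdigit() or not hdr[12:14].isdigit():
        raise ValueError("length and optional-block count must be ASCII digits")
    return Tr31Header(
        version=hdr[0], length=int(hdr[1:5]), key_usage=hdr[5:7],
        algorithm=hdr[7], mode_of_use=hdr[8], key_version=hdr[9:11],
        exportability=hdr[11], optional_blocks=int(hdr[12:14]),
        reserved=hdr[14:16],
    )

def mode_matches_rule(header: Tr31Header, rule: str) -> bool:
    """True when the header's mode-of-use byte is the one the rule asks for."""
    if rule not in RULE_TO_MODE:
        raise ValueError(f"rule keyword not covered by this example: {rule}")
    return header.mode_of_use == RULE_TO_MODE[rule]

# Constructed sample: version B, length 0096, usage K0, TDEA, decrypt only.
SAMPLE_HEADER = "B0096K0TD00E0000"

if __name__ == "__main__":
    h = parse_tr31_header(SAMPLE_HEADER)
    print(h)
    print("DEC-ONLY matches:", mode_matches_rule(h, "DEC-ONLY"))
    print("ENC-ONLY matches:", mode_matches_rule(h, "ENC-ONLY"))
```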