The Token Key Service (TKS) manages one or more master keys required to set up secure channels directly to the token management system. The privileged operations such as key generation can only be requested on the tokens through a secure channel.

A Token Key Service manages the master and transport keys required to generate and distribute keys for smart cards or tokens. A master key is a Triple Digital Encryption Standard (DES) symmetric key stored either in software or hardware token. When supplied with the token Card Unique ID (CUID), a TKS can generate the corresponding three secret keys ‐ authentication key, Message Authentication Code (MAC) key, and key encryption key (KEK) ‐ on the tokens.

The Token Key Service (TKS) subsystem provides secure channels for communication between smart card tokens and a TPS subsystem. It creates these channels by using a pre-generated master key to derive secret keys that are specific for each individual token enrolled through the TPS. These secure channels allow the commands and keys sent to the smart card to be encrypted, and the shared secrets between tokens and the TKS help the smart card validate that the privileged commands sent to it are from the appropriate TPS. During server-side key generation, the TKS also generates transport keys which wrap, or encrypt, the user’s private keys to secure them during transit.