Académique Documents
Professionnel Documents
Culture Documents
Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
iii
Access_Control_Initialization (CSUAACI) . . . . . . . . . . . . . . . . . . . . . . . 35
Access_Control_Maintenance (CSUAACM) . . . . . . . . . . . . . . . . . . . . . . 38
Cryptographic_Facility_Control (CSUACFC) . . . . . . . . . . . . . . . . . . . . . . 42
Cryptographic_Facility_Query (CSUACFQ) . . . . . . . . . . . . . . . . . . . . . . 48
Cryptographic_Facility_Version (CSUACFV) . . . . . . . . . . . . . . . . . . . . . . 58
Cryptographic_Resource_Allocate (CSUACRA) . . . . . . . . . . . . . . . . . . . . 59
Cryptographic_Resource_Deallocate (CSUACRD) . . . . . . . . . . . . . . . . . . . 61
Key_Storage_Designate (CSUAKSD) . . . . . . . . . . . . . . . . . . . . . . . . 63
Key_Storage_Initialization (CSNBKSI) . . . . . . . . . . . . . . . . . . . . . . . . 65
Logon_Control (CSUALCT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Master_Key_Distribution (CSUAMKD) . . . . . . . . . . . . . . . . . . . . . . . . 70
Master_Key_Process (CSNBMKP) . . . . . . . . . . . . . . . . . . . . . . . . . 74
Random_Number_Tests (CSUARNT) . . . . . . . . . . . . . . . . . . . . . . . . 78
Contents v
Chapter 6. Data confidentiality and data integrity . . . . . . . . . . . . . . . . . . . 357
Encryption and message authentication codes . . . . . . . . . . . . . . . . . . . . . 357
Ensuring data confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Ensuring data integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Data confidentiality and data integrity verbs . . . . . . . . . . . . . . . . . . . . . . 359
Decipher (CSNBDEC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Encipher (CSNBENC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
HMAC_Generate (CSNBHMG) . . . . . . . . . . . . . . . . . . . . . . . . . . 366
HMAC_Verify (CSNBHMV) . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
MAC_Generate (CSNBMGN). . . . . . . . . . . . . . . . . . . . . . . . . . . 372
MAC_Verify (CSNBMVR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Symmetric_Algorithm_Decipher (CSNBSAD) . . . . . . . . . . . . . . . . . . . . . 378
Symmetric_Algorithm_Encipher (CSNBSAE) . . . . . . . . . . . . . . . . . . . . . 383
Contents vii
Changing control vectors with the Remote_Key_Export verb . . . . . . . . . . . . . . . 671
Understanding DES and RSA key encryption and decryption processes . . . . . . . . . . . . 671
DES key encryption and decryption processes . . . . . . . . . . . . . . . . . . . . 671
RSA private-key encryption and decryption process . . . . . . . . . . . . . . . . . . 671
PKA92 key format and encryption process . . . . . . . . . . . . . . . . . . . . . . 674
Encrypting a key-encrypting key in the NL-EPP-5 format . . . . . . . . . . . . . . . . 675
Appendix E. Financial system verbs calculation methods and data formats . . . . . . . . . 697
PIN calculation methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
IBM 3624 PIN-calculation method . . . . . . . . . . . . . . . . . . . . . . . . . 698
IBM 3624 PIN-offset calculation method. . . . . . . . . . . . . . . . . . . . . . . 698
Netherlands PIN-1 calculation method . . . . . . . . . . . . . . . . . . . . . . . 699
IBM German Bank Pool Institution PIN-calculation method . . . . . . . . . . . . . . . . 699
Visa PIN-validation value PIN-calculation method . . . . . . . . . . . . . . . . . . . 700
InterBank PIN-calculation method . . . . . . . . . . . . . . . . . . . . . . . . . 700
PIN-block formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
IBM 3624 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
ISO-0 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
ISO-1 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
ISO-2 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
ISO-3 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Derived unique-key-per-transaction calculation method . . . . . . . . . . . . . . . . . . 704
Deriving an ANS X9.24 unique-key-per-transaction key . . . . . . . . . . . . . . . . . 704
Performing the special encryption and special decryption processes . . . . . . . . . . . . 705
CVV and CVC card-verification method . . . . . . . . . . . . . . . . . . . . . . . . 706
Visa and EMV-related smart card formats and processes . . . . . . . . . . . . . . . . . 707
Deriving the smart-card-specific authentication code . . . . . . . . . . . . . . . . . . 708
Constructing the PIN-block for transporting an EMV smart-card PIN . . . . . . . . . . . . 708
Deriving the CCA TDES-XOR session key . . . . . . . . . . . . . . . . . . . . . . 708
Deriving of the EMV TDESEMVn tree-based session key . . . . . . . . . . . . . . . . 709
PIN-block self-encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
IBM agreement for licensed internal code . . . . . . . . . . . . . . . . . . . . . . . 758
Actions you must not take . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Contents ix
x CCA Basic Services October 14, 2011
Figures
1. CCA security API, access layer, and cryptographic engine . . . . . . . . . . . . . . . . 2
2. Coprocessor-to-coprocessor DES or RSA master-key cloning . . . . . . . . . . . . . . 30
| 3. PKA96 verbs with key-token flow . . . . . . . . . . . . . . . . . . . . . . . . . 82
4. Default key-wrapping method configuration . . . . . . . . . . . . . . . . . . . . . 144
5. Flow of cryptographic command processing in a cryptographic facility . . . . . . . . . . . 149
| 6. Key_Token_Build2 keyword combinations for AES CIPHER keys. . . . . . . . . . . . . 154
| 7. Key_Token_Build2 keyword combinations for AES EXPORTER keys . . . . . . . . . . . 155
| 8. Key_Token_Build2 keyword combinations for AES IMPORTER keys . . . . . . . . . . . 156
| 9. Key_Token_Build2 keyword combinations for HMAC MAC keys . . . . . . . . . . . . . 157
| 10. Control_Vector_Generate and Key_Token_Build CV keyword combinations for fixed-length DES
| key tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
| 11. AES and DES fixed-length key-token contents . . . . . . . . . . . . . . . . . . . 165
| 12. Use of fixed-length AES key tokens and key labels . . . . . . . . . . . . . . . . . . 167
13. Use of fixed-length DES key tokens and key labels. . . . . . . . . . . . . . . . . . 168
| 14. Key-processing and key-storage verbs for keys in fixed-length AES key tokens . . . . . . . 170
15. Key-processing and key-storage verbs for keys in fixed-length DES key tokens . . . . . . . 172
16. DES key exporting and key importing . . . . . . . . . . . . . . . . . . . . . . . 176
17. Overview of trusted block contents . . . . . . . . . . . . . . . . . . . . . . . . 180
18. Simplified RKX key-token structure. . . . . . . . . . . . . . . . . . . . . . . . 184
19. Trusted block creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
20. Exporting DES keys using a trusted block . . . . . . . . . . . . . . . . . . . . . 185
21. Generating DES keys using a trusted block . . . . . . . . . . . . . . . . . . . . 188
22. Typical flow of verbs for remote key export . . . . . . . . . . . . . . . . . . . . . 189
23. Financial PIN verbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
24. Access-control system role structure . . . . . . . . . . . . . . . . . . . . . . . 639
25. Aggregate role structure with header . . . . . . . . . . . . . . . . . . . . . . . 640
26. Access-control-point structure. . . . . . . . . . . . . . . . . . . . . . . . . . 641
27. Access-control system profile structure . . . . . . . . . . . . . . . . . . . . . . 642
28. Format of profile activation date and expiration date . . . . . . . . . . . . . . . . . 642
29. Aggregate profile structure with header . . . . . . . . . . . . . . . . . . . . . . 643
30. Layout of the authentication data field. . . . . . . . . . . . . . . . . . . . . . . 644
31. Passphrase authentication data structure example . . . . . . . . . . . . . . . . . . 646
32. User profile data structure example . . . . . . . . . . . . . . . . . . . . . . . 646
33. Aggregate profile structure example . . . . . . . . . . . . . . . . . . . . . . . 647
34. Access-control-point list example . . . . . . . . . . . . . . . . . . . . . . . . 647
35. Role data structure example . . . . . . . . . . . . . . . . . . . . . . . . . . 648
36. Aggregate role data structure example . . . . . . . . . . . . . . . . . . . . . . 649
37. DES control-vector-base bit map . . . . . . . . . . . . . . . . . . . . . . . . 658
38. Exchanging a key with a non-control-vector system. . . . . . . . . . . . . . . . . . 666
39. Control_Vector_Translate verb mask_array processing . . . . . . . . . . . . . . . . 669
40. Control_Vector_Translate verb process . . . . . . . . . . . . . . . . . . . . . . 670
41. Multiply-enciphering and multiply-deciphering DES and RSA keys . . . . . . . . . . . . 673
42. Triple-DES data encryption and decryption . . . . . . . . . . . . . . . . . . . . . 682
43. Enciphering using the NIST SP 800-38A CBC method . . . . . . . . . . . . . . . . 683
44. Deciphering using the CBC method . . . . . . . . . . . . . . . . . . . . . . . 684
45. Enciphering using the ANS X9.23 method . . . . . . . . . . . . . . . . . . . . . 685
46. Deciphering using the ANS X9.23 method . . . . . . . . . . . . . . . . . . . . . 685
47. Triple-DES CBC encryption process . . . . . . . . . . . . . . . . . . . . . . . 686
48. Triple-DES CBC decryption process . . . . . . . . . . . . . . . . . . . . . . . 687
49. EDE algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
50. DED process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
51. MAC calculation method . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
52. Example of logon key computation . . . . . . . . . . . . . . . . . . . . . . . . 692
xi
53. 3624 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
54. ISO-0 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
55. ISO-1 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
56. ISO-2 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
57. ISO-3 PIN-block format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
58. CVV track 2 algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Tables xv
160. FCV distribution structure, FCV format version X'01' (Release 4.1 or later) . . . . . . . . . 653
161. DES key classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
162. Key-type default control-vector values. . . . . . . . . . . . . . . . . . . . . . . 657
163. PKA92 clear DES key-record (PKR) . . . . . . . . . . . . . . . . . . . . . . . 674
164. NL-EPP-5 key-record format . . . . . . . . . . . . . . . . . . . . . . . . . . 676
165. Versions of the MDC calculation method. . . . . . . . . . . . . . . . . . . . . . 680
166. MDC calculation procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 681
167. Financial PIN-calculation methods, data formats, and other items . . . . . . . . . . . . 697
168. Security API verbs in supported environments. . . . . . . . . . . . . . . . . . . . 711
169. Supported CCA commands . . . . . . . . . . . . . . . . . . . . . . . . . . 715
170. Example roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
171. PIN data exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
172. Roles and permissions for a digital-signing server . . . . . . . . . . . . . . . . . . 738
173. Roles and permissions for a simple certification authority case . . . . . . . . . . . . . 740
174. Format summary of JNI calls . . . . . . . . . . . . . . . . . . . . . . . . . . 743
| IBM provides a PCIe cryptographic coprocessor and an older PCI-X cryptographic coprocessor for your
| cryptographic needs. These coprocessors are supported on IBM Power Systems and IBM System x
| servers. The PCI-X cryptographic coprocessor is also provided on IBM System i and System p, which
| has since been changed to Power Systems. The different coprocessor products that are available on each
| platform are shown in Table 1.
| Table 1. Coprocessor product by platform and CCA Release
| Cryptographic CCA
| Platform coprocessor Release Coprocessor product
| IBM Power Systems PCIe 4.1 Feature code 4807 (without custom carrier)
| 4.0
| Feature code 4808 (IBM POWER6 custom carrier and
| instruction EC N23386)
| Feature code 4809 (IBM POWER7 customer carrier
| and instruction EC N23597)
| IBM System i PCI-X 3.30 Feature code 4806
| 3.25
| IBM System p PCI-X 3.30 Feature code 4764
| 3.27
| IBM System x PCIe 4.2 IBM machine type-model 4765-001
| 4.1
| PCI-X 3.60 IBM machine type-model 4764-001
| 3.30
|
| The different software offerings that are supported for each CCA release are shown in Table 2 on page
| xviii.
xvii
| Table 2. Software offering by CCA Release
| CCA
| Operating system Platform Release Software offering
| IBM AIX Power Systems 4.1 Release 7.10 and later, 32-bit
| Release 6.1L and later, 32-bit
| Release 5.3X and later, 32-bit
| 4.0 Release 6.1J and later, 32-bit
| Release 5.3X and later, 32-bit
| System p 3.30 Release 6.1 and later
| Release 5.3 TL7 and later
| 3.27 Release 5.3H and later
| Release 5.2Q and later
| IBM i Power Systems 4.1 Option 35 Cryptographic Service
| Provider 7.1
| System i 3.30 Option 35 Cryptographic Service
| Provider 6.1
| 3.25 Option 35 Cryptographic Service
| Provider 5.3
| Microsoft Windows Server 2003 System x 3.60 Standard Edition, 32-bit
| R2, Standard Edition, 32-bit
| 3.30 Standard Edition, 32-bit
| Red Hat Enterprise Linux (RHEL) System x 3.60 RHEL 5.4, Server Edition, 32-bit
| RHEL 5.2, Server Edition, 32-bit
| 3.30 RHEL 5.2, Server Edition, 32-bit
| SUSE Linux Enterprise Server from System x 4.2 SLES 11 Service Pack 1, 32-bit
| Novell (SLES)
| 4.1 SLES 11 Service Pack 1, 32-bit
| 3.60 SLES 11 Service Pack 1, 32-bit
| SLES 10 Service Pack 1, 32-bit
| SLES 10, 32-bit
| 3.30 SLES 10, 32-bit
|
| Note: See the PCIe Cryptographic Coprocessor or PCI-X Cryptographic Coprocessor link at
| http://www.ibm.com/security/cryptocards for the latest supported environments and product ordering
| information. From there, click on Product support and then click on Software updates.
Summary of changes
The SUSE Linux Enterprise Server 9 from Novell operating system has been withdrawn from all releases
for IBM System x.
In addition, support for Release 3.25 on IBM System x has been withdrawn.
Release 3.60 adds support for new operating systems on IBM System x. See Table 2 on page xviii.
Note: The Master_Key_Distribution (CSUAMKD) verb is not enhanced to support cloning of the
AES master key.
6. New access control points for verb Master_Key_Process (CSNBMKP):
Clear AES OMK Register (CLR-OLD) (offset X'0123')
Clear AES NMK Register (CLEAR) (offset X'0124')
Load First AES Master Key Part (offset X'0125')
Combine Intermediate AES Master Key Parts (offset X'0126')
Activate New AES Master Key (SET) (offset X'0128')
7. An enhanced version of the CNM utility to support key management of AES master keys and the
loading of AES keys using cleartext key parts.
8. The addition of a new symmetric CCA key-token structure for internal AES key tokens.
9. An enhanced version of the Key_Generate (CSNBKGN) verb to generate AES internal key tokens
containing encrypted or cleartext keys. New key-type keywords AESDATA and AESTOKEN. New
key-length keywords KEYLN24 and KEYLN32.
10. An enhanced version of the Key_Token_Build (CSNBKTB) verb to build AES internal key tokens.
New key-type keyword CLRAES, and new key-length keywords KEYLN24 and KEYLN32.
11. Enhanced versions of the Key_Test (CSNBKYT) and Key_Test_Extended (CSNBKYTX) verbs to
support both the AES master-key and AES encryption/decryption keys. New rule-array keywords
CLR-A128, CLR-A192, CLR-A256, TOKEN, AES-MK, and SHA-256 for Key_Test (CSNBKYT).
New rule-array keywords TOKEN, AES-MK, and SHA-256 for Key_Test_Extended (CSNBKYTX).
12. An enhanced version of the Key_Token_Change (CSNBKTC) verb to reencipher AES internal key
tokens when the AES master key is changed. New rule-array keywords AES and DES.
13. An enhanced version of the Multiple_Clear_Key_Import (CSNBCKM) verb to load AES keys using
multiple cleartext key parts. New rule-array keyword AES.
14. New access control point for verb Multiple_Clear_Key_Import (CSNBCKM): Encipher Under AES
Master Key (offset X'0129').
15. Enhanced versions of the asymmetric-key-based verbs Symmetric_Key_Export (CSNDSYX),
Symmetric_Key_Generate (CSNDSYG), and Symmetric_Key_Import (CSNDSYI) to transport AES
keys to and from other systems under RSA keys. New rule-array keywords AES and DES. New
rule-array keywords KEYLN24 and KEYLN32 for Symmetric_Key_Generate (CSNDSYG).
Note: Excluding generating an AES key and encrypting it under the AES master key, there is no
symmetric-key-based management of AES keys, only RSA key management of AES keys.
There are no functions to import or export AES keys encrypted under DES, TDES, or AES
keys.
16. New access control points for verb Symmetric_Key_Generate (CSNDSYG):
Generate AES DATA Key (PKCSOAEP or PKCS-1.2) (offset X'012C')
Generate AES DATA Key (ZERO-PAD) (offset X'012D')
17. New access control points for verb Symmetric_Key_Import (CSNDSYI):
Import AES Key (PKCSOAEP or PKCS-1.2) (offset X'012E')
Import AES Key (ZERO-PAD) (offset X'012F')
18. New access control points for verb Symmetric_Key_Export (CSNDSYX):
Export AES Key (PKCSOAEP or PKCS-1.2) (offset X'0130')
Note: The ATM remote key loading verbs Trusted_Block_Create (CSNDTBC) and
Remote_Key_Export (CSNDRKX), which rely on control vectors and key typing, do not
support AES keys.
v The addition of ISO/DIS 9564-1 Format 3 PIN-block support (ISO-3).
ISO-3 is identical to ISO-0, except it uses random pad digits ranging from X'A' through X'F' instead of
only X'F' pad digits. The following verbs are enhanced to include support for ISO-3 format PIN blocks:
Clear_PIN_Encrypt (CSNBCPE)
Clear_PIN_Generate_Alternate (CSNBCPA)
Encrypted_PIN_Generate (CSNBEPG)
Encrypted_PIN_Translate (CSNBPTR)
Encrypted_PIN_Verify (CSNBPVR)
PIN_Change/Unblock (CSNBPCU)
Secure_Messaging_for_PINs (CSNBSPN)
v Enhanced versions of the following verbs to add 4096-bit RSA key support (RSA-CRT and RSA-PUBL):
Cryptographic_Facility_Control (CSUACFC) enables the verb to load the enhanced version of the
function control vector (FCV) needed for export control of 4096-bit RSA key strength
Cryptographic_Facility_Query (CSUACFQ) enables the verb to query the status of the 4096-bit RSA
key size enabled in the function control vector (FCV)
Digital_Signature_Generate (CSNDDSG)
Digital_Signature_Verify (CSNDDSV)
Master_Key_Distribution (CSUAMKD)
PKA_Decrypt (CSNDPKD)
PKA_Encrypt (CSNDPKE)
PKA_Key_Generate (CSNDPKG)
PKA_Key_Import (CSNDPKI)
PKA_Key_Record_Create (CSNDKRC)
PKA_Key_Record_Delete (CSNDKRD)
PKA_Key_Record_Read (CSNDKRR)
PKA_Key_Record_Write (CSNDKRW)
Support includes:
1. The addition of an overview section describing improved remote key distribution and remote
key-loading.
2. The addition of a new key-token structure called a trusted block that is an extension of CCA PKA
key tokens. A trusted block is an integral part of the remote key loading process. It consists of the
following parts, some of which are optional, and some of which can be present in different forms:
A header
Trusted public-key section
Rule section with (1) transport key variant, (2) transport key rule references, (3) common export
key parameters, (4) source key rule reference, and (5) export key CCA token parameters
subsections
Name (key label) section
Information section with (1) protection information and (2) activation and expiration dates
subsections
Related publications
In addition to the documents listed below, you might want to refer to other CCA product publications.
These publications might be of use with applications and systems you might develop for use with the IBM
4765 and IBM 4764. While there is substantial commonality in the API supported by the CCA products,
and while this document seeks to guide you to a common subset supported by all CCA products, other
individual product publications might provide further insight into potential issues of compatibility.
IBM 4765 PCIe and IBM 4764 PCI-X Cryptographic Coprocessors
All of the IBM 4765-related and 4764-related publications can be obtained from the Library page
that you can reach from the product Web site at http://www.ibm.com/security/cryptocards
IBM 4765 PCIe Cryptographic Coprocessor CCA Support Program Installation Manual and the
IBM 4764 PCI-X Cryptographic Coprocessor CCA Support Program Installation Manual
Describe the installation of the CCA Support Program and the operation of the
Cryptographic Node Management utility.
IBM 4765 PCIe Cryptographic Coprocessor Installation Manual and the IBM 4764 PCI-X
Cryptographic Coprocessor Installation Manual
Describe the physical installation of the IBM 4765 and the IBM 4764, and also the
battery-changing procedure.
Custom Programming for the IBM 4765 and the IBM 4764
The Library portion of the product Web site also includes programming information for creating
applications that perform within the IBM 4765 and the IBM 4764. See the reference to custom
programming. The product Web site is located at http://www.ibm.com/security/cryptocards
Cryptography publications
The following publications describe cryptographic standards, research, and practices relevant to the
coprocessor:
| v Accredited Standards Committee X9, Inc.: X9 TR-31 2010: Interoperable Secure Key Exchange Block
| Specification for Symmetric Algorithms
v American National Standards Institute (ANSI). ANSI is the official U.S. representative to the International
Organization for Standardization (ISO) and, via the U.S. National Committee, the International
Electrotechnical Commission (IEC). ANSI is also a member of the International Accreditation Forum
(IAF).
ANS X9.8-1:2003 Banking -- Personal Identification Number Management and Security -- Part 1: PIN
Protection Principles and Techniques for Online PIN Verification in ATM & POS Systems.
ANS X9.9:1986 Financial Institution Message Authentication (Wholesale).
ANS X9.19:1998 Financial Institution Retail Message Authentication.
ANS X9.23:1998 Financial Institution Encryption of Wholesale Financial Messages.
Subsequent sections group the many available services by topic. Each section lists the services in
alphabetical order by verb pseudonym.
The remainder of this section provides an overview of the structure of a CCA cryptographic framework and
introduces some important concepts and terms.
The products that implement the CCA security API consist of both hardware and software components.
CCA software support: The software consists of application development and runtime software
components.
v The application development software primarily consists of language bindings that can be included in
new applications to assist in accessing services available at the API. Language bindings are provided
for the C and C++ programming languages. The IBM i Option 35, CCA Cryptographic Service Provider
feature also provides language bindings for COBOL, RPG, and CL.
Note: For availability of the various IBM i code levels, see the IBM i information center
(http://www.ibm.com/eserver/iseries/infocenter).
v The runtime software can be divided into the following categories:
Service-requesting programs, including application and utility programs.
The security API, an agent function that is logically part of the calling application program or utility.
The cryptographic services access layer: an environment-dependent request routing function,
key-storage (directory) support services, and device driver to access one or more hardware
cryptographic engines.
You can create application programs that employ the CCA security API, or you can purchase applications
from IBM or other sources that use the products. This document is the primary source of information for
designing systems and application programs that use the CCA security API with the cryptographic
coprocessors.
Cryptographic engine: The CCA architecture defines a cryptographic subsystem that contains a
cryptographic engine operating within a protected boundary. The coprocessor's tamper-resistant,
tamper-responding environment provides physical security for this boundary, and the CCA architecture
provides the logical security needed for the full protection of critical information.
IBM 4765 PCIe and IBM 4764 PCI-X Cryptographic Coprocessors: The cryptographic coprocessors
provide a secure programming and hardware environment wherein AES (beginning with Release 3.30),
DES, ECC (beginning with Release 4.1), and RSA processes are performed. Each cryptographic
coprocessor includes a general-purpose processor, nonvolatile storage, and specialized cryptographic
electronics. These components are encapsulated in a protective environment to enhance security.
The IBM CCA Support Program enables applications to employ a set of cryptographic services based on
AES, DES, ECC, HMAC, and RSA, utilizing the coprocessor hardware. Services include:
| v AES, DES, HMAC, and PKA (ECC and RSA) key and key-pair generation
v Digital signature generation and verification using either the RSA algorithm or ECDSA algorithm
v Cryptographic key wrapping and unwrapping
v Data encryption and decryption, and MAC generation/verification
v PIN and card security code processing for the financial services industry
v Other services, including DES key-management based on CCA's control-vector-enforced key separation
CCA: The IBM Common Cryptographic Architecture (CCA) is the basis for a consistent cryptographic
product family. Applications employ the CCA security API to obtain services from, and to manage the
operation of, a cryptographic system that meets CCA architecture specifications.
CCA access control: Each CCA node has an access-control system enforced by the hardware and
protected software. This access-control system permits you to determine whether programs and persons
can use the cryptographic and data-storage services. Although your computing environment might be
considered open, the specialized processing environment provided by the cryptographic engine can be
kept secure because selected services are provided only when logon requirements are met. The
access-control decisions are performed within the secured environment of the cryptographic engine and
cannot be subverted by rogue code that might run on the main computing platform.
Coprocessor certification: After quality checking a newly manufactured coprocessor, IBM loads and
certifies the embedded software. Following the loading of basic, authenticated software, the coprocessor
generates an RSA key-pair and retains the private key within the cryptographic engine. The associated
public key is signed by a certification key securely held at the manufacturing facility, and then the certified
The private key within the coprocessor, known as the device private key, is retained in the coprocessor.
From this time on, if tampering is detected or if the coprocessor loses power (batteries are removed or
lose power in the absence of bus power), the coprocessor sets all security-relevant keys and data items to
zero. This process is irreversible and results in the permanent loss of the factory-certified device key, the
device private key, and all other data stored in battery-protected memory. Security-sensitive data stored in
the coprocessor flash memory is encrypted. The key used to encrypt such data is itself retained in the
battery-backed memory.
CCA master keys: When using the CCA architecture, working keysincluding session keys and the RSA
and ECC private keys used at a node to form or verify digital signatures or to unwrap other keysare
generally stored outside of the cryptographic-engine protected environment. These working keys are
wrapped (AES encrypted or DES triple-encrypted) by the AES, APKA, DES, or PKA master keys. The
master keys are held in the clear (not enciphered) within the cryptographic engine.
The number of keys usable with a CCA subsystem is thus restricted only by the host server storage, not
by the finite amount of storage within the coprocessor secure module. In addition, the working keys can be
used by additional CCA cryptographic engines which have the same master key. This CCA characteristic is
useful in high-availability and high-throughput environments where multiple cryptographic processors must
function in parallel.
Establishing CCA master keys: To protect working keys, master keys must be generated and initialized
in a secure manner. For DES and PKA master keys (but not AES and APKA master keys), one method
uses the internal random-number generator for the source of the master key. In this case, the master key
is never external to the node as an entity, and no other node has the same master key unless master-key
cloning is authorized and in use (unless, out of the 2168 possible values, another node randomly generates
the same master-key data). If an uncloned coprocessor loses its random DES or PKA master key (for
example, the coprocessor detects tampering and destroys the master key), there is no way to recover the
working keys that it wrapped.
Another master-key-establishment method enables authorized users to enter multiple, separate, 256-bit
AES key parts for AES or APKA master keys, or 168-bit DES key parts for DES or PKA master keys, into
the cryptographic engine. As each key part is entered, that part is exclusive-ORed with the contents of the
specified new-master-key register. When all parts have been accumulated, a separate command is issued
to promote the contents of the current-master-key register to the old-master-key register, and to promote
the contents of the new-master-key register to the current-master-key register.
A DES or PKA master key (but not an AES or APKA master key) can be cloned (copied) from one
coprocessor node to another coprocessor node through master-key-shares distribution. This process is
protected using digital certificates and authorizations. In this process, the master key can be reconstituted
in one or more additional coprocessors by transporting encrypted shares of the master key.
Understanding and managing master keys on page 27 provides additional detail about master-key
management.
CCA verbs: Application and utility programs called requestors obtain service from the CCA Support
Program by issuing service requests (verb calls or procedure calls) to the runtime subsystem. To fulfill
these requests, the Support Program obtains service from the coprocessor software and hardware.
The available services are collectively described as the CCA security API. All of the software and hardware
accessed through the CCA security API should be considered an integrated subsystem. A command
processor performs the verb request within the cryptographic engine.
Commands and access control, roles, profiles: In order to ensure that only designated individuals (or
programs) can run commands such as master-key loading, each command processor that performs
The access-control system includes one or more roles. Each role defines the permissible control points for
users of that role. The access-control system also supports user profiles that are referenced by a user ID.
Each profile associates the user ID with a role, logon verification method and authentication information,
and a logon session-key. Within a host process, one and only one profile, and thus role, can be logged on
at a time. In the absence of a logged-on user, a default role defines the permitted commands (using the
control points in the role) that a process can use.
For the coprocessor, there can be multiple logons by different users from different host processes. There
can also be requests from multiple threads within a single host process.
A user is logged on and off by the Logon_Control verb. During logon, the Logon_Control verb establishes
a logon session key. This key is held in user-process memory space and in the cryptographic engine. All
verbs append and verify a MAC based on this key on verb control information exchanged with the
cryptographic engine. Logoff causes the cryptographic engine to destroy its copy of the session key and to
mark the user profile as not active.
Using CCA access-control on page 14 provides a further explanation of the access-control system, and
Logon_Control (CSUALCT) on page 67 provides details about the Logon_Control verb.
When the cryptographic-services access layer receives requests concurrently from multiple application
programs, it serializes the requests and returns a response for each request. There are other
multiprocessing implications arising from the existence of a common master-key and a common
key-storage facility. These topics are covered later in this manual.
The way application programs and utilities are linked to the API services depends on the computing
environment. In the AIX, Linux, and Microsoft Windows Server 2003 environments, the operating systems
dynamically link application security API requests to the subsystem DLL code (AIX: shared library; IBM i:
service program; Linux: shared object). In the IBM i environment, the CCA API is implemented in a set of
64-bit entry-point service programs, one for each security API verb. Details for linking to the API on the
IBM i platform can be found by following the IBM i link from the CCA support section of the product Web
site, http://www.ibm.com/security/cryptocards.
Details for linking to the API are covered in the individual software product documentation. See either the
IBM 4765 PCIe Cryptographic Coprocessor CCA Support Program Installation Manual, or the IBM 4764
PCI-X Cryptographic Coprocessor CCA Support Program Installation Manual.
Together, the security API DLL and the environment-dependent request routing mechanism act as an
agent on behalf of the application and present a request to the server. Requests can be issued by one or
more programs. Each request is processed by the server as a self-contained unit of work. The
programming interface can be called concurrently by applications running as different processes. The
security API can be used by multiple threads in a process and is thread safe.
In each server environment, a device driver provided by IBM supplies low-level control of the hardware
and passes the request to the hardware device. Requests can require one or more I/O commands from
the security server to the device driver and hardware.
Overlapped processing
Calls to the CCA security API are synchronous, that is, your program loses control until the verb
completes. Multiple processing-threads can make concurrent calls to the API. CCA for Windows and Linux
restricts the number of concurrent outstanding calls for a coprocessor to 32.
Note: The limitation of 32 concurrent API calls does not apply to AIX implementations.
You can maximize throughput by organizing your application or applications to make multiple, overlapping
calls to the CCA API. You can also increase throughput by employing multiple coprocessors, each with
CCA (see Multi-coprocessor capabilities on page 25).
Within the coprocessor, the CCA software is organized into multiple threads of processing. This
multiprocessing design is intended to enable concurrent use of the coprocessor's main engine, PCIe or
PCI-X communications, AES, DES, and Secure Hash Algorithm (SHA-1, SHA-224, SHA-256, SHA-384,
and SHA-512) engine, and modular-exponentiation engine.
Your application program requests a service through the security API by using a procedure call for a verb.
The term verb implies an action that an application program can initiate; other systems and publications
might use the term callable service instead. The procedure call for a verb uses the standard syntax of a
programming language, including the entry-point name of the verb, the parameters of the verb, and the
variables for the parameters. Each verb has an entry-point name and a fixed-length parameter list.
The security API is designed for use with high-level languages, such as C, COBOL (IBM i), or RPG (IBM
i), and for low-level languages, such as assembler. It is also designed to enable you to use the same verb
entry-point names and variables in the various supported environments. Therefore, application code that
you write for use in one environment generally can be ported to additional environments with minimal
change.
Each verb has a pseudonym (also called a general-language name) and an entry-point name (known as a
computer-language name). The entry-point name is used in your program to call the verb. Each verb's
7-character or 8-character entry-point name begins with one of the following prefixes:
CSNB Symmetric algorithm (AES and DES) services
CSND RSA public-key services
CSUA Cryptographic-node and hardware-control services
The last three or four letters in the entry-point name after the prefix identify the specific service in a group
and are often the first letters of the principal words in the verb pseudonym.
Description: The verb is described in general terms. Be sure to read the parameter descriptions as these
add additional detail. A Related information section appears at the end of the verb material for some
verbs.
Restrictions: Any restrictions are noted. The Restrictions section for each verb starts with a table that
describes which operating systems and CCA releases use the verb. For example:
| The left column of the table indicates which operating systems are valid. The top row indicates which CCA
| releases are valid. An 'X' indicates that the verb is supported for that CCA release for the operating system
| indicated.
Format: The format section for each verb lists the entry-point name on the first line in bold type. This is
followed by the list of parameters for the verb. Generally the input or output direction in which the variable
identified by the parameter is listed along with the type of variable (integer or string), and the size, number,
or other special information about the variable. You must code all of the parameters and in the order listed.
Parameters: All information that is exchanged between your application program and a verb is through the
variables that are identified by the parameters in the procedure call. These parameters are pointers to the
entry-point name
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
parameter_5 Direction Data type length
parameter_6 Direction Data type length
.
.
.
The first four parameters are the same for all of the verbs. For a description of these parameters, see
Parameters common to all verbs on page 9. The remaining parameters (parameter_5, parameter_6, ...,
parameter_n) are unique for each verb. For descriptions of these parameters, see the definitions with the
individual verbs.
Direction: The parameter descriptions use the following terms to identify the flow of information:
Input The application program sends the variable to the verb (to the called routine).
Output The verb returns the variable to the application program.
In/Output The application program sends the variable to the verb, or the verb returns the variable to
the application program, or both.
Data type: Data that is identified by a verb parameter can be a single value or a one-dimensional array. If
a parameter identifies an array, each data element of the array is of the same data type. If the number of
elements in the array is variable, a preceding parameter identifies a variable that contains the actual
number of elements in the associated array. Unless otherwise stated, a variable is a single value, not an
array.
For each verb, the parameter descriptions use the following terms to describe the data type of the
variable:
Integer A 4-byte (32-bit), signed, two's-complement binary number. In the IBM i environment,
integer values are presented in 4 bytes in the sequence high-order to low-order
(little-endian). All integer values are greater than or equal to 0.
String A series of bytes where the sequence of the bytes must be maintained. Each byte can
take on any bit configuration. The string consists only of the data bytes. No string
terminators, field-length values, or typecasting parameters are included. Individual verbs
can restrict the byte values within the string to characters or numerics.
Character data must be encoded in the native character set of the computer where the
data is used. Exceptions to this rule are noted where necessary.
Array An array of values, which can be integers or strings. Only one-dimensional arrays are
permitted. For information about the parameters that use arrays, see Rule_array and
other keyword parameters on page 10.
For example, the length of the exit_data variable is expressed in this manner. The length of the exit_data
string variable is specified in the exit_data_length variable. This length is shown in the parameter tables as
exit_data_length bytes. The rule_array variable, however, is an array whose elements are 8-byte strings.
The number of elements in the rule array is specified in the rule_array_count variable and its length is
shown as rule_array_count * 8 bytes.
As you examine the verb descriptions throughout this book, you see references to Required commands.
See Appendix G, Access-control-point codes for a summary of all access-control commands, along with
the verbs that use them. Almost all of the verbs request the cryptographic engine (coprocessor) to perform
one or more commands in the performance of the verb. Each of these commands must be authorized for
use. Access-control administration concerns managing these authorizations.
Restriction: You cannot use the IBM 4765 and IBM 4764 CCA Support Programs with user exits. The
exit_data_length and exit_data variables must be declared in the parameter list. The
exit_data_length parameter should be set to 0.
Return code and reason code overview: The return_code variable provides a general indication of the
results of verb processing and is the value that your application program should generally use in
determining the course of further processing. For a list of return codes and their meanings, see Table 79
on page 561.
See Appendix A, Return codes and reason codes for a detailed discussion of return codes and a
complete list of all return and reason codes.
The number of keywords in a rule array is specified by a rule_array_count variable, an integer that defines
the number of (8-byte) elements in the array.
In some cases, a rule_array variable is used to convey information other than keywords between your
application and the server. This is, however, an exception.
Key tokens can be stored in a file that is maintained by the directory server. These key tokens are
referenced by use of a key label. A key label is an alphanumeric string that you place in a variable and
reference with a verb parameter.
Table 4 lists the verbs used to accomplish these tasks. See Using the CCA node, access control, and
master-key management verbs on page 34 for a detailed description of these verbs.
Table 4. CCA node, access control, and master-key management verbs
Entry Service
Verb Page Service point location
Access_Control_Initialization 35 Initializes or updates access-control tables in the coprocessor. CSUAACI E
Access_Control_Maintenance 38 Queries or controls installed roles and user profiles. CSUAACM E
Cryptographic_Facility_Control 42 Reinitializes the CCA application, sets the coprocessor clock, CSUACFC E
resets the intrusion latch, resets the battery-low indicator, sets
the CCA EID, sets the number of master-key shares required
and possible for distributing the DES or PKA master key,
loads or clears the CCA function control vector (FCV) that
manages international export and import regulation
limitations, initiates a hardware error (for testing purposes),
| loads, activates, and deletes PIN decimalization tables.
Cryptographic_Facility_Query 48 Retrieves information about the coprocessor and the state of CSUACFQ E
master-key-shares distribution processing.
Cryptographic_Facility_Version 58 Retrieves the CCA application version and the CCA CSUACFV E
application build date.
Cryptographic_Resource_Allocate 59 Connects subsequent calls to an alternative cryptographic CSUACRA S
resource (coprocessor).
Cryptographic_Resource_Deallocate 61 Reverts subsequent calls to the default cryptographic CSUACRD S
resource (coprocessor).
Key_Storage_Designate 63 Specifies the key-storage file used by the process. CSUAKSD S
Key_Storage_Initialization 65 Initializes one of the key-storage files that can store AES, CSNBKSI S/E
DES, variable-length symmetric, or PKA (both RSA and ECC)
keys.
Logon_Control 67 Logs a user on or off the coprocessor. CSUALCT E
Master_Key_Distribution 70 Supports the distribution and reception of DES and PKA CSUAMKD E
master-key shares.
Master_Key_Process 74 Enables the introduction of an AES, DES, APKA, or PKA CSNBMKP E
master key into the coprocessor, the random generation of a
DES or PKA master key, and the setting and clearing of the
AES, DES, APKA, or PKA master key registers.
Random_Number_Tests 78 Performs tests of the random-number generator and CSUARNT E
FIPS-mandated known-answer tests.
E=cryptographic engine, S=Security API host software
13
Using CCA access-control
This section describes these CCA access-control system topics:
v Understanding access control
v Role-based access control
v Initializing and managing the access-control system
v Logging on and logging off
v Protecting your transaction information
Note: At the end of each CCA verb description, you find a list of commands that must be enabled to use
specific capabilities of the CCA verb.
The system administrator can give users differing authority so that some users have the ability to use CCA
services that are not available to others. In addition, a given user's authority might be limited by
parameters such as the time of day or the day of the week.
See Appendix H, Observations on secure operations, on page 725 for more information.
Note: For purposes of this discussion, a user is defined as either a human user or an automated,
computerized process.
Typically, only a few users are associated with the Key-Management Officer role, but a large population of
users associated with General User role. The Access-Control Administrator role is typically limited to a
single super user, because he can make any change to the access control settings. In some cases, once
the system is set up, it is desirable to delete all profiles linked to Access-Control Administrator roles to
prevent further changes to the access controls.
A role-based system is more efficient than one in which the authority is assigned individually for each user.
In general, users can be segregated into just a few different categories of access rights. The use of roles
allows the administrator to define each of these categories just once, in the form of a role.
In addition, the role contains control and error-checking fields. The detailed layout of the role data-structure
can be found in Role structures on page 638.
The default role: Every coprocessor must have at least one role, called the default role. Any user who
has not logged on and been authenticated can operate with the capabilities and restrictions defined in the
default role.
Requirement: Because unauthenticated users have authentication strength equal to zero, the Required
User-Authentication Strength Level of the Default Role must also be zero.
The coprocessor can have a variable number of additional roles, as needed and defined by the customer.
For simple applications, the default role by itself might be sufficient. Any number of roles can be defined,
as long as the coprocessor has enough available storage to hold them.
Understanding profiles
Any user who needs to be authenticated to the coprocessor must have a user profile. Users who only
need the capabilities defined in the default role do not need a profile.
A user profile defines a specific user to the CCA implementation. Each profile contains the following
information:
User ID
The name used to identify the user to the coprocessor. The user ID is an 8-byte value, with no
restrictions on its content. Although it is typically an unterminated ASCII (or EBCDIC on IBM i)
character string, any 64-bit string is acceptable. A utility program is used to enter the user ID. That
utility might restrict the ID to a specific character set.
Comment
A 20-byte comment can be incorporated into the profile.
In addition, the profile contains other control and error-checking fields. The detailed layout of the profile
data-structure can be found in Profile structures on page 642.
Profiles are stored in non-volatile memory inside the secure module of the coprocessor. When a user logs
on, his stored profile is used to authenticate the information presented to the coprocessor. In most
applications, the majority of the users operate under the default role, and do not have user profiles. Only
the security officers and other special users need profiles.
Note: The Cryptographic Node Management utility is described in the IBM 4765 PCIe
Cryptographic Coprocessor CCA Support Program Installation Manual and in the IBM 4764
PCI-X Cryptographic Coprocessor CCA Support Program Installation Manual.
v IBM i Cryptographic Coprocessor Web-based configuration utility.
2. Write programs that use the access-control verbs described in this section.
Use the verbs to write programs that do more than the utility program. If your needs are simple, the utility
program might do everything you need.
Note: See Access_Control_Initialization (CSUAACI) on page 35 for additional information about this
verb.
Note: See Access_Control_Maintenance (CSUAACM) on page 38 for additional information about this
verb.
See Access-control data structures on page 638 for additional information about data structures.
Ensure that you define roles that have the authority to perform initialization, including the RQ-TOKEN and
RQ-REINT options of the Cryptographic_Facility_Control (CSUACFC) verb. You must also ensure there
are active profiles that use these roles.
If you configure the coprocessor so that initialization is not allowed, you can recover.
Important: To recover from this condition, all the data stored in the coprocessor, including master keys,
retained keys, roles, and profiles, will be destroyed. There is no way to recover retained keys
that have been destroyed.
On an IBM i software platform, instructions on how to reinitialize the coprocessor can be found in the
Troubleshooting article of the Cryptographic Coprocessor topic in the IBM i information center
(http://www.ibm.com/eserver/iseries/infocenter). On a software platform other than IBM i, use the
coprocessor load utility (CLU) and the file CRSxxyy.CLU to reset the coprocessor CCA software. This
deletes all information previously loaded. Then use CLU and the file CNWxxxyy.CLU to load a new copy of
the coprocessor CCA software. This restores the coprocessor's CCA function to its initial state.
All users have operating time limits, based on values in their roles and profiles. These include:
v Profile activation and expiration dates
v Time-of-day limits
v Day-of-the-week limits
In the Eastern United States, your time differs from UTC by 4 hours during the part of the year Daylight
Savings Time is in effect. At noon EDT, it is 4:00 PM UTC. At 8:00 PM EDT, it is midnight UTC, which is
the time that the coprocessor increments its date and day-of-the-week to the next day.
For example, at 7:00 PM EDT on Tuesday, December 30, it is 11:00 PM, Tuesday, December 30 to the
coprocessor. Two hours later, however, at 9:00 PM EDT, Tuesday, December 30, it is 1:00 AM Wednesday,
December 31 to the coprocessor. If your role only allows you to use the coprocessor on Tuesday, you
would have access until 8:00 PM on Tuesday. After that, it would be Wednesday in the UTC time frame
used by the coprocessor.
This happens because the coprocessor does not know where you are located, and how much your time
differs from UTC. Time zone information can be obtained from your local workstation or server, but this
information cannot be trusted by the coprocessor; it could be forged in order to obtain access at times the
system administrator intended to keep you from using the coprocessor.
Notes:
1. During the portions of the year when Daylight Savings Time is not in effect, the time difference
between EST and UTC is 5 hours.
2. In the IBM i environment, no translation is provided for Role and Profile names. The coprocessor
initializes the default role name to DEFAULT encoded in ASCII. Users of the IBM i CCA need to
consider the encoding of Role and Profile names.
When you successfully log on, the CCA implementation establishes a session between your application
program and the coprocessor's access-control system. Security Application Program Interface (SAPI)
stores the logon context information, which contains the session information needed by the host computer
to protect and validate transactions sent to the coprocessor. As part of that session, a randomly derived
session key, generated in the coprocessor, is subsequently used to protect information you interchange
with the coprocessor. This protection is described in Protecting your transaction information on page 19.
The logon process and its algorithms are described in Passphrase verification protocol on page 692.
With AIX, Linux, and Windows, the logon context information resides in memory associated with the
process thread that performed the Logon_Control verb. With IBM i, the logon context information resides in
memory owned by the process in which the application runs. Host-side logon context information can be
saved and shared with other threads, processes, or programs; see Using logon context information on
page 19.
Thus, with AIX, Linux, and Windows, each thread in any process can log on to the CCA access control
system within a specific CCA coprocessor. Because the coprocessor code creates the session key, and
the session key is stored in the active context information, a thread cannot concurrently be logged on to
more than one coprocessor.
In order to log on, you must prove the user's identity to the coprocessor. This is accomplished using a
passphrase, a string of up to 64 characters which are known only to you and the coprocessor. A good
passphrase meets the following criteria:
v Is not too short.
When you log on, no part of the passphrase ever travels over any interface to the coprocessor. The
passphrase is hashed and processed into a key that encrypts information passed to the coprocessor. The
coprocessor has a copy of the hash and can construct the same key to recover and validate the logon
information. CCA does not communicate your passphrase outside of the memory owned by the calling
process.
When you have finished your work with the coprocessor, you must log off in order to end your session.
This invalidates the session key you established when you logged on, and frees resources you were using
in the host system and in the coprocessor.
The GET-CNTX keyword is used to retrieve a copy of your active logon context information, which you can
then store for subsequent use. The PUT-CNTX keyword is used to make active previously stored context
information. The coprocessor is unaware of what thread, program, or process has initiated a request. The
host CCA supplies session information from the active context information in each request to the
coprocessor. The coprocessor attempts to match this information with information it has retained for its
active sessions. Unmatched session information causes the coprocessor to reject the associated request.
As an example, consider a simple application that contains two programs, LOGON and ENCRYPT:
v The program LOGON logs you on to the coprocessor using your passphrase.
v The program ENCRYPT encrypts some data. The roles defined for your system require you to be
logged on in order to use the ENCIPHER function.
These two programs must use the GET-CNTX and PUT-CNTX keywords in order to work properly. They
work as follows:
LOGON
1. Log the user on to the coprocessor using the CSUALCT verb with the PPHRASE keyword.
2. Retrieve the logon context information using CSUALCT with the GET-CNTX keyword.
3. Save the logon context information in a place that is available to the ENCIPHER program. This
can be as simple as a disk file, or it can be something more complicated such as shared
memory or a background process.
ENCRYPT
1. Retrieve the logon context information saved by the LOGON program.
2. Restore the logon context information to the CCA API using the CSUALCT verb with the
PUT-CNTX keyword.
3. Encipher the data.
Important: Take care in storing the logon context information. Design your software so that the saved
context is protected from disclosure to others who might be using the same computer. If
someone is able to obtain your logon context information, they might be able to impersonate
you for the duration of your logon session.
For some verbs, it is also important to keep the information secret. This is especially important with the
Access_Control_Initialization verb, which is used to send new role and profile data to the coprocessor. To
ensure secrecy, some verbs offer a special protected option, which causes the data to be encrypted using
your session key. This prevents disclosure of the critical data, even if the message is intercepted during
transmission to the coprocessor.
The Cryptographic_Facility_Query verb enables you to obtain the status of the CCA node. You specify one
of several status categories, and the verb returns that category of status. Status information you can
obtain includes:
| v The size and contents of PIN decimalization tables, if any, stored on the coprocessor.
v The condition of the AES, DES, or PKA new, current, and old master-key registers: clear, contains a
partially complete key, or contains a complete key. The extended CCA status returns information about
both the DES and the PKA master-key-register sets.
v The name of the role ID in effect for your processing thread (the active role).
v Information about the coprocessor hardware including the unique 8-byte IBM serial number. This serial
number is also printed on the label on the coprocessor's mounting bracket.
v Information about the coprocessor's operating system.
v The state of the coprocessor's battery: OK or change the battery within at most two weeks.
v Various tamper indications. This information is also returned in X'8040xxxx' status messages, for
example, when using the coprocessor load utility (CLU).
v Export status information about available algorithms.
v Information about master-key shares distribution for master-key cloning.
v Time and date from the coprocessor's internal clock, used to control access.
| v The environment ID (EID), which is a 16-byte identifier. It is used in the PKA92 key
| encryption/decryption scheme, when generating an RSA token from a skeleton token that contains an
| RSA public-key certificate section (X'40') that includes an EID tag (X'51'), and in master-key cloning.
| See PKA92 key format and encryption process on page 674. Assign an EID to represent the
| coprocessor node.
v Diagnostic information that could be of value to product development in the event of malfunction.
The Key_Storage_Initialization verb is used to establish a fresh symmetric (AES or DES) or asymmetric
(PKA) key-storage dataset. The dataset that holds the key records is initialized with header records that
contain a verification pattern for the applicable master key. Any existing key records in the key storage are
lost if you initialize the key-storage dataset. The index file associated with the key-record file is also
initialized. The file names and paths for the key storage and its index file are obtained from different
sources depending on the operating system:
Table 6. Key-storage location by operating system
Source AIX Linux Windows
ODM registry X
Environment variables X
Registry X
See the CCA Support Program Installation Manual for more information.
Restriction: The IBM i does not use an index file, nor does it provide master-key verification information
in the key-storage dataset.
Multi-coprocessor capabilities
Multi-coprocessor capabilities allow you to employ more than one coprocessor, some or all of which might
be loaded with the CCA application. When more than one coprocessor with CCA is installed, an
application program can explicitly select which cryptographic resource (coprocessor) to use, or it can
optionally employ the default coprocessor. To explicitly select a coprocessor, use the
Cryptographic_Resource_Allocate verb. This verb allocates a coprocessor loaded with the CCA software.
Once allocated, CCA requests are routed to it until it is deallocated. To deallocate an allocated
coprocessor, use the Cryptographic_Resource_Deallocate verb. When a coprocessor is not allocated
(either before an allocation occurs or after the cryptographic resource is deallocated), requests are routed
to the default coprocessor.
To determine the number of CCA coprocessors installed in a machine, or in an IBM i partition, use the
Cryptographic_Facility_Query verb with the STATCRD2 (Release 4.0 or later) or STATCARD (before
Release 4.0) rule-array keyword. The verb returns the number of coprocessors running CCA software. The
count includes any coprocessors loaded with CCA user defined function (UDX) code.
When using multiple coprocessors, consider the implications of the master keys in each of the
coprocessors. See Master-key considerations with multiple CCA coprocessors on page 31. You must also
consider the implications of a logged-on session. See Logging on and logging off on page 18.
Chapter 2. CCA node management and access control 25
When you log on to a coprocessor, the coprocessor creates a session key and communicates this to the
CCA, which saves the key in a session-context memory area. If your processing alternates between
coprocessors, be sure to save and restore the appropriate session context information.
Using a multi-coprocessor CCA in IBM i host systems varies from that in the other environments. The
following sections describe each approach:
v IBM i multi-coprocessor
v AIX, Linux, and Windows multi-coprocessor
In the absence of a specific coprocessor allocation, the host code employs the device designated CRP01
by default. You can alter the default designation by explicitly setting the CSU_DEFAULT_ADAPTER
environment variable. The selection of a default device occurs with the first CCA call to a coprocessor.
Once selected, the default remains constant throughout the life of the thread. Changing the value of the
environment variable after a thread uses a coprocessor does not affect the assignment of the default
coprocessor.
If a thread with an allocated coprocessor ends without first deallocating the coprocessor, excess memory
consumption results. It is not necessary to deallocate a cryptographic resource if the process itself is
ended; it is only suggested if individual threads end while the process continues to run.
The CCA design supports a set of three master-key registers for each master key: new, current, and old.
While a master key is being assembled, it is accumulated in the new-master-key register, then the
Master_Key_Process verb is used to transfer the contents of the new-master-key register to the
current-master-key register.
Working keys are normally encrypted by their associated current master key. To facilitate continuous
operations, CCA also has an old-master-key register. When a new master-key is transferred to the
current-master-key register, the preexisting contents, if any, of the current-master-key register are
transferred to the old-master-key register. With CCA, whenever a working key must be decrypted by the
master key, master-key verification pattern information that is included in the key token is used to
determine if the current or the old master-key must be used to recover the working key. Special status
(return code 0, reason code 10001) is returned in case of use of the old master-key so that application
programs can arrange to have the working key updated to encryption by the current master-key (using the
Key_Token_Change and PKA_Key_Token_Change verbs). Whenever a working key is encrypted for local
use, it is encrypted using the current master-key.
The verbs that operate on the master keys permit you to specify a register set (with keywords AES-MK,
APKA-MK, SYM-MK and ASYM-MK). For DES and PKA master keys, if applications that modify these
master-key registers never explicitly select a register set, the master keys in the two register sets are
modified in the same way and contain the same keys. However, if at any time you modify only one of the
DES or PKA register sets, applications thereafter need to manage the two register sets independently.
Using the Cryptographic Node Management (CNM) utility to manage DES and PKA master keys results in
operating as though there were only a single set of DES and PKA master key registers. If another program
is used to modify a register in only one of the DES or PKA register sets, the CNM utility is no longer
Figure 2 depicts the steps of a master-key cloning scenario. These steps include:
1. Install appropriate access-control roles and profiles, m-of-n, and EID values. Have operators change
their profile passwords. Ensure that the roles provide the degree of responsibility-separation that you
require.
2. Audit the setup of the share administration, share source, and share receiving nodes.
3. Generate a retained RSA private key, the Share-Administration (SA) key. This key is used to certify
the public keys used in the scheme. Self-certify the SA key. Distribute the hash of this certificate to
the source and share-receiving nodes under dual control.
4. Install (register) the hash of the SA public-key in both the source and receiving nodes. Two different
roles can be used to permit this and the next step to aid in ensuring dual control of the cloning
process.
5. Install (register) the SA public-key in both the source and receiving nodes.
6. In the source node, generate a retained key usable for master-key administration, the coprocessor
share signing (CSS) key, and have this key certified by the SA key.
The approach to multiple coprocessors differs in detail between IBM i and the workstation or server
environments. Each type of environment is discussed:
v IBM i
v AIX, Linux, and Windows
With IBM i, multiple key-storage files can exist. To avoid confusion, keep all keys in the key-storage files
encrypted by a common, current master-key. The master-key verification pattern is not stored in the
header record of any key-storage file. Therefore, it is important that when you change the master key, you
reencipher all of the keys in all of your key-storage files. The organization that manages all users of the
coprocessors must arrange procedures for keeping all key-storage files up to date with the applicable
current master-key. The person changing the master key might not have authorization to, or knowledge of,
all key-storage files on the system.
The order for loading and setting of the master key between coprocessors is not significant. However, be
sure that after all coprocessor master keys have been updated that you then update all key-storage files.
Remember that if you import a key or generate a key, it is returned encrypted by the current master key
within the coprocessor used for the task.
If you fail to change all of the master keys with the same program running on the same thread, either
because there is an unplanned interruption, or perhaps because you intend to have different master keys
between coprocessors, you need to understand the design of the CCA host code that is described next.
CCA keeps two flags in memory associated with a host-processing thread. If there are multiple threads,
each thread has its own set of flags. Both flags, symmetric-directory-open (SDO) and
asymmetric-directory-open (ADO), are set to false when CCA processing begins on the thread.
When a CCA verb is called and a key storage is referenced, and if the associated flag (SDO or ADO) is
false, CCA obtains the verification pattern for the current master-key and compares this to the
header-record information. If the patterns match, the flag is set to true, and processing continues. If the
existing patterns do not match, processing ends with an error indication. If there is no current master key
or if key storage has not been initialized, processing continues although, depending on the CCA verb,
other error conditions might arise.
Situations to consider
When you employ multiple coprocessors with CCA, consider the following cases regarding DES and PKA
master keys. Remember that if you explicitly manage the DES (symmetric) or the PKA (asymmetric)
master keys (using the SYM-MK or ASYM-MK keywords with the Master_Key_Process verb), you have
both master keys and both key storages to consider. If you do not explicitly manage these two classes of
master keys, then CCA operates as though there is a single set of DES and PKA master keys. The CNM
utility provided with the CCA program does not explicitly manage the two sets of keys, and the program
design assumes that the DES and PKA master keys have always been managed without explicit reference
to the symmetric or the asymmetric keys.
Setting master keys in multiple coprocessors
If you keep the DES and PKA master keys the same in all of the CCA coprocessors, and you set
the master key in each of the coprocessors from a single program running on the same thread,
the following steps take place:
v When all of the coprocessors are newly initialized, that is, their current-master-key registers are
clear, install the same master key in each of the DES and PKA new-master-key registers. Then
set the master key in each of the coprocessors. Finally, if you are going to use DES or PKA
key-storage, initialize key storage.
v If all of the coprocessors have the same DES and PKA current master-key, when you undertake
to set the master key in the first coprocessor, the code attempts to set the directory-open flags
(SDO and ADO). This succeeds if you have the proper key-storage files (or key storage is not
initialized). The verification pattern in the key-storage header is changed as soon as the first
master key is set.
When you set the master key in the additional coprocessors, because the directory-open flags
are already set, no check is made to ensure that the verification patterns in key storage and for
the current master-key match (and they would not match because the header was updated
when the first coprocessor master-key was set). As soon as the master key is set, its
verification pattern is copied to the header in key storage.
The key in the new-master-key register is not verified. You might want to confirm the proper and
consistent contents of these registers using the Key_Test verb prior to undertaking setting of the
master keys.
Setting the master key in a coprocessor after other coprocessors are successfully in operation
If you have one or more coprocessors in operation, and then wish to do the following:
v Add an additional coprocessor
v Set its current, and possibly old, master keys to the keys already in the other coprocessors
While you are changing master keys in a multiple-coprocessor arrangement, it might be undesirable to
continue other cryptographic processing. Consider the following possibilities:
v Keys generated or imported and returned enciphered with the latest master key are not usable with
other coprocessors until they too have been updated with the latest master key. Existing keys might still
be usable because the previous master key in the updated coprocessors are in the old-master-key
register and CCA can use this to recover the working keys.
v The header record in the key-storage file might have been altered to an undesirable valuerefer to the
earlier discussion.
v When the Master_Key_Process verb is used to set the master key without specifying a master-key
register class keyword, you need to have both the DES and PKA key-storage files initialized, even if you
do not place keys in one or both of the key storages files.
| Note: Keys stored in the coprocessor (master keys and RSA retained keys) are not considered part of
| external key-storage. The coprocessor has limited internal storage for RSA retained keys.
Use the Key_Storage_Initialization (CSNBKSI) verb to initialize an AES, DES, or PKA key-storage file.
Before using the Key_Storage_Initialization verb, you must establish the appropriate master keys.
In addition, the standard specifies that the cryptographic module provide a means to initiate
"known-answer" tests on demand for periodic testing of the cryptographic algorithms.
Use the Random_Number_Tests (CSUARNT) verb to perform the FIPS-mandated tests described above.
The known-answer tests include testing of DES encipher and decipher, PKA encipher and decipher, and
SHA-1 hash.
You select which function to perform by specifying the corresponding keyword in the input rule-array. You
can only perform one of these services per verb call.
Note: Use the Access_Control_Maintenance (CSUAACM) verb to query or control installed roles and user
profiles. See page 38 for more information.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSUAACI
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
verb_data_1_length Input Integer
verb_data_1 Input String verb_data_1_length bytes
verb_data_2_length Input Integer
verb_data_2 Input String verb_data_2_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Keyword Meaning
Function to perform (one required)
INIT-AC Initializes roles and user profiles.
CHGEXPDT Changes the expiration date in a user profile.
CHG-AD Changes authentication data in a user profile or changes a user's passphrase.
Note: The PROTECTD keyword must also be used whenever the CHG-AD keyword is
used. You must authenticate yourself before being allowed to change authentication
data, and the use of protected mode verifies that you have been authenticated.
RESET-FC Resets the count of consecutive failed logon attempts for a user. Clearing the logon
failure-count permits a user to log on again, after being locked out due to too many failed
consecutive attempts.
Options (one or two, optional)
PROTECTD Specifies to operate in protected mode. Data sent to the coprocessor is protected by
encrypting the data with the user's session key, KS.
If the user has not successfully logged on, there is no session key in effect, and the
PROTECTD keyword results in a not-logged-on error.
REPLACE Specifies that a new profile can replace an existing profile with the same name. This
keyword applies only when the rule array contains the INIT-AC keyword.
Without the REPLACE keyword, any attempt to load a profile which already exists are
rejected. This protects against accidentally overlaying a user's profile with one for a
different user who has chosen the same profile ID as one that is already on the
coprocessor.
verb_data_1_length
The verb_data_1_length parameter is a pointer to an integer variable containing the number of bytes
of data in the verb_data_1 variable.
verb_data_1
The verb_data_1 parameter is a pointer to a string variable containing data used by the verb.
This variable is used differently depending on the function being performed.
verb_data_length_2
The verb_data_length_2 parameter is a pointer to an integer variable containing the number of bytes
of data in the verb_data_2 variable.
If the profile currently contains authentication data for the same authentication
mechanism, that data is replaced by the new data. If the profile does not contain
authentication data for the mechanism, the new data is added to the data currently
stored for the specified profile.
RESET-FC The verb_data_2 field is empty. Its length is zero.
Required commands
The Access_Control_Initialization verb requires the following commands to be enabled in the active role:
You select which service to perform by specifying the corresponding keyword in the input rule-array. You
can only perform one of these services per verb call.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSUAACM
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
name Input String 8 bytes
output_data_length In/Output Integer
output_data Output String output_data_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
Keyword Meaning
Function to perform (one required)
LSTPROFS Retrieves a list of the user profiles installed in the coprocessor.
Keyword Q-NUM-RP shows how to determine how much data this request returns to the
application program.
LSTROLES Retrieves a list of the roles installed in the coprocessor.
Keyword Q-NUM-RP shows how to determine how much data this request returns to the
application program.
GET-PROF Retrieves the non-secret part of a specified user profile.
GET-ROLE Retrieves the non-secret part of a role definition from the coprocessor.
DEL-PROF Deletes a specified user profile.
DEL-ROLE Deletes a specified role definition from the coprocessor.
Q-NUM-RP Queries the number of roles and profiles presently installed in the coprocessor. This enables
the application program to know how much data is returned with the LSTROLES or
LSTPROFS keywords.
Q-NUM-UR Queries the number of users logged on to the coprocessor. This enables the application
program to know how much data is returned with the LSTUSERS keyword.
Users can log on or log off between the time Q-NUM-UR is used and the time LSTUSERS is
used, so the list of users might not always contain exactly the number the coprocessor
reported was logged on.
LSTUSERS Retrieves a list of the profile IDs for all users who are logged on to the coprocessor.
name
The name parameter is a pointer to a string variable containing the name of a role or user profile
which is the target of the request.
The manner in which this variable is used depends on the function being performed.
output_data_length
The output_data_length parameter is a pointer to an integer variable containing the number of bytes of
data in the output_data variable. The value must be a multiple of four bytes.
On input, the output_data_length variable must be set to the total size of the variable pointed to by the
output_data parameter. On output, this variable contains the number of bytes of data returned by the
verb in the output_data variable.
output_data
The output_data parameter is a pointer to a string variable containing data returned by the verb. Any
The authentication data itself is not returned; only the IDs, strength, and expiration date of
the data are returned.
Required commands
The Access_Control_Maintenance verb requires the following commands to be enabled in the active role:
Table 5 on page 21 shows the relationship between CSUACFC keywords and CSUACFQ keywords.
Select which operation to perform by specifying the corresponding control function keyword in the input
rule-array. You can perform only one of these services per verb call.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
The alphabetic and numeric characters should be encoded in the normal character set for the
computing platform that is in use, either ASCII or EBCDIC.
v It is possible to force a hardware error using the ERRINJ1 keyword. This capability is not available on
IBM i.
v The CHGKEYWR keyword is not supported in releases before Release 4.1.
| v The PINTB-LD, PINTB-RM, and PINTB-AC keywords are not supported in releases before Release 4.2.
Format
Parameter name Direction Data type Data length or value
CSUACFC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
verb_data_length In/Output Integer 0 - 588
verb_data In/Output String verb_data_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1 or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters.
This verb accepts two keywords in the rule array. One specifies the coprocessor for which the request
is intended, the other specifies the function to perform. No rule-array elements are set by the verb.
The rule_array keywords are:
You must put the date, UTC time, and the current day of the week values in the verb_data
variable.
RESET-IL Clears the intrusion latch on the coprocessor.
RESETBAT Clears the battery-low indicator (latch) on the coprocessor.
LOAD-FCV Loads a new distributed function control vector into the coprocessor. See page 650.
CLR-FCV Clears the function control vector from the coprocessor.
SET-EID Sets a node environment identifier value.
Note: See Restrictions on page 42.
SET-MOFN Sets the minimum and maximum number of cloning-information shares that are required and
that can be used to pass sensitive information from one coprocessor to another coprocessor.
| ERRINJ1 Causes a simulated coprocessor hardware error. This capability can be used for testing
purposes. Using this keyword results in return code 16, reason code 336.
Note: See Restrictions on page 42.
CHGKEYWR Sets the default key-wrapping method for either internal or external key tokens.
(Rel. 4.1 or later)
| PINTB-LD (Rel. Loads one or more authorized PIN decimalization tables onto the coprocessor.
| 4.2 or later)
| Notes:
| 1. When loading more than one table at a time, no tables are changed if an error occurs
| while processing any of the tables provided by the verb_data variable.
| 2. If a table to be loaded from the verb_data variable has the same PIN decimalization
| table identifier as one that is already stored on the coprocessor (1 - 100), the previously
| stored table is replaced.
| 3. In order to replace a table that is currently in the active state on the coprocessor, the
| Delete Decimalization Tables command (offset X'0354') must be enabled in the active
| role.
| PINTB-RM (Rel. Deletes (removes) one or more authorized PIN decimalization tables from the coprocessor.
| 4.2 or later)
| Notes:
| 1. When deleting more than one table at a time, no tables are changed if an error occurs
| while processing any of the tables identified by the verb_data variable.
| 2. A warning is issued when an attempt is made to delete one or more tables that are not
| currently stored on the coprocessor. This does not result in an error.
verb_data_length
The verb_data_length parameter is a pointer to an integer variable containing the number of bytes of
data in the verb_data variable. On input, specify the size of the variable. The verb updates the variable
with the size of the returned data.
verb_data
The verb_data parameter is a pointer to a string variable containing data used by the verb on input, or
generated by the verb on output.
The manner in which this variable is used differs depending on the value of the control function
selected by a rule_array keyword.
| Control Variable
| function length
| keyword Direction (bytes) Description
RQ-TOKEN Output 8 The verb_data variable receives an 8-byte randomly generated
and masked token. The one's complement of this returned value,
which is provided as input in the verb_data variable with the
RQ-REINT keyword, is required to reinitialize the CCA application
in the coprocessor.
RQ-REINT Input 8 The verb_data variable must contain the one's complement of the
token most recently returned using the RQ-TOKEN keyword.
SETCLOCK Input 16 The verb_data variable contains the UTC date and time to set in
the coprocessor clock. The character string has the form
YYYYMMDDHHmmSSWW, where:
YYYY Is the current year
MM Is the current month, from 01 12
DD Is the current day of the month, from 01 31
HH Is the current hour of the day, from 00 23
mm Is the current minutes past the hour, from 00 59
SS Is the current seconds past the minute, from 00 59
WW Is the current day of the week, from 01 - 07, where
Sunday is represented as 01, and Saturday is
represented as 07
Note: Some functions can return the day of the week in a format
different than that required. Be sure to adjust such a value for
WW. For example, if a function returns 00 to represent Sunday
and 06 to represent Saturday, add 1 to the value returned for
WW.
RESET-IL N/A 0 The verb_data variable is not used for this function.
RESETBAT N/A 0 The verb_data variable is not used for this function.
Use one of the following strings for the verb_data variable to set
the default key-wrapping method.
X'00000100' Internal key tokens, enhanced (WRAP-ENH)
X'00000000' Internal key tokens, legacy (WRAP-ECB)
X'00010100' External key tokens, enhanced (WRAP-ENH)
X'00010000' External key tokens, legacy (WRAP-ECB)
Required commands
The Cryptographic_Facility_Control verb requires the following commands to be enabled in the active role:
In the case of the CHGKEYWR rule-array keyword (Release 4.1 or later), the value of the verb_data
variable determines which command is required to be enabled in the active role:
Rule-array verb_data
keyword variable Offset Command
CHGKEYWR X'00000100' X'0139' Wrap Internal Key with Enhanced Method
X'00000000' X'013A' Wrap Internal Key with ECB Method
X'00010100' X'013B' Wrap External Key with Enhanced Method
X'00010000' X'013C' Wrap External Key with ECB Method
Table 5 on page 21 shows the relationship between CSUACFC keywords and CSUACFQ keywords.
On input, you specify a rule-array count of 1 or 2 and the class of information queried with a rule-array
keyword.
Tip: Allocate a minimum of 30 rule-array elements to allow for extensions of the returned information.
The verb returns information elements in the rule array and sets the rule_array_count variable to the
number of returned elements.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v You cannot limit the number of returned rule-array elements. Table 7 on page 50 describes the number
and meaning of the information in output rule-array elements.
v It is possible to obtain diagnostic information using the DBGREGS1 keyword. This capability is for use
by IBM Support. The returned information is non-sensitive and not publicly defined.
v The STATAES rule-array keyword is not supported in releases before Release 3.30.
v The STATCRD2 rule-array keyword is not supported in releases before Release 4.0.
v The STATAPKA and WRAPMTHD rule-array keywords are not supported in releases before Release
4.1.
| v The NUM-DECT and STATDECT rule array keywords are not supported in releases before Release 4.2.
CSUACFQ
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length
rule_array_count In/Output Integer 1 or 2 on input
rule_array In/Output String array rule_array_count * 8 bytes
verb_data_length In/Output Integer
verb_data In/Output String verb_data_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. On input, the value must be 1 or 2.
On output, the verb sets the variable to the number of rule_array elements it returns to the application
program.
Tip: With this verb, the number of returned rule_array elements can exceed the rule_array_count that
you specified on input. Be sure that you allocate adequate memory to receive all of the
information elements according to the information class that you select on input with the
information-to-return keyword in the rule_array.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters.
On input, set the rule array to specify the type of information to retrieve. There are two input rule-array
elements, as described in the following table.
Keyword Meaning
Adapter to use (optional)
ADAPTER1 This keyword is ignored. It is accepted for backward compatibility.
Information to return (one required)
DBGREGS1 Obtains non-sensitive coprocessor information. This option is for diagnostic purposes.
The returned information is not publicly defined. See Restrictions on page 48.
| NUM-DECT (Rel. 4.2 Returns the number of bytes of data required for the verb_data variable when the
| or later) STATDECT rule-array keyword is specified.
STATAES (Rel. 3.30 Obtains status information on AES master-key registers and AES key-length enablement.
or later) See also STATEXPT.
STATAPKA (Rel. 4.1 Obtains status information on AES PKA master-key registers and ECC key-length
or later) enablement. See also STATEXPT.
The format of the output rule-array depends on the value of the rule-array element which identifies the
information to be returned. Different sets of rule-array elements are returned depending on whether the
input keyword is DBGREGS1, STATAES, STATAPKA, STATCCA, STATCCAE, STATCARD,
| STATCRD2, STATDIAG, STATEID, STATEXPT, STATMOFN, TIMEDATE, or WRAPMTHD. Keywords
| NUM-DECT and STATDECT return output in the verb_data variable.
For rule-array elements that contain numbers, those numbers are represented by numeric characters
which are left-aligned and padded on the right with space characters. For example, a rule-array
element which contains the number 2 contains the character string 2 (the number 2
followed by 7 space characters).
On output, the rule-array elements can have the values shown in Table 7.
Table 7. Cryptographic_Facility_Query information returned in the rule array
Element Name Description
Output rule-array for option DBGREGS1
Twelve rule-array elements are filled with non-sensitive information from
the coprocessor's control registers. This information is for debugging
purposes and is not publicly disclosed. See Restrictions on page 48.
Output rule-array for option STATAES
1 AES NMK status The state of the AES new-master-key register:
1 Register is clear.
2 Register contains a partially complete key.
3 Register contains a complete key.
2 AES CMK status The state of the AES current-master-key register:
1 Register is clear.
2 Register contains a key.
The first four characters define the MiniBoot0 version, and the last four
characters define the MiniBoot1 version.
10 CPU speed A numeric character string containing the operating speed of the
microprocessor chip, in megahertz.
The first four characters define the MiniBoot0 version, and the last four
characters define the MiniBoot1 version.
10 CPU speed A numeric character string containing the operating speed of the
microprocessor chip, in megahertz.
11 Coprocessor ID A unique identifier manufactured into the coprocessor. The coprocessor
(see also element adapter ID is an 8-byte binary value where the high-order byte is X'85'
number 15) for an IBM 4765-001, and is X'71' for an IBM 4764-001. The remaining
bytes are a random value.
The first four characters define the POST2 version, and the last four
characters are reserved and valued to space characters.
Output rule-array for option STATDIAG
1 Battery state A numeric character string containing a value which indicates whether
the battery on the coprocessor needs to be replaced:
1 Battery is good.
2 Battery should be replaced.
2 Intrusion latch A numeric character string containing a value which indicates whether
state the intrusion latch on the coprocessor is set or cleared:
1 Latch is cleared.
2 Latch is set.
3 Error log status A numeric character string containing a value which indicates whether
there is data in the coprocessor CCA error log:
1 Error log is empty.
2 Error log contains abnormal termination data, but is not yet full.
3 Error log is full, and cannot hold any more data.
4 Mesh intrusion A numeric character string containing a value to indicate whether the
coprocessor has detected tampering with the protective mesh that
surrounds the secure module. This indicates a probable attempt to
physically penetrate the module:
1 No intrusion has been detected.
2 An intrusion attempt has been detected
5 Low voltage A numeric character string containing a value to indicate whether a
detected power-supply voltage was below the minimum acceptable level. This
might indicate an attempt to attack the security module:
1 Only acceptable voltages have been detected.
2 A voltage has been detected below the low-voltage tamper threshold.
6 High voltage A numeric character string containing a value indicates whether a
detected power-supply voltage was above the maximum acceptable level. This
might indicate an attempt to attack the security module:
1 Only acceptable voltages have been detected.
2 A voltage has been detected above the high-voltage tamper
threshold.
7 Temperature A numeric character string containing a value to indicate whether the
range exceeded temperature in the secure module was outside of the acceptable limits.
This might indicate an attempt to attack the security module:
1 Temperature is acceptable.
2 Temperature has been detected outside of an acceptable limit.
Elements 1 and 2 are treated as a 16-byte string, as are elements 3 and 4, with the high-order 15 bytes
containing meaningful information and the 16th byte containing a space character. Each byte provides status
information about the ith share, 1 i 15, of master-key information.
verb_data_length
The verb_data_length parameter is a pointer to an integer variable containing the number of bytes of
data in the verb_data variable.
verb_data
The verb_data parameter is a pointer to a string variable containing data sent to the coprocessor for
this verb, or received from the coprocessor as a result of this verb. Its use depends on the options
specified by the host application program. In releases before Release 4.2, the verb_data parameter is
| not used by this verb. Beginning with Release 4.2, this parameter is used by the NUM-DECT and
| STATDECT keywords as shown in Table 8 on page 57.
| Required commands
None
The CCA application version is a character string returned in the first eight bytes of the version_data
variable, and the CCA application build date is a character string returned in the second eight bytes. The
version_data variable is null terminated and has a total length of 17 bytes.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| Format
Parameter name Direction Data type Data length or value
CSUACFV
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
version_data_length In/Output Integer 17
version_data Output String version_data_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9. Note that there is no rule_array.
version_data_length
The version_data_length parameter is a pointer to an integer variable containing the number of bytes
in the version_data variable. The value must be at least 17 bytes.
On input, the version_data_length variable must be set to the total size of the variable pointed to by
the version_data parameter. On output, this variable contains the number of bytes of data returned by
the verb in the version_data variable.
version_data
The version_data parameter is a pointer to a string variable containing data returned by the verb. An
8-byte character string that identifies the version of the Security Application Program Interface library,
followed by an 8-byte character string containing the build date for the Security Application Program
Interface library, followed by a null terminating character.
Required commands
None
58 CCA Basic Services October 14, 2011
Cryptographic_Resource_Allocate (CSUACRA)
The Cryptographic_Resource_Allocate verb is used to allocate a specific CCA coprocessor for use by the
thread or process, depending on the scope of the verb. For the IBM i, this verb is scoped to a process; for
the other implementations, this verb is scoped to a thread. When a thread or process, depending on the
scope, allocates a cryptographic resource requests are routed to that resource. When a cryptographic
resource is not allocated, requests are routed to the default cryptographic resource.
You can set the default cryptographic resource. See the IBM 4765 PCIe Cryptographic Coprocessor CCA
Support Program Installation Manual or IBM 4764 PCI-X Cryptographic Coprocessor CCA Support
Program Installation Manual for more information. If you take no action, the default assignment is CRP01.
To determine the number of CCA coprocessors installed in a machine, or in an IBM i partition, use the
Cryptographic_Facility_Query verb with the STATCRD2 (Release 4.0 or later) or STATCARD (before
Release 4.0) rule-array keyword. The verb returns the number of coprocessors running CCA software. The
count includes any coprocessors loaded with CCA user defined function (UDX) code.
You cannot allocate a cryptographic resource while one is already allocated. Use the
Cryptographic_Resource_Deallocate verb to deallocate an allocated cryptographic resource.
Be sure to review Multi-coprocessor capabilities on page 25 and Master-key considerations with multiple
CCA coprocessors on page 31.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSUACRA
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
resource_name_length Input Integer 1 - 64
resource_name Input String resource_name_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Keyword Meaning
Cryptographic resource (required)
DEVICE Specifies an IBM 4765 or IBM 4764 CCA Cryptographic Coprocessor.
resource_name_length
The resource_name_length parameter is a pointer to an integer variable containing the number of
bytes of data in the resource_name variable. The length must be 1 64.
resource_name
The resource_name parameter is a pointer to a string variable containing the name of the coprocessor
to be allocated.
Required commands
None
You can set the default cryptographic resource. See the IBM 4765 PCIe Cryptographic Coprocessor CCA
Support Program Installation Manual or IBM 4764 PCI-X Cryptographic Coprocessor CCA Support
Program Installation Manual for more information. If you take no action, the default assignment is CRP01.
To determine the number of CCA coprocessors installed in a machine, or in an IBM i partition, use the
Cryptographic_Facility_Query verb with the STATCRD2 (Release 4.0 or later) or STATCARD (before
Release 4.0) rule-array keyword. The verb returns the number of coprocessors running CCA software. The
count includes any coprocessors loaded with CCA user defined function (UDX) code.
Be sure to review Multi-coprocessor capabilities on page 25 and Master-key considerations with multiple
CCA coprocessors on page 31.
If a thread with an allocated coprocessor ends without first deallocating the coprocessor, excess memory
consumption results. It is not necessary to deallocate a cryptographic resource if the process itself is
ending, only if individual threads end while the process continues to run.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSUACRD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
resource_name_length Input Integer 1 - 64
resource_name Input String resource_name_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Keyword Meaning
Cryptographic resource (required)
DEVICE Specifies an IBM 4765 or IBM 4764 CCA Cryptographic Coprocessor.
resource_name_length
The resource_name_length parameter is a pointer to an integer variable containing the number of
bytes of data in the resource_name variable. The length must be 1 64.
resource_name
The resource_name parameter is a pointer to a string variable containing the name of the coprocessor
to be deallocated.
Required commands
None
Beginning with Release 3.30, a key-storage file name can be undesignated by specifying a value of 0 for
the key_storage_file_name_length variable. A length of 0 is not supported in releases before Release 3.30.
If a process that accesses AES key-storage does not have an AES key-storage file designated, the
process will try to use the value of the QIBM_CCA_AES_KEYSTORE environment variable for the
key-storage file name. If a process that accesses DES or PKA key-storage does not have the applicable
key-storage file designated, the process will try to use the name from the device description, followed by
the value of the applicable environment variable, as shown in the table below. The device description is
not used for the AES key-storage file.
When a job designates a key-storage file name, the designated name overrides the device description or
environment variable setting for the life of the job or until the name is undesignated.
Select the type of key storage, either AES, DES, or PKA, using a rule-array keyword. There is no default.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX
| IBM i X X X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v A length of 0 is not supported for the key_storage_file_name_length variable in releases before Release
3.30.
v AES key-storage is not supported in releases before Release 3.30.
v ECC and variable-length symmetric key tokens are not supported in releases before Release 4.1.
CSUAKSD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
key_storage_file_name_length Input Integer 0 - 64
key_storage_file_name Input String key_storage_file_name_length bytes
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Key-storage type (one required)
AES (Rel. 3.30 or Indicates that the file name applies to the AES key-storage specification. (AES and,
later) beginning with Release 4.1, variable-length symmetric key tokens).
DES Indicates that the file name applies to the DES key-storage specification.
PKA Indicates that the file name applies to the PKA key-storage specification (RSA and,
beginning with Release 4.1, ECC key tokens).
key_storage_file_name_length
The key_storage_file_name_length parameter is a pointer to an integer variable containing the number
of bytes of data in the key_storage_file_name variable. The length must be within the range of 0 - 64.
If the value is 0, the key_storage_file_name parameter is ignored, and any previous key-storage file
name becomes undesignated.
key_storage_file_name
The key_storage_file_name parameter is a pointer to a string variable containing the fully qualified file
name of the key-storage file to be selected.
The file name must follow standard naming conventions for objects in the IBM i QSYS.LIB file system.
Required commands
None
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The AES rule-array keyword is not supported in releases before Release 3.30.
v ECC and variable-length symmetric key tokens are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNBKSI
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2
rule_array Input String array rule_array_count * 8 bytes
key_storage_file_name_length Input Integer 1 - 64
key_storage_file_name Input String key_storage_file_name_length bytes
key_storage_description_length Input Integer 64
key_storage_description Input String key_storage_description_length bytes
clear_master_key Input String 24 or 32 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 2.
Keyword Meaning
Master-key source (optional)
CURRENT Specifies that the current master-key of the default cryptographic facility is to be used for the
initialization.
Note: This keyword is ignored. It is accepted for backward compatibility.
Key-storage selection (one required)
| AES (Rel. 3.30 Initialize AES key-storage (fixed-length AES and, beginning with Release 4.1, variable-length
| or later) AES and HMAC key tokens).
DES Initialize DES key-storage.
| Note: Use of this keyword requires both the symmetric and the asymmetric master keys
| (SYM-MK and ASYM-MK) to be set. See Master_Key_Process (CSNBMKP) on page 74 for
| information on setting these master keys.
PKA Initialize PKA key-storage (PKA and, beginning with Release 4.1, ECC key tokens).
key_storage_file_name_length
The key_storage_file_name_length parameter is a pointer to an integer variable containing the number
of bytes of data in the key_storage_file_name variable. The length must be within the range of 1 - 64.
key_storage_file_name
The key_storage_file_name parameter is a pointer to a string variable containing the fully qualified file
name of the key-storage file to be initialized. If the file does not exist, it is created. If the file does
exist, it is overwritten and all existing keys are lost.
key_storage_description_length
The key_storage_description_length parameter is a pointer to an integer variable containing the
number of bytes of data in the key_storage_description variable.
key_storage_description
The key_storage_description parameter is a pointer to a string variable containing the description
string that is stored in the key-storage file when it is initialized.
clear_master_key
The clear_master_key parameter is unused, but it must be declared and requires 24 data bytes in
application storage for DES and PKA, and 32 data bytes for AES.
Required commands
Except in the IBM i environment, the Key_Storage_Initialization verb requires the Compute Verification
Pattern command (offset X'001D') to be enabled in the active role. In the IBM i environment, no
commands are issued to the coprocessor and command authorization does not apply.
Select the service to perform by specifying the corresponding keyword in the input rule-array. Only one
service is performed for each call to this verb.
When an application logs on to a coprocessor, the CCA implementation establishes a session between the
application program and the coprocessor's access-control system. Logon context information is created
during logon, including a randomly derived session key that is generated in the coprocessor. The
coprocessor is unaware of which thread, program, or process has initiated a request. The logon context
information resides in memory associated with the process thread that performed the Logon_Control verb.
If a process thread already has valid logon context information (put there by logging on or by using the
GET-CNTX keyword), then trying to log on a second time results in an 'already logged on' error. If a
process thread does not have valid logon context information, it can log on. Any logon context information
in the coprocessor is updated with new session information (including a new randomly derived session
key), and any previous logon context information becomes invalid (session key no longer recognized).
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| Format
Parameter name Direction Data type Data length or value
CSUALCT
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
user_id Input String 8 bytes
auth_parms_length In/Output Integer
auth_parms In/Output String auth_parms_length bytes
auth_data_length In/Output Integer
auth_data In/Output String auth_data_length bytes
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1 or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Keywords used to log on (zero or two)
LOGON Tells the coprocessor that you want to log on. When the LOGON keyword is used, a second
keyword, PPHRASE, must also be used to indicate how you identify yourself to the
coprocessor.
PPHRASE Specifies that you are going to identify yourself using a passphrase.
Keywords used to log off (zero, one, or two)
LOGOFF Tells the coprocessor you want to log off.
FORCE Tells the coprocessor that a specified user is to be logged off. The user's profile ID is specified
by the user_id parameter. When the FORCE keyword is used, the LOGOFF keyword must also
be used.
Keywords used to save and restore logon context information (zero or one)
GET-CNTX Obtains a copy of the logon context information that is active in your session. See Using logon
context information on page 19.
PUT-CNTX Restores the logon context information that was saved using the GET_CNTX keyword. See
Using logon context information on page 19.
user_id
The user_id parameter is a pointer to a string variable containing the ID string which identifies the user
to the system. The user ID must be exactly 8 characters in length. Shorter user IDs should be padded
on the right with space characters.
The user_id parameter is always used when logging on. It is also used when the LOGOFF keyword
used in conjunction with the FORCE keyword to force a user off.
auth_parms_length
The auth_parms_length parameter is a pointer to an integer variable containing the number of bytes of
data in the auth_parms variable.
On input, this variable contains the length (in bytes) of the auth_parms variable. On output, this
variable contains the number of bytes of data returned in the auth_parms variable.
auth_parms
The auth_parms parameter is a pointer to a string variable containing data used in the authentication
process.
This variable is used differently depending on the authentication method specified in the rule array.
Required commands
The Logon_Control verb requires the following command to be enabled in the active role:
You choose which class of master key, either symmetric (DES) or asymmetric (PKA), to clone with the
SYM-MK and the ASYM-MK rule-array keywords. If neither keyword is specified, the verb performs the
same operation on both classes of registers, provided that the registers contain the same values.
The OBTAIN and INSTALL rule-array keywords control the operation of the verb.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSUAMKD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data _length bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array _count * 8 bytes
share_index Input Integer 1 - 15
private_key_name Input String 64 bytes
certifying_key_name Input String 64 bytes
certificate_length Input Integer
certificate Input String certificate_length bytes
clone_info_encrypting_key_length In/Output Integer
clone_info_encrypting_key In/Output String clone_info_encrypting_key_length bytes
clone_info_length In/Output Integer
clone_info In/Output String clone_info_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Keyword Meaning
Operation (one required)
OBTAIN Generate and output a master-key share and other cloning information.
INSTALL Receive a master-key share and other cloning information.
Master-key register class (one, optional)
SYM-MK Operate with the symmetric (DES) master-key registers.
ASYM-MK Operate with the asymmetric (PKA) master-key registers.
No keyword Operate with both the SYM-MK and ASYM-MK master-key registers. This is the default.
share_index
The share_index parameter is a pointer to an integer variable containing the index number of the
share to be generated or received by the coprocessor.
private_key_name
The private_key_name parameter is a pointer to a string variable containing the name of the
coprocessor-retained private key used to sign the cloning information or recover the
cloning-information encrypting key.
certifying_key_name
The certifying_key_name parameter is a pointer to a string variable containing the name of the
coprocessor-retained public key used to verify the offered certificate.
certificate_length
The certificate_length parameter is a pointer to an integer variable containing the number of bytes of
data in the certificate variable.
certificate
The certificate parameter is a pointer to a string variable containing the public-key certificate that can
be validated using the public key identified with the certifying_key_name variable.
clone_info_encrypting_key_length
The clone_info_encrypting_key_length parameter is a pointer to an integer variable containing the
number of bytes of data in the clone_info_encrypting_key variable.
clone_info_encrypting_key
The clone_info_encrypting_key parameter is a pointer to a string variable containing the encrypted key
used to recover the cloning information.
clone_info_length
The clone_info_length parameter is a pointer to an integer variable containing the number of bytes of
data in the clone_info variable.
clone_info
The clone_info parameter is a pointer to a string variable containing the encrypted cloning information
(master-key share).
The IBM implementations of DES and PKA master keys are triple-length 168-bit, 24-byte values. The AES
and APKA master keys are 256-bit, 32-byte values.
AES and DES master keys are a symmetric master-key class of registers. APKA and PKA master keys are
an asymmetric master-key class of registers. Choose to process the AES, APKA, DES, or PKA master-key
register class by specifying the AES-MK, APKA-MK, SYM-MK, or ASYM-MK rule-array keyword. If none
of these keywords is specified, the verb performs the same operation on both the SYM-MK and ASYM-MK
classes (DES and PKA) of registers. For operations that query the default register-class contents, this
occurs only if the DES and PKA registers already contain the same values. This default mode of operation
is compatible with early versions of CCA, which used only a single master key to protect both DES and
PKA keys.
Tip: Before starting to load new master-key information, ensure that the new-master-key register is
cleared. Do this by using the CLEAR keyword in the rule array.
To form a master key from key parts in the new-master-key register, use the Master_Key_Process verb
several times to complete the following tasks:
v Clear the register, if it is not already clear.
v Load the first key part.
v Load any middle key parts, calling the verb once for each middle key part.
v Load the last key part.
If there is a value in the old-master-key register, this master key can also be used to decrypt an
enciphered working key. You can remove a prior master key from the coprocessor with the CLR-OLD
keyword. The contents of the old-master-key register are removed and subsequently only
current-master-key encrypted keys are usable.
For DES and PKA master-keys, the low-order bit in each byte of the key is used as parity for the
remaining bits in the byte. Each byte of the key part must contain an odd number of one bits. If this is not
the case, return code 0, reason code 702 (X'2BE') is issued. The product maintains odd parity on the
accumulated symmetric master-key value. AES and APKA master keys do not use parity bits.
Except in the IBM i environment, as part of the SET process, if a key-storage file exists, the header record
of each key-storage file is updated with the verification pattern of the newly set current master-key. The
IBM i environment does not have master-key verification records in the key-storage dataset.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSNBMKP
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
key_part Input String 24 or 32 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
You can use the CLR-OLD keyword to cause the OMK register to be cleared. The status
response in the Cryptographic_Facility_Query verb, STATCCA or STATAES, shows the
condition of this register.
FIRST Specifies to load the first master-key-part to the NMK register.
MIDDLE Specifies to exclusive-OR the second, third, or other intermediate key_part into the value
currently in the NMK register.
LAST Specifies to exclusive-OR the last key_part into the value currently in the NMK register.
RANDOM Generates a random master-key value in the NMK register. This is not valid with AES-MK
and APKA-MK master keys.
SET Specifies to activate the new master key. This does the following:
1. Copies the value from the current-master-key (CMK) register to the OMK register.
2. Copies the value from the NMK register to the CMK register.
3. Clears the NMK register.
Note: An application system is responsible for keeping all of its keys in a usable form.
When a master key is changed (SET), the IBM 4765 and IBM 4764 implementations can
use an internal key that is enciphered by either the appropriate current master key or,
assuming that the CLR-OLD keyword was not used to clear it, the old master key. Before a
master key is changed a second time, it is important to first reencipher any keys enciphered
under the old master key to the new master key. Use the Key_Token_Change verb for
internal AES and DES key tokens, and the PKA_Key_Token_Change verb for internal PKA
key tokens and active trusted blocks.
key_part
The key_part parameter is a pointer to a string variable containing a cleartext key part that is used
when one of the keywords FIRST, MIDDLE, or LAST is specified. The value is either a 192-bit
(24-byte) DES key-part or a 256-bit (32-byte) AES or APKA key-part.
If the CLEAR, CLR-OLD, RANDOM, or SET keywords are used, the information in the variable is
ignored, but the variable must be declared.
Required commands
The Master_Key_Process verb requires the following commands to be enabled in the active role based on
the master-key class and master-key operation:
Related information
Table 9 provides a list of DES keys that are considered questionable.
Table 9. Questionable DES keys
Key strength Questionable DES keys
Weak X'01010101 01010101' X'1F1F1F1F 0E0E0E0E' X'E0E0E0E0 F1F1F1F1'
X'FEFEFEFE FEFEFEFE'
Semi-weak X'011F011F 010E010E' X'1FE01FE0 0EF10EF1' X'E0FEE0FE F1FEF1FE'
X'01E001E0 01F101F1' X'1FFE1FFE 0EFE0EFE' X'FE01FE01 FE01FE01'
X'01FE01FE 01FE01FE' X'E001E001 F101F101' X'FE1FFE1F FE0EFE0E'
X'1F011F01 0E010E01' X'E01FE01F F10EF10E' X'FEE0FEE0 FEF1FEF1'
Possibly X'01011F1F 01010E0E' X'1F1FE0E0 0E0EF1F1' X'E0E0FEFE F1F1FEFE'
semi-weak X'0101E0E0 0101F1F1' X'1F1FFEFE 0E0EFEFE' X'E0FE011F F1FE010E'
X'0101FEFE 0101FEFE' X'1FE001FE 0EF101FE' X'E0FE1F01 F1FE0E01'
X'011F1F01 010E0E01' X'1FE0E01F 0EF1F10E' X'E0FEFEE0 F1FEFEF1'
X'011FE0FE 01E0F1FE' X'1FE0FE01 0EF1FE01' X'FE0101FE FE0101FE'
X'011FFEE0 010EFEF1' X'1FFE01E0 E0FE01F1' X'FE011FE0 FE010EF1'
X'01E01FFE 01F10EFE' X'1FFEE001 0EFEF101' X'FE01E01F FE01F10E'
X'01E0E001 01F1F101' X'1FFEFE1F 0EFEFE0E' X'FE1F01E0 FE0E01F1'
X'01E0FE1F 01F1FE0E' X'E00101E0 F10101F1' X'FE1F1FFE FE0E0EFE'
X'01FE1FE0 01FE0EF1' X'E0011FFE F1010EFE' X'FE1FE001 FE0EF101'
X'01FEE01F 01FEF10E' X'E001FE1F F101FE0E' X'FEE0011F FEF1010E'
X'01FEFE01 01FEFE01' X'E01F01FE F10E01FE' X'FEE01F01 FEF10E01'
X'1F01011F 0E01010E' X'E01F1FE0 F10E0EF1' X'FEE0E0FE FEF1F1FE'
X'1F01E0FE 0E01F1FE' X'E01FFE01 F10EFE01' X'FEFE0101 FEFE0101'
X'1F01FEE0 0E01FEF1' X'E0E00101 F1F10101' X'FEFE1F1F FEFE0E0E'
X'1F1F0101 0E0E0101' X'E0E01F1F F1F10E0E' X'FEFEE0E0 FEFEF1F1'
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| Format
Parameter name Direction Data type Data length or value
CSUARNT
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Test selection (one required)
FIPS-RNT Perform the FIPS PUB 140-1 specified tests on the random number generation output.
KAT Perform the FIPS PUB 140-1 specified known-answer tests on DES encryption and
decryption, RSA encryption and decryption, and SHA-1 hashing.
The verbs listed in Table 10 are used to perform cryptographic functions and assist you in obtaining
key-token data structures. See Using verbs to perform cryptographic functions and obtain key-token data
structures on page 86 for detailed information on these verbs.
Table 10. Public administration services
Service
Verb Page Service Entry point location
| PKA_Key_Generate 87 Generates an external RSA or ECC CSNDPKG E
| public-private key-pair.
| PKA_Key_Import 92 Imports either an external RSA or ECC CSNDPKI E
| public-private key-pair, or an active external
| trusted block.
PKA_Key_Token_Build 95 Builds a PKA key-token. CSNDPKB S
| PKA_Key_Token_Change 103 Reenciphers either a private RSA or ECC CSNDKTC E
| key, or an internal trusted block, from
| encipherment with the old asymmetric
| master-key to encipherment with the
| current asymmetric master-key.
| PKA_Key_Translate 105 Translates a source external RSA CSNDPKT E
| key-token into a target external smart-card
| key token.
| PKA_Public_Key_Extract 108 Extracts a public key from a public-private CSNDPKX S
| RSA or ECC key-token and returns the key
| in a PKA public-key token.
| PKA_Public_Key_Hash_Register 110 Registers the hash value of an RSA CSNDPKH E
| public-key used later to verify an offered
| RSA public-key. See
| PKA_Public_Key_Register.
PKA_Public_Key_Register 112 Registers an RSA public-key used later to CSNDPKR E
verify an offered public-key. Registration
requires that a hash of the RSA public-key
has previously been registered within the
coprocessor. See
PKA_Public_Key_Hash_Register.
E=cryptographic engine, S=security API host software
Figure 3 shows the relationship among the services, the public-private key-token, and other data involved
with supporting digital signatures and symmetric (AES and DES) key exchange.
|
|
| PKA_Key_Token_Build
|
|
| (Skeleton)
|
| PKA_Key_Import PKA_Key_Generate
|
|
|
|
| Data
| PKA96 PUPR key token
| PU: Clear
| PR: e*MK(PR) One_Way_Hash
| or e*KEK(PR)
| or Clear
|
|
|
|
|
| Digital_Signature_Generate
| PKA_Public_Key_Extract
|
|
| e*MK.CV(K)
| Digital
| (AES or PU key token signature
| DES key)
|
|
| Symmetric_Key_Export Digital_Signature_Verify
| Symmetric_Key_Generate
|
|
| yes/no
|
| ePU(K),CV
| (Private key)
|
|
|
| Symmetric_Key_Import
| Designates verb
|
|
|
| e*MK.CV(K)
| Data structure
| (AES or DES key)
|
| Figure 3. PKA96 verbs with key-token flow
Key generation
You generate RSA or, beginning with Release 4.1, ECC public-private key-pairs using the
PKA_Key_Generate verb. You specify certain facts about the desired key in a skeleton key token that you
can create using the PKA_Key_Token_Build verb.
The PKA_Key_Generate verb either retains the generated RSA private-key within the coprocessor
(excluding ECC private keys), or the verb produces output which is the generated RSA private-key in one
of three forms, or the generated ECC private key in one of two forms, so that you can control where the
private key is deployed.
It is possible to request that the generated non-ECC RSA private-key be retained within the secure
cryptographic-engine using the RETAIN keyword on the PKA_Key_Generate verb. In this case, only the
public key is returned. Use the retained private key by referring to it with a key label which you specify in
the key-name section of the skeleton key-token.
Note: A retained private key cannot be copied or backed up; once deleted or destroyed, a retained key
cannot be recovered.
If you do not retain the RSA private-key within the coprocessor, you select how to receive the private key:
v Cleartext
Both the private and public keys are returned as clear text. This option requires that you provide
protection for the private key by means other than encryption within the key-generating step. With this
option, you can test or interface with other systems or applications that require the private key to be in
the clear.
v Enciphered by the local master-key
You can request that the key-generating service return the RSA private-key or OPK enciphered by the
PKA master-key or the ECC OPK enciphered by the APKA master-key, within the cryptographic engine.
Because there is no service available to re-encrypt the private key or OPK other than by the current or
a replacement master-key, the generated private key is effectively locked to the generating node, or
other nodes that you establish with the same master key. Generally these would be backup nodes or
parallel nodes for greater throughput.
v Enciphered by a transport key-encrypting-key (not valid with an ECC key)
Related reading: EXPORTER and IMPORTER key-encrypting transport keys are discussed in
Chapter 5, AES, DES, and HMAC symmetric-key management.
Because you can obtain the private key, it can be made functional on more than one cryptographic engine
and used for backup or additional throughput. Your administration procedures control where the key can
be used. The private key can be transported securely between nodes in its encrypted form. You can set up
one-way key distribution channels between nodes and lock the receiving transport key-encrypting key to
particular nodes so that you can be certain where the private key exists. This ability to replicate a key to
multiple nodes is especially important to high-throughput server systems and important for backup
processing purposes.
In systems with an access monitor, such as IBM z/OS Security Server RACF, the key name that you
associate with a private key gives you the ability to enforce restricted key usage. These systems can
determine whether a requesting process has the right to use the particular key name that is
cryptographically bound to the private key. You specify such a key name when you build the
skeleton_key_token in the PKA_Key_Token_Build verb.
For RSA keys, you decide whether the key should be returned in modular-exponent form or in
Chinese-Remainder Theorem (CRT) format. ECC keys are returned only in one form. Generally the CRT
form performs faster in services that use the private key. This decision is represented by the form of the
private key that you indicate in the skeleton_key_token. You can reuse an existing key-token having the
desirable properties, or you can build the skeleton_key_token with the PKA_Key_Token_Build verb.
Certain implementations such as the IBM System z (z/OS) server CMOS Cryptographic Coprocessor
feature (CCF) cannot employ a private key in the CRT form generated by the PKA_Key_Generate verb.
For RSA keys, you also decide if the public exponent should be valued to three, 216+1, or fully random.
Also, in the PKA_Key_Token_Build verb you can indicate that the key should be usable for both digital
signature signing and symmetric key exchange (KEY-MGMT), or you can indicate that the key should be
usable only for digital signature signing (SIG-ONLY), or only key decryption (KM-ONLY).
The key can be generated as a random value, or the key can be generated based on a seed derived from
regeneration data provided by the application program.
You can also have a newly generated RSA public-key certified by an RSA private-key held within the
coprocessor. You can obtain a self-signature, a signature from another key, or both. To obtain these
signatures or certificates, you must extend the skeleton key-token yourself because the
PKA_Key_Token_Build verb cannot do so.
The formats of the key tokens are described in PKA key tokens on page 585. The key tokens are a
concatenation of several sections with each section providing information pertaining to the key. All of the
described formats can be input to any version, but only selected formats are output by Version 2 and later
support.
Key import
To be secure and useful in services, a private key must be enciphered by a PKA or APKA master-key on
the CCA node where it is used. (Of course, an RSA private-key generated as a retained private-key is also
secure, but in this case PKA_Key_Import does not apply.) You can use the PKA_Key_Import verb to get
The public and private keys must be presented in an external PKA key-token (see PKA key tokens on
page 585). You can use the PKA_Key_Token_Build verb to structure the key into the proper token format.
You provide or identify the operational DES transport key (key-encrypting key) and the encrypted private
key with its associated public key to the import service. The service returns the RSA private-key or Object
Protection Key (OPK) encrypted under the current PKA master-key, or the private ECC OPK encrypted
under the APKA master-key, along with the public key.
The coprocessor is designed to generate and employ RSA CRT-form keys having p > q. When importing a
private key having q > p, the key is accepted. However, each time that an application uses such a key, it
incurs substantial overhead to recalculate the multiplicative inverse of the quantity U. See Table 100 on
page 592 for the components of an RSA CRT key.
After the preexisting PKA or APKA master-key has become the old master-key and the replacement
master-key has become the current master-key, use the PKA_Key_Token_Change verb to effect the
reencipherment of the private keys.
Arranging appropriate protection for the private key is a must. A CCA node can help ensure that the key
remains confidential. However, you must ensure that the master key and any transport keys are protected,
for example, through split-knowledge, dual-control procedures. Or, for an RSA key-pair, you can choose to
retain the private key in the secure cryptographic-engine.
Besides the confidentiality of the private key, you must also ensure that only authorized applications can
use the private key. You can hold the private key in application-managed storage and pass the key to the
cryptographic services as required. Generally, this limits the access other applications might have to the
Having the private key installed at multiple nodes enables you to provide increased service levels for
greater throughput, and to maintain operation when a primary node goes out of service. Having a private
key installed at more than one node increases the risk of someone misusing or compromising the key. You
have to weigh the advantages and disadvantages as you design your system or systems.
If the public-private key-token is used in verbs that only require the public key, the implementation might
attempt to recover the private key which in the usual case would fail (because normally the private key
should not be usable where use is being made of the public key).
The skeleton_key_token provided to the verb determines the following characteristics of the generated
key-pair:
v The key type: RSA or ECC
| v The RSA key length (modulus size) or ECC Brainpool or Prime curve size of p in bits
v The RSA public-key exponent: valued to 3, 216 + 1, or random. See Restrictions on page 88.
v Any RSA private-key optimization (Modulus-Exponent versus Chinese-Remainder Theorem format)
v Any signatures and signature-information that should be associated with the public key
An ECC key is always randomly generated by this verb. An RSA key is either randomly generated or
derived using regeneration data.
Normally an RSA key is randomly generated. By providing regeneration data for an RSA key, a seed can
be supplied so that the same value of the generated key can be obtained in multiple instances. This can
be useful in testing situations or where the regeneration data can be securely held for key generation. The
process for generating a particular key pair from regeneration data might vary between products.
Therefore, do not expect to obtain the same key pair for a given regeneration data string between
products.
The generated private-key can be returned in one of three forms for RSA and ECC:
v In cleartext form (CLEAR).
| v Enciphered by the CCA PKA master-key (MASTER) if it is an RSA key, or by an Object Protection Key
| (OPK) that is encrypted by the APKA master-key if it is an ECC key.
| v Enciphered by a transport (key-encrypting) key (XPORT).
| A private key enciphered by an EXPORTER transport key can be imported to a node where the
| corresponding IMPORTER key is installed, while one enciphered by an IMPORTER transport key can
| be imported to the generating node.
| For RSA, the transport key is an operational key-encrypting key in a fixed-length DES key-token.
| For ECC, the transport key is an operational key-encrypting key in a variable-length AES key-token.
| This option is not available for ECC keys in releases before Release 4.2.
Use the RETAIN rule-array keyword to cause the RSA private-key to be retained within the coprocessor.
Incorporate the key label to be used later to reference the newly generated key in the key name section of
the skeleton key-token. Later, use this label to employ the key in verbs such as
Digital_Signature_Generate, Symmetric_Key_Import, Master_Key_Distribution, SET_Block_Decompose,
and PKA_Decrypt. On output, the verb returns an external key-token containing the public key in the
generated_key_identifier variable. The generated_key_identifier variable returned by the verb does not
contain the private key.
Note: When using the RETAIN private-key encryption option, the key label supplied in the skeleton
key-token references the key storage within the coprocessor, and, in this case, must not reference
a record in the host-system PKA key-storage.
The rule-array keyword CLONE flags a generated and retained RSA private-key as usable in an engine
cloning process. Cloning is a technique for copying sensitive coprocessor information from one
coprocessor to another. (See Understanding and managing master keys on page 27.)
Tip: The verb returns a section X'06' RSA private-key token format when you request a
Modulus-Exponent internal key even though you have specified a type X'02' skeleton token.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
CSNDPKG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
regeneration_data_length Input Integer 0, 8 - 256
regeneration_data Input String regeneration_data_length bytes
skeleton_key_token_length Input Integer 3500
skeleton_key_token Input String skeleton_key_token_length bytes
| transport_key_identifier Input String 64 bytes
generated_key_identifier_length In/Output Integer 3500
generated_key_identifier In/Output String generated_key_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Private-key form (one required)
CLEAR Returns the private key in cleartext.
| MASTER Enciphers the private key or OPK using the PKA master-key for an RSA key, or the OPK
| using the APKA master-key for an ECC key. The transport_key_identifier parameter should
| specify a null key-token.
RETAIN Retains the RSA private-key within the cryptographic engine and returns the RSA public-key
as specified by the generated_key_identifier parameter. The name presented in the
generated_key_identifier variable is used later to access the retained private key.
Note: A retained private key cannot be copied or backed up. Once deleted or destroyed, a
retained key cannot be recovered. Not valid with an ECC private key.
| XPORT Enciphers the private key under the key-encrypting key identified by the
| transport_key_identifier parameter. For an RSA key, this is an EXPORTER or IMPORTER
| transport key in a fixed-length operational DES key-token. For an ECC key, this is an
| EXPORTER or IMPORTER transport key in an operational variable-length AES key-token.
RETAIN option (one, optional). Valid only with the RETAIN keyword.
CLONE Flags, as usable, a retained private RSA key in a cryptographic engine cloning operation.
Regeneration data option (one, optional). Valid only with regeneration data. Release 4.1 or later.
regeneration_data_length
The regeneration_data_length parameter is a pointer to an integer variable containing the number of
bytes of data in the regeneration_data variable. This value must be 0 for an ECC key. For an RSA key,
this must be a value of 0, or in the range 8 - 256, inclusive.
If the value is 0, the generated keys are based on a random-seed value. If this value is between 8 -
256, the regeneration data is hashed to form a seed value used in the key generation process to
provide a means for recreating a public-private key pair.
regeneration_data
The regeneration_data parameter is a pointer to a string variable containing a value used as the basis
for creating a particular public-private key pair in a repeatable manner. The regeneration data is
hashed to form a seed value used in the key generation process and provides a means for recreating
a public-private key pair.
skeleton_key_token_length
The skeleton_key_token_length parameter is a pointer to an integer variable containing the number of
bytes of data in the skeleton_key_token variable. The maximum length is 3500 bytes.
skeleton_key_token
The skeleton_key_token parameter is a pointer to a string variable containing a skeleton key-token.
This information provides the characteristics for the ECC or RSA key-pair to be generated. A skeleton
key-token can be created using the PKA_Key_Token_Build verb.
transport_key_identifier
| The transport_key_identifier parameter is a pointer to a string variable containing an operational AES
| (Release 4.2 or later) or DES key-encrypting-key token, a null key-token, or a key label of such a key.
| Use an IMPORTER key to encipher a private key to be used at this node. Use an EXPORTER key to
| encipher a private key to be used at another node. Choose one of the following:
| v When generating an ECC key with the XPORT rule_array keyword (Release 4.2 or later), provide
| the variable-length symmetric IMPORTER or EXPORTER key-token to be used to wrap the
| generated ECC key. Key bit lengths of 128, 192, and 256 are supported. If this parameter points to
| a key label, specify rule-array keyword OKEK-AES to indicate that the AES key-storage dataset
| contains the key token.
| v When generating an RSA key with the XPORT rule_array keyword, provide the fixed-length DES
| IMPORTER or EXPORTER key-token to be used to wrap the generated RSA key. If this parameter
| points to a key label, specify rule-array keyword OKEK-DES to indicate that the DES key-storage
| dataset contains the key token.
| v If the XPORT rule_array keyword is not specified, specify a null key-token. If this parameter points
| to a key label, specify keyword OKEK-AES for an ECC key or keyword OKEK-DES for an RSA key.
generated_key_identifier_length
The generated_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the generated_key_identifier variable. The maximum length is 3500 bytes.
On output, and if the size is of sufficient length, the variable is updated with the actual length of the
generated_key_identifier variable.
generated_key_identifier
The generated_key_identifier parameter is a pointer to a string variable containing either a key label
Required commands
The PKA_Key_Generate verb requires the PKA96 PKA Key Generate command (offset X'0103') to be
enabled in the active role.
Also enable one of these commands in the hardware, depending on rule-array-keyword usage and the
content of the skeleton key-token:
v With the CLONE rule-array keyword, PKA Clone Key Generate (offset X'0204')
v With the CLEAR rule-array keyword, PKA Clear Key Generate (offset X'0205') when generating an RSA
key, or Generate ECC Keys in the Clear (offset X'0326') when generating an ECC key
To generate keys based on the value supplied in the regeneration_data variable, you must enable at least
one of these commands (not valid with ECC keys):
v When not using the RETAIN keyword, Permit Regeneration Data (offset X'027D')
v When using the RETAIN keyword, Permit Regeneration Data for Retained Keys (offset X'027E')
| The following access-control points are added beginning with Release 4.2:
| v To disable the wrapping of a stronger key with a weaker key, the Disallow Weak Key Wrap command
| (offset X'0328') must be enabled in the active role. This command affects multiple verbs. See Table 169
| on page 715.
| v To receive a warning when wrapping a key with a weaker key-encrypting key, enable the Warn when
| Wrapping Weak keys command (offset X'032C') in the active role. The Disallow Weak Key Wrap
| command overrides this command.
An RSA private key is enciphered under the PKA master-key. Beginning with Release 4.1, the private key
material of an ECC key-token is enciphered under a randomly-generated object protection key (OPK). The
OPK is itself enciphered under the APKA master-key. The result is returned in an internal PKA key-token
identified by the target_key_identifier parameter. The verb also updates the target_key_identifier_length
variable to the length of the returned token, or 0 if a key label was identified.
To import an external trusted block so that it can be used as input by the Remote_Key_Export verb:
v Identify the active external trusted block to be imported using the source_key_token parameter. Use the
Trusted_Block_Create verb with the ACTIVATE rule-array keyword to obtain the token.
v Use the transport_key_identifier parameter to identify the DES IMP-PKA key used to encipher the
confounder and triple-length MAC key contained within the trusted block.
The confounder and MAC key are enciphered under the asymmetric master-key and returned along with
the updated MAC value in an internal trusted block identified by the target_key_identifier parameter. The
verb also updates the target_key_identifier_length variable to the length of the returned token, or 0 if a key
label was identified.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
Format
Parameter name Direction Data type Data length or value
CSNDPKI
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0 or 1
rule_array Input String array rule_array_count * 8 bytes
source_key_token_length Input Integer 3500
source_key_token Input String source_key_token_length bytes
| transport_key_identifier Input String 64 bytes
target_key_identifier_length In/Output Integer 3500
target_key_identifier In/Output String target_key_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0 or 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Token type (one, optional). Release 4.1 or later.
ECC Specifies that the key being imported is an ECC key.
RSA Specifies that the key being imported is an RSA key or a trusted block. This is the default.
Required commands
The PKA_Key_Import verb requires the PKA96 PKA Key Import command (offset X'0104') to be enabled in
the active role.
If the source_key_token parameter points to a trusted block, also enable the Convert Trusted Block from
External to Internal Form command (offset X'0311').
Other than a skeleton key-token prepared for use with the PKA_Key_Generate verb, every PKA key-token
contains a public-key value. A token optionally contains a private-key value.
See PKA key tokens on page 585 for a description of the key token formats. You can create RSA private
key tokens for section types:
X'08' Using the RSA-CRT keyword to obtain a token format for an RSA key usable with the
Chinese-Remainder Theorem (CRT) algorithm with an Object Protection Key (OPK)
X'02' Using the RSA-PRIV keyword to obtain a token format for an RSA key in Modulus-Exponent (M-E)
format
X'04' Using the RSA-PUBL keyword to obtain a token format for an RSA public-key
| Beginning with Release 4.1, RSA private-key tokens can also be created for this section type:
| X'09' Using the RSAMEVAR keyword to obtain a token format for a key in M-E format.
Format
Parameter name Direction Data type Data length or value
CSNDPKB
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
key_values_structure_length Input Integer 3500
key_values_structure Input String key_values_structure_length bytes
key_name_length Input Integer 0 or 64
key_name Input String key_name_length bytes
user_definable_associated_data_length Input Integer null pointer or 0 - 100
| user_definable_associated_data Input String user_definable_associated_data_length bytes
reserved_2_length Input Integer null pointer or 0
reserved_2 Input String null pointer
reserved_3_length Input Integer null pointer or 0
reserved_3 Input String null pointer
reserved_4_length Input Integer null pointer or 0
reserved_4 Input String null pointer
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Token type (one required)
ECC-PAIR Create a key token for an ECC public and private key-pair. Release 4.1 or later.
ECC-PUBL Create a key token for an ECC public-key. Release 4.1 or later.
RSA-CRT Create a key token for an RSA public-key and an RSA private-key in Chinese-Remainder Theorem
format with an OPK.
RSA-OPT Note: This keyword is not supported with Version 2 and later software.
RSA-PRIV Create a key token for an RSA public and private key pair in Modulus-Exponent format.
RSA-PUBL Create a key token for an RSA public key in Modulus-Exponent format.
RSAMEVAR Create a key token for an RSA public and private key pair in Modulus-Exponent format.
Translate control (one, optional). Not valid with token type ECC-PUBL or RSA-PUBL.
NO-XLATE Private key translation is not allowed. This is the default.
XLATE-OK Private key translation is allowed.
RSA key-usage control (one, optional). Not valid with token type ECC-PUBL or RSA-PUBL.
SIG-ONLY Selects a usage control to render the private key usable in digital-signature operations but not in
(DES) key import operations. This is the default.
KEY-MGMT Selects a usage control that allows an RSA private-key to be used in distribution of symmetric keys
and in digital-signature services.
KM-ONLY Selects a usage control to render the private key usable in (DES) key-import operations but not in
digital-signature operations.
key_values_structure_length
The key_values_structure_length parameter is a pointer to an integer variable containing the number
of bytes of data in the key_values_structure variable. The maximum length is 3500 bytes.
key_values_structure
The key_values_structure parameter is a pointer to a string variable containing a structure of the
lengths and data for the components of the key or keys. The contents of this structure are shown in
Table 11 on page 98, and sample data is described in Related information on page 100.
This value should be zero when preparing a skeleton key token for use with
the PKA_Key_Generate verb.
004 002 Length of the public exponent field, e, in bytes: eee.
This value should be zero when preparing a skeleton key token to generate
a random-exponent public key in the PKA_Key_Generate verb. This value
must not exceed 512.
006 002 Private exponent field length in bytes, ddd. This value can be zero indicating
that private key information is not provided. This value must not exceed 512.
008 nnn Modulus, n, integer value, 1 < n < 24096; n = pq for prime p and prime q.
8 + nnn eee Public exponent field, e, integer value, 1 < e < n, e must be odd. When you
are building a skeleton_key_token to control the generation of an RSA key
pair, the public key exponent can be one of three values: 3, 65537 (216+1),
or 0 (zero) to indicate that a full-random exponent should be generated. The
exponent field can be a null-length field when preparing a
skeleton_key_token.
8 + nnn + eee ddd Private exponent, d, integer value, 1 < d < n, d = e-1mod(p-1)(q-1).
RSA key-values structure, Chinese-Remainder Theorem form (RSA-CRT)
000 002 Length of the modulus in bits (512 - 4096).
002 002 Length of the modulus field, n, in bytes: nnn. This value must not exceed
512.
This value should be zero when preparing a skeleton_key_token for use with
the PKA_Key_Generate verb.
004 002 Length of the public exponent field, e, in bytes: eee.
This value should be zero when preparing a skeleton key token to generate
a random-exponent public key in the PKA_Key_Generate verb. This value
must not exceed 512.
006 002 Reserved, binary zero.
008 002 Length of the prime number field, p, in bytes: ppp. Should be zero in a
skeleton key-token. The maximum value of ppp+qqq is 512 bytes.
010 002 Length of the prime number field, q, in bytes: qqq. Should be zero in a
skeleton key-token. The maximum value of ppp+qqq is 512 bytes.
012 002 Length of the dp field, in bytes: rrr. Should be zero in a skeleton key-token.
The maximum value of rrr + sss is 512 bytes.
014 002 Length of the dq field, in bytes: sss. Should be zero in a skeleton key-token.
The maximum value of rrr + sss is 512 bytes.
016 002 Length of the U field, in bytes: uuu. Should be zero in a skeleton key-token.
The maximum length of U is 256 bytes.
018 nnn Modulus, n.
key_name_length
The key_name_length parameter is a pointer to an integer variable containing the number of bytes of
data in the optional key_name variable. If the length is zero, the key-name section is not included in
the target token. To include a key name, set the length to 64. For token type RSA-PUBL, the value
must be 0.
key_name
The key_name parameter is a pointer to a string variable containing the name of the key. The name of
the key can consist of alphanumeric characters, the pound sign (#), the at sign (@), the dollar sign ($),
and the period (.), and must begin with an alphabetic character. See Key-label content on page 390.
user_definable_associated_data_length
The user_definable_associated_data_length parameter is a pointer to an integer variable containing
the number of bytes of data in the user_definable_associated_data variable. For token type keyword
ECC-PAIR, the value must be 0 - 100. For all other token types, the value must be 0 or the parameter
must be a null pointer.
user_definable_associated_data
The user_definable_associated_data parameter is a pointer to a string variable containing the
associated data defined by the user that will be placed following the IBM associated data in the output
token. See Table 112 on page 597. Associated data is not confidential, but is protected by a key wrap
mechanism.
reserved_n_lengths
Each reserved_n_length parameter is a pointer to an integer variable containing the number of bytes
of data in the corresponding reserved_n variable. These length variables are reserved for future use,
and each variable should be set to a null pointer or zero.
reserved_n's
Each reserved_n parameter is a pointer to a string variable that is reserved for future use. Each
reserved_n parameter should be set to a null pointer.
token_length
The token_length parameter is a pointer to an integer variable containing the number of bytes of data
in the token variable. On output, the variable contains the length of the token returned in the token
variable. The maximum length is 3500 bytes.
token
The token parameter is a pointer to a string variable containing the assembled token returned by the
verb.
Related information
Samples for the key_values_structure are shown in Table 13 on page 101 and Table 14 on page 101, (and
see the note following the examples).
Table 14. Sample key-values structure data for ECC keys (Release 4.1 or later)
Length of Length of
| Length of private key d public key Q Key-values structure Structure
| ECC curve type prime p (bits) (bytes) (bytes) (hexadecimal) length (bytes)
192 0 0 0000 00C0 0000 0000 8
224 0 0 0000 00E0 0000 0000 8
Prime 256 0 0 0000 0100 0000 0000 8
384 0 0 0000 0180 0000 0000 8
521 0 0 0000 0209 0000 0000 8
Note: All values in the key_values_structure must be stored in big-endian format to ensure compatibility
among different computing platforms. Big-endian format specifies the high-order byte be stored at
the low address in the field.
Data stored by Intel architecture processors is normally stored in little-endian format. Little-endian format
specifies the low-order byte be stored in the low address in the field.
Required commands
None
Note: This verb is similar in function to the CSNBKTC Key_Token_Change verb used with CCA DES key
tokens.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Not all CCA implementations support this verb.
v ECC keys and the token type keywords (ECC and RSA) are not supported in releases before Release
4.1.
Format
Parameter name Direction Data type Data length or value
CSNDKTC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
key_identifier_length In/Output Integer 3500
key_identifier In/Output String key_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1 or 2.
Keyword Meaning
Token type (one, optional)
ECC Specifies that the key being changed is an ECC key.
RSA Specifies that the key being changed is an RSA key or a trusted block. This is the default.
Reencipherment method (required)
RTCMK Changes an RSA private key or a trusted block from encipherment under the old PKA
master-key, to encipherment under the current PKA master-key. Beginning with Release 4.1,
also changes an OPK of an ECC private key from encipherment under the old APKA
master-key to encipherment under the current APKA master-key.
key_identifier_length
The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes
of data in the key_identifier variable. On output, the variable contains the length of the key token
returned by the verb if a key token (not a key label) was specified. The maximum length is 3500 bytes.
key_identifier
The key_identifier parameter is a pointer to a string variable containing an internal RSA or ECC
key-token, or an active internal trusted block, or a key label of an internal RSA or ECC key-token
record, or an active internal trusted block RSA key-token record. The enciphered data within the RSA
key-token or trusted block is securely reenciphered under the current PKA master-key. Beginning with
Release 4.1, the enciphered OPK of an ECC private key-token is securely reenciphered under the
current APKA master-key.
Required commands
The PKA_Key_Token_Change verb requires the PKA96 Reencipher to Current Master Key command
(offset X'0102') to be enabled in the active role.
Note: Specification of an EXPORTER source transport key and an IMPORTER target transport key is not
allowed.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X
| IBM i X X X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v RSA M-E key tokens are not translated to the SCCOMCRT format.
v RSA CRT key tokens are not translated to the SCCOMME format.
v SCVISA supports only M-E keys. ACI Smart Chip Manager Product Suite, System Design Specification,
RSA Private Key Formats 2008-2009 by ACI Worldwide B.V. All rights reserved. Author: V. Kessels.
v The maximum modulus size for keys that will be translated into the SCVISA format is 2040 bits,
because the length field for that format is limited to one byte.
CSNDPKT
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
source_key_identifier_length Input Integer 3500
source_key_identifier Input String source_key_identifier_length
source_transport_key_identifier_length Input Integer 64
source_transport_key_identifier Input String source_transport_key_identifier_length bytes
target_transport_key_identifier_length Input Integer 64
target_transport_key_identifier Input String target_transport_key_identifier_length bytes
target_key_token_length In/Output Integer 3500
| target_key_token Output String target_key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Description
Smart card format (one required)
SCVISA Translate the key into the smart card Visa proprietary format.
SCCOMME Translate the key into the smart card Modulus-Exponent format.
SCCOMCRT Translate the key into the smart card Chinese-Remainder Theorem format.
See ACI smart card formats on page 630 for descriptions of the smart card formats.
source_key_identifier_length
The source_key_identifier_length parameter is a pointer to an integer variable containing the number
of bytes of data in the source_key_identifier variable. The maximum length is 3500 bytes.
source_key_identifier
| The source_key_identifier parameter is a pointer to a string variable containing either a key label
| identifying a PKA key-storage record for an RSA private-key, or an external RSA public-private
| key-token. The private key must be wrapped with a fixed-length DES key-encrypting key.
Required commands
The PKA_Key_Translate verb requires the following commands to be enabled in the active role based on
the keyword:
These commands must also be enabled to allow the key type combinations shown in this table:
Both the public key and the related private key must be present in the source PKA key-token. The source
RSA private-key can be in the clear or enciphered. The source ECC private-key can be in the clear.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
v ECC keys are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNDPKX
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
source_key_identifier_length Input Integer 3500
source_key_identifier Input String source_key_identifier_length bytes
target_key_token_length In/Output Integer 3500
target_key_token Output String target_key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
Required commands
None
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
Format
Parameter name Direction Data type Data length or value
CSNDPKH
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
public_key_name Input String 64 bytes
| hash_data_length Input Integer 20 - 128
hash_data Input String hash_data_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1 or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
public_key_name
The public_key_name parameter is a pointer to a string variable containing the name under which the
registered public key is accessed.
hash_data_length
The hash_data_length parameter is a pointer to an integer variable containing the number of bytes of
data in the hash_data variable.
hash_data
The hash_data parameter is a pointer to a string variable containing the SHA-1 hash of an RSA
public-key certificate that is offered with the use of the PKA_Public_Key_Register verb. The format of
the public-key certificate is defined in RSA public-key certificate section on page 594.
Required commands
The PKA_Public_Key_Hash_Register verb requires the PKA Register Public Key Hash command (offset
X'0200') to be enabled in the active role.
Note: Currently the only supported use of a registered RSA public-key is for a CCA node cloning process.
The RSA public-key offered for registration must be contained in a PKA key-token that contains a
certificate section (see Table 103 on page 595). The public-key value contained in the certificate is the key
that is registered. A preregistered hash value over the certificate section, exclusive of the certificate
signature bits, is used to independently validate the offered key. See the PKA_Public_Key_Hash_Register
verb and PKA key tokens on page 585 for more information.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
Format
Parameter name Direction Data type Data length or value
CSNDPKR
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
public_key_name Input String 64 bytes
public_key_certificate_length Input Integer
public_key_certificate Input String public_key_certificate_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 1.
Keyword Meaning
| Special usage (one required)
CLONE Indicates that the registered RSA public-key can be employed in a CCA node cloning process
provided that this usage was also asserted when the hash value was registered.
public_key_name
The public_key_name parameter is a pointer to a string variable containing the name under which the
registered public key is accessed.
public_key_certificate_length
The public_key_certificate_length parameter is a pointer to an integer variable containing the number
of bytes of data in the public_key_certificate variable.
public_key_certificate
The public_key_certificate parameter is a pointer to a string variable containing an RSA public-key to
be registered. The public key must be presented in a public-key certificate section. See RSA
public-key certificate section on page 594.
Required commands
The PKA_Public_Key_Register verb requires the PKA Public Key Register command (offset X'0201') to be
enabled in the active role.
If you specify the CLONE rule-array keyword, also enable the PKA Public Key Register with Cloning
command (offset X'0202').
This section explains how to determine the integrity of data. Determining data integrity involves
determining whether individual values of a string of bytes have been altered. Two techniques are
described:
v Hashing
v Digital signatures
Digital signatures use both hashing and RSA public-key cryptography. Beginning with Release 4.1, ECC
public-key cryptography support is added.
The following table describes verbs used in hashing and digital signature services. See Verbs used in
hashing and digital signature services on page 117 for a detailed description of the verbs.
Table 15. Hashing and digital signature services
Service
Verb Page Service Entry point location
Digital_Signature_Generate 118 This verb generates a digital signature. CSNDDSG E
Digital_Signature_Verify 122 This verb verifies a digital signature. CSNDDSV E
MDC_Generate 126 This verb generates a hash value using the CSNBMDG E
Modification Detection Code (MDC) one-way
function.
One_Way_Hash 134 This verb generates a hash value using CSNBOWH S/E
SHA-1, SHA-224, SHA-256, SHA-384,
SHA-512, Message Digest-5 (MD5), or
RIPEMD-160 one-way hashing functions.
E=cryptographic engine, S=security API host software
Note: Keys with a modulus length greater than 2048 bits are not supported in releases before Release
3.30.
Hashing
Data hashing functions have long been used to determine the integrity of a block of data. The application
of a hash function to a data string produces a quantity called a hash value (also referred to as a hash, a
message digest, or a fingerprint). The most common hashing functions produce hash values of 128 or 160
bits. Newer, stronger hash functions that produce hash values of 224, 256, 384, 512, or more bits are also
available. While many different strings supplied to a cryptographically-useful hashing function produce the
same hash value, it is computationally infeasible to determine a modification to a data string that results in
a desired hash-value.
Hash functions for data integrity applications have a one-way property: given a hash value, it is highly
improbable that a second data string can be found that hashes to the same value as the original.
Consequently, if a hash value for a string is known, you can compute the hash value for another string
115
suspected to be the same and compare the two hash values. If both hash values are identical, there is a
very high probability that the strings producing them are identical.
The CCA products provide support for the following hash functions:
Secure Hash Algorithms
FIPS 180-2 defines multiple secure hash algorithms. CCA products support these secure hash
algorithms, namely SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
| v SHA-1 produces a 20-byte, 160-bit hash value. SHA-1 is specified for use with the Digital
| Signature Standard (DSS).
v SHA-224 produces a 28-byte, 224-bit hash value.
v SHA-256 produces a 32-byte, 256-bit hash value.
v SHA-384 produces a 48-byte, 384-bit hash value.
v SHA-512 produces a 64-byte, 512-bit hash value.
| Notes:
| 1. Secure hash algorithms perform best on big-endian, general-purpose computers.
| 2. The SHA-1, SHA-256, SHA-384, and SHA-512 methods are specified in FIPS 180-2, August 1,
| 2002. The SHA-1 method was originally specified in FIPS 180-1, May 31, 1994. The MD5
| method is specified in RFC 1321, dated April 1992.
RIPEMD-160
| RIPEMD-160 is a 160-bit cryptographic hash function. It is intended to be used as a secure
| replacement for the 128-bit hash functions MD5 and RIPEMD. The RIPEMD-160 method is an
| outgrowth of the EU project RIPE (RACE Integrity Primitives Evaluation); further information can
| be found on the Internet under RIPEMD.
Message Digest-5 (MD5)
| MD5 is specified in the Internet Engineering Task Force RFC 1321 and produces a 16-byte,
| 128-bit hash value. This algorithm performs best on little-endian, general-purpose computers (for
| example, Intel). Note that SHA is usually preferred over MD5 if the application designers have a
| choice of algorithms.
Modification Detection Code (MDC)
MDC is based on the DES algorithm and produces a 16-byte, 128-bit hash value. This hashing
algorithm is considered quite strong. However, it performs rapidly only when supported by
DES-hardware units specifically designed for MDC. See Modification Detection Code calculation
on page 679 for a description of the MDC algorithm.
There are many different approaches to data integrity verification. In some cases, you can simply make
known the hash value for a data string. Anyone wanting to verify the integrity of the data would recompute
the hash value and compare the result to the known-to-be-correct hash value. In other cases, you might
want someone to prove to you that they possess a specific data string, in which case you could randomly
generate a challenge string, append the challenge string to the string in question, and hash the result. You
would then provide the other party with the challenge string, ask them to perform the same hashing
process, and return the hash value to you. This method forces the other party to rehash the data. When
the two hash values are the same you can be confident that the strings are the same, and the other party
actually possesses the data string, and not merely a hash value.
The hashing services described in this section allow you to divide a string of data into parts, and compute
the hash value for the entire string in a series of calls to the appropriate verb. This can be useful if it is not
possible to bring the entire string into memory at one time.
Anyone with access to the associated RSA or ECC public-key can verify the digital signature information
by performing the following steps:
1. Hash the data using the same hashing algorithm used to create the digital signature.
2. Decrypt the digital signature using the associated RSA or ECC public-key.
3. Compare the decrypted results to the hash value obtained from hashing the data.
4. An equal comparison confirms that the verified data is the same as the digitally signed data.
The Digital_Signature_Generate and the Digital_Signature_Verify verbs described in this section perform
the hash encrypting and decrypting operations. The requirements are:
v No one else should have access to the private key used to sign the data, and the use of the private key
must be controlled so that someone else cannot sign data as though they were you.
v The verifying party must have your associated RSA or ECC public-key. They assure themselves that
they do have your public key using one or more certificates from one or more Certification Authorities.
There is only one digital-signature hash formatting method available for using ECC keys.
The receiver of data signed using digital signature techniques can, in some cases, assert non-repudiation
of the data. Non-repudiation means that the originator of the digital signature cannot later deny having
originated the signature and, therefore, the data. The use of digital signatures in legally binding situations
is gaining favor as commerce is increasingly conducted through networked communications. The
techniques described in this section are the most common methods of digital signing.
The hash quantity can be created using the One_Way_Hash or the MDC_Generate verb.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v An RSA private-key flagged as a key-management-only key (in the private-key section, offset 50, valued
to X'C0') is not usable in this verb. An ECC private-key flagged as a key-agreement-only key (in the
private key section, offset 8, valued to X'C0') is not usable in this verb. See PKA_Key_Token_Build
(CSNDPKB) on page 95 and PKA_Key_Generate (CSNDPKG) on page 87.
v Starting with Release 3, the hash length is restricted to less than or equal to 36 bytes when using an
RSA private-key flagged as a key-management-capable key (in the private-key section, offset 50,
high-order bit on). You can override this restriction with the use of the Override DSG ZERO-PAD Length
Restriction command, offset X'030C'.
v Not all IBM implementations of this verb might use an optimized form of the RSA private-key, however,
the IBM 4765 and IBM 4764 can use this verb with an optimized RSA private-key in Chinese-Remainder
Theorem format.
v Not all CCA implementations use each digital-signature hash formatting method.
v Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
v The modulus length of a key used with ANS X9.31 digital signatures must be one of 1024, 1280, 1536,
1792, 2048, or 4096 bits.
v ECC keys and the token algorithm keywords (ECDSA and RSA) are not supported in releases before
Release 4.1.
CSNDDSG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0, 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
PKA_private_key_identifier_length Input Integer 3500
PKA_private_key_identifier Input String PKA_private_key_identifier_length bytes
hash_length Input Integer 512
hash Input String hash_length bytes
signature_field_length In/Output Integer 512
signature_bit_length Output Integer
signature_field Output String signature_field_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0, 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Signature algorithm (one, optional). Release 4.1 or later.
ECDSA Specifies to generate an ECC digital signature.
RSA Specifies to generate an RSA digital signature. This is the default.
Digital-signature hash formatting method (one, optional). Not valid with ECDSA keyword.
ISO-9796 Specifies to format the hash according to the ISO/IEC 9796-1 standard and generates
the digital signature. This is the default. See Formatting hashes and keys in public-key
cryptography on page 694.
PKCS-1.0 Specifies to format the digital signature on the string supplied in the hash variable as
defined in the RSA PKCS #1 standard for block-type 00. The PKCS #1 v2.0 standard
no longer defines this signature scheme. See PKCS #1 hash formats on page 694.
PKCS-1.1 Specifies to format the digital signature on the string supplied in the hash variable as
defined in the RSA PKCS #1 v2.0 standard for the RSASSA-PKCS1-v1_5 signature
scheme. This was formerly known as block-type 01. See PKCS #1 hash formats on
page 694.
X9.31 Specifies to format the hash according to the ANS X9.31 standard and generates the
digital signature. See ANS X9.31 hash format on page 694.
Tips:
1. Use the MD5 or SHA-1 algorithms to create the hash for PKCS-1.0 and PKCS-1.1.
2. Use any method to obtain the hash for ISO-9796 and ZERO-PAD.
3. See Formatting hashes and keys in public-key cryptography on page 694 for a discussion of
hash formatting methods.
4. Use SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512 to obtain the hash for ECDSA.
PKA_private_key_identifier_length
The PKA_private_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the PKA_private_key_identifier variable. The maximum length is 3500
bytes.
PKA_private_key_identifier
The PKA_private_key_identifier parameter is a pointer to a string variable containing either a key label
identifying an RSA key-token in PKA key-storage or retained key-storage, or an internal public-private
RSA key-token.
Beginning with Release 4.1, this parameter can also point to a string variable containing either a key
label identifying an ECC key-token in PKA key-storage, or an internal public-private ECC key-token.
hash_length
The hash_length parameter is a pointer to an integer variable containing the number of bytes of data
in the hash variable. Beginning with Release 4.1, this value must be 20 for SHA-1, 28 for SHA-224, 32
for SHA-256, 48 for SHA-384, and 64 for SHA-512.
hash
The hash parameter is a pointer to a string variable containing the information to be signed.
Notes:
1. For ISO-9796, the information identified by the hash parameter must be less than or equal to
one-half of the number of bytes required to contain the modulus of the RSA key. This verb requires
the input text to be a byte multiple up to the correct maximum length.
2. For PKCS-1.0 or PKCS-1.1, the information identified by the hash parameter must be 11 bytes
shorter than the number of bytes required to contain the modulus of the RSA key, and should be
the Abstract Syntax Notation One (ASN.1) Basic Encoding Rules (BER) encoding of the hash
value.
| You can create the BER encoding of an MD5, SHA-1, or SHA-256 value by prepending the
| appropriate string to the hash value. See PKCS #1 hash formats on page 694.
Required commands
v The Digital_Signature_Generate verb requires the PKA96 Digital Signature Generate command (offset
X'0100') to be enabled in the active role.
v With the use of the Override DSG ZERO-PAD Length Restriction command (offset X'030C'), the
hash-length restriction does not apply when using ZERO-PAD formatting.
Provide the digital signature, the public key, an optional hash formatting method keyword, and the hash of
the data to be validated. The hash quantity can be created through use of the One_Way_Hash verb, or for
RSA, also the MDC_Generate verb. Beginning with Release 4.1, optionally provide a token-algorithm
keyword.
In addition to using RSA or ECC public keys that are contained in PKA key tokens, digital signatures can
be verified using RSA public keys that are contained in trusted blocks. This verification occurs regardless
of whether the block also contains rules to govern its use when generating or exporting keys with the
Remote_Key_Export (CSNDRKX) verb.
The digital-signature hash formatting method is selected through the use of a keyword in the rule array.
The supplied hash information is formatted and compared to the public-key-ciphered digital signature.
An optional trusted public key restriction can also be selected through the use of the TPK-ONLY keyword.
When this keyword is selected, the use of regular CCA RSA or ECC key tokens is rejected, and only the
use of a (trusted) RSA public-key contained in a trusted block (identified by the PKA_public_key_identifier
parameter) can be used to verify the digital signature. Use of the TPK-ONLY keyword assures that a
sensitive signature-verification is limited to operation with trusted public keys only.
If the digital signature is validated, the verb returns a return code of 0. If the digital signature is not
validated, and there are no other problems, the verb returns a return code of 4 and reason code of 429
(X'01AD').
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Not all CCA implementations support each digital-signature hash formatting method.
v The maximum public exponent is 17 bits for any key that has a modulus greater than 2048 bits.
v Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
v ECC keys and the token algorithm keywords (that is, ECDSA and RSA) are not supported in releases
before Release 4.1.
CSNDDSV
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0, 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
PKA_public_key_identifier_length Input Integer 3500
PKA_public_key_identifier Input String PKA_public_key_identifier_length bytes
hash_length Input Integer 512
hash Input String hash_length bytes
signature_field_length Input Integer
signature_field Input String signature_field_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0, 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are shown below:
PKA_public_key_identifier_length
The PKA_public_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the PKA_public_key_identifier variable. The maximum length is 3500 bytes.
PKA_public_key_identifier
The PKA_public_key_identifier parameter is a pointer to a string variable containing an internal trusted
block or an RSA key-token, or the key label of an internal trusted block or an RSA key-token or
registered RSA public-token record. For ECC, the parameter is a pointer to a string variable containing
an ECC key-token, or the key label of an ECC key-token.
hash_length
The hash_length parameter is a pointer to an integer variable containing the number of bytes of data
in the hash variable.
hash
The hash parameter is a pointer to a string variable containing the hash information to be verified.
| Required commands
| The Digital_Signature_Verify verb requires the PKA96 Digital Signature Verify command (offset X'0101') to
| be enabled in the active role.
| If you have MDC values that were generated using a release before Release 3.30.05, corrective
| action might be required before using these values with Release 3.30 (or later) to validate data
| integrity. See Related information on page 128 for detailed information.
|
|
| Use the MDC_Generate verb to create a 128-bit hash value (Modification Detection Code) on a data string
| whose integrity you intend to confirm. After using this verb to generate an MDC, you can compare the
| MDC to a known value or communicate the value to another entity so that they can compare the MDC
| hash value to one that they calculate. The MDC_Generate verb enables you to perform the following
| tasks:
| v Specify the two-encipherment or four-encipherment version of the algorithm
| v Segment your text into a series of verb calls
| v Use the default or a keyed-hash algorithm
| For a description of the MDC calculations, see Modification Detection Code calculation on page 679.
| Specifying two or four encipherments: Four encipherments per algorithm round improve security; two
| encipherments per algorithm round improve performance. To specify the number of encipherments, use
| the MDC-2, MDC-4, PADMDC-2, or PADMDC-4 keyword with the rule_array parameter. Two
| encipherments create results that differ from four encipherments; ensure that the same number of
| encipherments are used to verify the MDC.
| Segmenting text: The MDC_Generate verb lets you segment text into a series of verb calls. If you can
| present all of the data to be hashed in a single invocation of the verb (32 MB) of data), use the rule array
| keyword ONLY. Alternatively, you can segment your text and present the segments with a series of verb
| calls. Use the rule array keywords FIRST and LAST for the first and last segments. If more than two
| segments are used, specify the rule_array keyword MIDDLE for the additional segments.
| Between verb calls, unprocessed text data and intermediate information from the partial MDC calculation is
| stored in the chaining_vector variable and the MDC key in the MDC variable. During segmented
| processing, the application program must not change the data in either of these variables.
| Keyed hash: The MDC_Generate verb can be used with a default key, or as a keyed-hash algorithm. A
| default key is used whenever the ONLY or FIRST segmenting and key control keywords are used. To use
| the verb as a keyed-hash algorithm, do the following:
| 1. On the first call to the verb, place the non-null key into the MDC variable.
| 2. Ensure that the chaining_vector variable is set to null (18 bytes of X'00').
| 3. Decide if the text will be processed in a single segment or multiple segments.
| v For a single segment of text, use the LAST keyword.
| v For multiple segments of text, begin with the MIDDLE keyword and continue using the MIDDLE
| keyword up to the final segment of text. For the final segment, use the LAST keyword.
| As with the default key, you must not alter the value of the MDC or chaining_vector variables between
| calls.
Format
Parameter name Direction Data type Data length or value
CSNBMDG
return_code Input Integer See Appendix A.
reason_code Input Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
| text_length Input Integer 0
text Input String text_length bytes
rule_array_count Input Integer 0, 1, or 2
rule_array Input String array rule_array_count * 8 bytes
chaining_vector In/Output String 18 bytes
MDC In/Output String 16 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
text_length
The text_length parameter is a pointer to an integer variable containing the number of bytes of data in
the text variable. See Restrictions.
text
The text parameter is a pointer to a string variable containing the text for which the verb calculates the
MDC value.
Keyword Meaning
Segmenting and key control (one, optional)
ONLY Specifies that segmenting is not used and the default key is used. This is the
default.
FIRST Specifies the first segment of text, and use of the default key.
MIDDLE Specifies an intermediate segment of text, or the first segment of text and use of a
user-supplied key.
LAST Specifies the last segment of text, or that segmenting is not used, and use of a
user-supplied key.
Algorithm mode (one, optional)
MDC-2 Specifies two encipherments for each 8-byte block using MDC procedures. This is
the default.
MDC-4 Specifies four encipherments for each 8-byte block using MDC procedures.
PADMDC-2 Specifies two encipherments for each 8-byte block using PADMDC procedures.
PADMDC-4 Specifies four encipherments for each 8-byte block using PADMDC procedures.
chaining_vector
The chaining_vector parameter is a pointer to an 18-byte string variable the security server uses as a
work area to hold segmented data between verb invocations.
Important: When segmenting text, the application program must not change the data in this string
between verb calls to the MDC_Generate verb.
MDC
The MDC parameter is a pointer to a user-supplied MDC key or to a 16-byte string variable containing
the MDC value. This value can be the key that the application program provides. This variable is also
used to hold the intermediate MDC result when segmenting text.
Important: When segmenting text, the application program must not change the data in this string
between verb calls to the MDC_Generate verb.
Required commands
The MDC_Generate verb requires the Generate MDC command (offset X'008A') to be enabled in the
active role.
Related information
In releases before Release 3.30, it was discovered that the MDC_Generate verb produced incorrect MDC
values under certain conditions. If you have any MDC values generated using Release 3.30.04 or earlier,
read this section to determine what conditions produce incorrect MDC values. If necessary, take corrective
action as described below.
Audience: If you are an IBM System i, System p, or System x customer of the IBM CCA Support
Program who generated MDC values using the MDC_Generate (CSNBMDG) verb with Release 3.30.04 or
earlier, please read the following important information related to the integrity of your data.
Terminology: The following terminology is used to describe the conditions that produce incorrect MDC
values:
v Total text length (TTL). TTL is the total number of text bytes processed to calculate a final MDC value.
v Running text length (RTL). RTL is the total number of text bytes processed by all previous calls used to
calculate a final MDC value.
v Carryover length (COL). COL is the number of text bytes that could not be processed in the previous
call. The COL can range from 0 to 15 bytes and is stored in the chaining vector between calls.
v New text length (NTL). NTL is the carryover length plus the text length for the current call.
Notes:
1. An intermediate MDC calculation always operates on 8 bytes of text at a time. Any remaining text that
is not a multiple of 8 bytes gets passed in the chaining vector as carryover text.
2. A call with keyword FIRST must have a text length greater than or equal to 16 in order to calculate an
intermediate MDC value. If the text length is greater than or equal to 16, the COL is calculated as text
length modulo 8, otherwise the COL equals the text length. Any carryover text bytes get passed in the
chaining vector as carryover text to the next segment call.
3. A call with keyword MIDDLE calculates an intermediate MDC value if the text bytes to process (COL
plus text length) are greater than or equal to 16. If COL plus text length is less than 16, the text bytes
are carried over to the next call in the chaining vector. MIDDLE calls process text in multiples of 8 (for
example, 16, 24, 32). As with FIRST, the remaining text bytes (NTL modulo 8) get passed in the
chaining vector as carryover text to the next segment call.
4. An MDC value is final when calculated by keywords ONLY or LAST.
Examples:
1. Assume a text length of 19 for FIRST, 6 for MIDDLE, and 10 for LAST.
TTL = 19 + 6 + 10 = 35 bytes.
When FIRST is called, 16 of the 19 text bytes will be processed to produce an intermediate MDC. The
remaining 19 - 16 = 3 text bytes will be placed in the chaining vector.
When MIDDLE is called, RTL = 19, COL = 19 - 16 = 3, and NTL = COL + text length = 3 + 6 = 9 bytes
to process.
After the MIDDLE call completes, RTL = 19 + 6 = 25 and COL = 25 - 16 = 9. Because 16 bytes are
not available to be processed, the 9 text bytes will be placed in the chaining vector as carryover text.
LAST will process COL + text length = 9 + 10 = 19 bytes. The NTL for the LAST call is 19 bytes. If the
TTL is not a multiple of 8, use of a PADMDC-2 or PADMDC-4 method is required.
2. Assume a text length of 19 for FIRST, 25 for MIDDLE, and 12 for LAST.
TTL = 19 + 25 + 12 = 56 bytes.
When FIRST is called, 16 of the 19 text bytes will be processed to produce an intermediate MDC. The
remaining 19 - 16 = 3 text bytes will be placed in the chaining vector.
When MIDDLE is called, RTL = 19, COL = 19 - 16 = 3, and NTL = COL + text length = 3 + 25 = 28
bytes to process.
After the MIDDLE call completes, RTL = 19 + 25 = 44, COL = 28 modulo 8 = 4, and 28 4 = 24 bytes
will be used to produce an intermediate MDC. The 4 text bytes will be placed in the chaining vector as
carryover text.
LAST will process COL + text length = 4 + 12 = 16 bytes. The NTL for the LAST call is 16 bytes.
These text bytes will be used to produce the final MDC value.
WARNING: The integrity of any data processed up to the time that the intermediate MDC value is lost
cannot be confirmed.
Example:
MDC-2, MDC-4, PADMDC-2, or PADMDC-4
FIRST text length = 19, MIDDLE text length = 6, LAST text length greater than or equal to 0, an
incorrect MDC value is calculated.
Corrective action:
None. The intermediate MDC value calculated when keyword FIRST was used to process the 16 bytes
of text is lost. The integrity of these first 16 bytes of data cannot be confirmed.
Scenario 2 (pre-Release 3.30)
Error type: Padding error related to segmenting.
Keywords affected:
v Algorithm PADMDC-2, PADMDC-4
v Segmenting and key control LAST
The MDC value is calculated incorrectly whenever:
v LAST text length is equal to 0 and
v TTL is greater than or equal to 16 and
v TTL modulo 8 is equal to 0
Under the above conditions, 16 bytes of padding are incorrectly added to the text instead of the
required 8 bytes of padding.
Example:
PADMDC-2 or PADMDC-4
FIRST text length = 16, LAST text length = 0, an incorrect MDC value is calculated.
Corrective action:
Prior to migrating to Release 3.30.05 or later, recalculate each MDC value in the same manner used to
calculate the existing MDC value. If the newly calculated MDC value matches the older MDC value,
data integrity is confirmed. After all MDC values have been confirmed, migrate to the latest release and
recalculate each MDC value. Replace the old MDC values with the new ones.
Scenario 3 (pre-Release 3.30)
Error type: Padding error, not segmenting related.
Release 3.30.04 only problems: The following scenarios describe different situations where the
MDC_Generate (CSNBMDG) verb was found to produce incorrect MDC values. These scenarios apply to
Release 3.30.04 only.
Scenario 1 (Release 3.30 only)
Error type: Segmentation error, not padding related.
Keywords affected:
v Algorithm MDC-2, MDC-4, PADMDC-2, PADMDC-4
v Segmenting and key control MIDDLE
The MDC value is calculated incorrectly whenever:
v RTL is greater than or equal to 16 and
v MIDDLE is called with COL plus text length less than 16 and
v MIDDLE is called again
Under the above conditions, the first MIDDLE call causes a subsequent MIDDLE call to lose the
intermediate MDC value passed to it on input.
WARNING: The integrity of any data processed up to the time that the intermediate MDC value is lost
cannot be confirmed.
Example:
MDC-2, MDC-4, PADMDC-2, or PADMDC-4
FIRST text length = 19, MIDDLE text length = 6, subsequent MIDDLE and LAST text length greater
than or equal to 0, an incorrect MDC value is calculated. The intermediate MDC value calculated when
FIRST processed the 16 bytes of text is lost.
Corrective action:
None. The intermediate MDC value calculated when keyword FIRST was used to process the 16 bytes
of text is lost. The integrity of these first 16 bytes of data cannot be confirmed.
Scenario 2 (Release 3.30 only)
Error type: Padding error related to segmenting.
Keywords affected:
Provide all of the data to be hashed in a single call to the verb or provide the data to be hashed using
multiple calls. The keywords that you supply in the rule_array determine your intention.
For the MD5 and RIPEMD-160 hash algorithms, the verb hashes the text strings using software in the host
computer. For all of the other hash algorithms, the verb hashes the text strings using the coprocessor
hardware.
Note: Hashing can also be performed using the MDC_Generate (CSNBMDG) verb for the MDC-2,
MDC-4, PADMDC-2, and PADMDC-4 algorithm modes.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v If FIRST or MIDDLE calls are made, the text size must be greater than zero and a multiple of the
algorithm block size: 64 bytes.
v This verb requires that text to be hashed be a multiple of eight bits aligned in bytes. Only data that is a
byte multiple can be hashed.
| v Hash methods SHA-224 and SHA-256 are not supported in releases before Release 3.30.
| v Hash methods SHA-384 and SHA-512 are not supported in releases before Release 4.0.
Format
Parameter name Direction Data type Data length or value
CSNBOWH
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
text_length Input Integer
text Input String text_length bytes
chaining_vector_length Input Integer 128
chaining_vector In/Output String chaining_vector_length bytes
hash_length In/Output Integer 64
hash In/Output String hash_length bytes
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1 or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are shown below:
Keyword Meaning
Hash method (one required)
MD5 Specifies the use of the MD5 method.
RPMD-160 Specifies the use of the RIPEMD-160 method.
SHA-1 Specifies the use of the SHA-1 method.
SHA-224 Specifies the use of the SHA-224 method. Release 3.30 or later.
SHA-256 Specifies the use of the SHA-256 method. Release 3.30 or later.
SHA-384 Specifies the use of the SHA-384 method. Release 4.0 or later.
SHA-512 Specifies the use of the SHA-512 method. Release 4.0 or later.
Segmenting control (one, optional)
FIRST Specifies the first in a series of calls to compute the hash; intermediate results are
stored in the hash variable.
MIDDLE Specifies that this is not the first nor the last in a series of calls to compute the
hash; intermediate results are stored in the hash variable.
LAST Specifies the last in a series of calls to compute the hash; intermediate results are
retrieved from the hash variable.
ONLY Specifies that this is the only call made to compute the hash. This is the default.
text_length
The text_length parameter is a pointer to an integer variable containing the number of bytes of data in
the text variable. The maximum length on IBM i systems is 64 MB 64 bytes, and on the other
systems is 32 MB 64 bytes.
Restriction: If FIRST or MIDDLE calls are made, the text size must be a multiple of the algorithm
block-size.
text
The text parameter is a pointer to a string variable containing the data on which the hash value is
computed.
chaining_vector_length
The chaining_vector_length parameter is a pointer to an integer variable containing the number of
bytes of data in the chaining_vector variable. The value must be 128.
chaining_vector
The chaining_vector parameter is a pointer to a string variable containing a work area used by this
verb. Application programs must not alter the contents of this variable between related FIRST,
MIDDLE, and LAST calls.
Beginning with Release 4.0, on output, this variable contains the number of bytes of data returned by
the verb in the hash variable.
hash
The hash parameter is a pointer to a string variable containing the hash value returned by the verb.
With use of the FIRST or MIDDLE keywords, the hash variable receives intermediate results.
Required commands
The One_Way_Hash verb requires the following commands to be enabled in the active role.
| The following table lists the basic AES, DES, and HMAC key-management verbs. See AES, DES, and
| HMAC key-management verbs on page 197 for a detailed description of the verbs. For information on
| TR-31 keys and the verbs used to perform basic symmetric-key management of the TR-31 DES functions,
| see Chapter 9, TR-31 symmetric-key management, on page 499, which is an extension of this chapter.
Table 16. Basic AES and DES key-management verbs
Service
Verb Page Service Entry point location
Clear_Key_Import 198 Enciphers a clear DES key under the DES master-key, and CSNBCKI E
updates or creates an internal fixed-length DES key-token for
a DATA key.
Control_Vector_Generate 200 Builds a DES control vector from keywords. CSNBCVG S
Control_Vector_Translate 203 Changes the control vector associated with a key in an CSNBCVT E
external fixed-length DES key-token.
Cryptographic_Variable_Encipher 205 Encrypts modest quantities of data using a unique key-class, CSNBCVE E
CVARENC. The service is used to prepare the mask-array
variables for the Control_Vector_Translate verb.
Data_Key_Export 207 Exports a DES DATA key and creates an external fixed-length CSNBDKX E
DES key-token that contains a null control vector.
Data_Key_Import 209 Imports a DES DATA key from an enciphered key or an CSNBDKM E
external fixed-length DES key-token into an internal
fixed-length DES key-token. An internal fixed-length DES
DATA key-token is either created or updated.
Diversified_Key_Generate 211 Generates a DES key, based on supplied information and a CSNBDKG E
key-generating key contained in an internal fixed-length DES
key-token. The generated key is stored into a suitable internal
fixed-length DES key-token.
| EC_Diffie-Hellman (Rel. 4.2 or 217 Creates a shared symmetric key with a pair of ECC (Elliptic CSNDEDH E
| later) Curve Cryptography) keys using the ECDH (Elliptic Curve
| Diffie-Hellman) protocol and the ANS X9.63 protocol static
| unified model key-agreement scheme.
Key_Encryption_Translate 224 Translates an encrypted fixed-length DES DATA key with an CSNBKET E
all-zero control vector from ECB mode to CBC mode, or from
CBC mode to ECB mode.
Key_Export 227 Exports a DES key and creates an external fixed-length DES CSNBKEX E
key-token.
137
Table 16. Basic AES and DES key-management verbs (continued)
Service
Verb Page Service Entry point location
Key_Generate 229 Generates a random AES or DES key or a random DES key CSNBKGN E
pair, enciphers the key, and updates or creates one or two
internal or external fixed-length DES key tokens.
| Key_Generate2 (Rel. 4.1 or later) 239 Generates a random AES or HMAC key, enciphers the key, CSNBKGN2 E
| and updates or creates one or two external or internal
| variable-length symmetric key tokens.
Key_Import 245 Imports a DES key from an enciphered key or an external CSNBKIM E
fixed-length DES key-token into an internal fixed-length DES
key-token. The internal fixed-length DES key-token is either
created or updated.
Key_Part_Import 247 Accumulates one or more parts of a DES key from CSNBKPI E
clear-key-part data and any previously accumulated key parts
recovered from an internal fixed-length DES key-token. The
user-provided and recovered clear key parts are
exclusive-ORed together and then encrypted using an internal
fixed-length DES key-token, either as a partial key or as the
final key.
| Key_Part_Import2 (Rel. 4.1 or 251 Accumulates one or more parts of an AES or HMAC key from CSNBKPI2 E
| later) clear-key-part data and any previously accumulated key parts
| recovered from an internal variable-length symmetric
| key-token. The user-provided and recovered clear key parts
| are exclusive-ORed together and then encrypted using an
| internal variable-length symmetric key-token, either as a partial
| or as the final key.
Key_Test 256 Generates or verifies the value of either an AES, APKA, DES, CSNBKYT E
or PKA master key register, a clear or encrypted AES key or
key part, or a clear or encrypted DES key or key part. A clear
AES key or key part can optionally be in an internal
fixed-length AES key-token. A clear DES key or key part
cannot be in a key token.
| Key_Test2 (Rel. 4.1 or later) 261 Generates or verifies the value of a clear or encrypted key or CSNBKYT2 E
| key part contained in an external or internal variable-length
| symmetric key-token, or a DES key or key part wrapped in an
| external TR-31 key block.
Key_Test_Extended 265 Same as Key_Test, except that in addition, CSNBKYTX E
Key_Test_Extended operates on an external DES key or key
part, and supports only clear keys that are contained in an
internal fixed-length AES key-token.
Key_Token_Build 270 Assembles an internal fixed-length AES key-token or an CSNBKTB S
external or internal fixed-length DES key-token from the
information provided.
Key_Token_Build2 (Rel. 4.1 or 275 Assembles an external or internal variable-length symmetric CSNBKTB2 S
later) key-token from the information provided.
Key_Token_Change 279 Reenciphers or reformats the key contained in an internal CSNBKTC E
fixed-length AES or DES key-token. Reencipher first recovers
the key from under the old master-key, then enciphers it under
the current master-key. Reformat is used to change the
key-wrapping method either to legacy ECB (WRAP-ECB) or
enhanced (WRAP-ENH). It recovers the key from under the
old or current master-key as needed, then reenciphers the key
using the same master key and specified key-wrapping
method.
Key_Token_Change2 (Rel. 4.1 or 281 Reenciphers the AES or HMAC key in an internal fixed or CSNBKTC2 E
later) variable-length symmetric key-token from encipherment under
the old AES symmetric master-key to the current AES
symmetric master-key.
Key_Token_Parse 283 Parses an external or internal fixed-length DES key-token and CSNBKTP S
provides the parsed information as individual variables.
The DES algorithm operates on 64 data-bits at a time: eight bytes of 8-bit-per-byte data. The results
produced by the algorithm are controlled by the value of a key that you supply. Each byte of the key
contains 7 bits of key information plus a parity bit (the low-order bit in the byte). The parity bit is set so that
there is an odd number of one bits for each key byte. The parity bits do not participate in the DES
algorithm.
| The HMAC algorithm operates on 64 data-bits at a time, and uses a key size of 80 - 2048 bits. There are
| no parity bits.
| The AES, DES, and HMAC algorithms are not secret. However, by using a secret key, the AES and DES
| algorithms can produce ciphertext that is impossible, for all practical purposes, to decrypt without knowing
| the secret key. The HMAC algorithm can produce a keyed hash MAC that can be used to authenticate
| both the source of a message and its integrity, provided that the key used is kept secret. The requirement
| to keep a key secret, and to have the key available at specific places and times, produces a set of
| activities known collectively as key management.
| Because the secrecy and reliability of AES-based, DES-based, and HMAC-based cryptography is strongly
related to the secrecy, control, and use of symmetric keys, the following aspects of key management are
important:
Securing a cryptographic facility or process
The hardware provides a secure, tamper-resistant environment for performing cryptographic
Your application programs should provide procedures to perform the following key-management activities:
v Generating and periodically replacing keys. A key should be used for a very limited period of time. This
might minimize the resulting damage should an adversary determine the value of a key.
v Archiving keys.
v Destroying keys and media used to distribute keys.
v Auditing the key generation, distribution, installation, archiving, and destruction processes.
v Reacting to unusual occurrences in the key-management process.
v Creating key-management controls.
Before an AES key or an HMAC key is removed from a CCA cryptographic facility for storage in AES
| key-storage or application storage, the key can be enciphered under a 256-bit AES master-key, or it can
| be formatted and enciphered under an RSA public-key.
Before a DES key is removed from a CCA cryptographic facility for storage in DES key-storage or in
application storage, the key is multiply-enciphered under a master key or another key-encrypting key. The
DES master key is a triple-length key composed of three 56-bit DES keys. The first and the second parts
of a DES master key (each 56-bit component) are required to be unique. For compatibility, the third part
can be the same as the first part, thus creating an effective double-length DES master-key.
| An AES key-encrypting key was introduced to CCA beginning with Release 4.2. AES KEKs are contained
| in a variable-length symmetric key-token. They can have a key length of 128, 192, or 256 bits.
An internal fixed-length or variable-length symmetric key-token can have no key, a partial key, or a
complete key. An exception to this is a fixed-length AES key-token, which cannot have a partial key. A
complete key that is enciphered under the master key is an operational key. The key is operational
because a cryptographic facility can use the master key to decipher it to obtain the original key-value. A
key that is enciphered under a KEK (other than the master key) is called an external key. Two types of
external symmetric keys are used at a cryptographic node:
| v An importable key (IM) is enciphered under an operational key-encrypting key (KEK) whose control
| vector or key usage attributes provide key-importing authority.
| v An exportable key (EX) is enciphered under an operational KEK whose control vector or key usage
| attributes provide key-exporting authority.
To thwart possible ECB-mode attacks, CCA has added support to more securely wrap Triple-DES keys.
The enhanced Triple-DES key-wrapping method complies with current cryptographic standards. This more
secure key-wrapping method is called the enhanced or WRAP-ENH method. The original method, which
uses Triple-DES with ECB mode, is called the legacy or WRAP-ECB method. Support for the enhanced
method is available beginning with Release 4.1. Due to the nature of the key bundling requirement,
single-length DES keys are not subject to the same security exposure as Triple-DES keys. For this reason,
the enhanced method will not be used to wrap single-length DES keys.
The added support made available for wrapping Triple-DES keys using the enhanced method attempts to
account for various key-exchange topology and exchange partners coping with importing and exporting
both legacy-wrapped keys and enhanced-wrapped keys. It also accounts for security of the system as well
as operational needs, including various enterprises requiring any combination of systems that have their
Triple-DES keys wrapped in only the legacy method, only the enhanced method, or both.
The following sections describe how the legacy and enhanced Triple-DES key wrapping methods work,
and how to use each verb to control which key-wrapping method is used.
Refer to Figure 4 on page 144. Internal and external DES key tokens each have their own coprocessor
configuration setting for the default key-wrapping method. When a coprocessor is initialized, CCA sets to
legacy (WRAP-ECB) the default key-wrapping methods for internal and external DES keys. Specify the
rule-array keyword CHGKEYWR to the Cryptographic_Facility_Control (CSUACFC) verb when a change of
default key-wrapping method is required. The verb_data variable for the CHGKEYWR operation
determines what setting is changed. and has four valid values as shown in Figure 4 on page 144. Each of
the four values of the verb_data variable requires its own access-control point to be enabled in the active
role.
Use the Cryptographic_Facility_Query (CSUACFQ) verb with rule-array keyword WRAPMTHD to obtain
the default key-wrapping configuration options for both internal and external DES keys.
DES flag byte 2: DES key tokens now have a flag byte 2 defined. This flag byte is used to support the
addition of a second key-wrapping method. It serves to distinguish between a key that has been wrapped
by the legacy method and one that has been wrapped by the enhanced method. See the structures
defined for DES internal and external key-tokens in Fixed-length DES key tokens on page 580. Also see
Table 92 on page 583 for a layout of flag byte 2. Notice that the flag byte has three integral bits defined
that differentiate the key-wrapping method for a given DES encrypted key. The bit pattern B'000x xxxx'
indicates that the key is wrapped using the legacy (WRAP-ECB) method. This value is defined so as to
not impact legacy-wrapped DES key tokens that had this byte previously reserved. Bit pattern B'001x xxxx'
indicates that the encrypted key is wrapped using the enhanced (WRAP-ENH) method.
Note: Single-length DES keys are always wrapped using the legacy method, even if flag byte 2 indicates
that it is wrapped by the enhanced method. Such a condition can occur whenever a call is made to
wrap a single-length DES key with the enhanced method. Rather than return an error, the verb
simply wraps the single-length key using the legacy method, and then marks the token as if it were
wrapped using the enhanced method.
Control vector bit 56: Control vector bit 56 has been defined to provide added control over a key that
has been wrapped using the more secure enhanced method. This bit has the designation ENH-ONLY for
"enhanced-only." See Figure 37 on page 658. A control vector with its ENH-ONLY bit set to B'1' restricts
the key from being wrapped by the weaker legacy method, after having been wrapped by the enhanced
Verbs that wrap DES keys and have a rule-array parameter can accept a translation control keyword that
causes control vector bit 56 to be turned on in any wrapped DES key tokens. The translation control
keyword and its meaning are shown in Table 17.
Table 17. DES translation control rule-array keyword
Keyword Definition
Translation control (optional). This is valid only with key-wrapping method WRAP-ENH or with USECONFG when the
default wrapping method is WRAP-ENH. This option cannot be used on a key with a control vector valued to binary
zeros. Release 4.1 or later.
ENH-ONLY Specifies to restrict the key from being wrapped with the legacy method once it has been
wrapped with the enhanced method. Set bit 56 (ENH-ONLY) of the control vector to B'1'.
Verbs that wrap DES keys and do not accept rule-array keywords must provide a skeleton key-token that
has the desired translation-control value already set in control vector bit 56. To build a skeleton key-token
that has the ENH-ONLY bit on, you can use the Key_Token_Build (CSNBKTB) verb with translation-control
keyword ENH-ONLY.
Notes:
1. When no key-wrapping method keyword is used, wrapping of the DES key is based on the
coprocessor configuration setting (USECONFG).
2. To use WRAP-ECB when the current default key-wrapping method configuration setting is
WRAP-ENH, the active role must have the verb-specific Allow Configuration Override with Keyword
command enabled.
3. To use WRAP-ENH when the current default key-wrapping method configuration setting is
WRAP-ECB, the active role must have the verb-specific Allow Configuration Override with Keyword
command enabled.
See Table 19 on page 147. These verbs always use the contents of their rule array to determine the
method of key wrapping. An exception is the Control_Vector_Translate (CSNBCVT) verb, which has a
rule-array parameter but does not accept key-wrapping method keywords. This verb takes its key-wrapping
method from flag byte 2 of the target key-token.
See Table 19 on page 147. If the target key-token is null, these verbs wrap the target key based on the
configuration default DES key-wrapping method. Otherwise, the target key is wrapped with the method
from flag byte 2 of the target key-token. You can use the Key_Token_Build (CSNBKTB) verb with
key-wrapping method keyword WRAP-ECB or WRAP-ENH to build such a token.
Another verb that bases its key-wrapping method on the contents of the target key-token is the
Control_Vector_Translate (CSNBCVT) verb. This verb has a rule array parameter, but does not support
key-wrapping method keywords. Instead, it always wraps the target key based on the method assigned in
flag byte 2 of the target key-token.
Note: Fixed-length AES keys are all DATA keys, and are not designed for specific purposes. If a
| fixed-length AES key has a control vector present, the control vector must be binary zeros.
| A control vector is cryptographically associated with a fixed-length DES key by being exclusive-ORed with
a DES master key or other DES key-encrypting key to form a key that is used to multiply-encipher or
multiply-decipher the DES key being associated with the control vector. This permanently binds the type
and use of the key to the key. Any change to the original control vector would result in later recovering an
altered key-value. If the control vector used to decipher a key is different from the control vector that was
used to encipher the same key, the correct clear key cannot be recovered. The key-encipherment
processes are described in detail at Understanding DES and RSA key encryption and decryption
processes on page 671.
After a DES key is multiply-enciphered, the originator of the key can ensure that the intended use of the
key is preserved by giving the key-encrypting key only to a system that implements the CCA control-vector
design and that is managed by an audited organization.
PIN keys and DES key-encrypting keys in CCA are double-length DES keys. A double-length DES key
consists of two (single-length) 56-bit DES keys that are used together as one key. The first half (left half)
of a double-length key, and all of a single-length key, are multiply-enciphered using the exclusive-OR of
the encrypting key and the control vector. The second half (right half) of a double-length key is
multiply-enciphered using the exclusive-OR of the encrypting key and a modification of the control vector;
the modification consists of the reversal of control vector bits 41 and 42.
Appendix C, CCA control-vector definitions and key encryption provides detailed information about the
construction of a control-vector value and the process for encrypting a CCA DES-key.
Figure 5 on page 149 shows the flow of cryptographic command processing in a cryptographic facility.
These keys are used to cipher text. In operational form and in external form, these keys are associated with a control
vector.
CIPHER Encipher, Decipher
ENCIPHER Encipher
DECIPHER Decipher
MAC class (data operation keys)
These keys are used to generate and verify a message authentication code (MAC). In operational form and in
external form, these keys are associated with a control vector.
MAC CVV_Generate, CVV_Verify, MAC_Generate, MAC_Verify,
Transaction_Validation
MACVER CVV_Verify, MAC_Verify, Transaction_Validation
DATA class (data operation keys)
These keys are used to cipher text and to produce and verify message authentication codes. In operational form,
these keys are always associated with a control vector. In external form, the DATA key-type keys are not usually
associated with a control vector.
DATA CVV_Generate, CVV_Verify, Encipher, Decipher, MAC_Generate, MAC_Verify
DATAC Encipher, Decipher
DATAM MAC_Generate, MAC_Verify
DATAMV MAC_Verify
Secure-messaging class (data operation keys)
These keys are used to encrypt keys or PINs. They are double-length keys. In operational form and in external form,
these keys are associated with a control vector.
SECMSG Diversified_Key_Generate, Secure_Messaging_for_Keys,
Secure_Messaging_for_PINs
Key-encrypting key class
These keys are used to cipher other keys. They are double-length keys. In operational form and in external form,
these keys are associated with a control vector.
EXPORTER Control_Vector_Translate, Data_Key_Export, Key_Encryption_Translate,
Key_Export, Key_Generate, Key_Translate, PKA_Key_Generate,
Remote_Key_Export, Secure_Messaging_for_Keys, Symmetric_Key_Generate
IMPORTER Control_Vector_Translate, Data_Key_Import, Key_Encryption_Translate,
Key_Generate, Key_Import, Key_Translate, PKA_Key_Generate,
PKA_Key_Import, Remote_Key_Export, Secure_Messaging_for_Keys,
Symmetric_Key_Generate
IMP-PKA PKA_Key_Import, Remote_Key_Export, Trusted_Block_Create
IKEYXLAT, OKEYXLAT Control_Vector_Translate, Key_Translate
These keys are used in the various financial-PIN processing commands. They are double-length keys. In operational
form and in external form, these keys are associated with a control vector.
PINGEN Clear_PIN_Generate, Clear_PIN_Generate_Alternate, Encrypted_PIN_Generate,
Encrypted_PIN_Verify
PINVER Encrypted_PIN_Verify
IPINENC Clear_PIN_Generate_Alternate, Encrypted_PIN_Translate,
Encrypted_PIN_Verify, PIN_Change/Unblock, Secure_Messaging_for_PINs
OPINENC Clear_PIN_Encrypt, Encrypted_PIN_Generate, Encrypted_PIN_Translate,
PIN_Change/Unblock
Key-generating-key class
These keys are used to derive keys. They are double-length keys. In operational form and external form, these keys
are associated with a control vector.
KEYGENKY Diversified_Key_Generate, Encrypted_PIN_Translate, Encrypted_PIN_Verify
DKYGENKY Diversified_Key_Generate, PIN_Change/Unblock
Cryptographic-variable class
These keys are used in the special verbs that operate with cryptographic variables and are single-length keys. In
operational form and in external form, these keys are associated with a control vector.
CVARENC Cryptographic_Variable_Encipher
CVARXCVL Control_Vector_Translate
CVARXCVR Control_Vector_Translate
By differentiating keys with a control vector, a given key-value can be multiply-enciphered with different
control vectors so as to impart different capabilities to copies of the key. This technique creates DES keys
having an asymmetric property.
Symmetric DES keys
A symmetric DES key can be used in two related processes. The cryptographic facility can interpret
the following key types as symmetric:
v CIPHER and DATA. A key with these key types can be used to both encipher and decipher data.
Note: Uppercase letters are used for DATA to distinguish the meaning from a more general sense
in which the term data keys means keys used for ciphering and for MAC. In this document,
DATA means keys with control vector bits 8 -15 valued to X'00'.
v MAC. A key with this key type can be used to create a message authentication code (MAC) and to
verify a trial MAC
Asymmetric DES keys
An asymmetric DES key is a key in a key pair in which the keys are used as opposites.
v ENCIPHER and DECIPHER. Used to only encrypt data versus only to decrypt data.
v MAC and MACVER. Used in generating (and verifying) a MAC versus only verifying a MAC.
v PINGEN and PINVER. Used in generating (and verifying) a personal identification number (PIN)
versus only verifying a PIN.
v OPINENC and IPINENC. Used to only encrypt a PIN block versus only to decrypt a PIN block.
Similarly, these unusual DES key types are paired for other opposite purposes:
v CVARENC and CVARXCVL
v CVARENC and CVARXCVR
Depending on the key type, a DES key can be single or double in length. A double-length key that has
different values in its left and right halves greatly increases the difficulty for an adversary to obtain the
clear value of the enciphered quantity. A double-length key that has the same values in its left and right
halves produces the same results as a single-length key and therefore has the strength of a single-length
key. See Table 22 on page 150 for a list of verbs that can use each data type.
Some verbs can create a default control-vector for a DES key type. For information about the values for
these control vectors, see Appendix C, CCA control-vector definitions and key encryption.
| Beginning with Release 4.1, CCA added support for HMAC keys in a newly defined variable-length
| symmetric key-token. This key token consists of a header, a wrapping information section, an associated
| data section, and an optional payload. See Variable-length symmetric key-token on page 614.
| If a payload is not present, the key token is a skeleton. A skeleton key-token does not contain a key. To
| build a skeleton key-token, use the Key_Token_Build2 verb and specify the desired key attributes. After it
| is built, use this key token as input to the Key_Generate2 verb or Key_Part_Import2 verb. These verbs
| update the key token with an enciphered key or key part. The Key_Token_Build2 verb can also build a key
| token that contains a clear key.
| If a payload is present in a variable-length symmetric key-token, it contains key material. The key material
| can be clear or encrypted. Not all key types support a clear key. If the key material is in the clear, the
| payload contains only the key. If the key material is encrypted, the payload contains the key and other
| information, including a hash of the associated data section. The enciphered hash value securely binds the
| unencrypted associated data to the key.
| The associated data section contains fields for type of algorithm for which the key can be used, key type,
| key usage, and key management. In addition to the algorithm and key type, the values of the key-usage
| and key-management fields further restrict the use of a key. Key usage and key management restrictions
| can be varied by using keywords when constructing a variable-length symmetric key-token with the
| Key_Token_Build2 verb. It is also possible to manually construct a variable-length symmetric key-token
| that is a skeleton or that contains a clear key.
| Beginning with release 4.2, CCA extended support for AES keys in the same variable-length symmetric
| key-token defined with Release 4.1. A variable-length HMAC key-token can have a key type of CIPHER,
| EXPORTER, or IMPORTER:
| v A CIPHER key can be used by the Symmetric_Algorithm_Decipher and Symmetric_Algorithm_Encipher
| verbs to decipher or encipher data using the AES algorithm.
| v An EXPORTER key can be used by the Symmetric_Key_Export verb to export an AES or HMAC key
| contained in an internal variable-length symmetric key-token, wrapped using the AESKW key-formatting
| method, and encrypted under the AES master-key, and return the key in an external variable-length
| symmetric key-token using key-formatting method AESKW, encrypted under an AES EXPORTER
| key-encrypting key.
| v An IMPORTER key can be used by this verb:
| The Symmetric_Key_Import2 verb can use an AES IMPORTER key-encrypting key to import an AES
| or HMAC key contained in an external variable-length symmetric key-token, wrapped using either the
| AESKW key-formatting method, and rewrap the key under the AES master-key in an internal
| variable-length symmetric key-token using key-formatting method AESKW.
| v An EXPORTER or IMPORTER key can be used by these verbs:
| The Key_Generate2 verb can use operational AES EXPORTER and IMPORTER key-encrypting keys
| to wrap external keys in a variable-length symmetric key-tokens.
| The Key_Test2 verb can use an AES EXPORTER or IMPORTER key-encrypting key to test the
| value of a key or key part contained in an external variable-length symmetric key-token.
| The Key_Translate2 verb can use AES EXPORTER and IMPORTER key encrypting keys to reformat
| or translate an AES or HMAC key contained in an external variable-length symmetric key-token into
| a different external variable-length symmetric key token.
| The Restrict_Key_Attribute verb can use an AES EXPORTER or IMPORTER key-encrypting key for
| lowering the export authority of a key in an external AES or HMAC variable-length symmetric
| key-token.
|
|
| Figure 6. Key_Token_Build2 keyword combinations for AES CIPHER keys
|
| Figure 7. Key_Token_Build2 keyword combinations for AES EXPORTER keys
|
| Figure 8. Key_Token_Build2 keyword combinations for AES IMPORTER keys
|
| Figure 9. Key_Token_Build2 keyword combinations for HMAC MAC keys
Figure 10 on page 161 shows the key-type, key subtype, and key-usage keywords that can be combined
in the Control_Vector_Generate verb and the Key_Token_Build verb to build a DES control vector. The left
column lists the key types, the middle column lists the subtype keywords, and the right column lists the
key-usage keywords that further define a control vector. Table 24 on page 162 describes the
control-vector-usage keywords.
For information about DES control-vector bits, see Appendix C, CCA control-vector definitions and key
encryption.
| SECMSGSMKEY
| DATAC SMPIN
| DATAM
| DATAMV
| KEYGENKYCLR8ENC
| IKEYXLAT UKPT
| OKEYXLAT
| IMPORTERNote 1
|
|
| OPIM
| IMEX
| IMIM
| IMPORT
| EXPORTERNote 1
|
|
| OPEX
| IMEX
| EXEX
| EXPORT
| XLATE
| PINVER
| PINGENNote 1
|
|
| CPINGEN
| CPINGENA
| EPINGEN
| EPINGENA
| EPINVER
| IPINENCNote 1 Note: NOSPEC
| is default
|
| CPINGENA NOSPEC
| EPINVER IBMPIN
| REFORMAT GBPPIN
| TRANSLAT IBMPINO NOOFFSET
| OPINENCNote 1 GBPPINO
| VISAPVV
| INBKPIN
| CPINENC Note:
| EPINGEN DOUBLE
| REFORMAT is default
| TRANSLAT
| DOUBLE
| Note 1: All keywords in the list below are KEYLN16
| defaults unless one or more keywords MIXED
| in the list are specified.
|
|
| Figure 10. Control_Vector_Generate and Key_Token_Build CV keyword combinations for fixed-length DES key tokens
A CCA variable-length symmetric key-token can contain a cleartext or enciphered key that is 80 - 2048 bits
in length, and other information pertaining to the key such as key usage and key management fields.
These key tokens can be null, internal, or external. Variable-length symmetric key tokens are not
supported in releases before Release 4.1.
A CCA fixed-length DES key-token can contain an encrypted single-length or double-length key, a control
vector, and other information pertinent to the key. DES key tokens can be null, internal, or external. An
internal key-token that is complete and ready for use is considered an operational key-token. In contrast,
an internal fixed-length DES key-token that has no control vector present, no key present, or has its
KEY-PART bit on in its control vector is not an operational key-token.
Key tokens can be stored in key storage and are accessed using a key label. The CCA API generally
permits an application to provide either a key token or a key label of an internal key-token, in which case
the parameter description is designated a key identifier. Key tokens, key labels, and key identifiers are
discussed in the following sections.
For detailed information about AES, DES, and variable-length symmetric key tokens, see Appendix B,
Data structures, on page 577.
The following describes in more detail the contents of AES and DES fixed-length key tokens:
| Key-token identifier
This identifies whether the fixed-length key token is for AES or DES. It also identifies if the key token is
an internal key-token, an external key-token, or a null key-token. AES currently does not use external
key tokens.
Flags
Flags are bit values that provide control information for using the key. For AES, the flags indicate if a
master-key verification pattern (MKVP) is present, if an enciphered or cleartext key is present, and if a
control vector (CV) is present. For DES, the flags indicate if an MKVP is present, if an enciphered key
is present, and if a CV is present. Beginning with Release 4.1, the flags also indicate the wrapping
method of the key in the key token.
LRC
| A longitudinal redundancy check is present in AES fixed-length key tokens that have an enciphered or
| cleartext key present. This checksum byte is valued to the exclusive-OR of each clear-key byte.
MKVP
A master-key verification pattern must be present if and only if the key token contains a key enciphered
You can use the Key_Token_Build verb to assemble a fixed-length internal AES or fixed-length external or
internal DES key-token, or use the Key_Token_Parse verb to disassemble a fixed-length DES key token.
| You can use the Key_Token_Build2 verb to assemble a variable-length symmetric key-token, or use the
| Key_Token_Parse2 verb to disassemble a variable-length symmetric key-token. You should keep in mind,
however, that the contents and format of key tokens are version and implementation sensitive. Key token
formats are described in Appendix B, Data structures, on page 577.
The cryptographic system uses key labels and internal and null AES key tokens as shown in Figure 12 on
page 167
|
| Figure 12. Use of fixed-length AES key tokens and key labels
The cryptographic system uses key labels and external, internal, and null fixed-length DES key tokens, as
shown in Figure 13 on page 168.
Figure 13. Use of fixed-length DES key tokens and key labels
An external fixed-length DES key-token is specified in a verb call using a key_token or key_identifier
parameter. An external key-token resides in application storage or key storage. These verbs produce or
modify an external fixed-length DES key-token:
v Control_Vector_Translate
v Data_Key_Export
v DES_Key_Record_Read
v Key_Export
v Key_Generate
v Key_Token_Build
An internal fixed-length DES key-token is specified in a verb call by using a key_token or key_identifier
parameter. These verbs produce or modify an internal fixed-length DES key-token:
v Clear_Key_Import
v Data_Key_Import
v Diversified_Key_Generate
v Key_Generate
v Key_Import
v Key_Part_Import
v Key_Token_Build
v Key_Token_Change
v Multiple_Clear_Key_Import
v Prohibit_Export
v Symmetric_Key_Generate
v Symmetric_Key_Import
Key labels
A key label serves as an indirect address for a key-token record in key storage. The security server uses a
key label to access key storage to retrieve or to store the key token. A key_identifier parameter can point
to either a key label or a key token. Key labels are discussed further at Key-label content on page 390.
Key identifiers
When a verb parameter is described as some form of a key_identifier, you can present either a key token
or a key label. The key label identifies a key-token record in key storage.
|
| Figure 14. Key-processing and key-storage verbs for keys in fixed-length AES key tokens
Figure 15 on page 172 shows DES key-processing and key-storage verbs and how they relate to key
parts, internal and external key tokens, and key storage. The Clear_Key_Import, Data_Key_Import,
CCA subsystems do not reveal the clear value of enciphered keys, and do provide significant control over
encrypted keys. Simple key-distribution is addressed by the Cryptographic Node Management (CNM)
utilitys capabilities to read and write encrypted keys from and to key storage and to process key parts with
support for dual control of the key parts. Application programs can use the key-processing and key-storage
verbs to implement a key-distribution system of your design.
Use the CNM utility, Multiple_Clear_Key_Import, Key_Test, and Key_Test_Extended verbs to install AES
keys and verify key installation. Use the CNM utility, Key_Part_Import, Clear_Key_Import,
Multiple_Clear_Key_Import, Key_Test, and Key_Test_Extended verbs to install DES keys and verify key
installation.
DES key parts are single or double in length, based on the type of key you are accumulating. Key-parts
are exclusive-ORed as they are accumulated. Thus, knowledge of a key-part value provides no knowledge
about the final key when it is composed of more than one part. An already-entered key-part is stored
outside the cryptographic facility enciphered under the DES master-key. When all the key parts are
accumulated, the KEY-PART bit (bit 44) is turned off in the DES key's control vector.
A master-part is loaded into the new-master-key register. The key part replaces the value in the
new-master-key register, or is exclusive-ORed with the existing contents of the register. In a separate
The access-control point commands to load master-key parts must be individually authorized by
appropriate bits being turned on in the active role. For AES, the commands are Load First AES Master
Key Part (offset X'0125') and Combine Intermediate AES Master Key Parts (offset X'0126'). For DES, the
commands are Load First Master Key Part (offset X'0018') and Combine Master Key Parts (offset X'0019').
| Use the Key_Test and Key_Test_Extended verbs to generate a verification pattern for AES and DES keys
| in fixed-length symmetric key tokens. For variable-length symmetric key tokens, or an external TR-31 key
| block, use the Key_Test2 verb.
| Note: Starting with Release 3.10, the Key_Test_Extended verb enables you to also operate on an
| external key.
The verification pattern can then be used to determine the equivalence of another key or a key part. An
| application program can use the Key_Test, Key_Test2, and Key_Test_Extended verbs to verify the
contents of an enciphered key, or an enciphered key-part. The CNM utility also includes services to
generate and use key and key-part verification patterns. With Release 3.10, the Key_Test and
Key_Test_Extended verbs optionally allow you to adjust the parity bits of a DES key prior to computing or
verifying the key-test pattern.
| Even though the value of the key or the key part is not known, a key, a key part, or the contents of a
| master-key register can be tested to ensure that it has a correct value. Provide the verification information
| to the individual who loads the key parts for the parts that should already be loaded. If the pattern does
| not verify, instruct the individual or application not to load an additional key part or not to set the master
| key. This procedure can ensure that only valid key parts are used.
In addition to the utilities that are supplied with the hardware, you can use the Key_Part_Import verb in an
application program to load DES keys from individual key parts.
Loading of key parts into the coprocessor with the Master_Key_Process and Key_Part_Import verbs or the
| CNM utility exposes the key parts to potential copying by unauthorized processes. If this exposure is a
| concern, randomly generate DES master keys within the coprocessor, or consider distribution of other
keys using public-key cryptographic techniques.
Note: Support for accumulating parts of an AES key is limited to the Master_Key_Process verb.
2. For DES, use the Random_Number_Generate_Long verb with the ODD rule-array keyword and a
random_number_length value of 8, 16, or 24 for the first clear key-part. For intermediate clear
key-parts, use the Random_Number_Generate_Long verb with the EVEN rule-array keyword and
the same random_number_length value. Use the Key_Part_Import verb to import parts of a
single-length or double-length cleartext key into an existing internal fixed-length DES key-token
that has the desired control vector. Use the Master_Key_Process verb to load 24-byte cleartext
parts into the DES new-master-key register.
Generate an enciphered key
| 1. For AES, use the Key_Generate or Key_Generate2 verb to generate a random AES key and
| return it in an internal fixed-length or variable-length AES key-token enciphered under the AES
| master key.
2. For DES, use the Key_Generate verb to generate a random DES key and return it in an internal
fixed-length DES key-token enciphered under the DES master key.
| 3. For HMAC, use the Key_Generate2 verb to generate a random HMAC key and return it in an
| internal variable-length HMAC key-token enciphered under the AES master-key.
4. To generate a single-length, double-length, or triple-length key enciphered under the MAC key
contained in a trusted block, use the Remote_Key_Export verb. See Generating keys with
Remote_Key_Export on page 187.
Generate an enciphered pair of keys
1. For AES fixed-length key tokens, all keys are DATA keys. Except for the AES master-key, there
are no AES key-encrypting keys. AES supports only the encryption and decryption of data. It is for
these reasons that the generation of a pair of enciphered AES keys is not supported.
2. For DES fixed-length key tokens, use the Key_Generate verb to generate a random DES key and
return two enciphered copies of the key in any combination of DES internal or external
fixed-length key tokens.
| 3. For AES or HMAC variable-length key tokens, use the Key_Generate2 verb to generate a random
| symmetric key and return two enciphered copies of the key in any combination of AES external or
| internal variable-length key tokens or HMAC external or internal variable-length key tokens.
Note: Keys can also be diversified from key-generating keys. See Diversifying DES keys on page 177.
Before generating a key, consider how the key is to be archived and recovered if unexpected events
occur. Before using the Key_Generate verb to generate a DES key, also consider the following aspects of
key processing:
v The use of the key determines the key type and can determine whether you create a fixed-length DES
key-token with the default control-vector or with your own updated control-vector that contains
non-default restrictions.
If you use Key_Generate to update a key token, first use the Control_Vector_Generate and
Key_Token_Build verbs to create the control vector and the key token, then use the Key_Generate verb
to generate the key and update the key token.
v Where and when the key is to be used determines the form of the key, whether the verb generates one
DES key or a key-pair, and whether the verb multiply-enciphers each DES key for operational, import,
or export use. The verb multiply-enciphers each key under a key that is formed by exclusive-ORing the
control vector in the new or updated key-token with one of the following keys:
The DES master key. This is the operational (OP) key form.
An IMPORTER key-encrypting key. This is the external, importable (IM) key form.
An EXPORTER key-encrypting key. This is the external, exportable (EX) key form.
If a DES key is to be used locally, it should be enciphered in the OP key form or IM key form. An IM
key form can be saved on external media and imported when its use is required. Saving a key locally in
the IM key form ensures that the key can be used if the DES master key is changed between the time
that the key was generated and the time that it is used. This enables you to maintain the IMPORTER
key-encrypting keys in operational form and to store keys that are not needed immediately on external
media.
If a DES key is to be used remotely (sent to another cryptographic node), it should be enciphered in the
EX key form under a local EXPORTER key. At the other node, the key is imported under the paired
IMPORTER key.
v Use the SINGLE keyword for a DES key that should be single length. Use the SINGLE-R keyword for a
double-length DES key that should perform as a single-length key. This is often required when such a
key is interchanged with a non-CCA system. Use the DOUBLE keyword for a double-length key.
Because the two halves are random numbers, it is unlikely that the result of the DOUBLE keyword will
produce two halves with the same 64-bit values.
A DES key that is enciphered under a key-encrypting key other than the DES master-key is called an
external key. Deciphering a DES operational key with the DES master key and enciphering the key under
a key-encrypting key is called a key-export operation. A key-export operation changes a DES operational
key to an external key and is performed in the cryptographic facility so that the clear value of the key to be
exported is not revealed.
Deciphering an external DES key with a key-encrypting key and enciphering the DES key under the local
DES master key is called a key-import operation. A key-import operation changes an external key to an
operational key.
The control vector for the transport key-encrypting key at the source node must specify the key as an
EXPORTER key. The control vector at the target node must specify the transport key-encrypting key as an
IMPORTER key. The key to be transported must be multiply-enciphered under an EXPORTER
key-encrypting key at the source node and multiply-deciphered under an IMPORTER key-encrypting key at
the target node. Figure 16 shows both the Key_Export and Key_Import operations. Data operation keys,
PIN keys, and key-encrypting keys can be transported in this manner. The control vector specifies what
kind of keys can be enciphered by a key-encrypting key. For more information, see Appendix C, CCA
control-vector definitions and key encryption, on page 655.
Use the Key_Export and Key_Import verbs to export and import keys with key types permitted by the
control vectors associated with the EXPORTER or IMPORTER keys. Users can use the Data_Key_Export
verb and the Data_Key_Import verb to export and import DATA keys. These verbs do not import and
export key-encrypting keys and PIN keys. Use the Remote_Key_Export verb to export keys with a variant
or a control vector contained in a trusted block using symmetric techniques (see Exporting DES keys with
Remote_Key_Export on page 184).
The DES key-encipherment processes are described in detail at Understanding DES and RSA key
encryption and decryption processes on page 671.
Operational DES key to DES imported | Operational
form of key be exported key form of key
at Node A at Node B
Key_Export Key_Import
Multiply- Multiply-
DES master key
decipher encipher DES master key
Exporter Multiply- Multiply- Importer
key-encrypting key
encipher decipher key-encrypting key
DES external
|key |
Several techniques for formatting the key to be distributed are in common use and are supported by the
verbs. The verbs support processing of default DATA keys. The Symmetric_Key_Generate and
Symmetric_Key_Import verbs can also be used to exchange a DES key-encrypting key. Use the
Remote_Key_Export verb to export keys with a variant or a control vector contained in a trusted block
using asymmetric techniques (see Exporting DES keys with Remote_Key_Export on page 184).
| Data keys can be exchanged with CCA and non-CCA implementations using two encryption/decryption
| schemes defined in the RSA PKCS #1 standard:
| v RSAES-OAEP. Two formatting methods are defined. One is defined in PKCS #1 v2.0, and the other is
| defined in PKCS #1 v2.1.
| v RSAES-PKCS1-v1_5 (formerly block-type 02 format). This formatting method is defined in PKCS #1
| v2.0.
Key-encrypting keys can be exchanged between CCA implementations using the PKA92 formatting
method. PKA92 is an OAEP formatting method.
The formatting methods are discussed in Formatting hashes and keys in public-key cryptography on
page 694.
In the current implementation, several methods of diversifying a key are supported: CLR8-ENC,
TDES-ENC, TDES-DEC, SESS-XOR, TDES-XOR, TDESEMV2 and TDESEMV4. The first two methods
triple-encrypt data using the generating_key to form the diversified key. The diversified key is then
multiply-enciphered by the DES master key modified by the control vector for the output key. The
TDES-DEC method is similar except that the data is triple-decrypted.
The SESS-XOR method provides a means for modifying an existing DATA, DATAC, MAC, DATAM, or
MACVER, DATAMV single-length or double-length key. The provided data is exclusive-ORed into the clear
value of the key. This form of key diversification is specified by several of the credit card associations.
The TDES-ENC and TDES-DEC methods permit the production of either another key-generating key, or a
final key. Control-vector bits 19 22 associated with the key-generating key specify the permissible type of
final key. (See DKYGENKY in Figure 37 on page 658.) Control-vector bits 12 14 associated with the
key-generating key specify if the diversified key is a final key or another in a series of key-generating keys.
Bits 12 14 specify a counter that is decreased by one each time the Diversified_Key_Generate verb is
used to produce another key-generating key. For example, if the key-generating key that you specify has
this counter set to B'010', then you must specify the control vector for the generated_key with a
DKYGENKY key type having the counter bits set to B'001' and specifying the same final key type in bits
19 22. Use of a generating_key with bits 12 14 set to B'000' results in the creation of the final key.
Thus you can control both the number of diversifications required to reach a final key, and you can closely
control the type of the final key.
The TDESEMV2, TDESEMV4, and TDES-XOR methods also derive a key by encrypting supplied data
including a transaction counter value received from an EMV smart card. The processes are described in
Note: To use AES or DES key-storage, the Compute Verification Pattern command (offset X'001D') must
first be authorized. This command is used to validate that the symmetric master-key used to
encipher keys within the key-storage file had the same value as the symmetric master-key in the
cryptographic facility when the key-storage file is opened.
These methods can also be used to transfer DES keys to another cryptographic system of any type, such
as a different kind of Hardware Security Module (HSM) in an IBM or non-IBM computer server. This
change is especially important to banks, because it replaces expensive human operations with network
transactions that can be processed quickly and inexpensively. This method supports a variety of
requirements, fulfilling the new needs of the banking community while simultaneously making significant
interoperability improvements to related cryptographic key-management functions.
For the purposes of this description, the ATM scenario will be used to illustrate operation of the new
methods. Other uses of this method are also valuable.
Remote key-loading
Remote key-loading refers to the process of installing DES encryption keys into a remotely located device
from a central administrative site. This encompasses two phases of key distributions.
v Distribution of initial key encrypting keys (KEKs) to a newly installed device. A KEK is a type of DES
encryption key that is used to encrypt other keys so they can be securely transmitted over unprotected
paths.
v Distribution of operational DES keys or replacement KEKs, enciphered under a KEK currently installed
in the device.
Once an ATM is in operation, the bank can install new keys as needed by sending them enciphered under
a KEK installed earlier. This is straightforward in concept, but the cryptographic architecture in ATMs is
often different from that of the host system sending the keys, and it is difficult to export the keys in a form
understood by the ATM. For example, cryptographic architectures often enforce key-usage restrictions in
which a key is bound to data describing limitations on how it can be used for encrypting data, for
encrypting keys, for operating on message authentication codes (MACs), and so forth. The encoding of
these restrictions and the method used to bind them to the key itself differs among cryptographic
architectures, and it is often necessary to translate the format to that understood by the target device
before a key can be transmitted. It is difficult to do this without reducing security in the system; typically it
is done by making it possible to arbitrarily change key-usage restrictions. The methods described here
provide a mechanism through which the system owner can securely control these translations, preventing
the majority of attacks that could be mounted by modifying usage restrictions.
A new data structure called a trusted block is defined to facilitate the remote key-loading methods. The
trusted block is the primary vehicle supporting these new methods.
Trusted block
The trusted block is the central data structure to support all remote key-loading functions. It provides great
power and flexibility, but this means that it must be designed and used with care in order to have a secure
system. This security is provided through several features of the design.
v Dual control is used to create a trusted block. Two separate individuals must cooperate in order to
create a usable block.
v The trusted block includes cryptographic protection that prevents any modification after it is created.
v A number of fields in the rules of a trusted block offer the ability to limit how the block is used, reducing
the risk of it being used in unintended ways or with unintended keys.
The trusted block is the enabler which requires secure approval for its creation, then enables the export or
generation of DES and TDES keys in a wide variety of forms as approved by the administrators who
created the trusted block. For added security, the trusted blocks themselves can be created on a separate
system, such as a System x server with an IBM 4764 Cryptographic Coprocessor, locked in a secure
room. The trusted block can subsequently be imported into the System z server where they will be used to
support applications.
There are two new CCA verbs to manage and use trusted blocks. They are Trusted_Block_Create
(CSNDTBC) and Remote_Key_Export (CSNDRKX). Trusted_Block_Create creates a trusted block, and
Remote_Key_Export uses a trusted block to generate or export DES keys according to the parameters in
the trusted block. The trusted block consists of a header followed by several sections. Some elements are
required, while others are optional.
Figure 17 on page 180 shows the contents of a trusted block. The elements shown in the table give an
overview of the structure and do not provide all of the details of a trusted block.
Modulus
Attributes
MAC key
MAC
MKVP
Activation/Expiration dates
Rule 1
Rule 2
Rules Rule 3
...
Rule N
Structure version information - This identifies the version of the trusted block structure. It is included so
that code can differentiate between this trusted block layout and others that could be developed in the
future.
Public key - This contains the RSA public key and its attributes. For distribution of keys to a remote ATM,
this will be the root certification key for the ATM vendor, and it will be used to verify the signature on
public-key certificates for specific individual ATMs. In this case, the trusted block will also contain rules that
will be used to generate or export symmetric keys for the ATMs. It is also possible for the trusted block to
be used simply as a trusted public key container, and in this case the public key in the block will be used
in general-purpose cryptographic functions such as digital signature verification. The public key attributes
contain information on key usage restrictions. This is used to securely control what operations will be
permitted to use the public key. If desired, the public key can be restricted to use for only digital signature
operations, or for only key-management operations.
Trusted block protection information - This section contains information that is used to protect the
trusted block contents against modification. According to the method in ISO 16609, a CBC-mode MAC is
calculated over the trusted block using a randomly-generated Triple-DES key, and the MAC key itself is
encrypted and embedded in the block. For the internal form of the block, the MAC key is encrypted with a
randomly chosen fixed-value variant of the PKA master key. For the external form, the MAC key is
encrypted with a fixed variant of a key-encrypting key. The MKVP field contains the master-key verification
Trusted block name - This field optionally contains a text string that is a name (key label) for the trusted
block. It is included in the block for use by an external system such as a host computer, and not by the
card itself. In System z, the label can be checked by RACF to determine if use of the block is authorized.
It is possible to disable use of trusted blocks that have been compromised or need to be removed from
use for other reasons by publishing a revocation list containing the key names for the blocks that must not
be used. Code in the host system could check each trusted block before it is used in the cryptographic
coprocessor, to ensure that the name from that block is not in the revocation list.
Expiration and activation dates - The trusted block can optionally contain an expiration date and an
activation date. The activation date is the first day on which the block can be used, and the expiration date
is the last day when the block can be used. If these dates are present, the date checking flag in the
trusted block will indicate whether the coprocessor should check the dates using its internal real-time
clock. In the case of a system that does set the coprocessor clock, checking would have to be performed
by an application program before using the trusted block. This is not quite as secure, but it is still valuable,
and storing the dates in the block itself is preferable to making the application store it somewhere else and
maintain the association between the separate trusted block and activation and expiration dates.
Application-defined data - The trusted block can hold data defined and understood only by the host
application program. This data is included in the protected contents of the trusted block, but it is not used
or examined in any way by the coprocessor. By including its own data in the trusted block, an application
can guarantee that the data is not changed in any way, because it is protected in the same way as the
other trusted block contents.
Rules - A variable number of rules can be included in the block. Each rule contains information on how to
generate or export a symmetric key, including values for variants to be used in order to provide keys in the
formats expected by systems with differing cryptographic architectures. Uses of the rules are described as
part of the sections covering key generation and export using the Remote_Key_Export verb. The table
below summarizes the required and optional values that are part of each rule.
The RKX key-token uses a special structure that binds the token to a specific trusted block, and enables
sequences of CSNDRKX calls to be bound together as if they were an atomic operation. This enables a
series of related key-management operations to be performed using the Remote_Key_Export verb. These
capabilities are made possible by incorporating the following three features into the RKX key-token
structure:
v The key is enciphered using a randomly-derived, fixed variant of the MAC key that is in the trusted
block. As a result, the enciphered key is protected against disclosure because the trusted block MAC
key is itself protected at all times.
v The structure includes the rule ID contained in the trusted block rule that was used to create the key. A
subsequent call to the CSNDRKX verb can use this key with a trusted block rule that references this
rule ID, effectively chaining use of the two rules together securely.
v A MAC is computed over the encrypted key and the rule ID, using the same MAC key that is used to
protect the trusted block itself. This MAC guarantees that the key and the rule ID cannot be modified
without detection, providing integrity and binding the rule ID to the key itself. In addition, the MAC will
only verify if the RKX key-token is used with the same trusted block that created the token, thus binding
the key to that specific trusted block.
The figure below shows a simplified conceptual view of the RKX key-token structure.
MAC
Administrator 1 Administrator 2
Inactive Active
This shows the two-step process which requires action by two different administrators in order to create an
external trusted block that can be used to import an internal trusted block that can be used to generate or
export DES keys according to the parameters defined in the trusted block. Trusted blocks are structures
that could be abused to circumvent security if an attacker could create them with undesirable settings, and
the requirement for two separate and properly authorized people makes it impossible for a single
dishonest employee to create such a block. A trusted block cannot be used for any operations until it is in
the active state. Any number of trusted blocks can be created in order to meet different needs of
application programs.
Active
RKX
Transport key
Validate
trusted block
Certificate
Validate parameter
against rules in
trusted block
The processing steps are simple at a high level, but there are many options and significant complexity in
the details.
v The trusted block itself is validated. This includes several types of validation.
Cryptographic validation using the MAC that is embedded in the block, in which the MAC key is
decrypted using the coprocessor's DES master key, and the MAC is then verified using that key. This
verifies that the block has not been corrupted or tampered, and it also verifies that the block is for
use with this coprocessor because it will only succeed if the master key is correct.
Consistency checking and field validation, in which the validity of the structure itself is checked, and
all values are verified to be within defined ranges.
Fields in the trusted block are checked to see if all requirements are met for use of this trusted block.
One check which is always required is to ensure that the trusted block is in the active state before
continuing. Another check, which is optional based on the contents of the trusted block, is to ensure
the operation is currently allowed by comparing the date of the coprocessor real-time clock to the
activation and expiration dates defined in the trusted block.
v Input parameters to the CSNDRKX verb are validated against rules defined for them within the trusted
block. For example:
The rule can restrict the length of the DES key to be exported.
The rule can restrict the control vector values for the DES key to be exported, so that only certain
key types can be exported with that rule.
v After the source key is decrypted, the rules embedded in the trusted block are then used to modify that
key to produce the desired output key value. For example, the trusted block can contain a variant to be
exclusive-ORed with the source key before that key is encrypted. Many non-IBM cryptographic systems
use variants to provide key separation to restrict a key from improper use.
v A key-check value (KCV) can be optionally computed for the source key. If the KCV is computed, the
trusted block allows for one of two key-check algorithms to be used:
1. Encrypting binary zeros with the key
2. Computing an MDC-2 hash of the key
The KCV is returned as an output of the CSNDRKX function.
v The source key, which could possibly be modified with a variant according to the rules in the trusted
block, is enciphered with the transport key. The rules can specify that the key be created in one of two
formats: (1) a fixed-length DES key-token, or (2) the new RKX key-token, described earlier. With proper
selection of rule options, the fixed-length DES key-token can create keys that can be used in non-CCA
systems. The key value can be extracted from the DES key-token resulting in a generic encrypted key,
with variants and other options as defined in the rule.
Two optional fields in the trusted block might modify the transport key before it is used to encrypt the
source key:
The trusted block can contain a DES control vector (CV) to be exclusive-ORed with the transport key
before that key is used to encrypt the source key. This exclusive-OR process is the standard way
CCA applies a CV to a DES key.
In addition to the CV described above, the trusted block can also contain a variant to be
exclusive-ORed with the transport key prior to its use.
If a variant and CV are both present in the trusted block, the variant is applied first, then the CV.
Active
RKX
Transport key
Validate
trusted block
Certificate
Validate parameter
against rules in
trusted block
For key generation, the CSNDRKX verb is called with the following main parameters:
v A trusted block, in the internal active state, which defines how the key generation operation is to be
processed, including values to be used for things such as variants to apply to the keys. The generated
key is encrypted by a variant of the MAC key contained in a trusted block.
v An optional public-key certificate which, if included, contains the certified public key for a specific ATM.
The certificate is signed with the ATM vendor's private key, and its corresponding public key must be
The processing steps are simple at a high level, but there are many options and significant complexity in
the details. Most of the processing steps are the same as those described above for key export.
Therefore, only those processing steps that differ are described below in detail.
v Validation of the trusted block and input parameters is done as described for export above.
v The DES or TDES key to be returned by the CSNDRKX verb is randomly generated. The trusted block
indicates the length for the generated key.
v The output key value is optionally modified by a variant as described above for export, and then
encrypted in the same way as for export using the transport key and optionally the public key in the
certificate parameter.
v The key check value (KCV) is optionally computed for the generated key using the same method as for
an exported key.
Trusted block
Transport key TBC Trusted block (external, active)
Option=ACTIVATE
Trusted block
Transport key DES-encrypted key
Source key RKX Asymmetric-encrypted key
Certificate Key check value
Importer key (if needed)
Trusted block
Transport key DES-encrypted key
Source key RKX Asymmetric-encrypted key
Certificate Key check value
Importer key (if needed)
It takes seven steps to produce these keys using the CSNDRKX verb. These steps use a combination of
five rules contained in a single trusted block. The rules in this example are referred to as GENERAT1,
GENERAT2, EXPORT1, EXPORT2, and EXPORT3.
1. Use CSNDRKX with rule ID "GENERAT1" to generate a TMK for use with the ATM. The key will be
output in two forms:
a. ePu(TMK): Encrypted under the ATM public key, supplied in the certificate parameter, CERT
b. RKX(TMK): As an RKX key-token, suitable for subsequent input to the CSNDRKX verb
2. Use CSNDRKX with rule ID "GENERAT2" to generate a key-encrypting key (KEK1) as an RKX
key-token, RKX(KEK1)
3. Use CSNDRKX with rule ID "GENERAT2" to generate a PIN key (PINKEY) as an RKX key-token:
RKX(PINKEY).
4. Use CSNDRKX with rule ID "EXPORT1 " to export KEK1 encrypted under the TMK as a fixed-length
DES key-token using a variant of zeros applied to the TMK. This produces eTMK(KEK1).
5. Use CSNDRKX with rule ID "EXPORT2 " to export PINKEY encrypted under KEK1 as a key token
using a variant of zeros applied to KEK1. This produces eKEK1(PINKEY).
6. Use CSNDRKX with rule ID "EXPORT3 " to export PINKEY under KEK2, an existing CCA
key-encrypting key on the local server. This produces eKEK2(PINKEY), with the control vector for a PIN
key.
7. Use CSNBKIM to import the PINKEY produced in step 6 into the local system as an operational key.
This produces eMK(PINKEY), a copy of the key encrypted under the local DES master key (MK) and
ready for use by CCA PIN API functions.
Following each rule section sample is a table that shows the most important inputs and outputs to the
CSNDRKX verb.
Table 26. Verb inputs and outputs for sample rule GENERAT1
CSNDRKX inputs CSNDRKX outputs
trusted_block_identifier (contains GENERAT1 rule) key_check_value (NONE)
certificate (CERT[Pu]) asym_encrypted_key [ePu(TMK)]
certificate_parms sym_encrypted_key_identifier [RKX(TMK)]
rule_id (ASCII "GENERAT1")
importer_key_identifier (NULL)
source_key_identifier (NULL)
extra_data
key_check_parameters
transport_key_identifier
Table 28. Verb inputs and outputs for sample rule GENERAT2
CSNDRKX inputs CSNDRKX outputs
trusted_block_identifier (contains GENERAT2 rule) First call:
certificate (NULL) key_check_value (NONE)
certificate_parms sym_encrypted_key_identifier [RKX(KEK1)]
rule_id (ASCII "GENERAT2") Second call
importer_key_identifier (NULL) key_check_value (NONE)
source_key_identifier (NULL) sym_encrypted_key_identifier [RKX(PINKEY)]
extra_data
key_check_parameters
transport_key_identifier
Table 30. Verb inputs and outputs for sample rule EXPORT1
CSNDRKX inputs CSNDRKX outputs
trusted_block_identifier (contains EXPORT1 rule) key_check_value (NONE)
certificate (NULL) sym_encrypted_key_identifier [CCA(eTMK(KEK1))]
certificate_parms
rule_id (ASCII "EXPORT1")
importer_key_identifier (NULL)
source_key_identifier [RKX(KEK1)]
extra_data
key_check_parameters
transport_key_identifier [RKX(TMK)]
Table 32. Verb inputs and outputs for sample rule EXPORT2
CSNDRKX inputs CSNDRKX outputs
trusted_block_identifier (contains EXPORT2 rule) key_check_value (NONE)
certificate (NULL) sym_encrypted_key_identifier [CCA(eKEK1(PINKEY))]
certificate_parms
rule_id (ASCII "EXPORT2")
importer_key_identifier (NULL)
source_key_identifier [RKX(PINKEY)]
extra_data
key_check_parameters
transport_key_identifier [RKX(KEK1)]
Security precautions
Be sure to refer to Appendix H, Observations on secure operations, on page 725.
In order to maintain a secure cryptographic environment, each cryptographic node must be audited on a
regular basis. This audit should be aimed at preventing inadvertent and malicious breaches of security.
Some of the things that should be audited are listed below:
v The same transport key should not be used as both an EXPORTER key and IMPORTER key on any
given cryptographic node. This would destroy the asymmetrical properties of the transport key.
v Enablement of the Encipher Under Master Key command (offset X'00C3') should be avoided.
v The Key_Part_Import verb can be used to enter key-encrypting keys and DES data keys into the
system. This verb provides for split knowledge (dual control) of keys by ensuring that no one person
knows the true value of a key. Each person enters part of a key and the actual key is not assembled
until the last key part is used. Neither the key nor the partial results of the key assembly appear in the
clear outside of the secure hardware. Note, however, that the clear key parts have passed through the
general purpose computer. Consider accumulating the parts on different machines or using public-key
cryptography in the key-distribution scheme.
v Be careful that the public key used in the Symmetric_Key_Generate and Symmetric_Key_Export verbs
is associated with a legitimate receiver of the exported keys.
Note: If the clear-key value does not have odd parity in the low-order bit of each byte, the reason_code
parameter presents a warning.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSNBCKI
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
clear_key Input String 8 bytes
target_key_identifier In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
clear_key
The clear_key parameter is a pointer to a string variable containing the clear value of the single-length
DES key being imported as a DATA key. The key is to be enciphered under the DES master-key.
Although not required, the low-order bit in each byte should provide odd parity for the other bits in the
byte.
target_key_identifier
The target_key_identifier parameter is a pointer to a string variable. If the input key-token in
application storage or DES key-storage is null, then a default internal fixed-length DES DATA
Required commands
The Clear_Key_Import verb requires the Encipher Under Master Key command (offset X'00C3') to be
enabled in the active role.
Note: A role with offset X'00C3' enabled can also use the Multiple_Clear_Key_Import verb with the DES
algorithm
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| Format
Parameter name Direction Data type Data length or value
CSNBCVG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_type Input String 8 bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
reserved Input String null pointer or XL8'00' variable
control_vector Output String 16 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_type
The key_type parameter is a pointer to a string variable containing a keyword for the DES key-type.
The keyword is 8 bytes in length, left-aligned, and padded on the right with space characters. Supply a
keyword from the following list:
1. CLR8-ENC must be coded in the rule array when the KEYGENKY key-type is coded.
2. SMKEY or SMPIN must be coded in the rule array when the SECMSG key-type is coded.
For definitions of these keywords, see Control vectors, key types, key-usage, and key-management
restrictions on page 147.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. For the valid combinations of keywords for the key type and the rule array, see Figure 10
on page 161. The rule_array keywords are shown below:
Notes:
1. Figure 37 on page 658 shows which control-vector bits are set for each of these keywords.
2. Most but not all key types have a default control vector. These default control vectors are shown in
Table 162 on page 657. With the exception of DATA keys, a default control vector is built whenever
no rule-array keywords are specified.
3. Figure 10 on page 161 shows the default keywords for each key type. For example, looking at
Figure 10 you can see the default rule-array keywords for a MAC or MACVER key are ANY-MAC,
SINGLE, and XPORT-OK.
4. The DATA key type has more than one default. The following describes how to build each default
DATA control vector (as shown in Table 162 on page 657):
v For internal single-length, specify no rule-array keywords, or specify SINGLE or KEYLN8.
Chapter 5. AES, DES, and HMAC symmetric-key management 201
v For internal double-length, specify DOUBLE, KEYLN16, or MIXED.
v For external single-length, use the Key_Token_Build verb and specify rule-array keywords of
EXTERNAL, DES, and either SINGLE, or KEYLN8.
v For external double-length, use the Key_Token_Build verb, specify rule-array keywords of
EXTERNAL, DES, and either DOUBLE, KEYLN16, or MIXED.
reserved
This reserved parameter is a pointer to a string variable. The parameter must either be a null pointer,
or a pointer to a variable of eight bytes of X'00'.
control_vector
The control_vector parameter is a pointer to a string variable containing the control vector returned by
the verb.
Required commands
None
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v This verb does not support version X'10' external DES key tokens (RKX key tokens).
Format
Parameter name Direction Data type Data length or value
CSNBCVT
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
KEK_key_identifier Input String 64 bytes
source_key_token Input String 64 bytes
array_key_left_identifier Input String 64 bytes
mask_array_left Input String 56 bytes
array_key_right_identifier Input String 64 bytes
mask_array_right Input String 56 bytes
rule_array_count Input Integer 0, 1, or 2
rule_array Input String array rule_array_count * 8 bytes
target_key_token In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
KEK_key_identifier
The KEK_key_identifier parameter is a pointer to a string variable containing an operational
fixed-length DES key-token or the key label of an operational fixed-length DES key-token record
containing the key-encrypting key. The control vector in the key token must specify the key type
IMPORTER, EXPORTER, IKEYXLAT, or OKEYXLAT.
Keyword Meaning
Parity adjustment (one, optional)
ADJUST Ensures that all target-key bytes have odd parity. This is the default.
NOADJUST Prevents the parity of the target key from being altered.
Key half processing mode (one, optional)
LEFT Causes an 8-byte source key, or the left half of a 16-byte source key, to be processed with the
result placed into both halves of the target key. This is the default.
RIGHT Causes the right half of a 16-byte source key to be processed with the result placed into only
the right half of the target key. The left half is copied unchanged (still encrypted) from the source
key into the left half of the target key.
BOTH Causes both halves of a 16-byte source key to be processed with the result placed into
corresponding halves of the target key. When you use the BOTH keyword, the mask array must
be able to validate the translation of both halves.
SINGLE Causes the left half of the source key to be processed with the result placed into only the left
half of the target. The right half of the target key is unchanged.
target_key_token
The target_key_token parameter is a pointer to a string variable containing an external fixed-length
DES key-token with the new control vector. This key token contains the key halves with the new
control vector.
Required commands
The Control_Vector_Translate verb requires the Translate Control Vector command (offset X'00D6') to be
enabled in the active role.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The text length must be a multiple of eight bytes.
v The minimum length of text that the security server can process is 8 bytes and the maximum is 256
bytes.
CSNBCVE
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
c-variable_encrypting_key_identifier Input String 64 bytes
text_length Input Integer
plaintext Input String text_length bytes
initialization_vector Input String 8 bytes
ciphertext Output String text_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
c-variable_encrypting_key_identifier
The c-variable_encrypting_key_identifier parameter is a pointer to a string variable containing an
operational fixed-length DES key-token or a key label of an operational fixed-length DES key-token
record. The key token must contain a control vector that specifies a CVARENC key-type.
text_length
The text_length parameter is a pointer to an integer variable containing the length of the plaintext
variable and the ciphertext variable.
plaintext
The plaintext parameter is a pointer to is a string variable containing the plaintext to be encrypted.
initialization_vector
The initialization_vector parameter is a pointer to a string variable containing the 8-byte initialization
vector the verb uses in encrypting the plaintext.
ciphertext
The ciphertext parameter is a pointer to a string variable containing the ciphertext returned by the
verb.
Required commands
The Cryptographic_Variable_Encipher verb requires the Encipher Cryptovariable command (offset X'00DA')
to be enabled in the active role.
The verb overwrites the 64-byte target_key_token variable with an external fixed-length DES key-token
that contains the source key encrypted by the fixed-length DES EXPORTER key-encrypting key. Only a
DATA key can be exported. If the source key has a control vector valued to the default DATA control
vector, the target key is enciphered without any control vector (that is, an all-zero control vector), otherwise
the source-key control vector is also used with the target key.
A key with a default, double-length DATA control-vector is exported into a version X'01' external key-token.
Otherwise, keys are exported into a version X'00' external key token.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Unless you enable the Unrestrict Data Key Export command (offset X'0277'), having replicated
key-halves is not permitted to export a key having unequal key-halves. Key parity bits are ignored.
v This verb does not support version X'10' external DES key tokens (RKX key tokens).
v When bit 40 of a control vector is on, both halves of a double-length key are guaranteed to not be
identical. If bit 40 of the control vector in the key token identified by the source_key_identifier is on, it is
a control vector violation if bit 40 of the control vector contained in the key token identified by the
exporter_key_identifier is not also on.
Format
Parameter name Direction Data type Data length or value
CSNBDKX
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
source_key_identifier Input String 64 bytes
exporter_key_identifier Input String 64 bytes
target_key_token Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Required commands
The Data_Key_Export verb requires the Data Key Export command (offset X'010A') to be enabled in the
active role.
By also specifying the Unrestrict Data Key Export command (offset X'0277'), you can permit a less secure
mode of operation that enables an equal key-halves EXPORTER key-encrypting-key to export a key
having unequal key-halves (key parity bits are ignored).
This verb does not adjust the parity of the source key.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
Format
Parameter name Direction Data type Data length or value
CSNBDKM
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
source_key_token Input String 64 bytes
importer_key_identifier Input String 64 bytes
target_key_identifier In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
source_key_token
The source_key_token parameter is a pointer to a string variable containing the external fixed-length
DES key-token to be imported. Only a DATA key can be imported.
importer_key_identifier
The importer_key_identifier parameter is a pointer to a string variable containing the fixed-length DES
(IMPORTER) transport key-token or the key label of the fixed-length DES (IMPORTER) transport
key-token used to decipher the source key.
target_key_identifier
The target_key_identifier parameter is a pointer to a string variable containing a null fixed-length DES
key-token, an internal fixed-length DES key-token, or the key label of an internal fixed-length DES
key-token record or null fixed-length DES key-token record. The key token receives the imported key.
Required commands
The Data_Key_Import verb requires the Data Key Import command (offset X'0109') to be enabled in the
active role.
By also specifying the Unrestrict Data Key Import command (offset X'027C'), you can permit a less secure
mode of operation that enables an equal key-halves IMPORTER key-encrypting key to import a key having
unequal key-halves (key parity bits are ignored).
This verb is especially useful for creating diversified keys for operating with finance industry smart cards.
See Diversifying DES keys on page 177.
The verb generates the diversified key and updates the generated-token with this value by the following
procedure:
v Determines that it can support the process as requested by the rule-array keyword
v Recovers the key-generating key and checks the control vector for the appropriate key-type and the
specified usage in this verb
v Determines that the length of the generating key is appropriate to the specified process
v Determines that the control vector in the generated-token is permissible for the specified process
v Recovers the data-encrypting key and determines that the control vector is appropriate for the specified
process
v Decrypts the data as can be required by the specified process
v Generates the key appropriate to the specified process
v Adjusts the parity of the derived key to odd
v Returns the diversified key, multiply-enciphered by the master key modified by the control vector
Format
Parameter name Direction Data type Data length or value
CSNBDKG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, 3
rule_array Input String array rule_array_count * 8 bytes
generating_key_identifier In/Output String 64 bytes
data_length Input Integer
data Input String data_length bytes
data_decrypting_key_identifier Input String 64 bytes
generated_key_identifier In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords follow.
The key selected by the generating_key_identifier must specify a KEYGENKY key-type also
with control vector bit 19 set to B'1'.
The key identified by the data_decrypting_key_identifier must identify a null DES key-token.
The key token identified by the generated_key_identifier variable must contain a control
vector that specifies a single-length key of one of these types: DATA, CIPHER, ENCIPHER,
DECIPHER, MAC, or MACVER.
TDES-ENC Specifies that 8 bytes or 16 bytes of clear (not encrypted) data shall be Triple-DES
encrypted with the generating key to create the generated key. If the
generated_key_identifier variable specifies a single-length key, then 8 bytes of clear data are
Triple-DES encrypted. If the generated_key_identifier variable specifies a double-length key,
then 16 bytes of clear data are Triple-DES encrypted in ECB mode.
The key selected by the generating_key_identifier must specify a DKYGENKY key-type that
has the appropriate control vector usage bits (bits 19 22) set for the desired generated
key.
Control vector bits 12 14 binary encode the key-derivation sequence level (DKYL7 down to
DKYL0, see DKYGENKY in Figure 37 on page 658). The final key is derived when bits 12
14 are B'000'. The verb verifies the incremental relationship between the value in
generated_key_identifier control vector and the generating_key_identifier control vector. Or
in the case when the generated_key_identifier is a null DES token, the appropriate counter
value is placed into the output key-token.
A key token identified by the generated_key_identifier variable that is not a null key-token
must contain a control vector that specifies a single-length or double-length key having a key
type consistent with the specification in bits 19 22 of the generating key.
TDES-DEC Specifies that 8 or 16 bytes of clear (not encrypted) data shall be Triple-DES decrypted with
the generating key to create the generated key. If the generated_key_identifier variable
specifies a single-length key, then 8 bytes of clear data are Triple-DES decrypted. If the
generated_key_identifier variable specifies a double-length key, then 16 bytes of clear data
are Triple-DES decrypted in ECB mode.
The key selected by the generating_key_identifier must specify a DKYGENKY key-type that
has the appropriate control vector usage bits (bits 19 22) set for the desired generated
key.
Control vector bits 12 14 binary encode the key-derivation sequence level (DKYL7 down to
DKYL0, see DKYGENKY in Figure 37 on page 658). The final key is derived when bits 12
14 are B'000'. The verb verifies the incremental relationship between the value in the
generated_key_identifier variable control-vector and the generating_key_identifier variable
control-vector. Or in the case when the generated_key_identifier variable is a null DES
key-token, the appropriate counter value is placed into the output key-token.
A key token identified by the generated_key_identifier variable that is not a null DES
key-token must contain a control vector that specifies a single-length or double-length key
having a key type consistent with the specification in bits 19 22 of the generating key.
The key token specified by the generating_key_identifier parameter must be of key type
DATA, DATAC, MAC, DATAM, MACVER, or DATAMV.
On input, the token identified by the generated_key_identifier parameter must identify a null
DES key-token. The control vector contained in the output key token identified by the
generated_key_identifier parameter is the same as the control vector contained in the key
token identified by the generating_key_identifier parameter.
Key-wrapping method (one, optional). Release 4.1 or later.
USECONFG Specifies to wrap the key using the configuration setting for the default wrapping method.
This is the default.
WRAP-ECB Specifies to wrap the key using the legacy wrapping method.
WRAP-ENH Specifies to wrap the key using the enhanced wrapping method.
Translation control (optional). This is valid only with key-wrapping method WRAP-ENH or with USECONFG when the
default wrapping method is WRAP-ENH. This option cannot be used on a key with a control vector valued to binary
zeros. Release 4.1 or later.
ENH-ONLY Specifies to restrict the key from being wrapped with the legacy method once it has been
wrapped with the enhanced method. Sets bit 56 (ENH-ONLY) of the control vector to B'1'.
generating_key_identifier
The generating_key_identifier parameter is a pointer to a string variable containing the
key-generating-key (DKYGENKY or KEYGENKY) key-token or key label of a key-token record.
data_length
The data_length parameter is a pointer to an integer variable containing the number of bytes of data in
the data variable.
data
The data parameter is a pointer to a string variable containing the information used in the
key-generation process. This can be clear or encrypted information based on the process rule
specified in the rule array. Currently this variable must contain clear data.
data_decrypting_key_identifier
The data_decrypting_key_identifier parameter is a pointer to a string variable containing the data
decrypting key-token or key label of a key-token record. The specified process dictates the class of
key. If the process rule does not support encrypted data, point to a null DES key-token. Currently this
variable must contain a 64-byte null key-token.
generated_key_identifier
The generated_key_identifier parameter is a pointer to a string variable containing the target internal
key-token or the key label of the target key-token record. Specify either an internal token or a skeleton
token containing the desired control vector of the generated key.
v For the CLR8-ENC, TDESEMV2, TDESEMV4, and TDES-XOR processes, a null token might not
be specified
v For the TDES-ENC or TDES-DEC processes, a null token might be specified
v For the SESS-XOR process, a null token must be specified.
Required commands
The Diversified_Key_Generate verb requires the following commands to be enabled in the active role
based on the keyword specified for the process rule:
When a key-generating key of key type DKYGENKY is specified with control vector bits (19 22) of
B'1111', the Generate Diversified Key (DALL with DKYGENKY Key Type) command (offset X'0290') must
also be enabled in the active role.
Note: A role with offset X'0290' enabled can also use the PIN_Change/Unblock verb with a DALL key.
When using the TDES-ENC or TDES-DEC modes, you can specifically enable generation of a
single-length key or a double-length key with equal key-halves (an effective single-length key) by enabling
the Enable DKG Single Length Keys and Equal Halves for TDES-ENC, TDES-DEC command (offset
X'0044').
| ECDH derives a shared secret value from a secret key owned by an Entity A and a public key owned by
| an Entity B, when the keys share the same elliptic curve domain parameters. Entity A can be either the
| initiator of a key-agreement transaction, or the responder in a scheme. If two entities both correctly
| perform the same operations with corresponding keys as inputs, the same shared secret value is
| produced.
| Both parties must create an ECC public-private key pair. See PKA_Key_Token_Build (CSNDPKB) on
| page 95 and PKA_Key_Generate (CSNDPKG) on page 87. A key can be internal or external, as well as
| encrypted or in the clear. Both keys must have the same elliptic curve domain parameters (curve type and
| key size):
| v Brainpool (key size 160, 192, 224, 256, 320, 384, or 512)
| v Prime (key size 192, 224, 256, 384, or 521)
| In addition to having the same elliptic curve domain parameters, the keys must have their key-usage field
| set to permit key establishment (either KEY-MGMT or KM-ONLY). See Table 112 on page 597.
| Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX
| IBM i
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The NIST security strength requirements are enforced, with respect to ECC curve type (input) and
| derived key-length.
| CSNDEDH
| return_code Output Integer See Appendix A.
| reason_code Output Integer See Appendix A.
| exit_data_length In/Output Integer 0
| exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 1-5
| rule_array Input String array rule_array_count * 8 bytes
| private_key_identifier_length Input Integer 64 - 800
| private_key_identifier Input String private_key_identifier_length bytes
| private_KEK_key_identifier_length Input Integer 0, 64 - 900
| private_KEK_key_identifier Input String private_KEK_key_identifier_length bytes
| public_key_identifier_length In/Output Integer 64 - 800
| public_key_identifier In/Output String public_key_identifier_length bytes
| chaining_vector_length In/Output Integer 0
| chaining_vector In/Output String chaining_vector_length bytes
| party_info_length In/Output Integer 8 - 64
| party_info In/Output String party_info_length bytes
| key_bit_length Input Integer 64, 128, 192, or 256
| reserved_1_length In/Output Integer 0
| reserved_1 In/Output String reserved_1_length bytes
| reserved_2_length In/Output Integer 0
| reserved_2 In/Output String reserved_2_length bytes
| reserved_3_length In/Output Integer 0
| reserved_3 In/Output String reserved_3_length bytes
| reserved_4_length In/Output Integer 0
| reserved_4 In/Output String reserved_4_length bytes
| reserved_5_length In/Output Integer 0
| reserved_5 In/Output String reserved_5_length bytes
| output_KEK_key_identifier_length Input Integer 0, 64 - 900
| output_KEK_key_identifier Input String output_KEK_key_identifier_length bytes
| output_key_identifier_length In/Output Integer 64 - 900
| output_key_identifier In/Output String output_key_identifier_length bytes
|
| See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Parameters
| For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
| Parameters common to all verbs on page 9.
| rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. Valid values are 1 - 5.
| rule_array
| The rule_array parameter is a pointer to a string variable containing an array of keywords. The
| keywords are 8 bytes in length and must be left-aligned and padded on the right with space
| characters. The rule_array keywords for this verb are shown below:
| Depending on curve type, each length of p in bits contained in the ECC private-key section and the ECC
| public-key section must have the following command enabled in the active role:
|| Curve type Length of prime p in bits Offset Command
| Brainpool 160 (X'00A0') X'0368' Allow Brainpool Curve 160
| 192 (X'00C0') X'0369' Allow Brainpool Curve 192
| 224 (X'00E0') X'036A' Allow Brainpool Curve 224
| 256 (X'0100') X'036B' Allow Brainpool Curve 256
| 320 (X'0140') X'036C' Allow Brainpool Curve 320
| 384 (X'0180') X'036D' Allow Brainpool Curve 384
| 512 (X'0200') X'036E' Allow Brainpool Curve 512
| Prime 192 (X'00C0') X'0363' Allow Prime Curve 192
| 224 (X'00E0') X'0364' Allow Prime Curve 224
| 256 (X'0100') X'0365' Allow Prime Curve 256
| 384 (X'0180') X'0366' Allow Prime Curve 384
| 521 (X'0209') X'0367' Allow Prime Curve 521
|
|
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
CSNBKET
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
kek_key_identifier_length Input Integer 64
kek_key_identifier In/Output String kek_key_identifier_length bytes
key_in_length Input Integer 16 or 64
key_in Input String key_in_length bytes
key_out_length In/Output Integer 16 or 64
key_out Output String key_out_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of return_code, reason_code, exit_data_length, and exit_data, see Parameters
common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Key translation method (one required)
CBCTOECB Specifies decryption of a 16-byte string and CCA encryption of the
resulting clear-key value as an external CCA DATA key.
ECBTOCBC Specifies decryption of a CCA DATA key and the CBC encryption
of the resulting clear key.
kek_key_identifier_length
The kek_key_identifier_length parameter is a pointer to an integer variable containing the length in
bytes of a fixed-length DES key-token. The value must be 64.
kek_key_identifier
The kek_key_identifier parameter is a pointer to a string variable containing the key-encrypting token,
or key label of a KEK key-token record.
key_in_length
The key_in_length parameter is a pointer to an integer variable containing the number of bytes of data
in the key_in variable. The value must be 16 for a CBCTOECD translation, or 64 for an ECBTOCBC
translation.
Required commands
The Key_Encryption_Translate verb requires the following commands to be enabled in the active role:
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Unless you enable the Unrestrict Reencipher from Master Key command (offset X'0276'), an
EXPORTER key-encrypting key having equal key-halves is not permitted to export a key having
unequal key-halves. Key parity bits are ignored.
v When bit 40 of a control vector is on, both halves of a double-length key are guaranteed to not be
identical. If bit 40 of the control vector in the key token identified by the source_key_identifier is on, it is
a control vector violation if bit 40 of the control vector contained in the key token identified by the
exporter_key_identifier is not also on.
CSNBKEX
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_type Input String 8 bytes
source_key_identifier Input String 64 bytes
exporter_key_identifier Input String 64 bytes
target_key_token Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_type
The key_type parameter is a pointer to a string variable containing a keyword that specifies the key
type of the source key-token. The keyword is 8 bytes in length, and must be left-aligned and padded
on the right with space characters. The key_type keywords are shown below:
source_key_identifier
The source_key_identifier parameter is a pointer to a string variable containing the internal DES
source key-token or key label of a key-token record.
exporter_key_identifier
The exporter_key_identifier parameter is a pointer to a string variable containing the EXPORTER
key-encrypting-key token or key label of a key-token record.
target_key_token
The target_key_token parameter is a pointer to a string variable containing the external DES target
key-token.
Required commands
The Key_Export verb requires the Reencipher from Master Key command (offset X'0013') to be enabled in
the active role.
By also specifying the Unrestrict Reencipher from Master Key command (offset X'0276'), you can permit a
less secure mode of operation that enables an equal key-halves EXPORTER key-encrypting-key to export
a key having unequal key-halves (key parity bits are ignored).
The verb needs to know the key length and the key type for each copy of the key it produces. Each of
these can be specified explicitly with a parameter value, or you can indicate that the verb should
determine the length and type itself.
v A parameter key_length is used to specify the key length using keywords. There are keywords for
specific explicit key lengths, but you can set key_length to space characters to have the verb determine
the key length based on the key type. If the key length in an AES token is valid, but different from a
length specified explicitly by parameter key_length, the length in the token is overwritten with the
specified length. In this case, the verb returns a return code of 0 and a reason code of 2040 (X'7F8') to
notify you that the length in the API parameter did not match the length in the key token that you
provided.
Note: Certain types of CCA DES keys must be double length, for example, IMPORTER or EXPORTER
keys. In some situations, you need these keys to act as single length keys. In order to
accomplish this, specify the SINGLE-R keyword. This causes the generated key to have equal
left and right (replicated) key halves. A double-length DES key with replicated key halves
operates identically as a single-length key with that same key value.
v A key-type parameter for each output key-token is used to specify the type of the generated key for that
token. Keywords can be used to explicitly specify the key type, but the preferred method is to use the
keyword TOKEN, which specifies that the verb is to determine the key types by examining the key
tokens provided. The TOKEN method allows the specification of any control vector, while the explicit key
type keywords allows only the generation of keys with the default control vectors for each key type. For
DES keys, the verb determines the key type from the control vector in the token. For AES keys, the only
key type available is AESDATA.
The parameter key_form indicates whether you want one or two copies of the generated random key, and
the form of each copy. For DES keys, each key can either be in internal form encrypted under the DES
master key, in external form encrypted under an IMPORTER key-encrypting key, or in external form
encrypted under an EXPORTER key-encrypting key.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
Format
Parameter name Direction Data type Data length or value
CSNBKGN
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_form Input String 4 bytes
key_length Input String 8 bytes
key_type_1 Input String 8 bytes
key_type_2 Input String 8 bytes
KEK_key_identifier_1 Input String 64 bytes
KEK_key_identifier_2 Input String 64 bytes
generated_key_identifier_1 In/Output String 64 bytes
generated_key_identifier_2 In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_form
The key_form parameter is a pointer to a string variable containing a keyword. The keyword is 4 bytes
in length and must be left-aligned and padded on the right with space characters. The key_form
keywords and their usage are shown in Table 35 on page 231. One keyword is required.
A key_form keyword defines whether one or two copies of the key are generated, and what
key-encrypting key (KEK) is used to encipher each copy. It is comprised of one or two strings, two
characters each ("OP", "IM", or "EX"), where each two-character string indicates how each key should
be enciphered:
v The "OP" string requests an operational key. An operational key is enciphered under the master key
and returned in an internal key-token. It is immediately usable at the local node.
v The "IM" string requests an importable key. This key is enciphered with an IMPORTER KEK and
returned in an external key-token. It can be imported at the local node at a later time.
v The "EX" string requests an exportable key. This key is enciphered with an EXPORTER KEK and
returned in an external key-token. It is suitable for distribution to another cryptographic node.
key_length
The key_length parameter is a pointer to a string variable containing a keyword or space characters.
The variable is 8 bytes in length, and a keyword must be left-aligned and padded on the right with
space characters. The key_length parameter defines the length of the random AES or DES key for the
verb to generate and return encrypted under a KEK. The key_length values are shown in Table 36.
One value is required.
AES key lengths of 16, 24, and 32 bytes (128, 192, and 256 bits) are supported. DES key lengths of 8
bytes (single) and 16 bytes (double) are supported.
Table 36. Key_length values
key_length value Description
SINGLE Generates a single-length DES key (8 bytes). DES only.
KEYLN8 Synonym for SINGLE.
SINGLE-R Generates a double-length DES key (16 bytes) with replicated key halves, making an
effective single-length key. DES only.
DOUBLE Generates a double-length DES key (16 bytes). DES only
KEYLN16 For AES, generates a 16-byte (128-bit) key. For DES, synonym for DOUBLE.
KEYLN24 Generates a 24-byte (192-bit) key (AES only, Release 3.30 or later).
KEYLN32 Generates a 32-byte (256-bit) key (AES only, Release 3.30 or later).
8 space characters Determines the key length implicitly based on the key-token provided by the
generated_key_identifier_1 parameter. If a null key-token is provided, the length is the
default key length for the key_type keyword specified.
Key type AESDATA does not have a default key length. If the key token is not null, the
length of the key in the key token is used. Valid for AES and DES.
Notes:
1. A fixed-length DES key-token contains a control vector with a key-form field that specifies the length of the
key. A fixed-length AES key-token contains an explicit field in the token for the length of the key.
2. For DES, if the key token provided by the generated_key_identifier_1 parameter is not null, it is an error if
the length in the key token does not match the length specified by the key_length keyword.
3. A double-length DES key consists of two single-length DES keys (a left half and a right half). If both halves
are equal (ignoring parity bits), the key operates identically as a single-length DES key. Some types of CCA
DES keys must be double length, such as KEKs. The SINGLE-R keyword is provided for those situations
where you need these types of keys to act as single-length keys.
4. The key-form bits of a DES control vector can be set to guarantee that the key halves of a double-length key
are unique. See Key-form bits, 'fff' and 'FFF' on page 660. Guaranteed unique halves prevents an effective
single-length key from masquerading as a double-length key. This CCA implementation does not support the
keyword DOUBLE-O to generate double-length DES keys with guaranteed unique halves as some
implementations might. To generate a double-length DES key with guaranteed unique halves, provide a key
token with a control vector that has the required key-form bits set. Not all CCA implementations support
control vectors set for guaranteed unique halves.
Note: The generated_key_identifier_2 parameter is not used when generating only a single key and
should point to a null key-token.
Note: A role with offset X'00DB' enabled can also use the Remote_Key_Export verb.
Related information
This section provides additional information about the key_type and key_length parameters.
Key-type specifications: Generated DES keys are enciphered with a key encrypting key or the DES
master key, exclusive-ORed with the control vector associated with that copy of the generated key. (See
Understanding DES and RSA key encryption and decryption processes on page 671). Generated AES
keys are enciphered with the AES master key.
There are two methods for specifying the type of keys to be generated:
v Specify key-type keywords as described in Table 37 on page 236 and Table 38 on page 236.
v Use the AESTOKEN or TOKEN keyword and provide a key token with the necessary information, so
that the verb can determine the key type and key length. For DES keys, this information is obtained
from the control vector in the token. For AES keys, the key length is an explicit field within the token,
and the only key type is AESDATA.
Use of the key type keywords for DES keys generates default control-vector values. See Table 162 on
page 657. One or two keywords are examined depending on the value in the key_form variable. Table 37
on page 236 shows the key type keywords you can use to generate a single-key copy, which will use
default control vectors if you are generating a DES key. Table 38 on page 236 shows the key types you
can use to generate two copies of a key. An 'X' indicates a permissible key type for a given key form. An
'E' indicates that a special (Extended) command is required as those keys require special handling.
A single-length DES key with any permissible control vector value can be generated by specifying SINGLE
and OP. In this case, the verb uses the Generate Key command (offset X'008E').
If you use the TOKEN key-type keyword and encode a DES key-type in a control vector supplied in the
key token, remember that non-default control vector values for the key type can be employed. Certain key
Notes:
1. AESDATA is for AES keys only. All other key types are for DES keys only.
2. AESDATA is for Release 3.30 or later.
3. The DES key types marked with an '*' must be requested through the specification of a proper control vector in a
key token and the use of the TOKEN keyword.
| 4. An 'X' indicates a permissible key type for a given key form.
Table 38. Key_type and key_form keywords for a DES key pair
key_form
OPOP, OPIM, key_form key_form key_form
key_type_1 key_type_2 IMIM OPEX EXEX IMEX
DATA DATA X X X X
MAC MAC
MAC MACVER
MACVER MAC
DATAC * DATAC *
DATAM * DATAM *
DATAM * DATAMV *
DATAMV * DATAM *
CIPHER CIPHER
CIPHER DECIPHER
CIPHER ENCIPHER
DECIPHER CIPHER
DECIPHER ENCIPHER
ENCIPHER CIPHER
ENCIPHER DECIPHER
KEYGENKY * KEYGENKY *
DKYGENKY * DKYGENKY *
EXPORTER IMPORTER X X X
IMPORTER EXPORTER
EXPORTER IMP-PKA *
IMP-PKA * EXPORTER
EXPORTER IKEYXLAT
IKEYXLAT EXPORTER
IKEYXLAT OKEYXLAT
IMPORTER OKEYXLAT
OKEYXLAT IMPORTER
OKEYXLAT IKEYXLAT
PINGEN PINVER
PINVER PINGEN
Notes:
1. AES keys cannot be generated in pairs.
2. The key types marked with an '*' must be requested through the specification of a proper control-vector in a key token and the
use of the TOKEN keyword.
| 3. An 'X' indicates a permissible key type combination for a given key form. An 'E' indicates that a special (Extended) command is
| required as those keys require special handling.
Key-length specification: The key_length parameter is a pointer to a string variable that specifies the
length of the generated key. It contains either a keyword or eight space characters. The key length
specified must be consistent with the key length indicated by the token you supply. For DES keys, this
length is a field in the control vector. For AES keys, the length is an explicit field in the token.
Table 39 on page 238 shows the valid key lengths for each key type. An X indicates that a key length is
permitted for a key type and a D indicates the default key-length that the verb uses when you supply
eight space characters with the key_length parameter.
| Notes:
| 1. The DES key types marked with an '*' must be requested through the specification of a proper control-vector in a key token and
| the use of the TOKEN keyword.
| 2. An 'X' indicates that a key length is permitted for a key type.
| 3. A 'D' indicates the default key-length that the verb uses when you supply eight space characters with the key_length parameter.
| The verb can create default key tokens, update the key in existing key tokens, or complete skeleton key
| tokens. The Key_Token_Build2 verb can be used to build a skeleton key-token. See page 275.
| Beginning with Release 4.2, an access control point can be turned on to disallow the wrapping of a key
| with a weaker key-encrypting key. See Required commands on page 243.
| Note: Variable-length symmetric key tokens have an associated data section that contains clear data. This
| section is hashed and the hash value is cryptographically bound to its enciphered payload. See
| Variable-length symmetric key-token on page 614.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Token algorithm keyword AES and key form keywords EX, IM, OPEX, OPIM, IMIM, IMEX, and EXEX
| are not supported in releases before Release 4.2.
| v Support for external keys and key-encrypting keys is not available in releases before Release 4.2.
| v The Generate Key Set command (offset X'008C') and the Disallow Weak Key Wrap (offset X'0328')
| commands are not defined in releases before Release 4.2.
Format
Parameter name Direction Data type Data length or value
CSNBKGN2
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2
rule_array Input String array rule_array_count * 8 bytes
| clear_key_bit_length Input Integer 128, 192, 256 (AES), 80 - 2048 (HMAC)
key_type_1 Input String 8 bytes
key_type_2 Input String 8 bytes
| key_name_1_length Input Integer 0 or 64
key_name_1 Input String key_name_1_length bytes
| key_name_2_length Input Integer 0 or 64
key_name_2 Input String key_name_2_length bytes
user_associated_data_1_length Input Integer 0 - 255
user_associated_data_1 Input String user_associated_data_1_length bytes
user_associated_data_2_length Input Integer 0 - 255
user_associated_data_2 Input String user_associated_data_2_length bytes
| KEK_key_identifier_1_length Input Integer See Appendix B.
KEK_key_identifier_1 Input String KEK_key_identifier_1_length bytes
| KEK_key_identifier_2_length Input Integer See Appendix B.
KEK_key_identifier_2 Input String KEK_key_identifier_2_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters.
The rule-array keywords are:
|| Keyword Meaning
| Algorithm for which the key can be used (one required)
| AES (Rel. 4.2 or later) Generate an AES key token.
| HMAC Generate an HMAC key token.
| Key form (one required)
| EX (Rel. 4.2 or later) Return one copy of the key enciphered under an exporter KEK.
| IM (Rel. 4.2 or later) Return one copy of the key enciphered under an importer KEK.
| OP Return one copy of the key enciphered under the AES master key.
| OPEX (Rel. 4.2 or later) Return two copies of the key, the first enciphered key under the AES master key
| and the second under an exporter key-encrypting key.
| OPIM (Rel. 4.2 or later) Return two copies of the key, the first enciphered key under the AES master key
| and the second under an importer key-encrypting key.
| OPOP Return two copies of the key, both enciphered under the AES master key.
| EXEX (Rel. 4.2 or later) Return two copies of the key, both enciphered under exporter key-encrypting
| keys.
| IMEX (Rel. 4.2 or later) Return two copies of the key, the first enciphered under an importer
| key-encrypting key, and the second under an exporter key-encrypting key.
| IMIM (Rel. 4.2 or later) Return two copies of the key, both enciphered under importer key-encrypting
| keys.
|
clear_key_bit_length
| The clear_key_bit_length parameter is a pointer to an integer variable containing the number of
| clear-key bits to randomly generate and return encrypted in the generated key or keys. If a generated
| key token has a key type of TOKEN, this value overrides any key length contained in the key token.
| The value can be 128, 192, and 256 for AES keys (Release 4.2 or later), and 80 - 2048 for HMAC
| keys.
key_type_1 and key_type_2
These parameters are pointers to 8-byte string variables, each containing a keyword that is left aligned
Required commands
| The Key_Generate2 verb requires the Generate2 Key command (offset X'00EA') to be enabled in the
| active role when one key is returned (key form EX, IM, or OP). When two keys are returned (key form
| OPOP, OPIM, IMIM, OPEX, EXEX, or IMEX), the verb requires the Generate2 Key Set command (offset
| X'00EB') to be enabled in the active role.
| The following access control points are added beginning with Release 4.2:
| v To disallow the wrapping of a key with a weaker key-encrypting key, enable the Disallow Weak Key
| Wrap command (offset X'0328') in the active role. This command affects multiple verbs. See Table 169
| on page 715.
| v To receive a warning when wrapping a key with a weaker key-encrypting key, enable the Warn when
| Wrapping Weak Keys command (offset X'032C') in the active role. The Disallow Weak Key Wrap
| command overrides this command.
| Related information
| Key type specifications: Generated keys returned in an internal key-token are enciphered with the AES
| master key, while generated keys returned in an external key-token are enciphered under an AES
| key-encrypting key.
| There are two methods for specifying the type of keys to be generated:
| v Specify key-type keywords as described in Table 40 on page 244 and Table 41 on page 244.
| v Use the TOKEN keyword and provide a key token to be updated or a skeleton key-token to be
| completed.
| One or two key type keywords are examined depending on the value of the key form rule-array keyword.
| Table 40 on page 244 shows the permissible key type and key form keyword combinations to generate a
| single copy of a key. Table 41 on page 244 shows the permissible key type and key form keyword
| combinations to generate two copies of a key.
| Notes:
| 1. An "X" indicates a permissible key type for a given key form.
| 2. Key type CIPHER is not supported in releases before Release 4.2.
| 3. Key forms EX and IM are not supported in releases before Release 4.2.
|
| Table 41. Key type and key form keywords for a pair of AES or HMAC keys
| Key form
| OPOP,
| OPIM,
| key_type_1 (key usage) key_type_2 (key usage) IMIM OPEX EXEX IMEX
| CIPHER (DECRYPT and ENCRYPT) CIPHER (DECRYPT and ENCRYPT) X X X X
| CIPHER (DECRYPT and ENCRYPT) CIPHER (DECRYPT)
| CIPHER (DECRYPT and ENCRYPT) CIPHER (ENCRYPT)
| CIPHER (DECRYPT) CIPHER (DECRYPT and ENCRYPT)
| CIPHER (DECRYPT) CIPHER (ENCRYPT)
| CIPHER (ENCRYPT) CIPHER (DECRYPT and ENCRYPT)
| CIPHER (ENCRYPT) CIPHER (DECRYPT)
| MAC (GENERATE and VERIFY) MAC (GENERATE and VERIFY)
| MAC (GENERATE and VERIFY) MAC (VERIFY)
| MAC (VERIFY) MAC (GENERATE and VERIFY)
| IMPORTER EXPORTER X X X
| EXPORTER IMPORTER
| Notes:
| 1. An "X" indicates a permissible key type and key usage combination for a given key form.
| 2. The key usage attributes shown are those that are required. Key usage attributes that are not shown are optional.
| 3. Key types CIPHER, EXPORTER, and IMPORTER are not supported in releases before Release 4.2.
| 4. Key forms EXEX, IMIM, and OPIM are not supported in releases before Release 4.2.
|
|
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Unless you enable the Unrestrict Reencipher to Master Key command (offset X'027B'), an IMPORTER
key-encrypting key having equal key-halves is not permitted to import a key having unequal key-halves.
Key parity bits are ignored.
Format
Parameter name Direction Data type Data length or value
CSNBKIM
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_type Input String 8 bytes
source_key_token Input String 64 bytes
importer_key_identifier Input String 64 bytes
target_key_identifier In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_type
The key_type parameter is a pointer to a string variable containing an 8-byte keyword, left-aligned,
and padded on the right with space characters, that specifies the key type of the key to be imported.
In general, you should use the TOKEN keyword.
source_key_token
The source_key_token parameter is a pointer to a string variable containing the external CCA source
DES key-token. Ordinarily the source key-token is an external fixed-length DES key-token (the first
byte of the key-token data structure contains X'02'). However, if the first byte of the token is X'00', then
the encrypted source-key is taken from the data at offset 16 (X'10') in the source key-token structure.
importer_key_identifier
The importer_key_identifier parameter is a pointer to a string variable containing the key-token or key
label for the IMPORTER (transport) key-encrypting key.
target_key_identifier
The target_key_identifier parameter is a pointer to a string variable containing the internal target
fixed-length DES key-token or key label of a DES key-token record.
Required commands
The Key_Import verb requires the Reencipher to Master Key command (offset X'0012') to be enabled in
the active role.
By also enabling the Unrestrict Reencipher To Master Key command (offset X'027B'), you can permit a
less secure mode of operation that enables an equal key-halves IMPORTER key-encrypting key to import
a key having unequal key-halves (key parity bits are ignored).
On each call to Key_Part_Import (except COMPLETE, see below), specify 8 bytes or 16 bytes of clear-key
information based on the length of the key that you are accumulating. Align an 8-byte clear key in the
high-order (leftmost) bytes of a 16-byte field. Also specify an internal key-token in which the key
information is accumulated. The key token must include a control vector. The control vector defines the
length of the key, 8 or 16 bytes (single length or double length). The control vector must have the
KEY-PART bit set on. The verb returns the accumulated key information as a master-key-encrypted value
in the updated key-token.
Beginning with Release 4.1, an optional key-wrapping method and an optional translation-control setting
can be specified.
You can use the Key_Token_Build verb to create the internal key-token into which the first key-part is
imported.
On each call to Key_Part_Import, also specify a rule-array keyword to define the verb action: FIRST,
MIDDLE, LAST, ADD-PART, or COMPLETE.
v With the FIRST keyword, the verb requires that the input key-token be a skeleton. Each byte of the
8-byte or 16-byte key-part should have the low-order bit set such that the byte has an odd number of
one-bits, otherwise assuming no other problems, the verb returns reason code 2. Use of the FIRST
keyword requires that the Load First Key Part command be enabled in the access-control system.
v With the MIDDLE keyword, the verb exclusive-ORs the clear key-part with the (internally decrypted) key
value from the input key-token. Each byte of the 8-byte or 16-byte key-part should have the low-order
bit set such that the byte has an even number of one-bits. If any byte in the updated key has an even
number of one bits, and there are no other problems, the verb returns reason code 2. Use of the
MIDDLE keyword requires that the Combine Key Parts command be enabled in the access-control
system. The key-part bit remains on in the control vector of the updated key token returned from the
verb.
v With the LAST keyword, the verb exclusive-ORs the clear key-part with the (internally decrypted) key
value in the input key-token. Each byte of the 8-byte or 16-byte key-part should have the low-order bit
set such that the byte has an even number of one-bits. If any byte in the updated key has an even
number of one bits, and there are no other problems, the verb returns reason code 2. This use of the
LAST keyword requires that the Combine Key Parts command be enabled in the access-control system.
The key-part bit is set off in the control vector of the updated key token returned from the verb.
v With the ADD-PART keyword, the verb exclusive-ORs the clear key-part with the (internally decrypted)
key value in the input key-token. Each byte of the 8-byte or 16-byte key-part should have the low-order
bit set such that the byte has an even number of one-bits. If any byte in the updated key has an even
number of one bits, and there are no other problems, the verb returns reason code 2. Use of the
ADD-PART keyword requires that the Add Key Part command be enabled in the access-control system.
The key-part bit remains on in the control vector of the updated key token returned from the verb.
v With the COMPLETE keyword, the key-part bit is set off in the control vector of the updated key token
returned from the verb. Use of the COMPLETE keyword requires that the Complete Key Part command
be enabled in the access-control system. The 16-byte key_part variable must be declared but is
ignored.
Notes:
1. If your input creates a key value with one or more bytes with an even number of one bits, that is an
out-of-parity key, and the verb returns a reason-code value of 2. Many verbs check the parity of keys
and, if the key does not have odd parity in each key-byte, might return a warning or might terminate
without performing the requested operation. In general, out-of-parity DATA keys are tolerated.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSNBKPI
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
key_part Input String 16 bytes
key_identifier In/Output String 64 bytes
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters.
The rule_array keywords are shown below:
Keyword Meaning
Key part (one required)
FIRST Specifies that an initial key-part is provided. The verb returns this key-part encrypted by the
master key in the key token which you supplied.
ADD-PART Specifies that additional key-part information is provided. The verb exclusive-ORs the key part
into the key information held encrypted in the key token.
COMPLETE Specifies that the key-part bit shall be turned off in the control vector of the key rendering the
key fully operational. No key_part information is added to the key with this keyword.
MIDDLE Specifies that an intermediate key-part, which is neither the first key-part nor the last key-part, is
provided. The verb exclusive-ORs the key part into the key information held encrypted in the key
token. The command control point for this keyword is the same as that for the LAST keyword
and different from that for the ADD-PART keyword.
LAST Specifies that the last key-part is provided. The verb exclusive-ORs the key part into the key
information held encrypted in the key token. The key-part bit is turned off in the control vector.
Key-wrapping method (one, optional). Release 4.1 or later.
USECONFG Specifies to wrap the key using the configuration setting for the default wrapping method. This is
the default.
WRAP-ECB Specifies to wrap the key using the legacy wrapping method.
WRAP-ENH Specifies to wrap the key using the enhanced wrapping method.
key_part
The key_part parameter is a pointer to a string variable containing a clear DES key-part to be entered.
The key part might be either 8 or 16 bytes in length. For 8-byte keys, place the key part in the
high-order bytes of the 16-byte key-part field. The information in this variable must be defined but are
ignored by the coprocessor when you use the COMPLETE rule-array keyword.
key_identifier
The key_identifier parameter is a pointer to a string variable containing the internal fixed-length DES
key-token or a key label for an internal fixed-length DES key-token. The key token must not be null
and does supply the control vector for the partial key.
The Key_Part_Import verb enforces the key-halves restriction documented above when the Unrestrict
Combine Key Parts command (offset X'027A') is disabled in the active role. Enabling this command results
in less secure operation and is not recommended.
| On each call to Key_Part_Import2, specify the number of bits to use for the clear key-part. For keyword
| COMPLETE this number must be 0. Place the clear key-part left-aligned in the clear_key_part variable,
| and specify the number of bits of clear_key_part data using the clear_key_part_bit_length variable. For
| any number not a multiple or eight, any extraneous bits of clear_key_part data will be ignored when the
| verb encrypts the key. Also specify an internal variable-length symmetric key-token in which the key
| information is accumulated. Use the Key_Token_Build2 verb to create the key-token skeleton into which
| the first key part is imported. After the FIRST key part, each accumulated clear key-part must have the
| same clear-key bit length and the key token must have the key-management field 2 set to indicate that the
| key is incomplete. For key-part keyword FIRST, key-management field 2 is ignored and overwritten with
| the value determined by the split-knowledge keyword. ADD-PART and COMPLETE cause the
| key-management field 2 to be updated.
Here is a summary of the three scenarios for importing key parts, based on rule-array keywords,
key-management field 2, and access-control command:
Key-management Key-mangement
field 2 input field 2 output
Rule-array keyword(s) (high-order byte) (high-order byte) Required access control command
Scenario 1: Minimum three required parts
FIRST, MIN3PART Ignored B'1100 0000' Import Minimum Three Parts
ADD-PART B'1100 0000' B'1000 0000' Import Second of Three or More Parts
ADD-PART B'1000 0000' B'0100 0000' Import Last Minimum Required Part
ADD-PART B'0100 0000' B'0100 0000' Import Optional Part
COMPLETE B'0100 0000' B'0000 0000' Complete Import of Key Parts
Scenario 2: Minimum two required parts
FIRST, MIN2PART Ignored B'1000 0000' Import Minimum Two Parts
ADD-PART B'1000 0000' B'0100 0000' Import Last Minimum Required Part
ADD-PART B'0100 0000' B'0100 0000' Import Optional Part
COMPLETE B'0100 0000' B'0000 0000' Complete Import of Key Parts
Scenario 3: Minimum one required part
FIRST, MIN1PART Ignored B'0100 0000' Import Minimum One Part
ADD-PART B'0100 0000' B'0100 0000' Import Optional Part
COMPLETE B'0100 0000' B'0000 0000' Complete Import of Key Parts
Notes:
1. Any number of optional key parts can be imported; there is no maximum.
2. The user who imports the first key part sets the minimum number of required key parts for that key.
| 3. For keyword FIRST, the key token identified by the key_identifier parameter must be a skeleton
| key-token.
4. For keyword COMPLETE, the clear_key_part_bit_length variable must be zero.
On each call to Key_Part_Import2, also specify a rule-array keyword to define the verb action: FIRST,
ADD-PART, or COMPLETE.
v With the FIRST keyword, the verb requires that the input key-token be a skeleton. Use of the FIRST
keyword requires that one of the following access control commands be enabled in the access-control
system: Import Minimum Three Parts, Import Minimum Two Parts, or Import Minimum One Part.
v With the ADD-PART keyword, the verb exclusive-ORs the clear key-part with the (internally decrypted)
key value in the input key-token. The key token must have the key-management bit set to indicate that
the key is not complete. Use of the ADD-PART keyword requires that the Import Second of Three or
More Parts, Import Last Minimum Required Part, or Import Optional Part command be enabled in the
access-control system. The key remains incomplete in the updated key token returned from the verb.
v With the COMPLETE keyword, the key key-management bit is changed from not complete to complete,
and the key becomes complete and fully operational. Use of the COMPLETE keyword requires that the
Complete Import of Key Parts command be enabled in the access-control system. The
clear_key_part_bit_length variable must be set to zero.
Note: You can enforce a dual-control, split-knowledge security policy by employing the FIRST,
ADD-PART, and COMPLETE keywords. See Required commands on page 255. With the FIRST
keyword, one of the three split-knowledge keywords is required. The ADD-PART and COMPLETE
keywords ensure a separation of responsibilities between someone who can add key-part
information and someone who can declare that appropriate information has been accumulated in a
key. Consider using the Key_Test2 verb to ensure that a correct key-value has been accumulated
prior to using the COMPLETE option to mark the key as fully operational.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
CSNBKPI2
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2 or 3
rule_array Input String array rule_array_count * 8 bytes
| clear_key_part_bit_length Input Integer 0; 128, 192, or 256 (AES); 80 - 2048 (HMAC)
clear_key_part Input String (clear_key_part_bit_length + 7) / 8 bytes
| key_identifier_length In/Output Integer See Appendix B.
key_identifier In/Output String key_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 2 if it is not the FIRST key part, or 3 if it is the FIRST
key part.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
| Note: Unlike the Key_Part_Import verb, which requires the first key to be incomplete (that is, for the
| KEY-PART bit to be on) for keyword FIRST, Key_Part_Import2 does not require the first key to
| be incomplete. It instead overwrites the key-completeness bits of key-management field 2
| based on the split-knowledge keyword
clear_key_part_bit_length
The clear_key_part_bit_length parameter is a pointer to an integer variable containing the number of
clear-key bits in the clear_key_part variable. For keywords FIRST and ADD-PART, this value must be
| 128, 192, or 256 for an AES key, and 80 - 2048 for an HMAC key. This value must be zero for
key-part keyword COMPLETE.
clear_key_part
| The clear_key_part parameter is a pointer to a string variable containing the key to be imported. When
| the clear_key_bit_length variable is not a multiple of 8, left align the clear_key_part value in the
| variable. Any extra bits are ignored when the key is encrypted.
key_identifier_length
The key_identifier_length parameter is a pointer to a string variable containing the number of bytes of
data in the key_identifier variable. If the key_identifier variable contains a key label, the length must be
64. Otherwise, the length must be large enough to hold the input key token and to receive the
expected output key token. On output, the value of this variable is updated to contain the actual length
of the key_identifier imported by the verb.
key_identifier
The key_identifier parameter is a pointer to a string variable containing an internal variable-length
| symmetric key-token or a key label identifying a key-storage record for such a token. If a key label
identifies a key record in AES key-storage, the returned key token replaces any key token associated
with that label. If the first byte of the identified string does not indicate a key label (that is, not in the
range X'20' - X'FE'), and the variable is of sufficient length to receive the result, then the key token is
returned in the identified variable.
Key-management field 2
Rule-array keyword (high-order byte) on input Offset Access control command
FIRST and MIN3PART Ignored X'0297' Import Minimum Three Parts
FIRST and MIN2PART Ignored X'0298' Import Minimum Two Parts
FIRST and MIN1PART Ignored X'0299' Import Minimum One Part
ADD-PART B'1100 0000' X'029A' Import Second of Three or More Parts
B'1000 0000' X'029B' Import Last Minimum Required Part
B'0100 0000' X'029C' Import Optional Part
COMPLETE B'0100 0000' X'029D' Complete Import of Key Parts
See also Key_Test_Extended (CSNBKYTX) on page 265 for operating on external AES and DES keys
and key parts.
The verb supports testing of AES, APKA, DES, and PKA master keys, AES or DES clear keys or key
parts, and enciphered AES or DES keys or key parts (see Restrictions on page 257). Rule array
keywords are used to specify information about the source key that is not implicit from other verb
parameters.
When testing a master key, you use two sets of rule array keywords to indicate what key to test:
1. The AES-MK, APKA-MK, ASYM-MK, and SYM-MK master-key selector keywords select whether to
test the AES, APKA, PKA (asymmetric), or DES (symmetric) master key. Not specifying a master-key
selector keyword indicates that the DES (symmetric) and PKA (asymmetric) master keys (SYM-MK
and ASYM-MK) have the same value, and that you want to test that value.
2. The KEY-KM, KEY-NKM, and KEY-OKM key or key-part rule keywords select among the
current-master-key register, the new-master-key register, and the old-master-key register.
Several key test algorithms are supported by the verb. See Cryptographic key-verification techniques on
page 677. Some are implicitly selected based on the type of key you are testing, while others are optional
and selected by specifying a verification process rule keyword. With the verification process rule, you can:
1. Specify the ENC-ZERO keyword to encrypt a block of binary zeros with the specified key. The verb
returns the leftmost 32 bits of the encryption result as the verification pattern. The block that is
encrypted consists of 16 bytes of binary zeros for AES keys, and 8 bytes for DES and Triple-DES
keys. For AES, this method is valid only with the CLR-A128, CLR-A192, CLR-A256, and TOKEN
keywords. For DES, this method is valid only with the KEY-CLR, KEY-CLRD, KEY-ENC, and
KEY-ENCD keywords.
2. Specify the MDC-4 keyword to compute a 16-byte verification pattern using the MDC-4 algorithm. This
keyword is valid only when computing the verification pattern for a DES (symmetric) or PKA
(asymmetric) master key.
3. Specify the SHA-1 keyword to compute the KVP using the SHA-1 hashing method. This keyword is
valid only when computing the KVP for the DES (symmetric) or PKA (asymmetric) master-key.
4. Specify the SHA-256 keyword to compute the KVP using the SHA-256 hashing method. This keyword
is valid only when computing the KVP for an AES key or an AES-MK and APKA-MK master-key.
| Note: For historical reasons, the verification information is passed in two 8-byte variables pointed to by
| the value_1 and value_2 parameters. The GENERATE option uses these variables for output, and
| the VERIFY option uses these variables as input. For VERIFY, the verb returns a warning of return
| code 4, reason code 1 if the information provided in these variables does not match the calculated
| values.
| Table 42 on page 257 describes the use of the value_1 and value_2 variables for each of the available
| verification-process rules.
| DES and Triple-DES keys reserve the low-order bit of each byte for parity. If parity is used, the low-order
bit is set so that the total number of '1' bits in the byte is odd. Parity adjustment keywords ADJUST and
NOADJUST allow you to control how the Key_Test verb handles the parity bits. Keyword NOADJUST,
which is the default, specifies not to alter the parity bit values in any way. Keyword ADJUST specifies to
modify the low-order bit of each byte as necessary for odd parity. This is done on the cleartext value of the
key before the verification pattern is computed. The parity adjustment is performed only on a temporary
copy of the key within the card, and does not affect the key value in the key_identifier parameter.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
CSNBKYT
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2, 3, 4, or 5
rule_array Input String array rule_array_count * 8 bytes
key_identifier Input String 64 bytes
| value_1 In/Output String 8 bytes
| value_2 In/Output String 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 2, 3, 4, or 5.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are shown below:
Keyword Meaning
Process rule (one required)
GENERATE Generate a verification pattern for the specified key or key part.
VERIFY Verify that a verification pattern matches the specified key or key part.
Key or key-part rule (one required)
CLR-A128 (Rel. 3.30 Process a 128-bit AES clear key or clear key-part
or later)
CLR-A192 (Rel. 3.30 Process a 192-bit AES clear key or clear key-part
or later)
CLR-A256 (Rel. 3.30 Process a 256-bit AES clear key or clear key-part
or later)
KEY-CLR Process a single-length DES clear key or clear key-part.
KEY-CLRD Process a double-length DES clear key or clear key-part.
KEY-ENC Process a single-length DES enciphered key or enciphered key-part supplied in a key
token.
KEY-ENCD Process a double-length DES enciphered key or enciphered key-part supplied in a key
token.
KEY-KM Process the master key in the current-master-key register.
KEY-NKM Process the master key in the new-master-key register, which can be an incomplete key
if all key parts have not been loaded.
KEY-OKM Process the master key in the old-master-key register.
key_identifier
The key_identifier parameter is a pointer to a string variable containing an internal fixed-length AES or
DES key-token, a key label that identifies an internal fixed-length key-token record in AES or DES
key-storage, or a clear key. This parameter should point to a null DES key-token for rule-array
keywords KEY-KM, KEY-NKM, and KEY-OKM.
The key token contains the key or the key part used to generate or verify the KVP.
When you specify the KEY-CLR keyword, the clear key or clear key-part must be stored in bytes 0 - 7
of the key identifier. When you specify the KEY-CLRD keyword, the clear key or clear key-part must
be stored in bytes 0 - 15 of the key_identifier variable. When you specify the KEY-ENC or the
KEY-ENCD keyword, the enciphered key or enciphered key-part must be in a fixed-length DES
key-token.
Required commands
The Key_Test verb requires the Compute Verification Pattern command (offset X'001D') to be enabled in
the active role.
| The verb supports a GENERATE option in which it computes and returns a key verification pattern (KVP)
| for a specified key based on a KVP calculation algorithm keyword. The verb also supports a VERIFY
| option, based on the same KVP calculation algorithm keyword, in which it verifies that a passed KVP is
| correct for the specified key. Neither the KVP nor the verification process reveal any information about the
| value of the tested key, other than equivalency of two key values. Several KVP calculation algorithms are
| supported.
| Rule array keywords are used to specify information about the target key that is not implicit from other
| verb parameters.
Format
Parameter name Direction Data type Data length or value
CSNBKYT2
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 2, 3, 4, or 5
rule_array Input String array rule_array_count * 8 bytes
key_identifier_length Input Integer See Appendix B.
key_identifier Input String key_identifier_length bytes
KEK_key_identifier_length Input Integer 0
KEK_key_identifier Input String KEK_key_identifier_length bytes
| reserved_length In/Output Integer 0
| reserved In/Output String reserved_length bytes
| key_verification_pattern_length In/Output Integer 8
key_verification_pattern In/Output String key_verification_pattern_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 2, 3, 4, or 5.
| Note: Currently only one verification pattern method is supported. This method has a pattern length of
| 8 bytes. For VERIFY, this value must be 8 on input and is not updated on output. For
| GENERATE, this value must be at least 8 and is updated to 8 on output.
key_verification_pattern
| The key_verification_pattern parameter is a pointer to a string variable containing the binary
| verification pattern. For GENERATE, the verb returns the generated verification pattern in this variable.
| For VERIFY, the verb verifies the verification pattern in this variable.
Required commands
The Key_Test2 verb requires the Compute Verification Pattern command (offset X'001D') to be enabled in
the active role.
| For verification rule keyword ENC-ZERO together with algorithm keyword AES, the Compute ENC-ZERO
| Verification Pattern for AES command (offset X'0021') must be enabled in the active rule. This command is
| not required for DES.
The verb supports testing of AES, APKA, DES, and PKA master keys, AES clear keys or key parts, and
enciphered AES or DES keys or key parts (see Restrictions on page 257). Rule array keywords are used
to specify information about the source key that is not implicit from other verb parameters.
When testing a master key, you use two sets of rule array keywords to indicate what key to test:
1. The AES-MK, APKA-MK, ASYM-MK, and SYM-MK master-key selector keywords select whether to
test the AES, APKA, PKA (asymmetric), or DES (symmetric) master key. Not specifying a master-key
selector keyword indicates that the DES (symmetric) and PKA (asymmetric) master keys (SYM-MK
and ASYM-MK) have the same value, and that you want to test that value.
2. The KEY-KM, KEY-NKM, and KEY-OKM key or key-part rule keywords select among the
current-master-key register, the new-master-key register, and the old-master-key register.
Several key test algorithms are supported by the verb. See Cryptographic key-verification techniques on
page 677. Some are implicitly selected based on the type of key you are testing, while others are optional
and selected by specifying a verification process rule keyword. With the verification-process rule, you can:
| 1. Specify the ENC-ZERO keyword to encrypt a block of binary zeros with the specified key. The verb
| returns the leftmost 32 bits of the encryption result as the KVP. The block that is encrypted consists of
| 16 bytes of binary zeros for AES keys, and 8 bytes for DES and Triple-DES keys. For AES, this
| method is valid only with the TOKEN keyword. For DES, this method is valid only with the KEY-ENC
| and KEY-ENCD keywords.
| 2. Specify the MDC-4 keyword to compute a 16-byte KVP using the MDC-4 algorithm. This keyword is
| valid only when computing the KVP pattern for a DES (symmetric) or PKA (asymmetric) master key.
3. Specify the SHA-1 keyword to compute the KVP using the SHA-1 hashing method. This keyword is
valid only when computing the KVP for the DES (symmetric) or PKA (asymmetric) master-key.
4. Specify the SHA-256 keyword to compute the KVP using the SHA-256 hashing method. This keyword
is valid only when computing the KVP for an AES key or an AES-MK and APKA-MK master-key.
| Note: For historical reasons, the verification information is passed in two 8-byte variables pointed to by
| the value_1 and value_2 parameters. The GENERATE option uses these variables for output, and
| the VERIFY option uses these variables as input. For VERIFY, the verb returns a warning of return
| code 4, reason code 1 if the information provided in these variables does not match the calculated
| values.
| Table 43 on page 266 describes the use of the value_1 and value_2 variables for each of the available
| verification-process rules.
| DES and Triple-DES keys reserve the low-order bit of each byte for parity. If parity is used, the low-order
| bit is set so that the total number of '1' bits in the byte is odd. Parity adjustment keywords ADJUST and
| NOADJUST allow you to control how the verb handles the parity bits. Keyword NOADJUST, which is the
| default, specifies not to alter the parity bit values in any way. Keyword ADJUST specifies to modify the
| low-order bit of each byte as necessary for odd parity. This is done on the cleartext value of the key before
| the verification pattern is computed. The parity adjustment is performed only on a temporary copy of the
| key within the card, and does not affect the key value in the key_identifier parameter.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
CSNBKYTX
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2, 3, 4, or 5
rule_array Input String array rule_array_count * 8 bytes
key_identifier Input String 64 bytes
| value_1 In/Output String 8 bytes
| value_2 In/Output String 8 bytes
kek_key_identifier Input String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 2, 3, 4, or 5.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are shown below:
Required commands
The Key_Test_Extended verb requires the Compute Verification Pattern command (offset X'001D') to be
enabled in the active role.
Internal fixed-length AES key tokens can contain either a clear key or an enciphered key, while
fixed-length DES key tokens can contain only an enciphered key. You either specify that the verb build a
completed key-token with a key value you provide, or build a skeleton key-token that does not have a key
value. A typical use of a skeleton key-token is so that it can be supplied to the Key_Generate verb, which
then updates the key token with an enciphered key that the verb randomly generates.
When building an AES skeleton-key token, Key_Token_Build sets the clear-key bit length value (offset 56)
in the token, even though it does not contain a key. This enables the Key_Generate verb to use this value
to determine what key size to generate. The verb also sets the AES key-token LRC checksum byte (offset
7) to binary zeros.
| A control vector includes data that defines the key type of a key. All fixed-length AES key tokens have a
| key type of DATA, and an AES control vector, if present, is always valued to binary zeros. Other than a
| key type, AES control vectors contain no other data such as key-usage, key-length, or key subtype. A DES
| control vector, in addition to a key type, includes data that defines key-usage values, a key-length
| specification, and in some cases a key subtype, a key subtype extension, or both. See Appendix C, CCA
| control-vector definitions and key encryption, on page 655.
Note: An external version X'01' DES key-token contains a double-length DATA key with a control vector of
binary zeros. In this case, the key length is located at offset 59 and not in the key-form bits of the
control vector.
The verb always includes a control vector as part of the output key-token. For AES keys, the verb sets the
control vector value in the key-token to binary zeros. For DES keys, the verb can include a control vector
you supply, or it can build the control vector based on the key type and keywords in the rule array related
to the control vector.
This verb does not perform cryptographic services on any key value. You cannot use this verb to change a
key or to change the control vector related to a key.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v AES key types and keywords are not supported in releases before Release 3.30.
v Version 1 software used a smaller master-key verification pattern, called the master-key version number.
Beginning with Version 2, the verb interface changed to accept an 8-byte verification pattern identified
by the master_key_verification_pattern parameter.
v This verb does not support version X'10' external DES key tokens (RKX key tokens).
v The WRAP-ECB, WRAP-ENH, and ENH-ONLY rule-array keywords are not supported in releases
before Release 4.1.
CSNBKTB
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_token Output String 64 bytes
key_type Input String 8 bytes
rule_array_count Input Integer
rule_array Input String array rule_array_count * 8 bytes
key_value Input String 16, 24, or 32 bytes
reserved_1* Input void * integer valued to 0
reserved_2 Input Integer null pointer or 0
token_data_1 Input String null pointer (DES), or XL8'00' (DES), or 1 byte (AES)
control_vector Input String 16 bytes
reserved_4 Input String null pointer or XL8'00'
reserved_5 Input Integer null pointer or 0
reserved_6 Input String null pointer or 8-space variable
master_key_verification_pattern Input String 8 bytes
*
Previous implementations used the reserved_1 parameter to point to a four-byte integer or string that
represented the master-key version number. Beginning with Version 2, the CCA Support Program requires
this parameter to point to a four-byte value equal to binary zero.
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_token
The key_token parameter is a pointer to a string variable containing the assembled key-token.
DATA CLRAES
For information about key types, see Appendix C, CCA control-vector definitions and key encryption,
on page 655.
Specify the USE-CV keyword to indicate the key type should be obtained from the control_vector
variable.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Token type (one required)
EXTERNAL Specifies to build an external key-token. Valid only for DES keys.
INTERNAL Specifies to build an internal key-token. Valid for both AES and DES keys.
Token algorithm (one, optional)
AES (Rel. 3.30 or Specifies to build an AES key-token. If the CLRAES key_type keyword is specified, this is
later) the default.
DES Specifies to build a DES key-token. If the CLRAES key_type keyword is not specified, this
is the default.
Key status (one, optional)
KEY Specifies to build the key token with the key variable identified by the key_value parameter.
NO-KEY Specifies to build the key token without a key value. This is the default.
Key length (one required for AES, one optional for DES)
SINGLE Specifies that the key length is single (valid only for DES keys).
KEYLN8 Same as SINGLE.
DOUBLE Specifies that the key is either a replicated single-length key (both key halves equal), or a
double-length key with two different 8-byte values (valid only for DES keys).
KEYLN16 AES keys: Specifies that the key length is 16 bytes (128 bits). DES keys: Same as
DOUBLE.
MIXED Same as DOUBLE.
KEYLN24 Specifies that the key length is 24 bytes (192 bits) - valid only for AES keys and only for
Release 3.30 or later.
KEYLN32 Specifies that the key length is 32 bytes (256 bits) - valid only for AES keys and only for
Release 3.30 or later.
key_value
This parameter is a pointer to a string variable containing the enciphered key or AES clear-key value
which is placed into the key field of the key token when you use the KEY rule-array keyword.
The length of this variable depends on the type of key that is provided. The length is 16 bytes for DES
keys. A single-length DES key must be left-aligned and padded on the right with eight bytes of X'00'.
For a clear AES key, the length is 16 bytes for KEYLN16, 24 bytes for KEYLN24, and 32 bytes for
KEYLN32. An enciphered AES key is 32 bytes.
token_data_1
This parameter is unused for DES keys and cleartext AES keys. In either of those cases it must either
be a null pointer or point to a string variable containing eight bytes of binary zeros.
For encrypted AES keys, this parameter is a pointer to a one-byte string variable containing the LRC
value for the key passed in the key_value parameter. See Internal fixed-length AES key tokens on
page 578 for an explanation of LRC values. The verb copies this LRC into the LRC field of the key
token. Note that the verb automatically computes the LRC for a cleartext AES key and stores it in the
key token.
control_vector
This parameter is a pointer to a string variable. If you specify the CV keyword in the rule array, the
contents of this variable are copied to the control vector field of the fixed-length DES key-token. The
contents of this variable are ignored for AES keys.
master_key_verification_pattern
This parameter is a pointer to a string variable containing the master-key verification pattern of the
master key used to encipher the key in the internal key-token. The contents of the variable are copied
into the MKVP field of the key token when keywords INTERNAL and KEY are specified, and key_type
keyword CLRAES is not specified.
Required commands
None
| The Key_Token_Build2 verb cannot assemble a usable key-token that contains an enciphered key. It can,
| however, assemble an internal AES or HMAC key-token that has a clear key, usable for a limited number
| of services.
This is a host-only verb and it does not use the cryptographic coprocessor. As such, it does not perform
cryptographic services on any key value.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Key types EXPORTER and IMPORTER do not allow clear keys.
| v External key tokens are not supported in releases before Release 4.2.
| v The following rule-array keywords are not supported in releases before Release 4.2:
| Token identifier EXTERNAL
| Algorithm AES
| Key types CIPHER, EXPORTER, or IMPORTER
| Encrypt key-usage control ENCRYPT and DECRYPT
| Generate key-usage control GENERATE and VERIFY
| EXPORTER key-usage control EXPORT, TRANSLAT, GEN-OPEX, GEN-IMEX, GEN-EXEX, and
| GEN-PUB
| IMPORTER key-usage control IMPORT, TRANSLAT, GEN-OPIM, GEN-IMEX, GEN-IMIM, and
| GEN-PUB
| User-defined extension control UDX-ONLY, UDX-001, UDX-010, and UDX-100
| Key-usage mode CBC, ECB, CFB, OFB, GCM, and XTS
| Key-usage wrap algorithm WR-DES, WR-AES, WR-HMAC, WR-RSA, and WR-ECC
| Key-usage wrap class WR-DATA, WR-KEK, WR-PIN, WRDERIVE, and WR-CARD
| DES-key export control NOEX-DES and XPRT-DES
| AES-key export control NOEX-AES and XPRT-AES
| RSA-key export control NOEX-RSA and XPRT-RSA
CSNBKTB2
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 4
rule_array Input String array rule_array_count * 8 bytes
| clear_key_bit_length Input Integer 0; 128, 192, or 256 (CIPHER); 80 - 2048 (MAC)
clear_key_value Input String clear_key_bit_length / 8 bytes
| key_name_length Input Integer 0 or 64
key_name Input String key_name_length bytes
user_associated_data_length Input Integer 0 - 255
user_associated_data Input String user_associated_data_length bytes
token_data_length Input Integer 0
token_data Input String token_data_length bytes
reserved_length Input Integer 0
reserved Input String reserved_length bytes
| target_key_token_length In/Output Integer See Appendix B.
target_key_token Output String target_key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The minimum value is 4.
rule_array
| The rule_array parameter is a pointer to a string variable containing an array of keywords. The
| keywords are 8 bytes in length, and are left-aligned and padded on the right with space characters.
| The returned rule array keywords express the contents of the token.
|| Keyword Meaning
| Header section
| Token identifier (one required)
| INTERNAL Build an internal variable-length symmetric key-token.
| EXTERNAL (Rel. Build an external variable length key-token.
| 4.2 or later)
| Wrapping information section
| Key status (one, optional)
| NO-KEY Build the key token without a key value. This creates a skeleton key token that can later be
| supplied to the Key_Generate2 verb. This is the default.
| KEY-CLR Build the key token with a clear key, CIPHER and MAC key types only.
Required commands
None
Beginning with Release 4.1, the verb can be used to reformat a key in an internal fixed-length AES or DES
key-token from its current key-wrapping method to the specified key-wrapping method. A reformat does not
change the master key used.
Note: Previous implementations of IBM CCA products had additional capabilities with this verb such as
deleting key records and key tokens in key storage. Also, use of a wildcard (*) was supported in
those implementations.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v AES is not supported in releases before Release 3.30.
v The REFORMAT reencipherment method is not supported in releases before Release 4.1.
v The USECONFG, WRAP-ECB, WRAP-ENH, and ENH-ONLY rule-array keywords are not supported in
releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNBKTC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, 3, or 4
rule_array Input String array rule_array_count * 8 bytes
key_identifier In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1, 2, 3, or 4.
Keyword Description
Algorithm (one, optional). These keywords are not supported in releases before Release 3.30.
AES Specifies that the key token is for an AES key.
DES Specifies that the key token is for a DES key. This is the default.
Reencipherment method (one required)
REFORMAT (Rel. Reenciphers a key from its current key-wrapping method to the specified key-wrapping
4.1 or later) method. The master key used to reencipher the key is the same master key used to wrap
the original key.
RTCMK Reenciphers a key that is now enciphered under the old master key to encipherment under
the current master key. If the key is already enciphered with the current master key, the verb
returns a positive response (return code 0, reason code 0) and does not change the key
token.
Key-wrapping method (one, optional). Release 4.1 or later.
USECONFG Specifies to wrap the key using the configuration setting for the default wrapping method.
This keyword is ignored for AES keys. This is the default.
WRAP-ECB Specifies to wrap the key using the legacy wrapping method. This keyword is ignored for
AES keys.
WRAP-ENH Specifies to wrap the key using the enhanced wrapping method. Valid only for DES keys.
Translation control (optional). This is valid only with wrapping method WRAP-ENH or with USECONFG when the
default wrapping method is WRAP-ENH. This option cannot be used on a key with a control vector valued to
binary zeros. Release 4.1 or later.
ENH-ONLY Specifies to restrict the key from being wrapped with the legacy wrapping method once it
has been wrapped with the enhanced wrapping method. Sets bit 56 (ENH-ONLY) of the
control vector to B'1'.
key_identifier
The key_identifier parameter is a pointer to a string variable containing the internal fixed-length AES or
DES key-token or the key label of an internal fixed-length AES or DES key-token record.
Required commands
The Key_Token_Change verb requires the following commands:
If the WRAP-ECB translation-control keyword is specified and the key in the input key token is wrapped by
the enhanced wrapping method (WRAP-ENH), the verb requires the Enable Translation from New to Old
Format in KTC and KTR2 command (offset X'0147') to be enabled. An active role with offest X'0147'
enabled can also use the Key_Translate2 verb to translate a key from the enhanced key-wrapping method
to the less-secure legacy method.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Rule-array keyword AES is not supported in releases before Release 4.2.
Format
Parameter name Direction Data type Data length or value
CSNBKTC2
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2
rule_array Input String array rule_array_count * 8 bytes
key_identifier_length In/Output Integer See Appendix B.
key_identifier In/Output String key_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters.
The rule-array keywords are:
key_identifier_length
| The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes
| of data in the key_identifier variable. On input, this variable contains the number of bytes for the
| key_identifier buffer, and must be large enough to hold the key token or key label. On output, this
| variable contains the number of bytes of data returned in the key_identifier variable.
key_identifier
| The key_identifier parameter is a pointer to a string variable containing an internal variable-length
| symmetric key-token, or a key label of such a key in AES key-storage. The enciphered data within the
| token is securely reenciphered under the current master-key.
Required commands
The Key_Token_Change2 verb requires the Reencipher to Current Master Key2 command (offset X'00F1')
to be enabled in the active role in order to use keyword RTCMK.
The verb returns some of the key-token information in a set of variables identified by individual parameters
and the remaining key-token information as keywords in the rule array.
Control-vector information is returned in keywords found in the rule array when the verb can fully parse the
control vector. Supported keywords are shown in Figure 10 on page 161. Otherwise, the verb returns
return code 4, reason code 2039 (X'7F7').
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v This verb does not support version X'10' external DES (RKX) key tokens.
Format
Parameter name Direction Data type Data length or value
CSNBKTP
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_token Input String 64 bytes
key_type Output String 8 bytes
| rule_array_count In/Output Integer 3 - 50
rule_array Output String array rule_array_count * 8 bytes
key_value Output String 16 bytes
master_key_version_number Output Integer (version X'03' internal token only)
reserved_2 Output Integer Can be a null pointer.
reserved_3 Output String 8 bytes
control_vector Output String 16 bytes
reserved_4 Output String 8 bytes
reserved_5 Output Integer Can be a null pointer.
reserved_6 Output String 8 bytes
master_key_verification_pattern Output String 8 bytes (version X'00' internal token only)
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_token
The key_token parameter is a pointer to a string variable in application storage containing an external
or internal key-token to be disassembled.
key_type
The key_type parameter is a pointer to a string variable containing a keyword defining the key type.
The keyword is 8 bytes in length and must be left-aligned and padded on the right with space
characters. Valid key_type keywords are shown below:
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. This value must be a minimum of 3 and should be at least 20.
On input, specify the maximum number of usable array elements that are allocated. On output, the
verb sets the value to the number of keywords returned to the application.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords that
expresses the contents of the key token. The keywords are 8 bytes in length and are left-aligned and
padded on the right with space characters. The rule_array keywords are:
Keyword Meaning
Token type (one returned)
EXTERNAL Specifies an external fixed-length DES key-token.
INTERNAL Specifies an internal fixed-length DES key-token.
Key status (one returned)
KEY Indicates the key token contains a key. The key_value variable contains the key.
NO-KEY Indicates the key token does not contain a key.
Key-wrapping method (one returned). Release 4.1 or later.
WRAP-ECB The wrapping method for this key is legacy.
WRAP-ENH The wrapping method for this key is enhanced.
Control-vector (CV) status (one returned)
CV The key token specifies that a control vector is present. The verb sets the control_vector
variable with the value of the control vector found in the key token.
NO-CV The key token does not specify the presence of a control vector. The verb sets the
control_vector variable to space characters.
Control-vector keywords
See Figure 10 on page 161 for the key-usage keywords that can result with a given key type.
Required commands
None
| The key_token input parameter specifies the external or internal key token to disassemble. The verb
| returns some of the key-token information in a set of variables identified by individual parameters, and
| returns the remaining information as keywords in the rule array.
| The key-usage field and key-management field information is returned in keywords found in the rule array
| when the verb can fully parse the fields. See the rule_array parameter on page 288 for a table of
| supported keywords. If the token cannot be parsed successfully, the verb returns a warning using reason
| code 2039 X'7F7'). If a warning or error occurs during processing, the verb updates all of the count and
| length variables with a value of zero.
| Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX
| IBM i
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| CSNBKTP2
| return_code Output Integer See Appendix A.
| reason_code Output Integer See Appendix A.
| exit_data_length In/Output Integer 0
| exit_data In/Output String exit_data_length bytes
| key_token_length Input Integer See Appendix A.
| key_token Input String key_token_length bytes
| key_type Output String 8 bytes
| rule_array_count In/Output Integer 3 - 50
| rule_array Output String array rule_array_count * 8 bytes
| key_material_state Output Integer 0, 1, 2, or 3
| payload_bit_length In/Output Integer See Appendix B.
| payload Output String payload_bit_length / 8 bytes
| key_verification_pattern_type Output Integer 0, 1, or 2
| key_verification_pattern_length In/Output Integer 16
| key_verification_pattern Output String key_verification_pattern_length bytes
| key_wrapping_method Output Integer 0, 2, or 3
| key_hash_algorithm Output Integer 0, 1, 2, 4, or 8
| key_name_length In/Output Integer 0 or 64
| key_name Output String key_name_length bytes
| TLV_data_length In/Output Integer 0
| TLV_data Output String TLV_data_length bytes
| user_associated_data_length In/Output Integer 255
| user_associated_data Output String user_associated_data_length bytes
| reserved_length In/Output Integer 0
| reserved Output String reserved_length bytes
|
| See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Parameters
| For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
| Parameters common to all verbs on page 9.
| key_token_length
| The key_token_length parameter is a pointer to an integer variable containing the number of bytes of
| data in the key_token variable.
| key_token
| The key_token parameter is a pointer to a string variable containing an external or internal
| variable-length symmetric key-token to be disassembled. This parameter must not point to a key label.
| key_type
| The key_type parameter is a pointer to a string variable containing a keyword for the key type of the
| input key. The keyword is 8 bytes in length and is left-aligned and padded on the right with space
| characters. Valid key_type keywords are shown below:
|| CIPHER EXPORTER
| IMPORTER MAC
|
| If an error occurs while processing the input token, all output lengths will be updated to zero and an error
| will be returned.
| Required commands
| None
| Note: This verb has been deprecated. New applications should use Key_Translate2 instead of this verb.
| See Key_Translate2 (CSNBKTR2) on page 296.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v This verb does not support version X'10' external fixed-length DES (RKX) key tokens.
CSNBKTR
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
input_key_token Input String 64 bytes
input_KEK_key_identifier Input String 64 bytes
output_KEK_key_identifier Input String 64 bytes
output_key_token Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
input_key_token
The input_key_token parameter is a pointer to a string variable containing an external fixed-length
DES key-token. The key token contains the key to be reenciphered (translated).
input_KEK_key_identifier
The input_KEK_key_identifier parameter is a pointer to a string variable containing the operational
fixed-length DES key-token or the key label of an operational fixed-length DES key-token record. The
key token contains the key-encrypting key used to decipher the key. It must contain a control vector
that specifies an IMPORTER or IKEYXLAT key type. The control vector for an IMPORTER key must
have the XLATE bit set to B'1'.
output_KEK_key_identifier
The output_KEK_key_identifier parameter is a pointer to a string variable containing the operational
fixed-length DES key-token or the key label of an operational fixed-length DES key-token record. The
key token contains the key-encrypting key used to encipher the key. It must contain a control vector
that specifies an EXPORTER or OKEYXLAT key type. The control vector for an EXPORTER key must
have the XLATE bit set to B'1'.
output_key_token
The output_key_token parameter is a pointer to a string variable containing an external fixed-length
DES key-token. The key token contains the reenciphered key.
Required commands
The Key_Translate verb requires the Translate Key command (offset X'001F') to be enabled in the active
role.
| Reformat recovers a key from an input key-token, and places a copy of the key in a key token whose
| format differs in some way from the input key-token. An external output key is wrapped under the same
| key-encrypting key that was used to wrap the external input key.
| v Only DES keys can be reformatted in releases before Release 4.2. By specifying optional rule-array
| keywords for key-wrapping method and translation control, an external fixed-length DES key-token can
| be changed from one key-wrapping mode to another (that is, from legacy to enhanced, or from
| enhanced to legacy). The output key is returned in a different external fixed-length DES key-token. The
| same DES key-encrypting key used to unwrap the input key is used to wrap the output key.
| v Beginning with Release 4.2, an AES key can be reformatted. Specifically, an operational fixed-length
| AES key-token (older version X'04'), which always has a key type of DATA, can be reformatted into an
| operational variable-length AES key-token (newer, more secure version X'05') with a key type of
| CIPHER.
| Conversely, an operational variable-length AES key-token with a key type of CIPHER can be
| reformatted into a less secure operational fixed-length AES key-token.
| An internal version X'04' key-token is wrapped using the DES master key, while an internal X'05'
| key-token is wrapped using the more secure AES master key. Although the two AES keys are wrapped
| with different master keys, both remain operational within the same system.
| Translate recovers a key from an input key-token and places a copy of the key in a key token that does
| not differ from the input key-token. The copied key is translated by wrapping it under a different
| key-encrypting key than was used to wrap the input key.
| v Only DES keys can be translated in releases before Release 4.2. The input key must be in an external
| fixed-length DES key-token, and the output key is returned in a different external fixed-length DES
| key-token, wrapped under a different DES key-encrypting key.
| v Beginning with Release 4.2, AES keys and HMAC keys contained in external variable-length symmetric
| key tokens can be translated. A copy of the input key is returned in an identical key token, except that
| the copied key is wrapped using a different AES key-encrypting key.
| Table 44 on page 297 shows the input key tokens that are required and the output key tokens that are
| returned for a given combination of algorithm and reencipherment keywords.
| Notes:
| 1. The purpose of an AES REFORMAT is to convert internal AES keys between older version X'04' and newer
| version X'05' key-token formats. AES keys wrapped in version X'05' key tokens are more secure.
| 2. The purpose of a DES REFORMAT is to change the encipherment of an external DES key from one
| key-wrapping mode to another (that is, from legacy to enhanced, or from enhanced to legacy), without changing
| the encrypting key.
| 3. The purpose of a TRANSLAT is to change the encipherment of an external AES, DES, or HMAC key to a
| different key-encrypting key, without otherwise changing the key token.
|
| Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Clear keys are not supported.
| v Token algorithm keywords AES, DES, and HMAC are not supported in releases before Release 4.2.
| v Reencipherment keyword TRANSLAT is not supported in releases before Release 4.2.
| v AES key encrypting keys are not supported in releases before Release 4.2
Format
Parameter name Direction Data type Data length or value
CSNBKTR2
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 0, 1, 2, 3, or 4
rule_array Input String array rule_array_count * 8 bytes
| input_key_token_length Input Integer 64
input_key_token Input String input_key_token_length bytes
| input_KEK_key_identifier_length Input Integer 64
input_KEK_key_identifier Input String input_KEK_key_identifier_length bytes
| output_KEK_key_identifier_length Input Integer 64
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
| The rule_array_count is a pointer to an integer variable containing the number of elements in the
| rule_array variable. The value must be 0, 1, 2, 3, or 4.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are a 8 bytes in length and must be left-aligned and padded on the right with space
characters.
The rule_array keywords are:
|| Keyword Meaning
| Token algorithm (one, optional). Release 4.2 or later.
| AES Specifies that the input key is an AES key.
| DES Specifies that the input key is a DES key. This is the default.
| HMAC Specifies that the input key is an HMAC key.
| Reencipherment (one, optional)
| REFORMAT Specifies to change the key token in some way, without changing the encipherment of an
| external key to a different key-encrypting key. Not valid for HMAC.
| TRANSLAT (Rel. Specifies to change the encipherment of an external key to a different key-encrypting key,
| 4.2 or later) without otherwise changing the key token.
| Key-wrapping method (one, optional for DES; not allowed for any other token algorithm)
| USECONFG Specifies to wrap the key using the configuration setting for the default wrapping method.
| This is the default.
| WRAP-ECB Specifies to wrap the key using the legacy wrapping method.
| WRAP-ENH Specifies to wrap the key using the enhanced wrapping method.
| Translation control (optional). This is valid only with key wrapping method WRAP-ENH or with USECONFG when
| the default wrapping method is WRAP-ENH. This option cannot be used on a key with a control vector valued to
| binary zeros.
| ENH-ONLY Specifies to restrict the key from being wrapped with the legacy wrapping method once it
| has been wrapped with the enhanced wrapping method. Sets bit 56 (ENH-ONLY) of the
| control vector to B'1'.
|
input_key_token_length
| The input_key_token_length parameter is a pointer to an integer variable containing the number of
| bytes of data in the input_key_token variable.
input_key_token
| The input_key_token parameter is a pointer to a string variable containing a symmetric key-token to be
| reformatted or translated. See Table 44 on page 297.
| Required commands
| The Key_Translate2 verb requires the following commands to be enabled in the active role:
|| Rule-array keyword Offset Command
| REFORMAT X'014B' Translate Key2 (REFORMAT)
| REFORMAT X'032A' Disallow Translation from an AES X'05' to an AES X'04' Token
| (Rel. 4.2 or Note: Enable this command to prevent CIPHER keys, which are in
| later) variable-length AES key tokens (newer version X'05') and wrapped under
| the AES master-key, from being reformatted into DATA keys, which are in
| fixed-length AES key tokens (older version X'04') and wrapped under the
| less-secure DES master-key. This command overrides offset X'014B'.
| TRANSLAT (Rel. 4.2 or X'0149' Translate Key2
| later)
| WRAP-ECB or X'014A' Allow Configuration Override with Keyword in KTR2
| WRAP-ENH
| WRAP-ECB X'0147' Enable Translation from New to Old Format in KTC and KTR2
| Note: This command applies only when the input key is wrapped by the
| enhanced method, WRAP-ENH.
|
|
Format
Parameter name Direction Data type Data length or value
CSNBCKM
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0, 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
clear_key_length Input Integer 8, 16, 24, or 32
clear_key Input String clear_key_length bytes
key_identifier In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0, 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are shown below:
clear_key_length
The clear_key_length parameter is a pointer to an integer variable containing the number of bytes of
data in the clear_key variable.
If the algorithm is DES, the value must be:
v 8 for a single-length DES key
v 16 for a double-length Triple-DES key
If the algorithm is AES, the value must be:
v 16 for a 128-bit AES key
v 24 for a 192-bit AES key
v 32 for a 256-bit AES key
clear_key
The clear_key parameter is a pointer to a string variable containing the cleartext key to be imported.
key_identifier
On input, the key_identifier parameter is a pointer to a string variable containing a null key-token, an
internal fixed-length AES or DES DATA key-token, or a key label of a null key-token or internal
fixed-length AES or DES DATA key-token.
On output, the key token is updated with the specified cleartext key, enciphered under the appropriate
master key. A null key-token is updated with a default key-token for a DATA key.
Required commands
The Multiple_Clear_Key_Import verb requires the following commands to be enabled in the active role
based on the algorithm:
Note: A role with offset X'00C3' can also use the Clear_Key_Import verb.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v A key-usage flag bit (see offset 050 in the private-key section) must be on to permit use of the private
key in the decryption of a symmetric key.
v The RSA private-key modulus size (key size) is limited by the function control vector to accommodate
potential governmental export and import regulations. The verb enforces this restriction.
v The ZERO-PAD rule-array keyword is supported only for clear private keys contained in external RSA
tokens. This prevents the verb from being used to unwrap an object that is encrypted with a protected
key, such as a DES key wrapped by an encrypted RSA private-key.
v Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
Format
Parameter name Direction Data type Data length or value
CSNDPKD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
source_encrypted_key_length Input Integer 512
source_encrypted_key Input String source_encrypted_key_length bytes
data_structure_length Input Integer 0
data_structure In/Output String data_structure_length bytes
private_key_identifier_length Input Integer 3500
private_key_identifier Input String private_key_identifier_length bytes
clear_target_key_length In/Output Integer 512
clear_target_key Output String clear_target_key_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Keyword Meaning
Recovery method (required)
| PKCS-1.2 Specifies that the key is formatted as defined in the RSA PKCS #1 v2.0 standard for the
| RSAES-PKCS1-v1_5 encryption/decryption scheme. Formerly known as the block-type 02
| method. See PKCS #1 hash formats on page 694.
| ZERO-PAD Decrypts the source_encrypted_key variable and places the result right-aligned in the
clear_target_key variable. The decrypted value is the same length as the modulus. As
required, high-order bits are set to zero.
Note: Supported only for clear RSA private keys.
source_encrypted_key_length
The source_encrypted_key_length parameter is a pointer to an integer variable containing the number
of bytes of data in the source_encrypted_key variable. The maximum length is 512.
source_encrypted_key
The source_encrypted_key parameter is a pointer to a string variable containing the input key to be
decrypted.
data_structure_length
The data_structure_length parameter is a pointer to an integer variable containing the number of bytes
of data in the data_structure variable. This value must be 0.
data_structure
The data_structure parameter is a pointer to a string variable. This variable is currently ignored.
private_key_identifier_length
The private_key_identifier_length parameter is a pointer to an integer variable containing the number
of bytes of data in the private_key_identifier variable. The maximum length is 3500 bytes.
private_key_identifier
The private_key_identifier parameter is a pointer to a string variable containing the RSA private-key in
a PKA key-token, or the label of an RSA private-key in a PKA key-token record, used to decrypt the
source key.
clear_target_key_length
The clear_target_key_length parameter is a pointer to an integer variable containing the number of
bytes of data in the clear_target_key variable. On input, this variable specifies the maximum
permissible length of the result. On output, this verb updates the variable to indicate the length of the
returned key. The maximum length is 512.
clear_target_key
The clear_target_key parameter is a pointer to a string variable containing the decrypted (clear) key
returned by this verb.
Required commands
The PKA_Decrypt verb requires the PKA Decipher Key Data command (offset X'011F') to be enabled in
the active role.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSNDPKE
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
clear_source_data_length Input Integer 512
clear_source_data Input String clear_source_data_length bytes
data_structure_length Input Integer 0
data_structure Input String data_structure_length bytes
public_key_identifier_length Input Integer 3500
public_key_identifier Input String public_key_identifier_length bytes
target_data_length In/Output Integer 512
target_data Output String target_data_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Keyword Meaning
Format method (one required)
| PKCS-1.2 Specifies that the key is formatted as defined in the RSA PKCS #1 v2.0 standard for the
| RSAES-PKCS1-v1_5 encryption/decryption scheme. Formerly known as the block-type 02
| method. See PKCS #1 hash formats on page 694.
ZERO-PAD Places clear_source_data variable in the low-order bit positions of a bit string of the same
length as the modulus. As required, high-order bits are set to zero. Encrypts the resulting
bit-string with the public key.
clear_source_data_length
| The clear_source_data_length parameter is a pointer to an integer variable containing the number of
| bytes of data in the clear_source_data variable. When using the PKCS-1.2 keyword the maximum
| length is 501, and for ZERO-PAD, the maximum length is 512, with a 4096-bit RSA public-key.
clear_source_data
The clear_source_data parameter is a pointer to a string variable containing the input data to be
encrypted.
data_structure_length
The data_structure_length parameter is a pointer to an integer variable containing the number of bytes
of data in the data_structure variable. This value must be 0.
data_structure
The data_structure parameter is a pointer to a string variable. This variable is currently ignored.
public_key_identifier_length
The public_key_identifier_length parameter is a pointer to an integer variable containing the number of
bytes of data in the public_key_identifier variable. The maximum length is 3500 bytes.
public_key_identifier
| The public_key_identifier parameter is a pointer to a string variable containing the RSA public-key in a
| PKA key-token, or the label of such a key in PKA key-storage, used to encrypt the clear source data.
target_data_length
The target_data_length parameter is a pointer to an integer variable containing the number of bytes of
data in the target_data variable. On input, this variable specifies the maximum permissible length of
the result. On output, this verb updates the variable to indicate the length of the returned data. The
maximum output length is 512. The data length is the same as the size of the public-key modulus.
target_data
The target_data parameter is a pointer to a string variable containing the encrypted data returned by
the verb. The returned encrypted target_data variable is the same length as the public-key modulus.
Required commands
The PKA_Encrypt verb requires the PKA Encipher Clear Key command (offset X'011E') to be enabled in
the active role.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v This verb does not change the export control bit for TR-31 (CV bit 57).
Format
Parameter name Direction Data type Data length or value
CSNBPEX
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_identifier In/Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_identifier
The key_identifier parameter is a pointer to a string variable containing the internal fixed-length DES
key-token, or the key label of an internal fixed-length DES key-token record.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v This verb does not support version X'10' external DES key tokens (RKX key tokens).
| v This verb does not change the export control bit for TR-31 (CV bit 57).
Format
Parameter name Direction Data type Data length or value
CSNBPEXX
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
source_key_token In/Output String 64 bytes
KEK_key_identifier Input String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
source_key_token
The source_key_token parameter is a pointer to a string variable containing an external fixed-length
DES key-token.
Required commands
The Prohibit_Export_Extended verb requires the Lower Export Authority, Extended command (offset
X'0301') to be enabled in the active role.
You specify whether the random number is 56 bits with the low-order bit in each of the 8 bytes adjusted
for even or for odd parity, or 64 bits without parity adjustment. The verb returns the random number in an
8-byte string variable.
Because the Random_Number_Generate verb uses cryptographic processes, the quality of the output is
better than that which higher-level language compilers typically supply.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSNBRNG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
form Input String 8 bytes
random_number Output String 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
form
The form parameter is a pointer to a string variable containing a keyword to select the characteristic of
the random number. The keyword is 8 bytes in length and must be left-aligned and padded on the
right with space characters. The form keywords are:
random_number
The random_number parameter is a pointer to a string variable containing the random number
returned by the verb.
Required commands
The Random_Number_Generate verb requires the Generate Key command (offset X'008E') to be enabled
in the active role.
Because the Random_Number_Generate_Long verb uses cryptographic processes, the quality of the
output is better than that which higher-level language compilers typically supply.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X
| IBM i X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| Format
Parameter name Direction Data type Data length or value
CSNBRNGL
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
seed_length Input Integer 0
seed Input String seed_length bytes
random_number_length In/Output Integer 1 - 8192 on input (also 0 on output)
random_number Output String random_number_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length, and must be left-aligned and padded on the right with space
characters.
seed_length
The seed_length parameter is a pointer to an integer variable containing the number of bytes in the
seed variable. The value must be 0.
seed
The seed parameter is a pointer to a string variable containing a seed value. A seed can be supplied
so that the same value of the random number can be obtained in multiple instances. This can be
useful in testing situations. This variable is currently unused.
random_number_length
The random_number_length parameter is a pointer to an integer variable containing the number of
bytes in the random_number variable. On input, the minimum value is 1 and the maximum value is
8192.
Use this variable to specify the number of random bytes that the verb is to return. On output, this
variable contains the number of bytes returned by the verb in the random_number variable.
random_number
The random_number parameter is a pointer to a string variable containing the random number
generated.
Required commands
None
Generating and exporting DES keys: This verb uses a trusted block to generate or export DES keys.
To create a trusted block, see Trusted_Block_Create (CSNDTBC) on page 353. It accepts as input
parameters a trusted block, a public-key certificate and certificate parameters, a transport key, a rule ID to
identify the appropriate rule section to be used within a trusted block, an importer key, a source key,
optional extra data that can be used as part of the OAEP key-wrapping process, and key-check
parameters used to calculate an optional key-check value.
The verb validates all input parameters for generate and export operations. After the verb performs the
input parameter validation, the remaining steps depend on whether the generate option or the export
option is specified in the selected rule of the trusted block.
The following is a high-level description of the remaining processing steps for generate and export.
Processing steps for generate operation: The verb performs these steps for the generate operation:
1. Generates a random value for the generated key, K. The generated key length specified by the
selected rule determines the key length.
2. Exclusive-ORs the output key variant with the randomly generated key K from the previous step if the
selected rule contains a common export key parameters subsection and the output key variant length
is greater than zero. Adjusts the result to have valid DES key parity.
3. Continues with Final processing steps common to generate and export operations on page 320.
Processing steps for export operation: The verb performs these steps for the export operation:
| 1. If the trusted block Common Export Key Parameters subsection is not present, return an error.
| 2. If the trusted block Source Key Rule Reference subsection is not present and the source_key input
| parameter is an RKX key-token, return an error.
| 3. If input source_key_length variable equals 0, return an error.
| 4. If the trusted block Transport Key Rule Reference subsection exists, return an error if either of these
| conditions is true:
| v The transport_key_identifier input parameter does not identify an RKX token.
| v The Rule ID in the RKX key-token identified by the transport_key_identifier parameter is not equal
| to the rule ID in the Transport Key Rule Reference subsection.
| 5. If the trusted block Transport Key Variant subsection exists, return an error if either of these
| conditions is true:
| v The length of the transport key obtained from the transport_key_identifier variable is greater than
| the length of Variant in the Transport Key Variant Reference subsection.
| v The Symmetric Encrypted Output Key Format Flag equals RKX key-token format.
| Note: Transport keys are not used for symmetric encrypted output keys that are RKX key-tokens.
| 6. Verify that the source key token length is:
| v 0 if the trusted block's selected Rule section Generate/Export flag equals B'0' (generate key).
| v 64 if the trusted block's selected Rule section Generate/Export flag equals B'1' (export key).
| 7. Obtain the length of the source key from the source key identifier. Verify that the length of the source
| key is greater than or equal to Export Key Minimum Length and is less than or equal to Export Key
| Maximum Length in the trusted block's selected rule section's Common Export Key Parameters
| subsection.
| 8. Verify that the length of the source key is less than or equal to the Output Key Variant Length in the
| Common Export Key Parameters subsection if the output key variant length is nonzero.
| 9. Recover the clear value of the source key in the input source key identifier key block:
| Final processing steps common to generate and export operations: At this point, the source key is
| used from Step 2 in Processing steps for generate operation on page 317, or from Step 13 in
| Processing steps for export operation on page 317:
| 1. Based on the symmetric encrypted output key-format flag of the selected rule, returns the encrypted
| result in the token identified by the sym_encrypted_key_identifier parameter by completing the
| following steps:
| v The MKVP in the trusted block's Protection Information subsection of the Information section is
| compared with the PKA master keys' MKVP. If the comparison is successful,
| v The MAC key that resides within the trusted block is recovered. The recovered MAC key is then
| used to encrypt the source key.
| v An RKX key-token is constructed with the encrypted source key, and the rule ID from the trusted
| block's Rule section.
| v The recovered MAC key is used to compute the MAC over the newly constructed RKX key-token.
| The MAC is then appended to the RKX key-token.
| 2. Based on the asymmetric encrypted output key-format flag of the selected rule, returns the encrypted
| result in the token identified by the asym_encrypted_key_identifier parameter by completing the
| following steps. If the asymmetric encrypted output key format is NONE, no asymmetric encrypted
| output will be generated.
| v Verify certificate digital signature
| If input certificate_length variable is nonzero, use the public key identified by the
| trusted_block_identifier parameter to verify the digital signature embedded in the certificate as
| follows:
| Verify that the certificate length does not exceed the maximum allowed.
| Verify root public key exists, which is located in the Trusted RSA Public Key section of the key
| token identified by the trusted_block_identifier parameter. Return an error if the Trusted RSA
| Public Key section is not found.
| Create the certificates hash:
| - Verify root public key modulus length. Return an error if modulus length in the Trusted RSA
| Public Key section is greater than the maximum modulus length allowed by the FCV.
| - Verify root public key exponent. Return an error if the public exponent of the Trusted RSA
| Public Key section is an even number.
| - Generate an RSA key token.
| a. Copy the root public key exponent and length located in Trusted RSA Public Key section
| X'11' into an RsaKeyTokenPublic key.
| b. Copy the root public key modulus bit length located in Trusted RSA Public Key section
| X'11' into an RsaKeyTokenPublic key.
| c. Copy the root public key modulus and byte length located in Trusted RSA Public Key
| section X'11' into an RsaKeyTokenPublic key.
| Hash the data in the certificate:
| Create hash of the data pointed to by certificate base + certificate_parms offset 028 decimal, for
| a length of certificate_parms "length of data to be hashed" at offset 032 decimal, using hashing
| algorithm specified by the certificate_parms "hashing algorithm identifier" at offset 024 decimal.
| Only the SHA-1 algorithm will be supported initially. Create the BER encoded form of the hash.
| Generate comparative hash:
| Generate comparative hash using the certificate's digital signature pointed to by certificate base +
| certificate_parms offset 016 decimal for a length of certificate_parms offset 020 decimal, and the
| built RSA internal token. Create the PKCS 1.0 or 1.1 format (depending upon the
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v AES keys are not supported by this verb.
v Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
v The maximum public exponent is 17 bits for any key that has a modulus greater than 2048 bits.
CSNDRKX
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
trusted_block_identifier_length Input Integer 0 - 3500
trusted_block_identifier Input String trusted_block_identifier_length bytes
certificate_length Input Integer 0 - 5000
certificate Input String certificate_length bytes
certificate_parms_length Input Integer 36
certificate_parms Input String certificate_parms_length bytes
transport_key_identifier_length Input Integer 0 or 64
transport_key_identifier Input String transport_key_identifier_length bytes
rule_id_length Input Integer 8
rule_id Input String rule_id_length bytes
importer_key_identifier_length Input Integer 0 or 64
importer_key_identifier Input String importer_key_identifier_length bytes
source_key_identifier_length Input Integer 0 or 64
source_key_identifier Input String source_key_identifier_length bytes
asym_encrypted_key_length In/Output Integer 512
asym_encrypted_key Output String asym_encrypted_key_length bytes
sym_encrypted_key_identifier_length In/Output Integer 64
sym_encrypted_key_identifier Output String sym_encrypted_key_identifier_length bytes
extra_data_length Input Integer
extra_data Input String extra_data_length bytes
key_check_parameters_length Input Integer 0
key_check_parameters Input String key_check_parameters_length bytes
key_check_value_length In/Output Integer 0 - 16
key_check_value Output String key_check_value_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0.
rule_array
The rule_array parameter is a pointer to a string variable. This variable is currently ignored.
trusted_block_identifier_length
The trusted_block_identifier_length parameter is a pointer to an integer variable containing the number
of bytes of data in the trusted_block_identifier variable. The maximum length is 3500 bytes.
Note: After the hash is computed over the certificate data specified by offsets 28 and 32, the hash is
ASN.1 BER encoded by prepending these bytes:
| Note: If the select rule's asymmetric output format is NONE, the certificate_parms_length variable is
| ignored.
certificate_parms
The certificate_parms parameter is a pointer to a string variable containing a structure for identifying
the location and length of values within the public-key certificate pointed to by the certificate
parameter.
If the value of the certificate_length variable is 0, then the information in this variable is ignored but the
variable must be declared.
The format of the certificate_parms variable is defined in Table 45 on page 324.
Note: The modulus, exponent, and signature values can have bit lengths that are not multiples of 8;
each of these values is right-aligned and padded on the left with 0 bits to make it an even
number of bytes in length.
transport_key_identifier_length
The transport_key_identifier_length parameter is a pointer to an integer variable containing the number
of bytes of data in the transport_key_identifier variable. The length must be 0 or 64 bytes.
transport_key_identifier
The transport_key_identifier parameter is a pointer to a string variable containing a KEK key-token, or
a key label of a KEK key-token record. The KEK is either an internal fixed-length DES key-token (key
type IMPORTER or EXPORTER), or an external version X'10' (RKX) DES key-token. It is used to
encrypt a key exported by the verb.
When the symmetric encrypted output key format flag of the selected rule indicates return an RKX
key-token, this parameter is ignored and should have a length of 0.
If this parameter points to a DES key-token:
v The token must be of key type IMPORTER or EXPORTER
v If the source_key_identifier parameter identifies an internal DES key-token, the token must be of
key type EXPORTER
rule_id_length
The rule_id_length parameter is a pointer to an integer variable containing the number of bytes of data
in the rule_id variable. The length must be 8 bytes.
rule_id
The rule_id parameter is a pointer to a string variable that identifies the rule in the trusted block to be
used to control key generation or export. The trusted block can contain multiple rules, each of which is
identified by a unique rule ID value.
importer_key_identifier_length
The importer_key_identifier_length parameter is a pointer to an integer variable containing the number
of bytes of data in the importer_key_identifier variable. The length must be 0 or 64 bytes.
324 CCA Basic Services October 14, 2011
importer_key_identifier
The importer_key_identifier parameter is a pointer to a string variable containing an IMPORTER KEK
key-token or a label of an IMPORTER KEK key-token record. This KEK is used to decipher the key
pointed to by the source_key_identifier parameter.
The importer_key_identifier variable is ignored if the verb is used to generate a new key, or the
source_key_identifier variable contains either an RKX key token or an internal fixed-length DES
key-token.
source_key_identifier_length
The source_key_identifier_length parameter is a pointer to an integer variable containing the number
of bytes of data in the source_key_identifier variable. The length must be 0 or 64 bytes.
source_key_identifier
The source_key_identifier parameter is a pointer to a string variable containing a fixed-length DES
key-token or a label of a fixed-length DES key-token record. The key token contains the key to be
exported, and must meet one of these criteria:
v It is a single-length or double-length external DES key-token
v It is a single-length or double-length internal DES key-token
v It is a single-length, double-length, or triple-length RKX key-token
Notes:
1. If the key token is a CCA DES key-token, its XPORT-OK control vector bit (bit 17) must be 1, or
the export will not be allowed.
2. If a DES key-token has three 8-byte key parts, the parts are considered unique if any two of the
three key parts differ.
asym_encrypted_key_length
The asym_encrypted_key_length parameter is a pointer to an integer variable containing the number
of bytes of data in the asym_encrypted_key variable. On output, the variable is updated with the actual
length of the asym_encrypted_key variable. The input length must be at least the length of the
modulus in bytes of the public-key in the certificate variable.
asym_encrypted_key
The asym_encrypted_key parameter is a pointer to a string variable containing a generated or
exported clear key returned by the verb. The clear key is encrypted by the public (asymmetric) key
provided by the certificate variable.
sym_encrypted_key_identifier_length
The sym_encrypted_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the sym_encrypted_key_identifier variable. On output, the variable is
updated with the actual length of the sym_encrypted_key_identifier variable. The input length must be
at least 64 bytes.
sym_encrypted_key_identifier
The sym_encrypted_key_identifier parameter is a pointer to a string variable. On input, the
sym_encrypted_key_identifier variable must either contain a key label of a fixed-length DES key-token
record or an RKX key-token record, or be filled with binary zeros. On output, the verb produces a
fixed-length DES key-token or an RKX key-token, depending on the value of the symmetric encrypted
output key format value of the rule section within the trusted_block_identifier variable. The key token
produced contains either a generated or exported key encrypted using the key-encrypting key provided
by the transport_key_identifier variable.
v If the output is an external fixed-length DES key-token:
1. If a common export key parameters subsection (X'0003') is present in the selected rule, the CV
is copied from the subsection into the output CCA DES key-token. Otherwise, the CV is copied
from source key-token.
Note: The RSA-OAEP format is specified as part of the rule in the trusted block.
key_check_parameters_length
The key_check_parameters_length parameter is a pointer to an integer variable containing the number
of bytes of data in the key_check_parameters variable. The length must be 0.
key_check_parameters
Reserved for future use.
key_check_value_length
The key_check_value_length parameter is a pointer to a string variable containing the number of bytes
of data in the key_check_value variable. On output, and if the field is of sufficient length, the variable
is updated with the actual length of the key_check_value variable.
key_check_value
The key_check_value parameter is a pointer to a string variable containing the result of the key-check
algorithm chosen in the rule section of the selected trusted block. See Encrypt zeros DES-key
verification algorithm on page 679 and Modification Detection Code calculation on page 679.
When the selected key-check algorithm is to encrypt an 8-byte block of binary zeros with the key, and
the generated or exported key is:
v Single length
1. A value 0, 1, or 2 is considered insufficient space to hold the output encrypted result and the
verb returns an error
2. A value of 3 returns the leftmost 3 bytes of the encrypted result if the key_check_value_length
variable is 3 or more, else an error is returned
3. A value of 4 - 8, inclusive, returns the leftmost 4 bytes of the encrypted result if the
key_check_value_length variable is 4 or more, else an error is returned
Required commands
The Remote_Key_Export verb requires the Generate or Export a Key for Use By a Non-CCA Node
command (offset X'0312') to be enabled in the active role.
The verb also requires the Replicate Key command (offset X'00DB') to be enabled to replicate a
single-length source key (either from a fixed-length DES key-token or an RKX key-token). If authorized,
key replication occurs if all of the following are true:
1. The key token returned using the sym_encrypted_key_identifier parameter is a fixed-length DES
key-token, as defined in the rule section identified by the rule_id parameter
2. The rule section identified by the rule_id parameter has a common export key parameters subsection
defined, and the control vector in the subsection is 16 bytes in length with key-form bits of B'010' for
the left half and B'001' for the right half (see Key-form bits, 'fff' and 'FFF' on page 660)
3. The token identified by the source_key_identifier parameter is single length, and is either a fixed-length
DES key-token or an RKX key-token.
Note: A role with X'00DB' enabled can also use the Key_Generate verb with the SINGLE-R key-length
keyword.
| This verb deprecates the Prohibit_Export and Prohibit_Export_Extended verbs, and should be used for all
| new applications.
| The use of this verb requires an awareness of the different export control attributes in the key
| management fields or control vector of each key token. The following table describes these attributes:
|| Attribute Parse keyword Meaning
| AES or HMAC variable-length symmetric key token
| Key-management field 1, high-order byte
| B'1xxx xxxx' XPRT-SYM Allow export using symmetric key.
| B'0xxx xxxx' NOEX-SYM Prohibit export using symmetric key.
| B'x1xx xxxx' XPRTUASY Allow export using unauthenticated asymmetric key.
| B'x0xx xxxx' NOEXUASY Prohibit export using unauthenticated asymmetric key.
| B'xx1x xxxx' XPRTAASY Allow export using authenticated asymmetric key.
| B'xx0x xxxx' NOEXAASY Prohibit export using authenticated asymmetric key.
| Key-management field 1, low-order byte, symmetric:
| B'0xxx xxxx' XPRT-DES Allow export using DES key.
| B'1xxx xxxx' NOEX-DES Prohibit export using DES key.
| B'x0xx xxxx' XPRT-AES Allow export using AES key.
| B'x1xx xxxx' NOEX-AES Prohibit export using AES key.
| Key-management field 1, low-order byte, asymmetric
| B'xxxx 0xxx' XPRT-RSA Allow export using RSA key.
| B'xxxx 1xxx' NOEX-RSA Prohibit export using RSA key.
| DES fixed-length key-token
| Control vector bit 17
| B'1' XPORT-OK Allows the key to be exported by any export verb except for
| NOT31XPT restriction.
| B'0' NO-XPORT Prohibits the key from being exported by any export verb.
| Control vector bit 57
| B'0' T31XPTOK Allows the key to be exported by the Key_Export_to_TR31 verb,
| provided XPORT-OK attribute is set.
| B'1' NOT31XPT Prohibits the key from being exported by the Key_Export_to_TR31
| verb.
|
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The following rule array keywords are not supported in releases before Release 4.2:
| Token algorithm keywords AES and DES
| Export control for AES or HMAC keywords NOEX-AES, NOEX-DES, and NOEX-RSA
| Export control for DES keywords CCAXPORT and NOT31XPT
| KEK identifier rule keywords IKEK-AES, IKEK-DES, and IKEK-PKA
| v External key tokens are not supported in releases before Release 4.2. The KEK_key_identifier_length
| variable must be 0.
CSNBRKA
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 1-9
rule_array Input String array rule_array_count * 8 bytes
key_identifier_length In/Output Integer 64
key_identifier In/Output String key_identifier_length bytes
| KEK_key_identifier_length Input Integer 0, 64
KEK_key_identifier Input String KEK_key_identifier_length bytes
| opt_parameter1_length Input Integer 0
| opt_parameter1 Input String opt_parameter1_length bytes
| opt_parameter2_length Input Integer 0
| opt_parameter2 Input String opt_parameter2_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 1 - 9.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters.
The rule-array keywords are:
|| Keyword Meaning
| Token algorithm (one required)
| AES (Rel. 4.2 or Specifies to lower the export authority of an AES key. A key in a fixed-length AES key-token
| later) is not supported.
| DES (Rel. 4.2 or Specifies to lower the export authority of a DES key.
| later)
| HMAC Specifies to lower the export authority of an HMAC key.
| DES key-token: Use this keyword to set CV bit 17 = B'0' (NO-XPORT) and CV bit 27 = B'1'
| (NOT31XPT). This is the default if no export control for DES keywords are used.
| Export control for AES or HMAC (one or more, optional). Not valid for DES.
| NOEX-SYM Prohibits the key from being exported using a symmetric key.
| NOEXUASY Prohibits the key from being exported using an unauthenticated asymmetric key.
| NOEXAASY Prohibits the key form being exported using an authenticated asymmetric key (for example,
| an RSA key in a trusted block token).
| NOEX-AES (Rel. Specifies to prohibit export using AES key.
| 4.2 or later)
| NOEX-DES (Rel. Specifies to prohibit export using DES key.
| 4.2 or later)
| NOEX-RSA (Rel. Specifies to prohibit export using RSA key.
| 4.2 or later)
| Export control for DES (one, optional). All keywords in this group are default if no keyword provided. Only valid
| for DES. Release 4.2 or later.
| CCAXPORT For DES internal tokens, set CV bit 17 = B'0' to prohibit any export of the key.
| NOT31XPT For DES internal tokens, set CV bit 57 = B'1' to prohibit TR-31 export of the key.
| KEK identifier rule (only valid if KEK_identifier_length variable is greater than 0; required if KEK identifier is a key
| label and the key in key storage is an RSA KEK, otherwise optional if KEK passed). Release 4.2 or later.
| IKEK-AES The inbound key-encrypting key for the external key is an AES KEK. Not valid for DES. This
| is the default for AES and HMAC.
| IKEK-DES The inbound key-encrypting key for the external key is a DES KEK. Valid only for DES. This
| is the default for DES.
| IKEK-PKA The inbound key-encrypting key for the external key is an asymmetric key. Required if an
| RSA transport key is used (that is, the key being changed is wrapped using the PKOAEP2
| method). Not valid for DES.
|
key_identifier_length
The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes
of data in the key_identifier variable on output.
key_identifier
| The key_identifier parameter is a pointer to a string variable containing an internal CCA variable-length
| symmetric key-token, or a label of such a key in key storage. Beginning with Release 4.2, this
| parameter can also point to a key token or a key label of an external CCA variable-length symmetric
| key-token, or a key token or key label of an external or internal fixed-length DES key token.
KEK_key_identifier_length
| The KEK_key_identifier_length parameter is a pointer to an integer variable containing the number of
| bytes of data in the KEK_key_identifier variable. In releases before Release 4.2, the value must be
| zero. In Release 4.2 or later, set the value to zero if the input key is in an internal key-token, and set
| the value to greater than or equal to 64 if the input key is in an external key-token. If the variable
| contains a key label, set the value to 64.
Required commands
The Restrict_Key_Attribute verb requires the following commands to be enabled in the active role:
| For an RSA-enciphered output key, the key is returned as an opaque data buffer or in an external
| variable-length symmetric key-token. If the key is returned as an opaque data buffer, the
| Symmetric_Key_Import verb can be used along with the associated RSA private-key to import the key
| back into an operational symmetric key-token. If the key is returned in an external variable-length
| symmetric key-token, the Symmetric_Key_Import2 verb can be used along with the associated RSA
| private-key to import the key.
| For an AES-enciphered output key, the key is returned in an external variable-length symmetric key-token.
| The Symmetric_Key_Import2 verb can be used along with its associated AES IMPORTER key-encrypting
| key to import the key. The usage attributes of the IMPORTER key must allow IMPORT.
| The source key must be a complete symmetric key contained in a fixed-length or variable-length
| key-token, encrypted under an AES or DES master key. Fixed length keys are limited to a key type of
| DATA. Variable length keys have no key type limitations. Table 46 shows the source key tokens that are
| valid:
| Table 46. Symmetric_Key_Export source key tokens
| Internal fixed-length symmetric key-token key Internal variable-length symmetric key-token
| Algorithm type key type
| AES DATA (Release 3.30 or later) CIPHER, EXPORTER, or IMPORTER (Release
| 4.2 or later)
| DES DATA
| HMAC MAC (Release 4.1 or later)
|
| Different methods are supported for formatting the output key. Not all of these methods are available for
| each supported source key-token. The AESKW key-formatting method uses an AES EXPORTER
| key-encrypting key to wrap the output key before returning it in an external variable-length symmetric
| key-token. The other key formatting methods each use a different scheme to format the key before it is
| enciphered using an asymmetric RSA public-key. The formatted and enciphered key is returned as an
| opaque data buffer, and is not in a key token.
| Table 47 on page 334 shows which key-formatting methods can be used for each type of input key-token,
| along with a description of the enciphered key returned:
| Notes:
| 1. AESKW is not supported in releases before release 4.2, and PKOAEP2 is not supported in releases before 4.1.
| 2. For keywords PKCS-1.2, PKCSOAEP, and PKOAEP2, see PKCS #1 hash formats on page 694.
| 3. The RSA PKCS #1 v2.0 standard for the RSAES-PKCS1-v1_5 encryption/decryption scheme is formerly known
| as block-type 02 format.
| 4. PKCSOAEP and PKOAEP2 are the only key formatting methods that use a hash method. PKCSOAEP and
| PKOAEP2 can specify either SHA-1 or SHA-256. PKOAEP2 can also specify SHA-384 or SHA-512.
|
Format
Parameter name Direction Data type Data length or value
CSNDSYX
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
source_key_identifier_length Input Integer 3500
source_key_identifier Input String source_key_identifier_length bytes
| transport_key_identifier_length Input Integer 3500
| transport_key_identifier Input String transport_key_identifier_length bytes
| enciphered_key_length In/Output Integer 3500
| enciphered_key Output String enciphered_key_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Keyword Meaning
| Algorithm (one, optional). Release 3.30 or later. See Table 46 on page 333.
| AES Specifies to export an AES key.
| DES Specifies to export a DES key.
| HMAC (Rel. 4.1 Specifies to export an HMAC key.
| or later)
| Key-formatting method (one required). See Table 47 on page 334.
| AESKW (Rel. 4.2 Specifies to return the key formatted using the AESKW method. The AESKW payload that
| or later) contains the key is encrypted by the AES EXPORTER key-encrypting key provided as the
| transport key, and returned in an external variable-length symmetric key-token. Valid only
| with the AES or HMAC algorithms.
| PKCS-1.2 Specifies to return the key formatted using the RSAES-PKCS1-v1_5 encryption/decryption
| scheme defined in the RSA PKCS #1 v2.0 standard. The formatted key is encrypted by the
| RSA public-key provided as the transport key and returned as an opaque data buffer, not in
| a key token. Valid only with the AES or DES algorithms, and only for a DATA key in a
| fixed-length symmetric key-token.
| PKCSOAEP Specifies to return the key formatted using the RSAES-OAEP encryption/decryption scheme
| defined in the RSA PKCS #1 v2.0 standard. The formatted key is encrypted by the RSA
| public-key provided as the transport key and returned as an opaque data buffer, not in a key
| token. Valid only with the AES or DES algorithms, and only for a DATA key in a fixed-length
| symmetric key-token. A hash method keyword is optional when this keyword is specified.
| PKOAEP2 (Rel. Specifies to return the key formatted using the RSAES-OAEP encryption/decryption scheme
| 4.1 or later) defined in the RSA PKCS #1 v2.1 standard. The PKOAEP2 payload containing the formatted
| key is encrypted by the RSA public-key provided as the transport key and returned in an
| external variable-length symmetric key-token. Valid only with the AES or HMAC algorithms.
| A hash method keyword is required when this keyword is specified.
| ZERO-PAD Specifies to return the key formatted by right-aligning the key and padding it on the left with
| bits valued to zero up to the modulus size of the RSA key. The formatted key is encrypted
| by the RSA public-key provided as the transport key and returned as an opaque data buffer,
| not in a key token. Valid only with the AES or DES algorithms, and only for a DATA key in a
| fixed-length symmetric key-token.
| Hash method (one optional for PKCSOAEP; one required for PKOAEP2; not allowed for any other
| key-formatting method).
| SHA-1 Specifies to use the SHA-1 hash method to calculate the OAEP message hash. Only valid
| with key-formatting method PKCSOAEP or PKOAEP2. This is the default for key-formatting
| method PKCSOAEP.
| SHA-256 Specifies to use the SHA-256 hash method to calculate the OAEP message hash. Only valid
| with key-formatting method PKCSOAEP or PKOAEP2.
| SHA-384 Specifies to use the SHA-384 hash method to calculate the OAEP message hash. Only valid
| with key-formatting method PKOAEP2.
| SHA-512 Specifies to use the SHA-512 hash method to calculate the OAEP message hash. Only valid
| with key-formatting method PKOAEP2.
Required commands
The Symmetric_Key_Export verb requires the following commands to be enabled in the active role based
on the key-formatting method and the algorithm:
Key-formatting
method Algorithm Offset Command
| AESKW (Rel. AES X'0327' Export AES Key (AESKW)
4.2 or later)
PKCSOAEP or AES X'0130' Export AES Key (PKCSOAEP or PKCS-1.2)
PKCS-1.2
DES X'0105' Symmetric Key Export PKCS-1.2/OAEP
ZERO-PAD AES X'0131' Export AES Key (ZERO-PAD)
DES X'023E' ZERO-PAD Symmetric Key Export
PKOAEP2 HMAC X'00F5' Export HMAC key (PKOAEP2)
The following access control points are added beginning with Release 4.2:
| v To disallow the wrapping of a key with a weaker key-encrypting key, enable the Disallow Weak Key
| Wrap command (offset X'0328') in the active role. This command affects multiple verbs. See Table 169
| on page 715.
v To receive a warning when wrapping a key with a weaker key-encrypting key, enable the Warn when
Wrapping Weak Keys command (offset X'032C') in the active role. The Disallow Weak Key Wrap
command overrides this command.
Rule array keywords define the length of the generated key, how the RSA-enciphered key will be
enciphered, and the type of symmetric key used to encipher generated DES keys. Beginning with Release
4.1, they also specify the key-wrapping method and translation control.
DATA keys can be generated for both AES and DES. DES DATA keys can be single or double in length,
and are generated with the default DATA control vector as defined in Table 162 on page 657. AES DATA
keys can be 128, 192, or 256 bits in length. One copy of the key is returned in the variable identified by
the local_enciphered_key parameter.
| For AES keys, this copy is enciphered under the AES master key. For DES keys, this copy is enciphered
| under either the DES master key or under an IMPORTER or EXPORTER key-encrypting key. Also for DES
| keys, if you do not specify a null key-token, you must supply either the single-length or double-length
| default DATA control vector in a key token.
| The second copy of the key is formatted using the method specified and enciphered with an RSA public
| key. The enciphered formatted key is returned in the variable identified by the
| rsa_enciphered_key_identifier parameter. On input, you must specify a null key-token. Use one of these
| keywords to choose how the generated key is formatted prior to RSA encryption:
PKCSOAEP
| Formats the key as defined in the RSA PKCS #1 v2.0 standard for the RSAES-OAEP
| encryption/decryption scheme. See PKCS #1 hash formats on page 694.
PKCS-1.2
| Formats the key as defined in the RSA PKCS #1 v2.0 standard for the RSAES-PKCS1-v1_5
| encryption/decryption scheme. See PKCS #1 hash formats on page 694.
ZERO-PAD
| The generated key value is padded on the left with zero bits up to the modulus size of the RSA key
before it is encrypted.
Note: A node environment identifier (EID) value must have been established prior to use of the
PKA92 keyword. Use the Cryptographic_Facility_Control verb to set the EID.
NL-EPP-5
With this keyword, the verb generates a DES key-encrypting key and returns two copies of the key.
The verb enciphers one key copy using the key encipherment techniques defined by certain OEM
equipment See Encrypting a key-encrypting key in the NL-EPP-5 format on page 675. On input, the
RSA_enciphered_key_token variable must contain an internal fixed-length DES key-token that
contains a control vector for an IMPORTER key-encrypting key.
The control vector for the local key is taken from a DES key-token that must be present on input in
the local_enciphered_key_identifier parameter or in the key token identified by the key label in that
parameter.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The permissible key length of the RSA public key is limited by the value specified in the function control
vector for RSA encipherment of keys.
v AES is not supported in releases before Release 3.30.
v Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
v The maximum public exponent is 17 bits for any key that has a modulus greater than 2048 bits.
v The USECONFG, WRAP-ECB, WRAP-ENH, and ENH-ONLY keywords are not supported in releases
before Release 4.1.
| v Rule-array keywords SHA-1 and SHA-256 are not supported in releases before Release 4.2.
CSNDSYG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 1, 2, 3, 4, 5, 6, or 7
rule_array Input String array rule_array_count * 8 bytes
key_encrypting_key_identifier Input String 64
RSA_public_key_identifier_length Input Integer 3500
RSA_public_key_identifier Input String RSA_public_key_identifier_length bytes
local_enciphered_key_identifier_length In/Output Integer 64
local_enciphered_key_identifier In/Output String local_enciphered_key_identifier_length bytes
RSA_enciphered_key_identifier_length In/Output Integer 3500
RSA_enciphered_key_identifier In/Output String RSA_enciphered_key_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 1, 2, 3, 4, 5, 6, or 7.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are shown below:
key_encrypting_key_identifier
| The key_encrypting_key_identifier parameter is a pointer to a string variable containing the operational
| fixed-length DES key token or the key label of such a key in DES key-storage, with the key-encrypting
Required commands
The Symmetric_Key_Generate verb requires the following commands to be enabled in the active role
based on the key-formatting method and possibly the algorithm:
| In addition, use of the WRAP-ECB or WRAP-ENH key-wrapping method keywords requires the Allow
| Configuration Override with Keyword in SYG (offset X'013E') to be enabled in Release 4.1 or later.
Choose one of the following key-formatting methods for the verb to use, depending on how the
RSA-enciphered key is formatted:
v PKCSOAEP, PKCS-1.2, or ZERO-PAD to recover an AES or a DES default DATA key
v PKA92 to recover any DES keys of type DATA, MAC, MACVER, KEYGENKY, EXPORTER, OKEYXLAT,
PINGEN, PINVER, IPINENC, or OPINENC
Optionally choose an algorithm keyword for which type of key to import (Release 3.30 or later).
AES key lengths of 16, 24, and 32 bytes are supported (Release 3.30 or later). DES key lengths of 8
(single-length DES) and 16 (double-length Triple-DES) are supported.
| Note: Enciphered AES keys are always imported into enciphered key tokens. The verb never imports an
| enciphered AES key into a clear AES key token.
| Note: This implementation imports DES keys that are formatted according to the PKA92
| scheme, but does not provide a means for enciphering these key types other than
| DATA in the PKA92 format. This extension to CCA is considered nonstandard, and
| might not be present in other CCA implementations.
3. An optional keyword to select the method used to wrap the key (Release 4.1 or later).
4. An optional keyword, used together with the WRAP-ENH key-wrapping method, to restrict the
wrapping of the key to enhanced only (Release 4.1 or later).
| v The RSA-enciphered key, containing the formatted and enciphered symmetric AES or DES key to be
| imported.
v The RSA private-key to use to recover the AES or DES key to be imported, either as an internal PKA
key-token or as a key label that identifies an internal key-token in PKA key-storage.
v A target key identifier of either a null key-token, an internal fixed-length AES or DES key-token, or a key
label of a null key token or internal fixed-length AES or DES key-token. This key token is updated with
the imported key token.
| 1. Null key-token. The verb creates an internal fixed-length symmetric key-token from a null
key-token.
For AES keys, the control vector is set to binary zeros.
For RSA-enciphered DES keys enciphered under a key-formatting method of PKCSOAEP,
PKCS-1.2, or ZERO-PAD, the control vector in the null key-token is updated with the contents of
a default single-length or double-length DATA key-token, based on the length of the recovered
key. See Table 162 on page 657.
For RSA-enciphered DES keys enciphered under a key-formatting method of PKA92, the control
vector in the null key-token is updated with the contents of the control vector recovered from the
RSA_enciphered_key variable.
2. Internal key-token. Provide an existing internal fixed-length AES or DES key-token to be updated
with the enciphered value of the clear key.
| Fixed-length AES keys have a null or no control vector, hence no key-usage control information.
| All fixed-length AES keys are DATA keys. The length of the key found in the decrypted
| information must match the length of the clear-key bit length field of the key token.
For RSA-enciphered DES keys enciphered under a key-formatting method of PKCSOAEP,
PKCS-1.2, or ZERO-PAD, the control vector of the internal key-token must match the default
value for a single-length or double-length DATA key corresponding to the key length found in the
decrypted information. See Table 162 on page 657.
For RSA-enciphered DES keys enciphered under a key-formatting method of PKA92, the control
vector of the internal key-token must match the contents of the control vector recovered from the
RSA_enciphered_key variable.
3. Key label. Use a key label to identify either a null key-token or an internal key-token in AES or DES
key-storage for the verb to retrieve and update. For AES, identify by name a key token in AES
key-storage. For DES, identify a null or internal key-token in DES key-storage.
Format
Parameter name Direction Data type Data length or value
CSNDSYI
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, 3, or 4
rule_array Input String array rule_array_count * 8 bytes
RSA_enciphered_key_length Input Integer 3500
RSA_enciphered_key Input String RSA_enciphered_key_length bytes
RSA_private_key_identifier_length Input Integer 3500
RSA_private_key_identifier Input String RSA_private_key_identifier_length bytes
target_key_identifier_length In/Output Integer 64
target_key_identifier In/Output String target_key_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Keyword Meaning
Algorithm (one, optional). These keywords are not supported in releases before Release 3.30.
AES Specifies to import an AES key.
DES Specifies to import a DES key. This is the default.
Key-formatting method (one required)
| PKCSOAEP Specifies that the RSA-enciphered key is formatted as defined in the RSA PKCS #1 v2.0 standard
| for the RSAES-OAEP encryption/decryption scheme. See PKCS #1 hash formats on page 694.
| PKCS-1.2 Specifies that the RSA-enciphered key is formatted as defined in the RSA PKCS #1 v2.0 standard
| for the RSAES-PKCS1-v1_5 encryption/decryption scheme. See PKCS #1 hash formats on page
| 694.
| ZERO-PAD Specifies that the RSA-enciphered key is formatted by padding the key on the left with binary
| zeros to the modulus length of the RSA key before the key is encrypted.
PKA92 Specifies that the RSA-enciphered key is formatted with the PKA92 method. See PKA92 key
format and encryption process on page 674. Only used for DES keys of type DATA, MAC,
MACVER, KEYGENKY, EXPORTER, OKEYXLAT, PINGEN, PINVER, IPINENC, and OPINENC.
Note: This method is not supported for AES keys.
| Hash method (when PKCSOAEP is specified, one optional).
| SHA-1 Specifies to use the SHA-1 method to calculate the OAEP message hash. This is the default.
| SHA-256 Specifies to use the SHA-256 method to calculate the OAEP message hash.
Key-wrapping method (one, optional). Release 4.1 or later.
USECONFG Specifies to wrap the key using the configuration setting for the default wrapping method. This
keyword is ignored for AES keys. This is the default.
WRAP-ECB Specifies to wrap the key using the legacy wrapping method. This keyword is ignored for AES
keys.
WRAP-ENH Specifies to wrap the key using the enhanced wrapping method. Valid only for DES keys.
Translation control (optional). This is valid only with key-wrapping method WRAP-ENH or with USECONFG when
the default wrapping method is WRAP-ENH. This option cannot be used on a key with a control vector valued to
binary zeros. Release 4.1 or later.
ENH-ONLY Specifies to restrict the key from being wrapped with the legacy wrapping method once it has
been wrapped with the enhanced wrapping method. Sets bit 56 (ENH-ONLY) of the control vector
to B'1'.
RSA_enciphered_key_length
The RSA_enciphered_key_length parameter is a pointer to an integer variable containing the number
of bytes of data in the RSA_enciphered_key variable. The maximum length is 3500 bytes.
RSA_enciphered_key
The RSA_enciphered_key parameter is a pointer to a string variable containing the symmetric key
being imported.
RSA_private_key_identifier_length
The RSA_private_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the RSA_private_key_identifier variable. The maximum length is 3500
bytes.
Required commands
The Symmetric_Key_Import verb requires the following commands to be enabled in the active role based
on the key-formatting method, the algorithm, and possibly the key type:
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The following rule-array keywords are not supported in releases before Release 4.2:
| Token algorithm AES
| Key-formatting method AESKW
Format
Parameter name Direction Data type Data length or value
CSNDSYI2
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2
rule_array Input String array rule_array_count * 8 bytes
| enciphered_key_length Input Integer 3500
| enciphered_key Input String enciphered_key_length bytes
| transport_key_identifier_length Input Integer 3500
| transport_key_identifier Input String transport_key_identifier_length bytes
| key_name_length Input Integer 0 or 64
| key_name Input String key_name_length bytes
| target_key_identifier_length In/Output Integer See Appendix B.
target_key_identifier Output String target_key_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Required commands
| The Symmetric_Key_Import2 verb requires the following commands to be enabled in the active role:
|| Key-formatting method Token algorithm keyword Offset Command
| keyword
| AESKW (Rel. 4.2 or later) AES X'0329' Import AES Key (AESKW)
| HMAC
| PKOAEP2 AES (Rel. 4.2 or later) X'00FD' Import AES Key (PKOAEP2
| HMAC X'00F4' Import HMAC Key (PKOAEP2)
|
| The following access-control points are added beginning with Release 4.2:
| v To disallow the wrapping of a stronger key with a weaker key, the Disallow Weak Import command
| (offset X'032B') must be enabled in the active role (Release 4.2 or later). This command affects multiple
| verbs. See Table 169 on page 715.
| v To receive a warning against the wrapping of a stronger key with a weaker key, the Warn When
| Wrapping Weak Keys command (offset X'032C') must be enabled in the active role. The Disallow Weak
| Import command overrides this command.
Trusted blocks are an integral part of a remote key-loading process. They contain various items, some of
which are optional, and some of which can be present in different forms. Tokens are composed of
concatenated sections. For a detailed description of a trusted block, including its format and field values,
see Trusted blocks on page 600.
Creating an external trusted block: Create an active external trusted block in two steps:
1. Create an inactive external trusted block using the INACTIVE rule-array keyword. This step requires
the Create a Trusted Block in Inactive Form command (offset X'030F') to be enabled in the active role.
2. Complete the creation process by activating (promoting) an inactive external trusted block using the
ACTIVE rule-array keyword. This step requires the Activate an Inactive Trusted Block command (offset
X'0310') to be enabled in the active role. Changing an external trusted block from inactive to active
effectively approves the trusted block for further use
The creation of an external trusted block typically takes place in a highly secure environment. Use the
PKA_Key_Import verb to import an active external trusted block into the desired node. The imported
internal trusted block can then be used as input to the Remote_Key_Export verb to generate or export
DES keys.
Create an inactive external trusted block: To create an inactive external trusted block, use a
rule_array_count of 1 and a rule_array keyword of INACTIVE. Identify the input trusted block using the
input_block_identifier parameter, and set the input_block_identifier_length variable to the length of the key
label or the key token of the input block. The input block can be any one of these forms:
v An uninitialized trusted block. The trusted block is complete except that it does not have MAC
protection.
v An inactive trusted block. The trusted block is external, and it is in inactive form. MAC protection is
present due to recycling of an existing inactive trusted block.
v An active trusted block. The trusted block is internal or external, and it is in active form. MAC protection
is present due to recycling of an existing active trusted block.
Note: The MAC key is replaced with a new MAC key, and any RKX key-token created with the input
trusted block cannot be used with the output trusted block.
The verb randomly generates a confounder and triple-length MAC key, and uses a variant of the MAC key
to calculate an ISO 16609 CBC-mode Triple-DES MAC of the trusted block contents. To protect the MAC
key, the verb encrypts the confounder and MAC key using a variant of an IMP-PKA key (see Table 162 on
page 657). The calculated MAC and the encrypted confounder and MAC key are embedded in the output
trusted block. Use the transport_key_identifier parameter to identify the key token that contains the
IMP-PKA key.
On input, set the trusted_block_identifier_length variable to the length of the key label or at least the size
of the output trusted block. The output trusted block is returned in the key-token identified by the
trusted_block_identifier parameter, and the verb updates the trusted_block_identifier_length variable to the
size of the key token if a key label is not specified.
Create an active external trusted block: To create an active external trusted block, use a rule_array_count
of 1 and a rule_array keyword of ACTIVE. Identify the input trusted block using the input_block_identifier
Use the transport_key_identifier parameter to identify the key token that contains the IMP-PKA key.
On input, set the trusted_block_identifier_length variable to the length of the key label or at least the size
of the output trusted block. The verb returns an error if the input trusted block is not valid. Otherwise, it
changes the flag in the trusted block information section from the inactive state to the active state,
recalculates the MAC, and embeds the updated MAC value in the output trusted block.
The output trusted block is returned in the key-token identified by the trusted_block_identifier parameter,
and the verb updates the trusted_block_identifier_length variable to the size of the key token if a key label
is not specified.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSNDTBC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
input_block_identifier_length Input Integer 3500
input_block_identifier Input String input_block_identifier_length bytes
transport_key_identifier Input String 64 bytes
trusted_block_identifier_length In/Output Integer 3500
trusted_block_identifier Output String trusted_block_identifier_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Keyword Meaning
Operation (one required)
INACTIVE Create an external trusted block, based on the input_block_identifier variable, and set the
active flag to B'0'. This makes the trusted block unusable in any other CCA services.
ACTIVATE Create an external trusted block, based on the token identified by the input_block_identifier
parameter, and change the active flag from B'0' to B'1'. This makes the trusted block usable
in other CCA services.
input_block_identifier_length
The input_block_identifier_length parameter is a pointer to an integer variable containing the number
of bytes in the input_block_identifier variable. The maximum length is 3500 bytes.
input_block_identifier
The input_block_identifier parameter is a pointer to a string variable containing a trusted block
key-token or the key label of a trusted block key-token that has been built according to the format
specified in Trusted blocks on page 600. The trusted block key-token will be updated by the verb and
returned in the trusted_block_identifier variable.
When the operation is INACTIVE, the trusted block can have MAC protection (for example, due to
recycling of an existing trusted block), but typically it does not.
transport_key_identifier
The transport_key_identifier parameter is a pointer to a string variable containing an operational
fixed-length DES key-token or the key label of an operational fixed-length DES key-token record. The
key token must be of type IMP-PKA.
An IMP-PKA key type is an IMPORTER key-encrypting key with only its IMPORT key-usage bit (bit 21)
on; its other key-usage bits (IMEX, OPIM, IMIM, and XLATE) must be off. See Table 162 on page 657.
Note: An IMP-PKA control vector can be built using the Control_Vector_Generate verb with a key type
of "IMPORTER" and a rule_array keyword of IMPORT.
trusted_block_identifier_length
The trusted_block_identifier_length parameter is a pointer to an integer variable containing the number
of bytes of data in the trusted_block_identifier variable. The maximum length is 3500 bytes.
The output trusted block token can be up to seven bytes longer than the input trusted block token due
to padding.
trusted_block_identifier
The trusted_block_identifier parameter is a pointer to a string variable containing a trusted block token
or a label of a trusted block token returned by the verb.
Required commands
The Trusted_Block_Create verb requires the following commands to be enabled in the active role based
on the keyword specified for the operation rule:
The following table lists the data confidentiality and data integrity verbs. See Data confidentiality and data
integrity verbs on page 359 for a description of these verbs.
Table 48. Data confidentiality and data integrity verbs
Service
Verb Page Service Entry point location
Decipher 360 Deciphers data using a DES key. CSNBDEC E
Encipher 363 Enciphers data using a DES key. CSNBENC E
HMAC_Generate (Rel. 4.1 or 366 Generate a keyed hash message CSNBHMG E
later) authentication (HMAC) code.
HMAC_Verify (Rel. 4.1 or later) 369 Verifies an HMAC. CSNBHMV E
MAC_Generate 372 Generates a message authentication code CSNBMGN E
(MAC).
MAC_Verify 375 Verifies a MAC. CSNBMVR E
| Symmetric_Algorithm_Decipher 378 Deciphers data using an AES key in cleartext CSNBSAD E
| form (no key token), or in cleartext or
| enciphered form contained within a
| fixed-length or variable-length AES key-token.
| Symmetric_Algorithm_Encipher 383 Enciphers data using an AES key in cleartext CSNBSAE E
| form (no key token), or in cleartext or
| enciphered form contained within a
| fixed-length or variable-length AES key-token.
E=cryptographic engine
Note: See Chapter 4, Hashing and digital signatures, on page 115 for information about other ways to
ensure data integrity.
1. CCA implementations always encipher DES keys and PIN blocks with Triple-DES.
357
| If you know that your data is always in multiples of 8 bytes, you can request the use of the DES Cipher
Block Chaining (CBC) mode of encryption. In this mode, the enciphered result of encrypting one block of
plaintext is exclusive-ORed with the subsequent block of plaintext prior to enciphering the second block.
This process is repeated through the processing of your plaintext. The process is reversed in decryption.
See Ciphering methods on page 681.
If some portion of the ciphertext is altered, the CBC decryption of that block and the subsequent block
does not recover the original plaintext. Other blocks of plaintext are correctly recovered. CBC encryption is
used to disguise patterns in your data that could be seen if each data block was encrypted by itself.
In general, data to be ciphered is not a multiple of 8 bytes. In this case, a strategy for the last block of
data must be adopted. The Encipher and Decipher verbs can also be used with the ANS X9.23 mode of
encryption. In X9.23 encryption, at least 1 byte of data and up to 8 bytes of data are always added to the
end of your plaintext. The last of the added bytes is a binary value equal to the number of added bytes.
The ANS X9.23 process ensures that the enciphered data is always a multiple of 8 bytes as required for
CBC encryption. In X9.23 decryption, the padding is removed from the decrypted plaintext.
Whenever the first block of plaintext has a predictable value, it is important to modify the first block of data
prior to encryption to deny an adversary a known plaintext-ciphertext pair. There are two common
approaches:
v Use an initialization vector
v Prepend your data with 8 bytes of random data, called an initial text sequence
An initialization vector is exclusive-ORed with the first block of plaintext prior to encrypting the result. The
initialization vector is exclusive-ORed with the decryption of the first block of ciphertext to correctly recover
the original plaintext. You must have a means of passing the value of the initialization vector from the
encryption process to the decryption process. A common solution to the problem is to pass the initialization
vector as an encrypted quantity during key agreement between the encrypting and decrypting processes.
You specify the value of an initialization vector when you invoke the Encipher and Decipher verbs.
If the procedure for agreeing on a key does not readily result in passing of an encrypted quantity that can
serve as the initialization vector, then you can add 8 bytes of random data to the start of your plaintext. Of
course, the decrypting process must remove this initial text sequence as it recovers your plaintext. An
initialization vector valued to binary 0 is used in this case.
The key used to encrypt or decrypt your data is specified in a key token. The control vector for the key
must be of the general class DATA or CIPHER-class (control vector bits 8 to 15 equal to X'00' or X'03',
respectively). In addition to the class of key defined in CV bits 8 to 14, CV bit 18 must also be on to
encipher data while CV bit 19 must also be on to decipher data. See Appendix C, CCA control-vector
definitions and key encryption. DATA keys can participate in both enciphering and using MAC, while
CIPHER-class keys only perform in ciphering operations.
If an invocation of the Encipher of the Decipher verb includes an initialization vector value, use the
keyword INITIAL. If there is more data that is a logical extension of preceding data, you can use the
keyword CONTINUE. In this case, the initialization vector value is not used, but the enciphered value of
the last block of data from a prior ciphering verb is taken from the chaining_vector save area that you
must provide with each use of the ciphering verbs. Each portion of the data must be a multiple of 8 bytes
and you must use the CBC encryption mode. You can use X9.23 keyword with the final invocation of the
ciphering verbs if your processes use this method to accommodate data that can be other than a multiple
of 8 bytes.
This section includes the MAC verbs. For information on using hashing or digital signatures to ensure the
integrity of data, see Chapter 4, Hashing and digital signatures.
The MAC_Generate and MAC_Verify verbs support four variations of DES-based message authentication
(see MAC calculation methods on page 689). These methods are:
1. ANS X9.9 Option 1, binary data (same as ANS X9.19 Basic Procedure and ISO/IEC 9797-1, MAC
Algorithm 1). This method requires a single-length key. This is the default method used for a
single-length key.
2. ANS X9.19 Optional Procedure (same as ISO/IEC 9797-1, MAC Algorithm 3). This method requires a
double-length key. This is the default method used for a double-length key.
3. ISO 16609 Triple-DES (same as ISO/IEC 9797-1, MAC Algorithm 1 using Triple-DES/ANS X9.52). This
method requires a double-length key.
4. EMVMAC (single-length key) or EMVMACD (double-length key). These methods are the same as ANS
X9.9 Option 1 and ANS X9-19 Optional Procedure, respectively, except with a message padding
technique employed with EMV smart card messages.
Both the DATA class and the MAC or MACVER key types can be used. Control vector bit 20 (MAC
generate) must be on for keys used in the MAC_Generate verb. Control vector bit 21 (MAC verify) must
be on for keys used in the MAC_Verify verb.
You can employ MAC values with 4-byte, 6-byte, or 8-byte lengths (32, 48, or 64 bits) by using the
MACLEN4, MACLEN6, or MACLEN8 keywords in the rule array. MACLEN4 is the default.
When generating or verifying a 32-bit MAC, exchange the MAC in one of these ways:
v Binary, in 4 bytes (the default method)
v 8 hexadecimal characters, invoked using the HEX-8 keyword
v 8 hexadecimal characters with a space character between the fourth and fifth hex characters, invoked
using the HEX-9 keyword
For details about MAC services, see MAC_Generate (CSNBMGN) on page 372 and MAC_Verify
(CSNBMVR) on page 375.
In each procedure call, a segmenting-control keyword indicates whether the call contains the first, middle,
or last unit of segmented data; the chaining_vector parameter specifies the work area that the verb uses.
The default segmenting-control keyword ONLY specifies that segmenting is not used.
Performance can be enhanced by aligning the start of the plaintext and ciphertext variables on 4-byte
boundaries.
DATA, DATAC, CIPHER, and DECIPHER key types can be used. Both DES and Triple-DES are performed
based on the length of the key. For additional information about the ciphering verbs, see Ensuring data
confidentiality on page 357.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The starting address of plaintext cannot begin within the ciphertext variable.
v The text_length variable is restricted to a maximum length of 32 MB 8 bytes, and to 64 MB 8 bytes
in the IBM i environment.
| v The installed function control vector regulates the maximum data ciphering capability to DES or
| Triple-DES.
Format
Parameter name Direction Data type Data length or value
CSNBDEC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_identifier Input String 64 bytes
text_length In/Output Integer
ciphertext Input String text_length bytes
initialization_vector Input String 8 bytes
rule_array_count Input Integer 0, 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
chaining_vector In/Output String 18 bytes
plaintext Output String text_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Keyword Meaning
Deciphering method (one, optional)
CBC Specifies Cipher Block Chaining. The data must be a multiple of 8 bytes. This is the default.
X9.23 Specifies Cipher Block Chaining with 1 - 8 bytes of padding. This is compatible with the
requirements in ANS Standard X9.23.
ICV (one, optional)
| INITIAL Specifies that this is either the first request of a sequence of chained requests, or the only
| request. The value identified by the initialization_vector parameter is used as input to decipher
| the first block of data. This must be the same value that was previously used to produce the
| ciphertext. The value identified by the chaining_vector parameter is ignored on input, and is
| updated with data required for the next subsequent chained request, if any. This is the default.
| CONTINUE Specifies that the request is part of a sequence of chained requests and is not the first (initial)
| request in the sequence. The value identified by the chaining_vector parameter is used as
| input to decipher the next block of ciphertext data, and is updated with data required for the
| next subsequent chained request, if any. The value identified by the initialization_vector
| parameter is ignored.
| This keyword is not valid with the X9.23 deciphering method keyword.
Decryption process (one, optional)
| DES Specifies use of the DES ciphering algorithm. If an adapter cannot use DES general
| data-decipherment, the verb is rejected. This is the default.
| CDMF Specifies use of the CDMF ciphering algorithm. This keyword is no longer implemented.
Important: Application programs must not alter the contents of this variable between related INITIAL
and CONTINUE calls.
plaintext
The plaintext parameter is a pointer to a string variable containing the plaintext returned by the verb.
The starting address of plaintext variable cannot begin within the ciphertext variable. The verb
updates the text_length variable to the length of the plaintext when it returns. The length is different
when padding is removed.
Required commands
The Decipher verb requires the Decipher command (offset X'000F') to be enabled in the active role.
The returned ciphertext can be as many as 8 bytes longer than the plaintext due to padding. Ensure the
ciphertext variable is large enough to receive the returned data.
Performance can be enhanced by aligning the start of the plaintext and ciphertext variables on 4-byte
boundaries.
DATA, DATAC, CIPHER, and ENCIPHER key types can be used. Both DES and Triple-DES are performed
based on the length of the key. For additional information about the ciphering verbs, see Ensuring data
confidentiality on page 357.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The text_length variable is restricted to a maximum length of 32 MB - 8 bytes and to 64 MB 8 bytes in
the IBM i environment.
| v The installed function control vector regulates the maximum data ciphering capability to DES or
| Triple-DES.
Format
Parameter name Direction Data type Data length or value
CSNBENC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_identifier Input String 64 bytes
text_length In/Output Integer
plaintext Input String text_length bytes
initialization_vector Input String 8 bytes
rule_array_count Input Integer 0, 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
pad_character Input Integer 0 - 255
chaining_vector In/Output String 18 bytes
ciphertext Output String updated text_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Keyword Meaning
Enciphering method (one, optional)
CBC Specifies Cipher Block Chaining. The data must be a multiple of 8 bytes. This is the default.
X9.23 Specifies Cipher Block Chaining with 1 - 8 bytes of padding. This is compatible with the
requirements in ANS Standard X9.23.
ICV (one, optional)
| INITIAL Specifies that this is either the first request of a sequence of chained requests, or the only
| request. The value identified by the initialization_vector parameter is used as input to encipher
| the first block of data. This must be the same value that is later used to recover the plaintext.
| The value identified by the chaining_vector parameter is ignored on input, and is updated with
| data required for the next subsequent chained request, if any. This is the default.
| CONTINUE Specifies that the request is part of a sequence of chained requests and is not the first (initial)
| request in the sequence. The value identified by the chaining_vector parameter is used as
| input to encipher the next block of plaintext data, and is updated with data required for the next
| subsequent chained request, if any. The value identified by the initialization_vector parameter is
| ignored.
| This keyword is not valid with the X9.23 enciphering method keyword.
Encryption process (one, optional)
| DES Specifies use of the DES ciphering algorithm. If an adapter does not support DES general data
| encipherment, the verb is rejected. This is the default.
| CDMF Specifies use of the CDMF ciphering algorithm. This keyword is no longer implemented.
pad_character
The pad_character parameter is a pointer to an integer variable containing a value used as a padding
character. The value must be 0 255. When you use the X9.23 count byte and padding bytes as
required.
Important: Application programs must not alter the contents of this variable between related INITIAL
and CONTINUE calls.
ciphertext
The ciphertext parameter is a pointer to a string variable containing the enciphered text returned by
the verb. The starting address of the ciphertext variable cannot begin within the plaintext variable. The
returned ciphertext might be up to 8 bytes longer than the plaintext because of padding. The verb
updates the text_length variable to the length of the ciphertext when it returns. The length is different
when padding is added.
Required commands
The Encipher verb requires the Encipher command (offset X'000E') to be enabled in the active role.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The message_length variable must be less than 32 MB minus 8 bytes. The maximum length on IBM i
systems is 64 MB minus 64 bytes.
Format
Parameter name Direction Data type Data length or value
CSNBHMG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2 or 3
rule_array Input String array rule_array_count * 8 bytes
key_identifier_length Input Integer 800
key_identifier Input String key_identifier_length bytes
message_text_length Input Integer Minimum is 8. For the maximum, see Restrictions.
message_text Input String message_text_length bytes
chaining_vector_length Input Integer 128
chaining_vector In/Output String chaining_vector_length bytes
MAC_length In/Output Integer 64
MAC Output String MAC_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 2 or 3.
Keyword Meaning
Token algorithm (one required)
HMAC Specifies to use the HMAC algorithm to generate a MAC.
Hash method (one required)
SHA-1 Specifies to use the SHA-1 hash method.
SHA-224 Specifies to use the SHA-224 hash method.
SHA-256 Specifies to use the SHA-256 hash method.
SHA-384 Specifies to use the SHA-384 hash method.
SHA-512 Specifies to use the SHA-512 hash method.
Segmenting control (one, optional)
ONLY Specifies that this is the only data from the application program. The application program does
not use segmenting. This is the default.
FIRST Specifies that this is the first segment of data from the application program.
MIDDLE Specifies that this is an intermediate segment of data from the application program.
LAST Specifies that this is the last segment of data from the application program.
key_identifier_length
The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes
of data in the key_identifier variable.
key_identifier
| The key_identifier parameter is a pointer to a string variable containing an operational HMAC key in a
| variable-length symmetric key-token or a key label identifying such a key in key-storage. The key is
| used to generate the keyed-hash message authentication code. A MAC key type that can be used for
| generate is required.
message_text_length
The message_text_length parameter is a pointer to an integer variable containing the number of bytes
of data in the message_text variable.
message_text
The message_text parameter is a pointer to a string variable containing the text of the message that
the hardware uses to calculate the MAC.
chaining_vector_length
The chaining_vector_length parameter is a pointer to an integer variable containing the number of
bytes of data in the chaining_vector variable. The value must be 128.
chaining_vector
The chaining_vector parameter is a pointer to a string variable containing a work area the security
server uses to carry segmented data between procedure calls.
Important: Application programs must not alter the contents of this variable between related FIRST,
MIDDLE, and LAST calls.
MAC_length
The MAC_length parameter is a pointer to an integer variable containing the number of bytes of data
Required commands
The HMAC_Generate verb requires the following commands to be enabled in the active role:
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X
| IBM i X
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The message_length variable must be less than 32 MB minus 8 bytes. The maximum length on IBM i
systems is 64 MB minus 64 bytes.
Format
Parameter name Direction Data type Data length or value
CSNBHMV
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 2 or 3
rule_array Input String array rule_array_count * 8 bytes
key_identifier_length Input Integer 800
key_identifier Input String key_identifier_length bytes
message_text_length Input Integer Minimum is 8. For maximum, see Restrictions
message_text Input String message_text_length bytes
chaining_vector_length Input Integer 128
chaining_vector In/Output String chaining_vector_length bytes
MAC_length Input Integer 64
MAC Input String MAC_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 2 or 3.
Keyword Meaning
Token algorithm (one required)
HMAC Specifies to use the HMAC algorithm to verify a MAC.
Hash method (one required)
SHA-1 Specifies to use the SHA-1 hash method.
SHA-224 Specifies to use the SHA-224 hash method.
SHA-256 Specifies to use the SHA-256 hash method.
SHA-384 Specifies to use the SHA-384 hash method.
SHA-512 Specifies to use the SHA-512 hash method.
Segmenting control (one, optional)
ONLY Specifies that this is the only data from the application program. The application program does
not use segmenting. This is the default.
FIRST Specifies that this is the first segment of data from the application program.
MIDDLE Specifies that this is an intermediate segment of data from the application program.
LAST Specifies that this is the last segment of data from the application program.
key_identifier_length
The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes
of data in the key_identifier variable.
key_identifier
| The key_identifier parameter is a pointer to a string variable containing an operational variable-length
| HMAC key-token, or a key label identifying such a key in AES key storage. The key is used to verify
| the keyed-hash message authentication code. A MAC key type is required. The key must have usage
| that can be used for verify.
message_text_length
The message_text_length parameter is a pointer to an integer variable containing the number of bytes
of data in the message_text variable.
message_text
The message_text parameter is a pointer to a string variable containing the text of the message that
the hardware uses to calculate the MAC.
chaining_vector_length
The chaining_vector_length parameter is a pointer to an integer variable containing the number of
bytes of data in the chaining_vector variable. The value must be 128.
chaining_vector
The chaining_vector parameter is a pointer to a string variable containing a work area the security
server uses to carry segmented data between procedure calls.
Important: Application programs must not alter the contents of this variable between related FIRST,
MIDDLE, and LAST calls.
MAC_length
The MAC_length parameter is a pointer to an integer variable containing the number of bytes of data
in the MAC variable.
Required commands
The HMAC_Verify verb requires the following commands to be enabled in the active role:
Performance can be enhanced by aligning the start of the text variable on a 4-byte boundary.
Specify the MAC ciphering method through the choice of a rule-array keyword. There are defaults based
on the use of a single-length or double-length key.
EMVMAC and EMVMACD
EMV message authentication processes. See the EMV 4.0 Book 2, Annex A1.2 for information
about this form of MAC generation. The verb extends the text provided with X'80' and the
minimum number (0...7) bytes of X'00' for the extended message to be a multiple of 8 bytes in
length. The MAC is computed based on ISO/IEC 9797-1, MAC Algorithm 1 or MAC Algorithm 3,
depending on key length. When specifying a single-length key, use EMVMAC. When specifying a
double-length key, use EMVMACD.
Note: The EMV specification permits the MAC to be 4 - 8 bytes in length. The MAC_Verify verb
only uses MAC lengths of 4, 6, and 8 bytes.
TDES-MAC
ANS X9.9 Option 1 (binary data) procedure using ISO 16609 CBC-mode Triple-DES (TDES)
encryption of the data. See Triple-DES ciphering algorithms on page 685. Uses a double-length
key.
X9.9-1 ANS X9.9 Option 1 (binary data) procedure, by default when a single-length key is provided. This
is the same as ANS X9.19 Basic Procedure and ISO/IEC 9797-1, MAC Algorithm 1.
X9.19OPT
ANS X9.19 Optional Procedure, by default when a double-length key is provided. This is the same
as ISO/IEC 9797-1, MAC Algorithm 3.
Any of these DES key types can be used: DATA, DATAM, or MAC.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The text_length variable must be at least 8 bytes. The maximum length on IBM i systems is 64 MB
minus 8 bytes, and on other systems the maximum length is 32 MB minus 8 bytes.
CSNBMGN
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_identifier Input String 64 bytes
text_length Input Integer 8
text Input String text_length bytes
rule_array_count Input Integer 0, 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
chaining_vector In/Output String 18 bytes
MAC Output String 4, 6, 8, or 9 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_identifier
The key_identifier parameter is a pointer to a string variable containing an operational key-token or the
key label of an operational key-token record. Use a key type of DATA (CV bit 21 on), DATAM,
DATAMV, MAC, or MACVER. The DATA, MAC, and MACVER keys can be either single length or
double length.
text_length
The text_length parameter is a pointer to an integer variable containing the number of bytes of data in
the text variable.
text
The text parameter is a pointer to a string variable containing the text that the hardware uses to
calculate the MAC.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0, 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
chaining_vector
The chaining_vector parameter is a pointer to a string variable containing a work area the security
server uses to carry segmented data between procedure calls.
Important: Application programs must not alter the contents of this variable between related FIRST,
MIDDLE, and LAST calls.
MAC
The MAC parameter is a pointer to a string variable containing the resulting MAC returned by the verb.
The value is left-aligned in the variable. Allocate a variable large enough to receive the resulting MAC
value.
Required commands
The MAC_Generate verb requires the Generate MAC command (offset X'0010') to be enabled in the
active role.
Performance can be enhanced by aligning the start of the text variable on a 4-byte boundary.
Specify the MAC process through the choice of a rule-array keyword. There are defaults based on the use
of a single-length or double-length key.
EMVMAC and EMVMACD
EMV message authentication procedure. See the EMV 4.0 Book 2, Annex A1.2, for information
about this form of MAC verification. The verb extends the text provided with X'80' and the
minimum number (0...7) bytes of X'00' for the extended message to become a multiple of 8 bytes
in length. The MAC is computed based on ISO/IEC 9797-1, MAC Algorithm 1 or MAC Algorithm 3,
depending on key length. When specifying a single-length key, use EMVMAC. When specifying a
double-length key, use EMVMACD.
Note: The EMV specification permits the MAC to be 4 - 8 bytes in length. This verb only supports
MAC lengths of 4, 6, and 8 bytes.
TDES-MAC
ANS X9.9 Option 1 (binary data) procedure using ISO 16609 CBC-mode Triple-DES (TDES)
encryption of the data. See Triple-DES ciphering algorithms on page 685. Uses a double-length
key.
X9.9-1 ANS X9.9 Option 1 (binary data) procedure, by default when a single-length key is provided. This
is the same as ANS X9.19 Basic Procedure and ISO/IEC 9797-1, MAC Algorithm 1.
X9.19OPT
ANS X9.19 Optional Procedure, by default when a double-length key is provided. This is the same
as ISO/IEC 9797-1, MAC Algorithm 3.
Any of these DES key types can be used: DATA (CV bit 21 on), DATAM, DATAMV, MAC, or MACVER.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The text_length variable must be at least 8 bytes. The maximum length on IBM i systems is 64 MB
minus 8 bytes, and on other systems the maximum length is 32 MB minus 8 bytes.
CSNBMVR
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_identifier Input String 64 bytes
text_length Input Integer 8
text Input String text_length bytes
rule_array_count Input Integer 0, 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
chaining_vector In/Output String 18 bytes
MAC Input String 9 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_identifier
The key_identifier parameter is a pointer to a string variable containing an operational key token or the
key label of an operational key-token record. Use a key type of DATA (CV bit 21 on), DATAM,
DATAMV, MAC, or MACVER. The DATA, MAC, and MACVER keys can be either single length or
double length.
text_length
The text_length parameter is a pointer to an integer variable containing the number of bytes of data in
the text variable.
text
The text parameter is a pointer to a string variable containing the text the hardware uses to calculate
the MAC.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0, 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
chaining_vector
The chaining_vector parameter is a pointer to a string variable containing a work area the security
server uses to carry segmented data between procedure calls.
Important: Application programs must not alter the contents of this variable between related FIRST,
MIDDLE, and LAST calls.
MAC
The MAC parameter is a pointer to a string variable containing the trial MAC. Ensure that this
parameter is a pointer to a 9-byte string variable, because 9 bytes are always sent to the security
server. The MAC value must be left-aligned in the variable. The verb verifies the MAC if you specify
the ONLY or LAST keyword for the segmenting control.
Required commands
The MAC_Verify verb requires the Verify MAC command (offset X'0011') to be enabled in the active role.
The AES key used to decipher the data can either be 16, 24, or 32 bytes (128, 192, or 256 bits) in length.
The key can be supplied to the verb in any of three forms:
1. A cleartext key consisting of only the key bytes, not contained in a key token
| 2. A cleartext key contained in an internal fixed-length or, beginning with Release 4.2, a variable-length
| AES key-token
| 3. An encrypted key contained in an internal fixed-length or, beginning with Release 4.2, a variable-length
| AES key-token, where the key is wrapped (encrypted) with the AES master key
Format
Parameter name Direction Data type Data length or value
CSNBSAD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, 3, or 4
rule_array Input String array rule_array_count * 8 bytes
| key_identifier_length Input Integer 16, 24, 32, or 64
key_identifier Input String key_identifier_length bytes
key_parms_length Input Integer 0
key_parms Input String key_parms_length bytes
block_size Input Integer 16
initialization_vector_length Input Integer 0 or 16
initialization_vector Input String initialization_vector_length bytes
chain_data_length In/Output Integer 32
chain_data In/Output String chain_data_length bytes
ciphertext_length Input Integer multiple of block_size
ciphertext Input String ciphertext_length bytes
cleartext_length In/Output Integer ciphertext_length minus pad byte count
cleartext In/Output String cleartext_length bytes
optional_data_length Input Integer 0
optional_data Input String optional_data_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1, 2, 3, or 4.
Keyword Meaning
Algorithm identifier (one required)
AES Specifies use of the Advanced Encryption Standard (AES) as the encryption algorithm.
The block size for AES is 16 bytes, and the key length is 16, 24, or 32 bytes. AES is the
only algorithm currently supported by this verb.
Processing rule (one, optional)
CBC Specifies encryption in Cipher Block Chaining mode. The cleartext length must be a
multiple of the block size. This is the default value.
ECB Specifies encryption in Electronic Code Book mode. The cleartext length must be a
multiple of the block size.
PKCS-PAD Specifies that the cleartext was padded on the right with 1 - 16 bytes of pad characters,
| making the padded text a multiple of the block size, before the data was enciphered in
| Cipher Block Chaining mode. Each pad character is valued to the number of pad
characters added.
The output cleartext is stripped of any pad characters and the cleartext length is 1 - 16
bytes less than the ciphertext length.
Key rule (one, optional)
KEY-CLR Specifies that the key_identifier parameter points to a cleartext AES key. Only the key
value is permitted; the key is not contained in a key token. This is the default value.
KEYIDENT Specifies that the key_identifier parameter points to an internal AES key-token or the
label of an internal key-token in AES key-storage.
ICV selection (one, optional)
INITIAL Specifies that this is either the first request of a sequence of chained requests, or the
only request. The initialization vector is used as input to decipher the first block of data,
and must be the same value used to encipher the ciphertext. The chain data buffer is
updated with output that is used as input to subsequent chained requests. This is the
default.
CONTINUE Specifies that the request is part of a sequence of chained requests and is not the first
(initial) request in the sequence. The chain data is used as input to decipher the next
block of data. The chain data buffer is updated with output that is used as input to
subsequent chained requests.
This keyword is not valid with the ECB processing rule keyword.
key_identifier_length
| The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes
| of data in the key_identifier variable. This value must be 16, 24, 32, or greater than or equal to 64.
key_identifier
The key_identifier parameter is a pointer to a string variable containing either a cleartext AES key or
the internal key-token or a label for an internal key-token record in AES key-storage. This is the key
used to decipher the data pointed to by the ciphertext parameter.
| For rule-array keyword KEY-CLR, a 16-byte, 24-byte, or 32-byte clear AES key is required. For
| rule-array keyword KEYIDENT, a fixed-length or, beginning with Release 4.2, a variable-length internal
| AES key-token or key label for such a key in AES key-storage is required.
Required commands
The Symmetric_Algorithm_Decipher verb requires the Decipher Data Using AES command (offset X'012B')
to be enabled in the active role.
The AES key used to encipher the data can either be 16, 24, or 32 bytes (128, 192, or 256 bits) in length.
The key can be supplied to the verb in any of three forms:
1. A cleartext key consisting of only the key bytes, not contained in a key token
| 2. A cleartext key contained in an internal fixed-length or, beginning with Release 4.2, a variable-length
| AES key-token
| 3. An encrypted key contained in an internal fixed-length or, beginning with Release 4.2, a variable-length
| AES key-token, where the key is wrapped (encrypted) with the AES master key
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSNBSAE
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1, 2, 3, or 4
rule_array Input String array rule_array_count * 8 bytes
| key_identifier_length Input Integer 16, 24, 32, or 64
key_identifier Input String key_identifier_length bytes
key_parms_length Input Integer 0
key_parms Input String key_parms_length bytes
block_size Input Integer 16
initialization_vector_length Input Integer 0 or 16
initialization_vector Input String initialization_vector_length bytes
chain_data_length In/Output Integer 32
chain_data In/Output String chain_data_length bytes
cleartext_length Input Integer multiple of block_size
cleartext Input String cleartext_length bytes
ciphertext_length In/Output Integer cleartext_length plus pad bytes
ciphertext In/Output String ciphertext_length bytes
optional_data_length Input Integer 0
optional_data Input String optional_data_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Keyword Meaning
Algorithm identifier (one required)
AES Specifies use of the Advanced Encryption Standard (AES) as the encryption algorithm.
The block size for AES is 16 bytes, and the key length is 16, 24, or 32 bytes. AES is the
only algorithm currently supported by this verb.
Processing rule (one, optional)
CBC Specifies encryption in Cipher Block Chaining mode. The cleartext length must be a
multiple of the block size. This is the default value.
ECB Specifies encryption in Electronic Code Book mode. The cleartext length must be a
multiple of the block size.
PKCS-PAD Specifies padding of the cleartext on the right with 1 to 16 bytes of pad characters,
making the padded text a multiple of the block size. Each pad character is valued to the
number of pad characters added. The ciphertext length must be large enough to include
| the added pad characters. The padded cleartext is enciphered in Cipher Block Chaining
| mode.
Key rule (one, optional)
KEY-CLR Specifies that the key_identifier parameter points to a cleartext AES key. Only the key
value is permitted; the key is not contained in a key token. This is the default value.
KEYIDENT Specifies that the key_identifier parameter points to an internal AES key-token or the
label of an internal key-token in AES key-storage.
ICV selection (one, optional)
INITIAL Specifies that this is either the first request of a sequence of chained requests, or the
only request. The initialization vector is used as input to encipher the first block of data.
The chain data buffer is updated with output that is used as input to subsequent chained
requests. This is the default.
CONTINUE Specifies that the request is part of a sequence of chained requests and is not the first
(initial) request in the sequence. The chain data is used as input to encipher the next
block of data. The chain data buffer is updated with output that is used as input to
subsequent chained requests.
This keyword is not valid with the ECB processing rule keyword.
key_identifier_length
| The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes
| of data in the key_identifier variable. This value must be 16, 24, 32, or greater than or equal to 64.
key_identifier
The key_identifier parameter is a pointer to a string variable containing either a cleartext AES key or
the internal key-token or a label for an internal key-token record in AES key-storage. This is the key
used to encipher the data pointed to by the cleartext parameter. For rule-array keyword KEY-CLR, a
16-byte, 24-byte, or 32-byte clear AES key is required. For rule-array keyword KEYIDENT, a
| fixed-length or, beginning with Release 4.2, a variable-length internal AES key-token or key label for
| such a key in AES key-storage is required.
Required commands
The Symmetric_Algorithm_Encipher verb requires the Encipher Data Using AES command (offset X'012A')
to be enabled in the active role.
389
Key labels and key-storage management
Use the verbs described in this section to manage AES, DES, and PKA key-storage. The CCA software
manages key storage as an indexed repository of key records. Access key storage using a key label with
verbs that have a key-label or key-identifier parameter.
There are several independent key-storage systems that can be used to manage records for AES key
records, DES key records, and PKA key records:
AES key-storage Holds null and internal AES key tokens
DES key-storage Holds null, internal, and external DES key tokens
PKA key-storage Holds null PKA key tokens, and both internal and external public and
private RSA key tokens. Beginning with Release 4.1, also holds internal
ECC key tokens.
Also, public and private RSA keys can be retained within the coprocessor. Public RSA keys are loaded into
the coprocessor through use of the PKA_Public_Key_Hash_Register and PKA_Public_Key_Register verbs.
Private RSA keys are generated and optionally retained within the coprocessor using the
PKA_Key_Generate verb. Depending on the other uses for coprocessor storage, between 75 and 150
keys can normally be retained within the coprocessor.
A key-storage file must be initialized before any records are created. Prior to storing a key token in key
storage, a key-storage record must be created using the AES_Key_Record_Create,
DES_Key_Record_Create, or PKA_Key_Record_Create verb.
Individual key tokens can be read using the AES_Key_Record_Read, DES_Key_Record_Read, and
PKA_Key_Record_Read verbs or written using the AES_Key_Record_Write, DES_Key_Record_Write, and
PKA_Key_Record_Write verbs.
Key-label content
Use a key label to identify a record in key storage managed by a CCA implementation. The key label must
be left-aligned in the 64-byte string variable used as input to the verb. Some verbs use a key label while
others use a key identifier. Calls that use a key identifier accept either a key token or a key label.
The alphabetic and numeric characters and the period should be encoded in the normal character set
for the computing platform that is in use, either ASCII or EBCDIC.
Notes:
1. Some CCA implementations accept the characters a - z and fold these to their uppercase
equivalents, A - Z. For compatibility reasons, only use the uppercase alphabetic characters.
2. Some implementations internally transform the EBCDIC encoding of a key label to an ASCII string.
Also, the label might be put in tokenized form by dropping the periods and formatting each name
token into 8-byte groups, padded on the right with space characters.
Some verbs accept a key label containing a wildcard represented by an asterisk (*). (X'2A' in ASCII; X'5C'
in EBCDIC). When a verb permits the use of a wildcard, the wildcard can appear as the first character, as
the last character, or as the only character in a name token. Any of the name tokens can contain a
wildcard.
Examples of key labels that are not valid include the following:
Key-storage verbs
Use any of the following verbs to add or update an existing key token in the record:
v AES_Key_Record_Delete
v AES_Key_Record_Write
v Key_Generate
v Key_Generate2 (Release 4.1 or later)
v Key_Part_Import2 (Release 4.1 or later)
v Key_Token_Change
v Key_Token_Change2 (Release 4.1 or later)
v Key_Translate2 (Release 4.1 or later)
v Restrict_Key_Attribute (Release 4.1 or later)
v Symmetric_Key_Generate
v Symmetric_Key_Import
v Symmetric_Key_Import2 (Release 4.1 or later)
Notes:
1. To delete a key record from AES key-storage, use the AES_Key_Record_Delete verb.
2. AES key-storage records are stored in the external key-storage dataset defined by the CSUAESDS
environment variable.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Variable-length symmetric key tokens are not supported in releases before Release 4.1.
CSNBAKRC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
key_token_length Input Integer 0 or 64
key_token Input String key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. This verb
does not use keywords.
key_label
The key_label parameter is a pointer to a string variable containing the key label of the AES
key-record to be created.
key_token_length
The key_token_length parameter is a pointer to an integer variable containing the number of bytes of
data in the key_token variable. If the value of the key_token_length variable is zero, a record with a
null AES key-token is created.
key_token
The key_token parameter is a pointer to a string variable containing the key token being written to
AES key-storage.
Required commands
The AES_Key_Record_Create verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Identify a task with the rule_array keyword, and the key record or records with the key_label parameter. To
identify multiple records, use a wildcard (*) in the key label.
Note: AES key-storage records are stored in the external key-storage dataset defined by the CSUAESDS
environment variable.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Variable-length symmetric key tokens are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNBAKRD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0 or 1
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0 or 1.
Keyword Meaning
Task (one, optional)
TOKEN-DL Deletes a key token from a key record in AES key-storage, overwriting it with a null AES or
variable-length symmetric key-token. This is the default.
LABEL-DL Deletes an entire key record, including the key label, from AES key-storage.
key_label
The key_label parameter is a pointer to a string variable containing the key label of a key-token record
or records in AES key-storage. Use a wildcard (*) in the key_label variable to identify multiple records
in key storage.
Required commands
The AES_Key_Record_Delete verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
The verb creates the AES key-record-list dataset and returns the name of the dataset and the length of the
dataset name to the calling application. The verb also returns the name of the security server where the
dataset is stored. This dataset has a header record, followed by 0 to n detail records, where n is the
number of key records with matching key labels. For information about the header and detail records, see
Key-record-list datasets and records on page 637.
AIX and Linux users should refer to the IBM 4764 PCI-X Cryptographic Coprocessor CCA Support
Program Installation Manual for information concerning the location of the AES key-record-list directory.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Variable-length symmetric key tokens are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNBAKRL
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
dataset_name_length Output Integer 64
dataset_name Output String dataset_name_length bytes
security_server_name Output String 8 bytes
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. This verb
currently does not use keywords.
key_label
The key_label parameter is a pointer to a string variable containing a key record or key records in AES
key-storage. Use a wildcard (*) to identify multiple records in key storage.
dataset_name_length
The dataset_name_length parameter is a pointer to an integer variable containing the number of bytes
of data returned by the verb in the dataset_name variable. The maximum returned length is 64 bytes.
dataset_name
The dataset_name parameter is a pointer to a string variable containing the name of the dataset
returned by the verb. The dataset contains the AES key-record information.
Note: The dataset name returned by this verb is defined by the CSUAESLD environment variable.
The verb returns the dataset name as a fully qualified file specification (for example, C:\Program
Files\IBM\4764\KEYS\AESLIST\KYRLTnnn.LST on a Windows system), where nnn is the numeric
portion of the name. This value increases by one every time you use this verb. When this value
reaches 999, it resets to 001.
Note: When the verb stores a key-record-list dataset, it overlays any older dataset with the same
name.
security_server_name
The security_server_name parameter is a pointer to a string variable. The information in this variable
is not currently used, but the variable must be declared.
Required commands
The AES_Key_Record_List verb requires the Compute Verification Pattern command (offset X'001D') to be
enabled in the active role.
Note: AES key-storage records are stored in the external key-storage dataset defined by the CSUAESDS
environment variable.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Variable-length symmetric key tokens are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNBAKRR
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
key_token_length In/Output Integer 0 (output) or 64
key_token Output String key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. This verb
currently does not use keywords.
Required commands
The AES_Key_Record_Read verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSNBAKRW
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0 or 1
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
key_token_length Input Integer 64
key_token Input String key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0 or 1.
Keyword Meaning
Processing option (one, optional)
CHECK Specifies that the record is written only if a record of the same label in AES key-storage
contains a null key-token. This is the default.
OVERLAY Specifies that the record is overwritten regardless of the current content of the record in AES
key-storage.
key_label
The key_label parameter is a pointer to a string variable containing the key label that identifies the
record in AES key-storage where the key token is to be written.
key_token_length
The key_token_length parameter is a pointer to an integer variable containing the number of bytes of
data in the key_token variable. This value must be 64.
key_token
The key_token parameter is a pointer to a string variable containing the AES or variable-length
symmetric key-token to be written into AES key-storage.
Required commands
The AES_Key_Record_Write verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Note: DES key-storage records are stored in the external key-storage dataset defined by the CSUDESDS
environment variable.
After creating a DES key-record, any of the following verbs update a key token in the record:
v Clear_Key_Import
v DES_Key_Record_Delete
v DES_Key_Record_Write
v Data_Key_Import
v Diversified_Key_Generate
v Key_Generate
v Key_Import
v Key_Part_Import
v Key_Token_Change
v Multiple_Clear_Key_Import
v Remote_Key_Export
v Symmetric_Key_Generate
v Symmetric_Key_Import
To delete a key record from DES key-storage, use the DES_Key_Record_Delete verb.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSNBKRC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_label Input String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Required commands
The DES_Key_Record_Create verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Identify a task with the rule_array keyword, and the key record or records with the key_label parameter. To
identify multiple records, use a wildcard (*) in the key label.
Note: DES key-storage records are stored in the external key-storage dataset defined by the CSUDESDS
environment variable.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSNBKRD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are eight bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
key_label
The key_label parameter is a pointer to a string variable containing the key label of a key-token record
or records in DES key-storage. Use a wildcard (*) in the key_label variable to identify multiple records
in key storage.
Required commands
The DES_Key_Record_Delete verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Specify the key records to be listed using the key_label variable. To identify multiple key records, use the
wildcard (*) in the key label.
Notes:
1. To list all the labels in key storage, specify the key_label parameter with *, *.*, *.*.*, and so forth, up
to a maximum of seven name tokens (*.*.*.*.*.*.*).
2. DES key-storage records are stored in the external key-storage dataset defined by the CSUDESDS
environment variable.
The verb creates the DES key-record-list dataset and returns the name of the dataset and the length of
the dataset name to the calling application. This dataset has a header record, followed by 0 to n detail
records, where n is the number of key records with matching key labels. For information about the header
and detail records, see Key-record-list datasets and records on page 637.
AIX and Linux users should refer to the IBM 4764 PCI-X Cryptographic Coprocessor CCA Support
Program Installation Manual for information concerning the location of the DES key-record-list directory.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSNBKRL
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_label Input String 64 bytes
dataset_name_length Output Integer 64
dataset_name Output String dataset_name_length bytes
security_server_name Output String 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Note: The dataset name returned by this verb is defined by the CSUDESLD environment variable.
The verb returns the dataset name as a fully qualified file specification (for example, C:\Program
Files\IBM\4764\KEYS\DESLIST\KYRLTnnn.LST on a Windows system), where nnn is the numeric
portion of the name. This value increases by one every time you use this verb. When this value
reaches 999, it resets to 001.
Note: When the verb stores a key-record-list dataset, it overlays any older dataset with the same
name.
security_server_name
The security_server_name parameter is a pointer to a string variable. The information in this variable
is not currently used, but the variable must be declared.
Required commands
The DES_Key_Record_List verb requires the Compute Verification Pattern command (offset X'001D') to be
enabled in the active role.
Note: DES key-storage records are stored in the external key-storage dataset defined by the CSUDESDS
environment variable.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| Format
Parameter name Direction Data type Data length or value
CSNBKRR
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_label Input String 64 bytes
key_token Output String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_label
The key_label parameter is a pointer to a string variable containing the key label of the key-token
record to be read from DES key-storage.
key_token
The key_token parameter is a pointer to a string variable containing a copy of the key-token record to
be read from DES key-storage.
Required commands
The DES_Key_Record_Read verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSNBKRW
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
key_token Input String 64 bytes
key_label Input String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
key_token
The key_token parameter is a pointer to a string variable containing the internal key-token to be
written into DES key storage.
key_label
The key_label parameter is a pointer to a string variable containing the key label that identifies the
record in DES key storage where the key token is to be written.
Required commands
The DES_Key_Record_Write verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
After creating a PKA key-record, use any of the following verbs to add or update a key token in the record:
v PKA_Key_Import
v PKA_Key_Generate
v PKA_Key_Record_Delete
v PKA_Key_Record_Write
v PKA_Key_Token_Change
Notes:
1. To delete a key record from PKA key-storage, use the PKA_Key_Record_Delete verb.
2. PKA key-storage records are stored in the external key-storage dataset defined by the CSUPKADS
environment variable.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v ECC key tokens are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNDKRC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
key_token_length Input Integer 3500
key_token Input String key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Required commands
The PKA_Key_Record_Create verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Identify the task with the rule_array keyword, and the key record or key records with the key_label
parameter. To identify multiple records, use a wildcard (*) in the key label.
Note: PKA key-storage records are stored in the external key-storage dataset defined by the CSUPKADS
environment variable.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSNDKRD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0 or 1
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0 or 1.
Keyword Meaning
Task (one, optional)
TOKEN-DL Deletes a key token from a key record in PKA key-storage, overwriting it with a null PKA
key-token. This is the default.
LABEL-DL Deletes an entire key record, including the key label, from PKA key-storage.
key_label
The key_label parameter is a pointer to a string variable containing the key label of a key-token record
or records in PKA key-storage. Use a wildcard (*) in the key_label variable to identify multiple records
in key storage.
Required commands
The PKA_Key_Record_Delete verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Specify the key records to be listed using the key_label variable. To identify multiple key records, use the
wildcard (*) in a key label.
Notes:
1. To list all the labels in key storage, specify the key_label parameter with *, *.*, *.*.*, and so forth, up
to a maximum of seven name tokens (*.*.*.*.*.*.*).
2. PKA key-storage records are stored in the external key-storage dataset defined by the CSUPKADS
environment variable.
The verb creates the PKA key-record-list dataset and returns the name of the dataset and the length of the
dataset name to the calling application. The verb also returns the name of the security server where the
dataset is stored. This dataset has a header record, followed by 0 to n detail records, where n is the
number of key records with matching key labels. For information about the header and detail records, see
Key-record-list datasets and records on page 637.
AIX and Linux users should refer to the IBM 4764 PCI-X Cryptographic Coprocessor CCA Support
Program Installation Manual for information concerning the location of the PKA key-record-list directory.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v ECC key tokens are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNDKRL
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
dataset_name_length Output Integer 64
dataset_name Output String dataset_name_length bytes
security_server_name Output String 8 bytes
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. This verb
currently does not use keywords.
key_label
The key_label parameter is a pointer to a string variable containing a key record or key records in
PKA key-storage. Use a wildcard (*) to identify multiple records in key storage.
dataset_name_length
The dataset_name_length parameter is a pointer to an integer variable containing the number of bytes
of data returned in the dataset_name variable. The maximum returned length is 64 bytes.
dataset_name
The dataset_name parameter is a pointer to a string variable containing the name of the dataset
returned by the verb. The dataset contains the PKA key-record information.
Note: The dataset name returned by this verb is defined by the CSUPKALD environment variable.
The verb returns the dataset name as a fully qualified file specification (for example, C:\Program
Files\IBM\4764\KEYS\PKALIST\KYRLTnnn.LST on a Windows system), where nnn is the numeric
portion of the name. This value increases by one every time you use this verb. When it reaches 999,
the value is reset to 001.
Note: When the verb stores a key-record-list dataset, it overlays any older dataset with the same
name.
security_server_name
The security_server_name parameter is a pointer to a string variable. The information in this variable
is not currently used, but the variable must be declared.
Required commands
The PKA_Key_Record_List verb requires the Compute Verification Pattern command (offset X'001D') to be
enabled in the active role.
The returned key token can be null. In this event, the key_length variable contains a value of 8 and the
key-token variable contains 8 bytes of X'00' beginning at offset 0 (see Null key tokens on page 578).
Note: PKA key-storage records are stored in the external key-storage dataset defined by the CSUPKADS
environment variable.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v ECC key tokens are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNDKRR
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
key_token_length In/Output Integer 3500
key_token Output String key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. This verb
currently does not use keywords.
Required commands
The PKA_Key_Record_Read verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v ECC key tokens are not supported in releases before Release 4.1.
Format
Parameter name Direction Data type Data length or value
CSNDKRW
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0 or 1
rule_array Input String array rule_array_count * 8 bytes
key_label Input String 64 bytes
key_token_length Input Integer 3500
key_token Input String key_token_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0 or 1.
Keyword Meaning
Processing option (one, optional)
CHECK Specifies that the record is written only if a record of the same label in PKA key-storage
contains a null key-token. This is the default.
OVERLAY Specifies that the record is overwritten regardless of the current content of the record in PKA
key-storage.
key_label
The key_label parameter is a pointer to a string variable containing the key label that identifies the key
record in PKA key-storage where the key token is to be written.
key_token_length
The key_token_length parameter is a pointer to an integer variable containing the number of bytes of
data in the key_token variable. The maximum length is 3500 bytes.
key_token
The key_token parameter is a pointer to a string variable containing the RSA or ECC key-token to be
written into PKA key-storage.
Required commands
The PKA_Key_Record_Write verb requires the Compute Verification Pattern command (offset X'001D') to
be enabled in the active role.
Both public and private keys can be retained within the cryptographic engine using verbs such as
PKA_Key_Generate and PKA_Public_Key_Register. A list of retained keys can be obtained using the
Retained_Key_List verb.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| Format
Parameter name Direction Data type Data length or value
CSNDRKD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes or null pointer
key_label Input String 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0.
rule_array
The rule_array parameter should be a null address pointer.
key_label
The key_label parameter is a pointer to a string variable containing the key label of a PKA key-record
that has been retained within the cryptographic engine. The use of a wildcard in the key_label variable
is not permitted.
Specify the keys to be listed using the key_label_mask variable. To identify multiple keys, use a wildcard
(*) in the mask. Only labels with matching characters to those in the mask up to the first * is returned. To
list all retained key labels, specify a mask of an *, followed by 63 space characters. For example, if the
cryptographic engine has retained key labels a.a, a.a1, a.b.c.d, and z.a, and you specify the mask a.*, the
verb returns a.a, a.a1 and a.b.c.d. If you specify a mask of a.a*, the verb returns a.a and a.a1.
To retain PKA keys within the coprocessor, use the PKA_Key_Generate and the
PKA_Public_Key_Register verbs. To delete retained keys from the coprocessor, use the
Retained_Key_Delete verb.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
| Format
Parameter name Direction Data type Data length or value
CSNDRKL
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0
rule_array Input String array rule_array_count * 8 bytes
key_label_mask Input String 64 bytes or null pointer
retained_keys_count In/Output Integer
key_labels_count In/Output Integer
key_labels Output String array key_labels_count * 64 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value currently must be 0.
Required commands
The Retained_Key_List verb requires the List Retained Key command (offset X'0230') to be enabled in the
active role.
Table 50 lists the verbs described in this section. See Financial services support verbs on page 437 for a
detailed description of each verb.
Table 50. Financial services support verbs
Service
Verb Page Service Entry point location
Clear_PIN_Encrypt 438 Formats a PIN into a PIN block and produces CSNBCPE E
the PIN block as an encrypted quantity.
425
Table 50. Financial services support verbs (continued)
Service
Verb Page Service Entry point location
Secure_Messaging_for_Keys 481 Securely incorporates a key into a text block CSNBSKY E
that is then encrypted (for use with EMV
smart cards).
Secure_Messaging_for_PINs 484 Securely incorporates a PIN block into a text CSNBSPN E
block that is then encrypted (for use with
EMV smart cards).
SET_Block_Compose 489 Creates a SET-protocol RSA-OAEP block CSNDSBC E
that DES encrypts.
SET_Block_Decompose 492 Decomposes the RSA-OAEP block that DES CSNDSBD E
decrypts.
Transaction_Validation 496 Generates and verifies American Express CSNBTRV E
Card Security Codes (CSC).
E=cryptographic engine
Note: In this section, automated teller machine (ATM) can also mean a point-of-sale device, an enhanced
teller terminal, or a programmable workstation.
A financial PIN is used to authorize personal financial transactions for a customer who uses an automated
teller machine or point-of-sale device. A financial PIN is similar to a password except that a financial PIN
consists of decimal digits and is normally a cryptographic function of an associated account number. With
the financial PIN verbs you can specify PINs that range from 4 16 digits in length. (A financial PIN is
usually 4 digits in length.)
The financial PIN verbs form a complete set of verbs that you can use in various combinations to process
financial PINs. The verb relationships and primary inputs and outputs are depicted in Figure 23 on page
428. You use these verbs for the following tasks:
v Provide security for the PINs by using encrypted PIN-blocks with these capabilities:
Encryption of a clear PIN in various PIN-block formats
Generation of random PIN values and encryption of these in various PIN-block formats
Verification of a PIN. The PIN block is decrypted as part of the verification service.
Reencrypting a PIN-block under another key with optional, integral changing of the PIN-block format
v Use multiple PIN calculation methods
v Use multiple PIN block formats and PIN extraction methods
v Use ANS X9.24 derived unique-key-per-transaction (UKPT) PIN-block encryption
v Provide the following services:
Create encrypted PIN blocks for transmission
Generate institution-assigned PINs
Generate an offset or a Visa PIN-validation value (PVV)
Create encrypted PIN blocks for a PIN-verification database
Change the PIN-block encrypting key or the PIN-block format
Verify PINs
Normally, a customer inserts a magnetic-stripe card and enters a trial PIN into an ATM to identify himself.
The ATM does the following:
1. Obtains account information and other information from the magnetic stripe on the card.
To verify a PIN, a program normally uses one of the following two methods:
v PIN-calculation method. In this method, the program calls the PIN verification verb that decrypts the trial
PIN block, extracts the trial PIN from the PIN block, recalculates the account-number-based PIN,
adjusts this value with any offset, compares the resulting value to the trial PIN, and returns the result of
the comparison.
v PIN-database method. In this method, the encrypted PIN-block that contains the correct customer-PIN is
stored in a PIN-verification database. Upon receipt of an encrypted trial-PIN block, the program calls a
verb to translate (decipher, then encipher) the trial PIN block to the format and key used for the
encrypted PIN-block in the PIN-verification database. The two encrypted PIN-blocks can then be
compared for equality.
In general, a PIN can be assigned by an institution or selected by a customer. Some PIN calculation
methods use the institution-assigned or customer-selected PIN to calculate another value that is stored on
the magnetic stripe of the account-holder's card or in a database and that is used in the PIN-verification
process.
The Clear_PIN_Generate verb uses a PIN-generating key and an account number to create an A-PIN
according to the PIN-calculation method selected through a rule-array keyword. See PIN calculation
methods on page 697. Certain calculation methods also accept a C-PIN value and return an O-PIN
calculated from the coprocessor-generated A-PIN value.
The Encrypted_PIN_Generate verb uses a PIN-generating key and an account number to create an A-PIN
according to the PIN-calculation method selected through a rule-array keyword. The verb formats the
A-PIN value into a PIN block as specified in the input control information. The PIN block is returned
encrypted by the supplied OPINENC-type key.
The Clear_PIN_Encrypt verb accepts a clear PIN value and formats the input into a PIN block. The result
is encrypted and returned. This verb can also randomly generate PIN values and return these as
encrypted PIN blocks. This function is useful when an institution wants to distribute initial PIN values to
customers.
The Encrypted_PIN_Verify verb accepts an account number and PIN-verifying or PIN-generating key to
internally produce an A-PIN. For certain methods, the verb also accepts an O-PIN so that it can produce
the correct value that a customer must enter to access his account. The final input, an encrypted T-PIN
block, is decrypted, the customer-entered trial PIN is extracted from the block and compared to the
calculated value; equality is indicated by the return code (and reason code) values. Return code 0
indicates the PIN is validated while return code 4 indicates that the trial PIN failed validation.
The Encrypted_PIN_Translate verb is used to change the key used later to decrypt or compare the PIN
block. The verb can also extract the PIN from one PIN-block format and insert the PIN into another
PIN-block format before reencryption. This service is useful when transferring PIN blocks from one domain
to another.
Note: The ISO-3 PIN-block format is not supported in releases before Release 3.30.
The non-PIN digits can also add variability to a PIN block. Varying the value of the non-PIN digits in a PIN
block is a security measure used to create a large number of different encrypted PIN-blocks, even though
there are typically only 10 000 PIN values in use. To enhance the security of a clear PIN during PIN
processing, the verbs generally operate with encrypted PIN-blocks. The PIN verbs provide high-level
services that typically insert or extract PIN values to or from a PIN block.
The following verbs receive clear PINs from your application program or return clear PINs to your program.
None of the other PIN verbs reveals a clear PIN.
v Clear_PIN_Generate
v Clear_PIN_Encrypt
When your application program supplies a clear PIN to a verb or receives a clear PIN from a verb, ensure
that adequate access controls and auditing are provided to protect this sensitive data. Also recognize that
exhaustive use of certain verbs such as Encrypted_PIN_Verify and Clear_PIN_Generate_Alternate can
reveal the value of a PIN. Therefore, if production level keys are available in a system, be sure that you
have usage controls and auditing in effect to detect inappropriate usage of these verbs.
Using specific key types and key-usage bits to help ensure PIN security
The control vectors that are associated with obtaining and verifying PINs enable you to minimize certain
security exposures. The class of keys designated PINGEN operates in the verbs that create and validate
PIN values, whereas the PINVER class operates only in those verbs that validate a PIN. Reduce your
exposure to fraud by limiting the availability of the PINGEN keys to those applications and times when it is
legitimate to create new PIN values. Use the PINVER key class to validate PINs. You can also further
Those verbs that encrypt a PIN block require the encrypting key to be of the class OPINENC, output
PIN-block encrypting key. Those verbs that decrypt a PIN block require the encrypting key to be of the
class IPINENC, input PIN-block encrypting key. The actual input and output key values are the same, but
the use of two different types of control vectors aids in defeating certain insider attacks that might enable
redirection of encrypted PIN values to an unintended service to the attacker's benefit. You can also turn off
selected bits in the default OPINENC and IPINENC control vectors to limit those verbs in which a given
key can operate to further reduce exposure to insider fraud.
Point-of-sale terminals that accept a customer's PIN often use the UKPT mechanism specified in ANS
X9.24 to ensure that tampering with the device does not reveal keys used to encrypt previous PIN
encryptions. With the Encrypted_PIN_Translate and Encrypted_PIN_Verify verbs, you can process PIN
blocks encrypted according to ANS X9.24. In these cases you supply the base key and a current-key
serial number (CKSN). The verb derives the appropriate key to decrypt or encrypt the PIN block when a
Single-DES method is specified. If a Triple-DES method is specified, it employs the algorithm specified in
ANS X9.52.
Note: The Clear_PIN_Generate_Alternate (CSNBCPA) verb always outputs four digits rather than padding
the output with binary zeros to the length of the PIN when the Visa PVV PIN-calculation method is
used.
The data array is a 48-byte string made up of three consecutive 16-byte character strings. Each element
must be 16 bytes in length, uppercase, left-aligned, and padded on the right with space characters. Some
PIN calculation methods and verbs do not use all three elements. However, all three elements must be
declared.
Data array with IBM-PIN, IBM-PINO, NL-PIN-1, and GBP-PIN: When using the IBM-PIN, the IBM-PINO,
the NL-PIN-1, and GBP-PIN methods, the data array contains elements for a decimalization table and
validation data. For some verbs, it also includes a clear PIN or an offset to a clear PIN.
v decimalization_table
The first element in the data array for a PIN-calculation method provides the decimalization table, which
is 16 characters. The characters are used to map the hexadecimal digits (X'0' to X'F') of the encrypted
validation data to decimal digits (X'0' - X'9').
Notes:
1. To avoid errors when using the IBM 3624 PIN-block format, do not include a decimal digit that is
also used as a pad digit in the decimalization table. For information about using a pad digit, see
PIN profile on page 433.
| 2. Use a decimalization table of 0123456789012345 for NL-PIN-1.
v validation_data
The second element in the data array for a PIN-calculation method provides from 1 - 16 characters of
account data, which can be the customers account number or other identifying number. If necessary,
the application program must left-align the validation data and pad on the right with space characters to
a length of 16 bytes. While normally the validation data consists of numeric-decimal characters, the
Clear_PIN_Generate_Alternate, Encrypted_PIN_Generate, and Encrypted_PIN_Verify verbs have been
updated to accept any hexadecimal character (0 - 9, A - F).
v clear_PIN, offset_data, or reserved
The third element in the data array provides an O-PIN value. If an O-PIN is not used in the verb or
method, then this should be 16 space characters.
Data array with the Visa PVV PIN-calculation method: When using the Visa PVV PIN-calculation
method, the data array consists of the transaction_security_parameter, the PVV, and one reserved
element.
v transaction_security_parameter
Data array for the InterBank PIN-calculation method: When using the InterBank PIN-calculation
method with certain verbs, the data array consists of one element, the transaction_security_parameter, for
transaction security data. The other two elements are reserved.
v transaction_security_parameter
The first element in the data array for the InterBank PIN-calculation method provides
transaction-security data. Specify 16 numeric characters that include the following:
Eleven (rightmost) digits of PAN data, excluding the check digit. For information about a PAN, see
Personal account number on page 436.
A constant, 6.
A one-digit key index selector value from 1 6.
Three numeric characters of validation data.
v reserved
The second and third elements in the data array for the InterBank PIN-calculation method are reserved.
These two elements each point to a 16-byte variable in application storage. The information in these
elements is ignored, but the elements must be declared.
When deriving the unique key according to the ANS X9.24 UKPT process, the verbs also require you to
supply the CKSN. The CKSN is supplied as an extension of the PIN profile.
PIN profile
A PIN_profile variable normally consists of three basic elements. It sometimes includes a fourth 24-byte
CKSN extension. The three basic elements identify the PIN-block format, the level of format control, and
any pad digit. Generally, you can code the basic PIN_profile variable as a constant in your application.
Each element is an 8-byte character string in an array, which is the equivalent of a single 24-byte string
that is organized as three 8-byte fields. The elements must be 8 bytes in length, uppercase, and,
depending on the element, either left-aligned or right-aligned and padded with space characters.
Depending on the verb and the PIN-block format, all three elements might not be used. However, all three
elements (that is, all 24 bytes) must be declared.
PIN-block format: The PIN-block format is the first element in a PIN_profile variable. Specify the format
using one of these keywords, left-aligned and padded on the right with space characters:
Note: The ISO-3 PIN-block format is not supported in releases before Release 3.30.
Format control enforcement: The format-control level is the second element in a PIN profile. For the
IBM 4765 and IBM 4764, this element must be set to NONE followed by four space characters.
Pad digit: The pad digit is the third element in a PIN profile. Certain PIN-block formats require a pad
digit when a PIN is either formatted, extracted, or both, as discussed in Table 54 on page 434. The pad
digit for PIN formatting column indicates the values that the verb uses when it creates a PIN block. The
pad digit for PIN extraction column indicates the values that the verb uses when it extracts a PIN from a
PIN block.
When required, specify the pad digit as a character from the character set 0 - 9 and A - F. The pad digit
must be uppercase, right-aligned in the 8-byte element, with 7 preceding space characters. When a pad
digit is not required, specify 8 space characters.
Note: For the IBM 3621 PIN-block format, the pad digit should be a non-decimal character (from C'A' -
C'F'). The 3624 PIN-block format depends on the fact that the pad digit is not the same as a PIN
digit. If they are the same, unpredictable results can occur. For this reason, do not use a decimal
digit for the pad digit. If you use a decimal digit for the pad digit, you also limit the range of possible
PINs.
If you use a decimal digit for the pad digit, ensure that you do not include the decimal digit in the
decimalization table. For information about the decimalization table, see PIN verb data_array variable on
page 432.
Table 54. Pad-digit specification by PIN-block format
PIN-block format Pad digit for PIN formatting Pad digit for PIN extraction
3624 X'0' - X'F' X'0' - X'F'
ISO-0 X'F' The pad-digit specification is ignored.
ISO-1 The pad-digit specification is ignored. The pad-digit specification is ignored.
ISO-2 The pad-digit specification is ignored. The pad-digit specification is ignored.
ISO-3 Random X'A' - X'F' The pad-digit specification is ignored.
EMV-PIN-change The pad-digit specification is ignored. The pad-digit specification is ignored.
Note: The ISO-3 PIN-block format is not supported in releases before Release 3.30.
Current key serial number: When a PIN block is encrypted with a derived, unique key, the 24-byte
PIN_profile variable is extended from 24 bytes to 48 bytes to include the CKSN extension. The CKSN is
left-aligned within the extension and padded with 4 bytes of X'00'.
PIN-extraction methods
Before a verb can process a formatted and encrypted PIN, the verb must decrypt the PIN block and
extract the PIN from the PIN block. The PIN verbs can use multiple PIN-extraction methods. The valid
PIN-extraction method depends on the PIN-block format.
You can specify a PIN-extraction method or use the default method for the PIN-block format. To specify a
PIN-extraction method, use a keyword in the rule_array variable for the verb.
Table 55 shows the keywords for the PIN-extraction methods that are valid for each PIN-block format.
When only one PIN-extraction method is valid, the keyword is the default value. When more than one
method is valid, the first keyword is the default value.
Table 55. PIN-extraction method keywords by PIN-block format
PIN-block format PIN-extraction method keywords (used in the rule array)
3624 HEXDIGIT
PADDIGIT
PADEXIST
PINLEN04 PINLEN16
ISO-0 PINBLOCK
ISO-1 PINBLOCK
ISO-2 PINBLOCK
ISO-3 PINBLOCK
Note: The ISO-3 PIN-block format is not supported in releases before Release 3.30.
Table 56 summarizes the verbs affected by the Enhanced PIN Security Mode command and describes the
effect that the command has when the command is enabled.
Table 56. Verbs affected by enhanced PIN security mode
PIN-block format PIN processing changes (when Enhanced PIN
and PIN-extraction Security Mode command, offset X'0313', is
method Verbs affected enabled)
3621 or 3624 Clear_PIN_Generate_Alternate PIN extraction determines the PIN length by scanning
format and Encrypted_PIN_Translate from right to left until a digit, not equal to the pad
PADDIGIT Encrypted_PIN_Verify digit, is found. The minimum PIN length is set at four
PIN_Change/Unblock digits, so scanning ceases one digit after the position
of the 4th PIN digit in the block. (No changes are
made for any PIN-extraction method other than
PADDIGIT.)
3621 or 3624 Clear_PIN_Encrypt PIN formatting does not examine the PIN, in the
format and Encrypted_PIN_Generate output PIN block, to see if it contains the pad digit.
PADDIGIT Encrypted_PIN_Translate (No changes are made for any PIN-extraction method
other than PADDIGIT.)
For the ISO-0 and ISO-3 (Release 3.30 or later) PIN-block formats, the PIN verbs use a PAN to format
and extract a PIN. You specify the PAN with a PAN_data parameter for the verb. You must specify the
PAN in character format in a 12-byte field. Each digit in the PAN must be from 0 - 9. The actual PAN might
be more than 12 digits, but the PIN verbs use only 12 digits for the PAN. Depending on the PIN-block
format, the verbs use the rightmost 12 digits or the leftmost 12 digits.
Note: When using the ISO-0 or ISO-3 PIN-block format, use the rightmost 12 digits of the PAN, excluding
the check digit.
Both Visa and MasterCard employ the same process for creating a card security code. Visa calls their
card security code a card-verification value (CVV). MasterCard calls theirs a card validation code (CVC).
CCA uses the term CVV generically.
The CVV value can be encoded in track 2 (CVV1 or CVC1) or might be printed, but not embossed, on a
credit card (CVV2 or CVC2). Look for a 3, 4, or 5 character code that might be indent-printed in the card's
signature panel following the card number on the back of a credit card. This code is sometimes requested
in a card-not-present transaction.
The process used to generate a CVV is described in CVV and CVC card-verification method on page
706.
American Express employs its own proprietary process for creating a card security code. American
Express calls their card security code a card identification number (CID).
CCA can generate and verify a CID using the Transaction_Validation (CSNBTRV) verb.
You can use the Clear_PIN_Encrypt verb to create an encrypted PIN-block for transmission. With the
RANDOM keyword, you can also have the verb generate random PIN numbers. This can be useful when
you supply PIN numbers to a bank-card manufacturer.
Note: A clear PIN is a sensitive piece of information. Ensure that your application program and system
design provide adequate protection for any clear-PIN value.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
CSNBCPE
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
PIN_encrypting_key_identifier Input String 64 bytes
rule_array_count Input Integer 0 or 1
rule_array Input String array rule_array_count * 8 bytes
clear_PIN Input String 16 bytes
PIN_profile Input String array 3 * 8 bytes
PAN_data Input String 12 bytes
sequence_number Input Integer 99999
encrypted_PIN_block Output String 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
PIN_encrypting_key_identifier
The PIN_encrypting_key_identifier parameter is a pointer to a string variable containing an operational
key-token or a key label of an operational key-token. The key token contains the key that encrypts the
PIN block. The control vector in the internal key token must specify an OPINENC key type and have
the CPINENC bit (CV bit 18) set to B'1'.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0 or 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
PIN source (one, optional)
ENCRYPT Causes the verb to use the PIN value contained in the clear_PIN variable. This is the
default.
RANDOM Causes the verb to use a randomly generated PIN value. The length of the PIN is based on
the value in the clear_PIN variable. Value the clear PIN to 0 and use as many digits as the
desired random PIN. Pad the remainder of the clear_PIN variable on the right with space
characters.
clear_PIN
The clear_PIN parameter is a pointer to a string variable containing the clear PIN. The PIN value must
be left-aligned and padded on the right with space characters.
Required commands
The Clear_PIN_Encrypt verb requires the Format and Encrypt PIN command (offset X'00AF') to be
enabled in the active role.
An enhanced PIN security mode is available for formatting an encrypted PIN-block into IBM 3621 or 3624
format using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits;
no other PIN-block consistency checking will occur. To activate this mode, enable the Enhanced PIN
Security Mode command (offset X'0313') in the active role.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
|
CSNBPGN
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
PIN_generating_key_identifier Input String 64 bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
PIN_length Input Integer 4 - 16
PIN_check_length Input Integer 4 - 16
data_array Input String array 3 * 16 bytes
returned_result Output String 16 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
PIN_generating_key_identifier
The PIN_generating_key_identifier parameter is a pointer to a string variable containing an operational
key-token or a key label of an operational key-token record. The key token contains the
PIN-generation key and must contain a control vector that specifies the PINGEN key type and has the
CPINGEN bit (CV bit 18) set to B'1'.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. This value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
PIN-calculation method (one required)
IBM-PIN Specifies that the IBM 3624 PIN-calculation method is to be used to generate a PIN.
IBM-PINO Specifies that the IBM 3624 PIN-offset calculation method is to be used to generate a PIN
offset.
PIN_length
The PIN_length parameter is a pointer to an integer variable containing the number of digits of the
PIN. It is a value from 4 - 16.
PIN_check_length
The PIN_check_length parameter is a pointer to an integer variable from 4 16 containing the length
of the PIN offset. The verb uses the PIN-check length if you specify the IBM-PINO keyword for the
PIN-calculation method. Otherwise, ensure that this parameter is a pointer to a 4-byte variable in
application storage. This variable must be declared.
Note: The PIN_check_length variable must be less than or equal to the PIN length.
Element Description
decimalization_table This element contains the decimalization table of 16 characters (0 9) that are used
to convert the hexadecimal digits (X'0' X'F') of the encrypted validation data to
decimal digits (X'0' X'9').
validation_data This 16-byte element contains 1 16 characters of account data. The data must be
left-aligned and padded on the right with spaces.
clear_PIN When using the IBM-PINO keyword, this 16-byte element contains the clear
customer-selected PIN. This value must be left-aligned and padded on the right with
spaces.
returned_result
The returned_result parameter is a pointer to a string variable containing the result returned by the
verb. The result is left-aligned and padded on the right with space characters.
Required commands
The Clear_PIN_Generate verb requires the Generate Clear 3624 PIN command (offset X'00A0') to be
enabled in the active role.
| Beginning with Release 4.2, whenever the Use Only Valid Decimalization Tables command (offset X'0356')
| is enabled in the active role, the decimalization_table element of the data_array value must match one of
| the PIN decimalization tables that are in the active state on the coprocessor. Use of this command
| provides improved security and control for PIN decimalization tables. See the
| Cryptographic_Facility_Control verb for information on managing PIN decimalization tables on the
| coprocessor.
You supply the customer PIN, known as a C-PIN, as an encrypted PIN-block. The verb performs the
following functions:
v Decrypts a PIN block.
v Extracts a customer-selected or institution-assigned PIN.
v Generates an A-PIN from the input account number, PIN-generating key, and so forth.
v Computes an O-PIN from the C-PIN and the A-PIN; the O-PIN is returned in the clear.
Note: To generate an O-PIN from a clear C-PIN, see the Clear_PIN_Generate verb.
Format
Parameter name Direction Data type Data length or value
CSNBCPA
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output Integer exit_data_length bytes
inbound_PIN_encrypting_key_identifier Input String 64 bytes
PIN_generating_key_identifier Input String 64 bytes
input_PIN_profile Input String array 3 * 8 bytes
PAN_data Input String 12 bytes
encrypted_PIN_block Input String 8 bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
PIN_check_length Input Integer 4 - 16
data_array Input String array 3 * 16 bytes
returned_result Output String 16 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
inbound_PIN_encrypting_key_identifier
The inbound_PIN_encrypting_key_identifier parameter is a pointer to a string variable containing an
operational key-token or a key label of an operational key-token record. The key token contains the
key that decrypts the PIN-block C-PIN. The control vector in the key token must specify the IPINENC
key type and have the CPINGENA bit (CV bit 20) set to B'1'1.
PIN_generating_key_identifier
The PIN_generating_key_identifier parameter is a pointer to a string variable containing an operational
Note: When using the ISO-0 or ISO-3 PIN-block format, use the 12 rightmost PAN digits, excluding
the check digit.
encrypted_PIN_block
The encrypted_PIN_block parameter is a pointer to a string variable containing the encrypted
PIN-block of the customer-selected C-PIN value.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1 or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters.
The first element in the rule array must specify one of the keywords that indicates the PIN-calculation
method, as shown in Table 57.
Table 57. Clear_PIN_Generate_Alternate rule_array keywords (first element)
PIN-calculation method Meaning
IBM-PINO Specifies that the IBM 3624 PIN-offset calculation method is to be
used. PINGEN NOOFFSET bit (CV bit 37) must not be set.
NL-PIN-1 Specifies that the Netherlands PIN-1 calculation method is to be
used.
VISA-PVV Specifies that the Visa PVV PIN-calculation method is to be used.
The second element in the rule array must specify one of the keywords that indicates a PIN-extraction
method, as shown in Table 58 on page 447. For more information about extraction methods, see
PIN-extraction methods on page 435.
Notes:
1. In the table, the PIN-block format keyword is the keyword that you specify in the input_PIN_profile
variable.
2. If the PIN-block format enables you to choose the PIN-extraction method. If you specify a
rule_array_count of 1, the PIN-extraction method keyword that is listed first in the following table is
the default.
PIN_check_length
The PIN_check_length parameter is a pointer to an integer variable from 4 - 16 containing the number
of digits of PIN information that the verb should check. The verb uses the PIN_check_length
parameter if you specify the IBM-PINO keyword for the PIN-calculation method. Otherwise, ensure
that this parameter points to a 4-byte variable in application storage. The information in this variable is
ignored, but this variable must be declared.
Note: The PIN_check_length variables should be less than or equal to the PIN length. If the
PIN_check_length variable is greater than the PIN length, the PIN_check_length variable will be
set to the PIN length.
The length of the PIN offset in the returned result is determined by the value that the
PIN_check_length parameter identifies. The security server shortens the PIN offset.
data_array
The data_array parameter is a pointer to a string variable containing three 16-byte character strings,
which are equivalent to a single 48-byte string. The values in the data array depend on the
PIN-calculation method. Each element is not always used, but you must always declare a complete
48-byte data array.
| When using the IBM-PINO or NL-PIN-1 keyword, identify the following elements in the data array as:
Element Description
decimalization_table This element contains the decimalization table of 16 characters (0 9) that are used
to convert the hexadecimal digits (X'0' X'F') of the enciphered validation data to
decimal digits (X'0' X'9').
validation_data This 16-byte element contains 1 16 characters of account data. The data must be
left-aligned and padded on the right with space characters.
reserved_3 The information in this element is ignored, but the 16-byte element must be declared.
When using the VISA-PVV keyword, identify the following elements in the data array. For more
information about transaction security data for the Visa PVV PIN-calculation method, see Visa
PIN-validation value PIN-calculation method on page 700.
returned_result
The returned_result parameter is a pointer to a string variable containing the clear O-PIN returned by
the verb. The 16-byte result is left-aligned and padded on the right with space characters.
The length of the PIN offset in the returned result is determined by the value that the
PIN_check_length variable specifies.
Required commands
The Clear_PIN_Generate_Alternate verb requires the commands shown in the following table to be
enabled in the active role based on the keyword specified for the PIN calculation methods.
An enhanced PIN security mode is available for extracting PINs from a 3621 or 3624 encrypted PIN-block
using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits, and a
minimum PIN length of 4 is enforced; no other PIN-block consistency checking will occur. To activate this
mode, enable the Enhanced PIN Security Mode command (offset X'0313') in the active role.
Beginning with Release 4.1, enable the Enforce ANS X9.8 PIN Rules command (offset X'0350') in the
active role to accept only an input_PIN_profile variable that contains a PIN-block format of ISO-0 or ISO-3.
Note: A role with offset X'0350' enabled also affects access control of the Encrypted_PIN_Translate and
the Secure_Messaging_for_PINs verbs.
| Beginning with Release 4.2, whenever the Use Only Valid Decimalization Tables command (offset X'0356')
| is enabled in the active role, the decimalization_table element of the data_array value must match one of
| the PIN decimalization tables that are in the active state on the coprocessor. Use of this command
| provides improved security and control for PIN decimalization tables. See the
| Cryptographic_Facility_Control verb for information on managing PIN decimalization tables on the
| coprocessor. The VISA-PVV PIN-calculation method does not have a decimalization_table element and is
| therefore not affected by this command.
The verb generates a CVV that is based on the information you specify with the PAN_data, the
expiration_date, and the service_code parameters. The verb uses the key-A and key-B keys to
cryptographically process this information. For details about the CVV process, see CVV and CVC
card-verification method on page 706.
The verb returns the five-byte variable specified by the CVV_value parameter. If the requested CVV is
shorter than five characters, the CVV is left-aligned and padded on the right with space characters.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v A double-length key is not supported in releases before Release 4.2.
CSNBCSG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0, 1, or 2
rule_array Input String array rule_array_count * 8 bytes
PAN_data Input String 16 or 19 bytes
expiration_date Input String 4 bytes
service_code Input String 3 bytes
CVV_key-A_identifier Input String 64 bytes
CVV_key-B_identifier Input String 64 bytes
CVV_value Output String 5 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0, 1, or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
PAN-data length (one, optional)
PAN-13 Specifies that the length of the PAN data is 13 bytes. This is the default.
PAN-16 Specifies that the length of the PAN data is 16 bytes.
PAN-19 Specifies that the length of the PAN data is 19 bytes.
CVV length (one, optional)
CVV-1 Specifies the length of the CVV to be returned is 1 character. This is the default.
CVV-2 Specifies the length of the CVV to be returned is 2 characters.
CVV-3 Specifies the length of the CVV to be returned is 3 characters.
CVV-4 Specifies the length of the CVV to be returned is 4 characters.
CVV-5 Specifies the length of the CVV to be returned is 5 characters.
PAN_data
The PAN_data parameter is a pointer to a string variable containing PAN data in character format. The
PAN is the account number as defined for the track-2 magnetic-stripe standards. If you specify either
the PAN-13 or PAN-16 keyword, 16 bytes are sent to the coprocessor. A 13-character PAN must be
left aligned in the 16-byte variable. If you specify the PAN-19 keyword, 19 bytes are sent to the
coprocessor.
Required commands
The CVV_Generate verb requires the Generate CVV command (offset X'00DF') to be enabled in the active
role.
| The CVV_Generate and CVV_Verify verbs use the CVV algorithm to generate and verify card security
| codes required by Visa (CVV) and MasterCard (CVC). Previously, these verbs only accepted as input two
| single-length MAC-capable keys. Beginning with Release 4.2, these verbs will additionally accept as input
| a double-length MAC or MAC-capable DATA key that contains key-A as the left half of the key, and key-B
| as the right half of the key. The double-length key must be usable with either the CVV_Generate verb, the
| CVV_Verify verb, or both.
| The CVV_Key_Combine verb allows combining most pairs of single-length DES keys that formerly
| functioned as a separate key-A and key-B into one double-length CVVKEY-A key. The CVVKEY-A attribute
| in the control vector is now changed to mean single-length CVV key containing key-A or double-length
| CVV key containing key-A and key-B.
| Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX
| IBM i
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v Input key-A and input key-B cannot have different export control bits (CV bit 17 and 57); these bits must
| match. Use the Prohibit_Export verb to change XPORT-OK to NO-XPORT (CV bit 17), or the
| Restrict_Key_Attribute verb to change T31XPTOK to NOT31XPT (CV bit 57, newly defined in Release
| 4.2). These two bits get propagated to the output key-token.
| Format
| Parameter name Direction Data type Data length or value
| CSNBCKC
| return_code Output Integer See Appendix A.
| reason_code Output Integer See Appendix A.
| exit_data_length In/Output Integer 0
| exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 0, 1, or 2
| rule_array Input String array rule_array_count * 8 bytes
| key_a_identifier_length Input Integer 64
| key_a_identifier Input String key_a_identifier_length bytes
| key_b_identifier_length Input Integer 64
| key_b_identifier Input String key_b_identifier_length bytes
| output_key_identifier_length Input Integer 64
| output_key_identifier In/Output String output_key_identifier_length bytes
|
| See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Parameters
| For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
| Parameters common to all verbs on page 9.
| Required commands
| The CVV_Key_Combine verb requires the CVV Key Combine command (offset X'0155') to be enabled in
| the active role.
| In addition, these commands are required to be enabled in the active role, depending on the key-wrapping
| method keyword:
|| Keyword Offset Command
| WRAP-ECB X'0156' CVV Key Combine - Allow Wrapping Override Keywords
| WRAP-ENH
|
| One additional restriction is related to combining the key-A and key-B pair of keys when there are mixed
| types. To permit the combination of mixed key types into a single set of types (ANY-MAC, CVVKEY-A,
| CVVKEY-B, and DATA), enable the CVV Key Combine - Permit Mixed Key Types command (offset
| X'0157') in the active role. See the table below for when this command is required:
|| Input key-B
| Input key-A ANY-MAC CVVKEY-A CVVKEY-B DATA
| ANY-MAC Always returns Invalid combination, Only returns Only returns
| double-length control vector conflict double-length double-length
| CVVKEY-A key CVVKEY-A key if CVVKEY-A key if
| X'0157' enabled X'0157' enabled
| CVVKEY-A Only returns Invalid combination, Always returns Only returns
| double-length control vector conflict double-length double-length
| CVVKEY-A key if CVVKEY-A key CVVKEY-A key if
| X'0157' enabled, else X'0157' enabled
| access error
| CVVKEY-B Invalid combination Invalid combination Invalid combination Invalid combination
| DATA Only returns Invalid combination, Only returns Always returns
| double-length control vector conflict double-length double-length
| CVVKEY-A key if CVVKEY-A key if CVVKEY-A key
| X'0157' enabled, else X'0157' enabled, else
| access error access error
|
|
The verb generates a CVV value internal to the coprocessor based on the information you specify with the
PAN_data, the expiration_date, and the service_code parameters. The verb uses the key-A and key-B
keys to cryptographically process this information. The internal value is compared to that which you
provide and the result is returned to you in a return-code value. For details about the CVV process, see
CVV and CVC card-verification method on page 706.
Based on your use of the CVV_n rule-array keywords, the internal CVV value is truncated to fewer
characters and padded on the right with space characters. The internal CVV value is then compared to the
five-character value that you specify with the CVV_value parameter. The result of this comparison is
indicated in the return code.
The verb returns the results of the comparison in the return_code variable. If the return code is 0, the
values correctly compared. If the CVV values do not match, the return code is set to 4 (and the reason
code is set to B'1').
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v A double-length key is not supported in releases before Release 4.2.
CSNBCSV
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0, 1, or 2
rule_array Input String array rule_array_count * 8 bytes
PAN_data Input String 16 or 19 bytes
expiration_date Input String 4 bytes
service_code Input String 3 bytes
CVV_key-A_identifier Input String 64 bytes
CVV_key-B_identifier Input String 64 bytes
CVV_value Input String 5 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0, 1, or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
PAN-data length (one, optional)
PAN-13 Specifies that the length of the PAN data is 13 bytes. This is the default.
PAN-16 Specifies that the length of the PAN data is 16 bytes.
PAN-19 Specifies that the length of the PAN data is 19 bytes.
CVV length (one, optional)
CVV-1 Specifies that the length of the CVV to be verified is 1 character. This is the default.
CVV-2 Specifies that the length of the CVV to be verified is 2 characters.
CVV-3 Specifies that the length of the CVV to be verified is 3 characters.
CVV-4 Specifies that the length of the CVV to be verified is 4 characters.
CVV-5 Specifies that the length of the CVV to be verified is 5 characters.
PAN_data
The PAN_data parameter is a pointer to a string variable containing the PAN data in character format.
The PAN is the account number as defined for the track-2 magnetic-stripe standards. If you specify
either the PAN-13 or PAN-16 keyword, 16 bytes are sent to the coprocessor. A 13-character PAN must
be left aligned in the 16-byte variable. If you specify the PAN-19 keyword, 19 bytes are sent to the
coprocessor.
Required commands
The CVV_Verify verb requires the Verify CVV command (offset X'00E0') to be enabled in the active role.
To format the PIN, the verb uses one of the following PIN-block formats:
v IBM 3624
v ISO-0 (same as ANS X9.8, VISA-1, and ECI-1)
v ISO-1 (same as ECI-4)
v ISO-2
v ISO-3 (Release 3.30 or later)
You can use the Encrypted_PIN_Generate verb to generate a PIN and create an encrypted PIN-block for
transmission or for later use in a PIN verification database.
To generate and format a PIN and encrypt the PIN block, specify the following information:
v An internal key-token or a key label of an internal key-token record that contains the PIN-generating key
with the PIN_generating_key_identifier parameter. The control vector in the key token must specify the
PINGEN key-type and have the EPINGEN bit (CV bit 20) set to B'1'.
v An internal key-token or a key label of an internal key-token record that contains the key to be used to
encrypt the PIN block with the outbound_PIN_encrypting_key_identifier parameter. The control vector in
the key token must specify the OPINENC key-type and have the EPINGEN bit (CV bit 19) set to B'1'.
v One for the number of rule_array elements with the rule_array_count variable.
v The PIN-calculation method with a keyword in the rule_array variable.
v The length of the PIN for those PIN calculation methods with variable-length PINs in the PIN_length
variable. Otherwise, the variable should be 0.
v A decimalization table and account validation data with the data_array parameter. For information about
a decimalization table and PIN calculation methods, see PIN calculation methods on page 697. For
information about the data-array variable, see PIN verb data_array variable on page 432.
v A PIN profile that specifies the format of the PIN block to be created, the level of format control, and
any pad digit with the output_PIN_profile parameter. For more information about the PIN profile, see
PIN-block formats on page 700.
v One of the following with the PAN_data parameter:
When using the ISO-0 or ISO-3 PIN-block format, specify a PAN. For information about a PAN, see
Personal account number on page 436.
When using another PIN-block format, specify a 12-byte area in application storage. The information
in the variable is not used, but the variable must be declared.
v With the sequence_number variable, specify a positive integer value.
v An 8-byte variable for the encrypted PIN with the encrypted_PIN_block parameter.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The ISO-3 PIN-block format is not supported in releases before Release 3.30.
Format
Parameter name Direction Data type Data length or value
CSNBEPG
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
PIN_generating_key_identifier Input String 64 bytes
outbound_PIN_encrypting_key_identifier Input String 64 bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
PIN_length Input Integer
data_array Input String 16 bytes * 3
PIN_profile Input String array 3 * 8 bytes
PAN_data Input String 12 bytes
sequence_number Input Integer
encrypted_PIN_block Output String 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
PIN_generating_key_identifier
The PIN_generating_key_identifier parameter is a pointer to a string variable containing an operational
key-token or a key label of an operational key-token record. The key token contains the
PIN-generating key and must contain a control vector that specifies a PINGEN key type and has the
EPINGEN bit (CV bit 20) set to B'1'.
outbound_PIN_encrypting_key_identifier
The outbound_PIN_encrypting_key_identifier parameter is a pointer to a string variable containing an
Keyword Meaning
| PIN-calculation method (one required)
IBM-PIN Specifies that the IBM 3624 PIN-calculation method is to be used to generate a PIN.
GBP-PIN Specifies that the IBM German Bank Pool Institution PIN-calculation method is to be used to
generate a PIN.
INBK-PIN Specifies that the InterBank PIN-calculation method is to be used to generate a PIN.
PIN_length
The PIN_length parameter is a pointer to an integer variable containing the PIN length for those
PIN-calculation methods with variable-length PINs. Otherwise, the variable should be valued to 0.
data_array
The data_array parameter is a pointer to a string variable containing three 16-byte character strings,
which are equivalent to a single 48-byte string. The values in the data array depend on the keyword
for the PIN-calculation method. Each element is not always used, but you must always declare a
complete data array, see PIN verb data_array variable on page 432.
The numeric characters in each 16-byte string must be from 1 - 16 bytes in length, uppercase,
left-aligned, and padded on the right with space characters. The verb converts the space characters to
zeros.
PIN_profile
The PIN_profile parameter is a pointer to a string variable containing the PIN profile including the
PIN-block format. See PIN profile on page 433.
PAN_data
The PAN_data parameter is a pointer to a string variable containing 12 digits of PAN data. The verb
uses this parameter if the PIN profile specifies ISO-0 or ISO-3 for the PIN-block format. Otherwise,
ensure that this parameter is a pointer to a 4-byte area in application storage. The information in this
variable is ignored, but this variable must be declared.
Note: When using the ISO-0 or ISO-3 keywords, use the 12 rightmost digits of the PAN data,
excluding the check digit.
sequence_number
The sequence_number parameter is a pointer to an integer variable containing a value greater than or
equal to zero.
encrypted_PIN_block
The encrypted_PIN_block parameter is a pointer to a string variable containing the encrypted
PIN-block returned by the verb.
An enhanced PIN security mode is available for formatting an encrypted PIN block into IBM 3621 or 3624
format using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits,
and a minimum PIN length of 4 is enforced; no other PIN-block consistency checking will occur. To
activate this mode, enable the Enhanced PIN Security Mode command (offset X'0313') in the active role.
| Beginning with Release 4.2, whenever the Use Only Valid Decimalization Tables command (offset X'0356')
| is enabled in the active role, the decimalization_table element of the data_array value must match one of
| the PIN decimalization tables that are in the active state on the coprocessor. Use of this command
| provides improved security and control for PIN decimalization tables. See the
| Cryptographic_Facility_Control verb for information on managing PIN decimalization tables on the
| coprocessor. The INBK-PIN PIN-calculation method does not have a decimalization_table element and is
| therefore not affected by this command.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
Format
Parameter name Direction Data type Data length or value
CSNBPTR
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
input_PIN_encrypting_key_identifier Input String 64 bytes
output_PIN_encrypting_key_identifier Input String 64 bytes
input_PIN_profile Input String array 24 or 48 bytes
input_PAN_data Input String 12 bytes
input_PIN_block Input String 8 bytes
rule_array_count Input Integer 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
output_PIN_profile Input String array 24 or 48 bytes
output_PAN_data Input String 12 bytes
sequence_number Input Integer 99999
output_PIN_block Output String 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Note: When using the ISO-0 or ISO-3 PIN-block format, use the 12 rightmost digits of PAN, excluding
the check digit.
input_PIN_block
The input_PIN_block parameter is a pointer to a string variable containing the encrypted PIN-block.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. This value must be 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
If the PIN-extraction method is not chosen by default, another element in the rule array must
specify one of the keywords that indicates a PIN-extraction method as listed in Table 60. For
more information about extraction methods, see PIN-extraction methods on page 435.
Unique key per transaction (one, optional)
UKPTIPIN Specifies the use of UKPT input-key derivation and PIN-block decryption, Single-DES
method.
UKPTOPIN Specifies the use of UKPT output-key derivation and PIN-block encryption, Single-DES
method.
UKPTBOTH Specifies the use of UKPT key-derivation and PIN-block ciphering for both input and output
processing, Single-DES method.
DUKPT-IP Specifies the use of UKPT input-key derivation and PIN-block decryption, Triple-DES
method.
DUKPT-OP Specifies the use of UKPT output-key derivation and PIN-block encryption, Triple-DES
method.
DUKPT-BH Specifies the use of UKPT key-derivation and PIN-block ciphering for both input and output
processing, Triple-DES method.
PIN-extraction method (one, optional)
output_PIN_profile
The output_PIN_profile parameter is a pointer to a string variable containing three 8-byte character
strings with information defining the PIN-block format, and, optionally, an additional 24 bytes containing
the output CKSN extension. The strings are equivalent to 24-byte or 48-byte strings.
output_PAN_data
The output_PAN_data parameter is a pointer to a string variable containing the personal account
Note: When using the ISO-0 or ISO-3 PIN-block format, use the 12 rightmost digits of PAN, excluding
the check digit.
sequence_number
The sequence_number parameter is a pointer to an integer variable containing the sequence number.
Ensure that this parameter is a pointer to an integer variable valued to 99999.
output_PIN_block
The output_PIN_block parameter is a pointer to a string variable containing the reenciphered and,
optionally, reformatted PIN-block returned by the verb.
Required commands
The Encrypted_PIN_Translate verb requires the commands shown below to be enabled in the active role
based on the keyword specified for translation or reformatting and the format control in the PIN profile. You
should enable only those commands that are required.
The Encrypted_PIN_Translate verb also requires the Unique Key Per Transaction, ANS X9.24 command
(offset X'00E1') to be enabled if you employ UKPT processing.
Note: A role with offset X'00E1' enabled can also use the Encrypted_PIN_Verify verb with UKPT
processing.
An enhanced PIN security mode is available for extracting PINs from a 3621 or 3624 encrypted PIN-block
and formatting an encrypted PIN block into IBM 3621 or 3624 format using the PADDIGIT PIN-extraction
method. This mode limits checking of the PIN to decimal digits, and a minimum PIN length of 4 is
enforced; no other PIN-block consistency checking will occur. To activate this mode, enable the Enhanced
PIN Security Mode command (offset X'0313') in the active role.
The verb returns an error indicating that the PAD digit is not valid if all of these conditions are met:
1. The Enhanced Security Mode command is enabled in the active role
2. The output PIN profile specifies 3621 or 3624 as the PIN-block format
3. The output PIN profile specifies a decimal digit (0 - 9) as the PAD digit
Beginning with Release 4.1, three new commands are added (offsets X'0350', X'0351', and X'0352').
These three commands affect how PIN processing is performed as described below:
1. Enable the Enforce ANS X9.8 PIN Rules command (offset X'0350') in the active role to apply additional
restrictions to PIN processing as follows:
v Do not translate or reformat a non-ISO PIN block into an ISO PIN block. Specifically, do not allow
an IBM 3624 PIN-block format in the output_PIN_profile variable when the PIN-block format in the
input_PIN_profile variable is not IBM 3624.
v Constrain use of ISO-2 PIN blocks to offline PIN verification and PIN change operations in
integrated circuit card environments only. Specifically, do not allow ISO-2 input or output PIN blocks.
Note: A role with offset X'0350' enabled also affects access control of the
Clear_PIN_Generate_Alternate and Secure_Messaging_for_PINs verbs.
2. Enable the Allow Change of PAN with ANS X9.8 PIN Rules command (offset X'0351') in the active role
to override the restriction to not allow a change of PAN data. This override is applicable only when
either the Enforce ANS X9.8 PIN Rules command (offset X'0350') or the Enforce ANS X9.8 PIN Rules
and Disallow use of Non-ISO PINs command (offset X'0352') or both are enabled in the active role.
This override is to support account number changes in issuing environments. Offset X'0351' has no
effect if neither offset X'0350' nor offset X'0352' is enabled in the active role.
Note: A role with offset X'0351' enabled also affects access control of the
Secure_Messaging_for_PINs verb.
3. Enable the Enforce ANS X9.8 PIN Rules and Disallow use of Non-ISO PINs command (offset X'0352')
in the active role to apply a more restrictive variation of the Enforce ANS X9.8 PIN Rules command
(offset X'0350'). In addition to the previously described restrictions of offset X'0350', this command also
restricts the input_PIN_profile and the output_PIN_profile to contain only ISO-0, ISO-1, and ISO-3 PIN
block formats. Specifically, the IBM 3624 PIN-block format is not allowed with this command. Offset
X'0352' overrides offset X'0350'.
Note: A role with offset X'0352' enabled also affects access control of the
Secure_Messaging_for_PINs verb.
Format
Parameter name Direction Data type Data length or value
CSNBPVR
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
PIN_encrypting_key_identifier Input String 64 bytes
PIN_verifying_key_identifier Input String 64 bytes
PIN_profile Input String array 24 or 48 bytes
PAN_data Input String 12 bytes
encrypted_PIN_block Input String 8 bytes
rule_array_count Input Integer 1, 2, or 3
rule_array Input String array rule_array_count * 8 bytes
PIN_check_length Input Integer 4 - 16
data_array Input String array 3 * 16 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
PIN_encrypting_key_identifier
The PIN_encrypting_key_identifier parameter is a pointer to a string variable containing an operational
key-token or a key label of an operational key-token record.
If you do not use the UKPT process, the key token must contain the input PIN-block encrypting key to
be used to decrypt the input PIN-block. The control vector in the key token must specify the IPINENC
key-type with EPINVER bit (CV bit 19) set to B'1'.
If you use the UKPT process for the input PIN-block, specify the base derivation key as a KEYGENKY
key-type with the UKPT bit (CV bit 18) set to B'1'.
Note: When using the ISO-0 or ISO-3 PIN-block format, use the 12 rightmost PAN digits, excluding
the check digit.
encrypted_PIN_block
The encrypted_PIN_block parameter is a pointer to a string variable containing the encrypted
PIN-block.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1, 2, or 3.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
| PIN-calculation method (one required)
IBM-PIN Specifies to use the IBM 3624 PIN-calculation method.
IBM-PINO Specifies to use the IBM 3624 PIN-offset PIN calculation method.
| NL-PIN-1 Specifies to use the Netherlands PIN-1 calculation method.
GBP-PIN Specifies to use the IBM German Bank Pool Institution PIN-calculation method.
VISA-PVV Specifies to use the Visa PVV PIN-calculation method.
VISAPVV4 Specifies to use the Visa PVV PIN-calculation method. Acceptable PINs must be exactly four
digits in length.
INBK-PIN Specifies to use the InterBank PIN-calculation method.
Unique key per transaction (one, optional)
UKPTIPIN Specifies the use of UKPT input-key derivation and PIN-block decryption, Single-DES method.
DUKPT-IP Specifies the use of UKPT input-key derivation and PIN-block decryption, Triple-DES method.
PIN-extraction method (one, optional)
PIN_check_length
The PIN_check_length parameter is a pointer to an integer variable containing the number of digits of
PIN information that the verb should verify. The verb uses the value in the variable if you specify the
IBM-PIN or IBM-PINO keyword for the PIN-calculation method. The specified number of digits is
selected from the low order (right side) of the PIN. Ensure that this parameter always points to an
integer variable in application storage.
Note: The PIN check length must be less than or equal to the PIN length and in the range from 4 -
16.
data_array
The data_array parameter is a pointer to a string variable containing three 16-byte character strings,
which are equivalent to a single 48-byte string. The values you specify in the data array depend on the
PIN-calculation method. Each element is not always used, but you must always declare a complete
48-byte data array.
| When using the IBM-PIN, IBM-PINO, GBP-PIN, or NL-PIN-1 keyword, identify the following elements
in the data array.
Element Description
decimalization_table This element contains the decimalization table of 16 characters (0 9) that are used
to convert the hexadecimal digits (X'0' - X'F') of the encrypted validation data to
decimal digits (X'0' - X'9').
validation_data This 16-byte element contains 1 - 16 characters of account data. The data must be
left-aligned and padded on the right with space characters. (To conform with industry
practice, any hexadecimal character can be specified.)
| offset data When using the IBM-PINO or NL-PIN-1 keyword, this 16-byte element contains the
offset data that must be left-aligned and padded on the right with space characters.
The PIN length specifies the number of digits that are processed for the IBM-PINO or
| NL-PIN-1 PIN-calculation method. When using the IBM-PIN or GBP-PIN keyword, this
element is ignored, but must be declared.
When using the VISA-PVV or VISAPVV4 keywords, identify the following elements in the data array.
For more information about these elements, and transaction security data for the Visa PVV
PIN-calculation method, see Visa PIN-validation value PIN-calculation method on page 700.
When using the INBK-PIN keyword, identify the following elements in the data array. For more
information about these elements and transaction security data for the InterBank PIN-calculation
method, see InterBank PIN-calculation method on page 700.
Element Description
transaction_security_parameter This element contains 16 numeric characters that include the following:
v Eleven (rightmost) digits of PAN data
v A constant of 6
v A one-digit key index selector from 1 6
v Three numeric characters of validation data
reserved_2 The information in this element is ignored, but the 16-byte element
must be declared.
reserved_3 The information in this element is ignored, but the 16-byte element
must be declared.
Required commands
The Encrypted_PIN_Verify verb requires the following commands to be enabled in the active role, based
on the keyword specified for the PIN calculation methods.
The Encrypted_PIN_Verify verb also requires the Unique Key Per Transaction, ANS X9.24 command
(offset X'00E1') to be enabled in the active role if you employ UKPT processing.
Note: A role with offset X'00E1' enabled can also use the Encrypted_PIN_Translate verb with UKPT
processing.
An enhanced PIN security mode is available for extracting PINs from a 3621 or 3624 encrypted PIN-block
using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits, and a
minimum PIN length of 4 is enforced; no other PIN-block consistency checking will occur. To activate this
mode, enable the Enhanced PIN Security Mode command (offset X'0313') in the active role.
| Beginning with Release 4.2, whenever the Use Only Valid Decimalization Tables command (offset X'0356')
| is enabled in the active role, the decimalization_table element of the data_array value must match one of
| the PIN decimalization tables that are in the active state on the coprocessor. Use of this command
| provides improved security and control for PIN decimalization tables. See the
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The ISO-3 PIN-block format is not supported in releases before Release 3.30.
CSNBPCU
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1 or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
authentication_key_identifier_length
The authentication_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the authentication_key_identifier variable. The value must be 64.
authentication_key_identifier
The authentication_key_identifier parameter is a pointer to a string variable containing an operational
key-token or a key label of an operational key-token record. The key token contains the MAC-MDK
key used to diversify the data to form the authentication value. The control vector for this key must
specify a DKYGENKY key type with DKYL0 (level-0), and DMAC or DALL permissions. Both halves of
this double-length key must be unique. See Figure 37 on page 658.
encryption_key_identifier_length
The encryption_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the authentication_key_identifier variable. The value must be 64.
encryption_key_identifier
The encryption_key_identifier parameter is a pointer to a string variable containing an operational
key-token or a key label of an operational key-token record. The key token contains the ENC-MDK key
used to diversify the data to form the output PIN-block encryption key. The control vector for this key
must specify a DKYGENKY key type with DKYL0 (level-0), and DMPIN or DALL permissions. Both
halves of this double-length key must be unique.
diversification_data_length
The diversification_data_length parameter is a pointer to an integer variable containing the number of
bytes of data in the diversification_data variable. With the TDES-XOR keyword, use a length of 10 or
18. With the TDESEMV2 and TDESEMV4 keywords, use a length of 10, 18, 26, or 34.
diversification_data
The diversification_data parameter is a pointer to a string variable. This data is used in the generation
of the authentication value and the PIN-block encryption key. Form the variable by concatenating two
or three values:
v The first 8 or 16 bytes of data contains the value used to form the smart-card-specific authentication
value and the PIN-block encryption key.
v The next two bytes of data contain the 16-bit ATC counter used to further diversify the ENC-MDK
key to form the session key used to encrypt the output PIN block. The high-order counter bit is in
the left-most counter byte.
v When using the TDESEMV2 or TDESEMV4 tree-based diversification process, you can concatenate
an optional 16-byte Initial Value. (Otherwise the verb substitutes 16 bytes of X'00'.)
new_reference_PIN_key_identifier_length
The new_reference_PIN_key_identifier_length parameter is a pointer to an integer variable containing
the number of bytes of data in the new_reference_PIN_key_identifier variable. The value must be 64.
Required commands
The PIN_Change/Unblock verb requires the following commands to be enabled in the active role based on
the permissible key-type, IPINENC or OPINENC, used in the decryption of the input PIN blocks.
When a MAC-MDK or an ENC-MDK of key type DKYGENKY is specified with control vector bits (19 22)
of B'1111', the Generate Diversified Key (DALL with DKYGENKY Key Type) command (offset X'0290')
must also be enabled in the active role.
Note: A role with offset X'0290' enabled can also use the Diversified_Key_Generate verb with a DALL
key.
An enhanced PIN security mode is available for extracting PINs from a 3621 or 3624 encrypted PIN-block
using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits, and a
minimum PIN length of 4 is enforced; no other PIN-block consistency checking will occur. To activate this
mode, enable the Enhanced PIN Security Mode command (offset X'0313') in the active role.
Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
CSNBSKY
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0 or 1
rule_array Input String array rule_array_count * 8 bytes
input_key_identifier Input String 64 bytes
key_encrypting_key_identifier Input String 64 bytes
secmsg_key_identifier Input String 64 bytes
cleartext_length Input Integer Multiple of 8, 4096
cleartext Input String cleartext_length bytes
initialization_vector Input String 8 bytes
key_offset Input Integer (0 is at the start of the cleartext)
key_field_length Input Integer key length, such as 8 or 16
enciphered_text Output String cleartext_length bytes
output_chaining_vector Output String 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 0 or 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Enciphering mode (one, optional)
TDES-CBC Use CBC mode to encipher the cleartext. This is the default.
TDES-ECB Use ECB mode to encipher the cleartext.
input_key_identifier
The input_key_identifier parameter is a pointer to a string variable containing the encrypted-token or
the label of an encrypted-token record. You can identify any type of key, provided the XPORT-OK
control-vector bit is on (bit 17). You can also specify an external DATA key with an all-zero control
vector.
key_encrypting_key_identifier
The key_encrypting_key_identifier parameter is a pointer to a string variable containing the operational
IMPORTER or EXPORTER key-token or the label of an operational IMPORTER or EXPORTER
key-token record to decipher an external input_key_identifier. You can also specify a key label of a
DES key-storage record for such a key. For an internal-form input key, specify a null key-token.
Required commands
The Secure_Messaging_for_Keys verb requires the Secure Messaging for Keys command (offset X'0273')
to be enabled in the active role.
Format
Parameter name Direction Data type Data length or value
CSNBSPN
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 0, 1, or 2
rule_array Input String array rule_array_count * 8 bytes
input_PIN_block Input String 8 bytes
PIN_encrypting_key_identifier Input String 64 bytes
input_PIN_profile Input String 3 * 8 bytes
input_PAN_data Input String 12 bytes
secmsg_key_identifier Input String 64 bytes
output_PIN_profile Input String 3 * 8 bytes
output_PAN_data Input String 12 bytes
cleartext_length Input Integer multiple of 8, 4096
cleartext Input String cleartext_length bytes
initialization_vector Input String 8 bytes
PIN_offset Input Integer (0 is at the start of the cleartext)
PIN_offset_field_length Input Integer 8
enciphered_text Output String cleartext_length bytes
output_chaining_vector Output String 8 bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
Keyword Meaning
Enciphering mode (one, optional)
TDES-CBC Use CBC mode to encipher the cleartext. This is the default.
TDES-ECB Use ECB mode to encipher the cleartext.
PIN encryption (one, optional)
CLEARPIN Do not encrypt the PIN block prior to encrypting the complete text message. This is the default.
SELFENC Copy the PIN-block self-encrypted to the clear PIN block within the unencrypted output
message. See PIN-block self-encryption on page 709.
input_PIN_block
The input_PIN_block parameter is a pointer to a string variable containing the encrypted input
PIN-block.
PIN_encrypting_key_identifier
The PIN_encrypting_key_identifier parameter is a pointer to a string variable containing an operational
fixed-length DES key-token or the key label of an operational fixed-length DES key-token record. The
key is used to decipher the input PIN-block and must be an IPINENC key-type.
input_PIN_profile
The input_PIN_profile parameter is a pointer to a string variable containing three 8-byte character
strings with information defining the input PIN-block format. Valid PIN-block formats are ISO-0, ISO-1,
ISO-2, and ISO-3 with this verb.
input_PAN_data
The input_PAN_data parameter is a pointer to a string variable containing the input PAN data. The
verb uses the PAN data when it must output the PIN in a different PIN-block format and the input
format is ISO-0 or ISO-3. You supply the 12 rightmost PAN digits, excluding the check digit.
secmsg_key_identifier
The secmsg_key_identifier parameter is a pointer to a string variable containing an operational
fixed-length DES key-token, or the key label of an operational fixed-length DES key-token record. The
control vector must specify a SECMSG type key with the SMPIN control-vector bit (CV bit 19) set to
B'1'.
output_PIN_profile
The output_PIN_profile parameter is a pointer to a string variable containing three 8-byte character
strings with information defining the output PIN-block format. You can use PIN-block formats ISO-0,
ISO-1, ISO-2, and ISO-3 with this verb.
output_PAN_data
The output_PAN_data parameter is a pointer to a string variable containing the PAN data. The verb
uses the PAN data when it must output the PIN in a different PIN-block format and the output format is
ISO-0 or ISO-3. You supply the 12 rightmost PAN digits, excluding the check digit.
cleartext_length
The cleartext_length parameter is a pointer to an integer variable containing the number of bytes in
the cleartext variable. The value must be a multiple of 8, and less than or equal to 4096.
Required commands
The Secure_Messaging_for_PINs verb requires the Secure Messaging for PINs command (offset X'0274')
to be enabled in the active role.
Beginning with Release 4.1, three new commands are added (offsets X'0350', X'0351', and X'0352').
These three commands affect how PIN processing is performed as described below:
1. Enable the Enforce ANS X9.8 PIN Rules command (offset X'0350') in the active role to apply additional
restrictions to PIN processing as follows:
v Constrain use of ISO-2 PIN blocks to offline PIN verification and PIN change operations in
integrated circuit card environments only. Specifically, do not allow ISO-2 input or output PIN blocks.
v Do not reformat a PIN-block format that includes a PAN into a PIN-block format that does not
include a PAN.
v Do not allow a change of PAN data. Specifically, when performing translations between PIN block
formats that both include PAN data, do not allow the input_PAN_data and output_PAN_data
variables to be different from the PAN data enciphered in the input PIN block.
Note: A role with offset X'0350' enabled also affects access control of the
Clear_PIN_Generate_Alternate and Encrypted_PIN_Translate verbs.
2. Enable the Allow Change of PAN with ANS X9.8 PIN Rules command (offset X'0351') in the active role
to override the restriction to not allow a change of PAN data. This override is applicable only when
either the Enforce ANS X9.8 PIN Rules command (offset X'0350') or the Enforce ANS X9.8 PIN Rules
and Disallow use of Non-ISO PINs command (offset X'0352') or both are enabled in the active role.
This override is to support account number changes in issuing environments. Offset X'0351' has no
effect if neither offset X'0350' nor offset X'0352' is enabled in the active role.
Note: A role with offset X'0351' enabled also affects access control of the Encrypted_PIN_Translate
verb.
3. Enable the Enforce ANS X9.8 PIN Rules and Disallow use of Non-ISO PINs command (offset X'0352')
in the active role to apply a more restrictive variation of the Enforce ANS X9.8 PIN Rules command
(offset X'0350'). In addition to the previously described restrictions of offset X'0350', this command also
Note: A role with offset X'0352' enabled also affects access control of the Encrypted_PIN_Translate
verb.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The maximum data block that can be supplied for DES encryption is the limit as expressed by the
Encipher verb. See Encipher (CSNBENC) on page 363.
Format
Parameter name Direction Data type Data length or value
CSNDSBC
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1
rule_array Input String array rule_array_count * 8 bytes
block_contents_identifier Input String 1 byte
XData_string_length Input Integer 94
XData_string Input String XData_string_length bytes
data_to_encrypt_length In/Output Integer
data_to_encrypt Input String data_to_encrypt_length bytes
data_to_hash_length Input Integer
data_to_hash Input String data_to_hash_length bytes
initialization_vector Input String 8 bytes
RSA_public_key_identifier_length Input Integer 3500
RSA_public_key_identifier Input String RSA_public_key_identifier_length bytes
DES_key_block_length In/Output Integer 0
DES_key_block In/Output String DES_key_block_length bytes
RSA-OAEP_block_length In/Output Integer 128
RSA-OAEP_block In/Output String RSA-OAEP_block_length bytes
chaining_vector In/Output String 18 bytes
DES_encrypted_block Output String updated data_to_encrypt_length bytes
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of elements
in the rule_array variable. The value must be 1.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length and must be left-aligned and padded on the right with space
characters. The rule_array keywords are:
Keyword Meaning
Block type (required)
SET1.00 Specifies that the structure of the RSA-OAEP encrypted block is
defined by the SET protocol.
block_contents_identifier
The block_contents_identifier parameter is a pointer to a string variable containing a binary value that
is copied into the block contents (BC) field of the SET DB data block. The BC field indicates what data
is carried in the actual data block (ADB) and the format of any extra data in the XData_string variable.
XData_string_length
The XData_string_length parameter is a pointer to an integer variable containing the number of bytes
of data in the XData_string variable. The maximum length is 94 bytes.
XData_string
The XData_string parameter is a pointer to a string variable containing extra encrypted data within the
OAEP-processed and RSA-encrypted block. If the Xdata_string_length variable is 0, this parameter is
ignored but must still be declared.
data_to_encrypt_length
The data_to_encrypt_length parameter is a pointer to an integer variable containing the number of
bytes of data in the data_to_encrypt parameter. The maximum length is the same limit as for the
Encipher verb. On output, and if the field is of sufficient length, the variable is updated with the actual
length of the DES-encrypted data block.
data_to_encrypt
The data_to_encrypt parameter is a pointer to a string variable containing the data to be
DES-encrypted with a single-use 64-bit DES key generated by this service. The data is first padded by
this service.
data_to_hash_length
The data_to_hash_length parameter is a pointer to an integer variable containing the number of bytes
of data in the data_to_hash variable.
The hash value is an optional part of the OAEP block. No hash value is computed or inserted into the
OAEP block if the data_to_hash_length variable is 0.
data_to_hash
The data_to_hash parameter is a pointer to a string variable containing the data that is to be hashed
and included in the OAEP block.
If the data_to_hash_length variable is not zero, a SHA-1 hash value of the data_to_hash variable is
included in the OAEP block.
Required commands
The SET_Block_Compose verb requires the Compose SET Block command (offset X'010B') to be enabled
in the active role.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The maximum data block that can be supplied for DES decryption is the limit as expressed by the
Decipher verb. See Decipher (CSNBDEC) on page 360.
v The ISO-3 PIN-block format is not supported in releases before Release 3.30.
Format
Parameter name Direction Data type Data length or value
CSNDSBD
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
RSA-OAEP_block_length Input Integer 128
RSA-OAEP_block Input String RSA-OAEP_block_length bytes
DES_encrypted_data_block_length In/Output Integer
DES_encrypted_data_block Input String DES_encrypted_data_block_length bytes
initialization_vector Input String 8 bytes
RSA_private_key_identifier_length Input Integer 3500
RSA_private_key_identifier Input String RSA_private_key_identifier_length bytes
DES_key_block_length In/Output Integer 0, 64, or 128
DES_key_block In/Output String DES_key_block_length bytes
block_contents_identifier Output String 1 byte
XData_string_length In/Output Integer 94
XData_string Output String XData_string_length bytes
chaining_vector In/Output String 18 bytes
data_block Output String DES_encrypted_data_block_length bytes
hash_block_length In/Output Integer 20
hash_block Output String hash_block_length bytes
See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
Keyword Meaning
Block type (required)
SET1.00 Specifies that the structure of the RSA-OAEP encrypted block is defined by the SET 1.00
protocol.
PIN-block encryption (optional)
PINBLOCK Specifies that the OAEP block contains PIN information in the XDATA field, including an ISO-0
or ISO-3 format PIN-block.
The PIN block is encrypted using an IPINENC or OPINENC key that is contained in the
DES_key_block variable. The PIN information and the encrypted PIN-block are returned in the
XData_string variable.
RSA-OAEP_block_length
The RSA-OAEP_block_length parameter is a pointer to an integer variable containing the number of
bytes of data in the RSA-OAEP_block variable. This value must be 128 bytes.
RSA-OAEP_block
The RSA-OAEP_block parameter is a pointer to a string variable containing the RSA-OAEP block.
DES_encrypted_data_block_length
The DES_encrypted_data_block_length parameter is a pointer to an integer variable containing the
number of bytes of data in the DES_encrypted_data_block variable. The maximum length is the same
limit as for the Decipher verb. On output, the variable is updated with the actual length of the
decrypted data with padding removed.
DES_encrypted_data_block
The DES_encrypted_data_block parameter is a pointer to a string variable containing the
DES-encrypted data block.
initialization_vector
The initialization_vector parameter is a pointer to a string variable containing the initialization vector
the verb uses with the input data.
RSA_private_key_identifier_length
The RSA_private_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the RSA_private_key_identifier variable. The maximum length is 3500
bytes.
RSA_private_key_identifier
The RSA_private_key_identifier parameter is a pointer to a string variable containing the PKA96 RSA
key-token or the key label of the PKA96 RSA key-token with the RSA private-key used to perform the
RSA decryption of the OAEP block.
Required commands
The SET_Block_Decompose verb requires the Decompose SET Block command (offset X'010C') to be
enabled in the active role.
Two additional commands must be enabled in the active role when encrypting PIN data with this verb:
v When using an IPINENC type key, SET PIN Encrypt with IPINENC (offset X'0121').
v When using an OPINENC type key, SET PIN Encrypt with OPINENC (offset X'0122').
The Transaction_Validation verb generates and verifies transaction values based on information from the
transaction and a cryptographic key. You select the validation method, and a mode, either the generate or
verify mode, through rule-array keywords.
| For the American Express process, the control vector supplied with the cryptographic key must indicate a
| single-length or double-length MAC or MACVER class. The control vector bits 0 - 3 can be B'0000'
| (ANY-MAC). Alternatively, you can ensure that a key is used only for the American Express CSC process
| by specifying a MAC or a MACVER-class key with control vector bits 0 - 3 valued to B'0100' (AMEX-CSC).
| The MAC generate bit must be on (CV bit 20 = B'1') if you request CSC generation and the MAC verify bit
| (CV bit 21 = B'1') must be on if you request verification. For more information about control vectors, see
| Appendix C, CCA control-vector definitions and key encryption, on page 655.
The verb returns the validation within the return code. A return code of 0 indicates the transaction has
been validated, and return code 4 indicates the transaction has not been validated.
Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX X X X X
| IBM i X X X
| Red Hat Enterprise Linux X X
| SUSE Linux Enterprise Server X X X X
| Windows X X
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The transaction_info and validation_values variables cannot exceed 256 bytes in length. CSC codes
must be 19 bytes in length.
Format
Parameter name Direction Data type Data length or value
CSNBTRV
return_code Output Integer See Appendix A.
reason_code Output Integer See Appendix A.
exit_data_length In/Output Integer 0
exit_data In/Output String exit_data_length bytes
rule_array_count Input Integer 1 or 2
rule_array Input String array rule_array_count * 8 bytes
transaction_key_identifier_length Input Integer 64
transaction_key_identifier Input String transaction_key_identifier_length bytes
transaction_info_length Input Integer 19
transaction_info Input String transaction_info_length bytes
validation_values_length In/Output Integer 3, 4, 5, or 12
validation_values In/Output String validation_values_length bytes
Parameters
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
Parameters common to all verbs on page 9.
rule_array_count
The rule_array_count parameter is a pointer to an integer variable containing the number of the
rule-array elements in the rule_array variable. The value must be 1 or 2.
rule_array
The rule_array parameter is a pointer to a string variable containing an array of keywords. The
keywords are 8 bytes in length, left-aligned, and padded on the right with space characters, as shown
in the following table:
Keyword Meaning
Mode (one, optional)
VERIFY Specifies verification of the value presented in the validation_values variable. (This is the
default when the CSC-3, CSC-4, or CSC-5 keywords are used.)
GENERATE Specifies generation of transaction_validation values. (This is the default when the CSC-345
keyword is used.)
American Express card security codes (one required with VERIFY)
CSC-3 3-digit card security code (CSC) located on the signature panel (the default), VERIFY implied.
CSC-4 4-digit CSC located on the front of the card, VERIFY implied.
CSC-5 5-digit CSC located on the magnetic stripe, VERIFY implied.
American Express card security codes (required with GENERATE)
CSC-345 Generates 3-byte, 4-byte, 5-byte values when given an account number and an expiration date,
GENERATE implied.
transaction_key_identifier_length
The transaction_key_identifier_length parameter is a pointer to an integer variable containing the
number of bytes of data in the transaction_key_identifier variable. The value must be 64.
transaction_key_identifier
| The transaction_key_identifier parameter is a pointer to a string variable containing a key token of a
| single-length or double-length MAC or MACVER class key or a key label of a key-token record of such
| a key.
transaction_info_length
The transaction_info_length parameter is a pointer to an integer variable containing the length of the
transaction_info variable. For American Express CSC codes, this length must be 19.
transaction_info
The transaction_info parameter is a pointer to a string variable containing the concatenation of the
4-byte expiration date (in the format of YYMM) and the 15-byte American Express account number.
Provide the information in character format.
validation_values_length
The validation_values_length parameter is a pointer to an integer variable containing the length of the
validation_values variable.
validation_values
The validation_values parameter is a pointer to a string variable containing American Express CSC
values. The data is output for GENERATE and input for VERIFY.
Required commands
The Transaction_Validation verb requires the listed commands to be enabled in the active role, depending
on the operation and card security code specified:
| The TR-31 key block is a format defined by the ANS Standards Committee to support interchange of
| symmetric keys in a secure manner and with key attributes included in the exchanged data. Currently, this
| format supports only DES keys. AES keys are not supported.
| TR-31 is a Technical Report. This is different from a standard, which is a mandatory set of rules that must
| be followed. A Technical Report is not mandatory, but provides guidance to those who are using the
| standards. In this case, TR-31 is a companion to the standard X9.24-1, which defines requirements for key
| management performed using symmetric key techniques. TR-31 shows a method that complies with the
| various requirements that are defined in X9.24-1, and because no other specific method has been defined
| by the standards committee, the TR-31 method is becoming the apparent standard through which financial
| organizations will exchange keys.
| Prior to TR-31, there were problems with the interchange of symmetric keys. In the banking environment, it
| is very important that each symmetric key have a specific set of attributes attached to it, specifying such
| things as the cryptographic operations for which that key can be used. CCA implements these attributes in
| the form of the control vector (CV), but other vendors implement attributes in their own proprietary ways.
| Thus, if you are exchanging keys between CCA systems, you can securely pass the attributes using CCA
| functions and data structures. If, however, that same key were sent to a non-CCA system, there would be
| no secure way to do that. This is because the two cryptographic architectures have no common key format
| that could be used to pass both the key and its attributes. As a result, the normal approach has been to
| strip the attributes and send just the encrypted key, then attach attributes again at the receiving end.
| The above scenario has major security problems because it allows an insider to obtain the key without its
| designated attributes. The insider can then attach other attributes to it, thereby compromising the security
| of the system. For example, assume the exchanged key is a key-encrypting key (KEK). The attributes of a
| KEK should restrict its use to key management functions that are designed to prevent exposure of the
| keys that the KEK is used to encrypt. If that KEK is transmitted without any attributes, an attacker on the
| inside can turn the key into a type used for data decryption. Such a key can then be used to decipher all
| of the keys that were previously protected using the KEK. It is clearly very desirable to have a way of
| exchanging keys that prevents this modification of the attributes. TR-31 provides such a method.
| The TR-31 key block has a set of defined key attributes. These attributes are securely bound to the key so
| that they can be transported together between any two systems that both understand the TR-31 format.
| This is much of the reason for its gain in popularity. There are two supported cryptographic methods for
| protecting the key block. The original version of TR-31 defined a method that encrypted the key field in
| CBC mode and computed a TDES MAC over the header and key field. The encryption and MAC
| operations used different keys, created by applying predefined variants to the input key block protection
| key. This method is identified by a Key Block Version ID value of "A" (X'41'). An update to TR-31 adds a
| more modern method, identified by a Key Block Version ID value of "B" (X'42') or "C" (X'43'). The "B"
| method uses an authenticated encryption scheme and uses cryptographic key derivation methods to
| produce the encryption and MAC keys. The "C" method is exactly the same as the "A" method in terms of
| wrapping keys. However, the field values are expected to conform to the updated standard.
| Not surprisingly, TR-31 uses some key attributes that are different from those in the CCA control vector. In
| some cases, there is a one-to-one correspondence between CCA and TR-31 attributes. For these cases,
| conversion is simple and straightforward. In other cases, the correspondence is one-to-many or
| many-to-one and the application program must provide information to help the CCA verbs decide how to
499
| perform the translation between CCA and TR-31 attributes. There are also CCA attributes that simply
| cannot be represented using TR-31. CCA keys with those attributes are not eligible for conversion to
| TR-31 format.
| Beginning with Release 4.2, CCA adds support for the management of DES keys using TR-31. Table 62
| lists the verbs described in this section. See TR-31 symmetric key management verbs for a detailed
| description of the verbs.
| Table 62. TR-31 symmetric key management verbs
| Service
| Verb Page Service Entry point location
| Key_Export_to_TR31 501 Exports a CCA external or internal fixed-length symmetric CSNBT31X E
| key-token, converting it into an external X9 TR-31 key block
| format.
| TR31_Key_Import 528 Imports an external X9 TR-31 key block, converting it into a CSNBT31I E
| CCA external or internal fixed-length symmetric key-token.
| TR31_Key_Token_Parse 551 Parses the information from the standard predefined fields of CSNBT31P S
| the TR-31 key block header without importing the key.
| TR31_Optional_Data_Build 555 Constructs the optional blocks of a TR-31 key block, one CSNBT31O S
| block at a time.
| TR31_Optional_Data_Read 558 Obtains the contents of any optional fields of a TR-31 key CSNBT31R S
| block header.
| E=cryptographic engine, S=security API host software
|
|
| TR-31 symmetric key management verbs
|
| The Key_Export_to_TR31 verb is analogous to the Key_Export verb, except that Key_Export_to_TR31
| accepts an external or internal fixed-length DES key-token as input instead of only an internal fixed-length
| DES key-token, and it translates the key to an external non-CCA format instead of an external fixed-length
| DES key-token. The purpose of both verbs is to export a DES key to another party.
| An external-to-external translation would not normally be called an export or import operation. Instead, it
| would be called a key translation, and would be handled by a verb such as Key_Translate2. For practical
| reasons, the export of an external CCA DES key-token to external TR-31 format is supported by the
| Key_Export_to_TR31 verb, and the import of an external TR-31 key block to an external CCA DES
| key-token is supported by the TR31_Key_Import verb.
| Note that the Key_Export_to_TR31 verb does not support the translation of an external key from
| encipherment under one key-encrypting key to encipherment under a different key-encrypting key. When
| converting an external DES key to an external TR-31 format, the key-encrypting key used to wrap the
| external source key must be the same as the one used to wrap the TR-31 key block. If a translation of an
| external DES key from encipherment under one key-encrypting to a different key-encrypting key is desired,
| use the Key_Translate or Key_Translate2 verbs.
| Both CCA and TR-31 define key attributes that control key usage. In both cases, the usage information is
| securely bound to the key so that the attributes cannot be changed in unintended or uncontrolled ways.
| CCA maintains its DES key attributes in a control vector (CV), while a TR-31 key block uses fields: key
| usage, algorithm, mode of use, and exportability.
| Each attribute in a CCA control vector falls under one of these categories:
| 1. There is a one-to-one correspondence between the CV attribute and the TR-31 attribute. For these
| attributes, conversion is straightforward.
| 2. There is not a one-to-one correspondence between the CV attribute and the TR-31 attribute, but the
| attribute can be automatically translated when performing this export operation.
| 3. There is not a one-to-one correspondence between the CV attribute and the TR-31 attribute, in which
| case a rule-array keyword has been defined to specify which attribute is to be used in the TR-31 key
| block.
| 4. Item (1), (2), or (3) applies, but there are some attributes that are lost completely on translation (for
| example, key-generating bits in key-encrypting keys).
| 5. None of the above applies, because the key type, its attributes, or both simply cannot be reasonably
| translated into a TR-31 key block.
| The control vector is always checked for compatibility with the TR-31 attributes. It is an error if the
| specified TR-31 attributes are in any way incompatible with the control vector of the input key. In addition,
| access control points are defined that can be used to restrict the permitted attribute conversions.
| The TR-31 key block has a header that can contain optional blocks. Optional blocks become securely
| bound to the key by virtue of the MAC on the TR-31 key block. The opt_blocks parameter is provided to
| allow a complete and properly formatted optional block structure to be included as part of the TR-31 key
| block that is returned by the verb. The TR31_Optional_Data_Build (CSNBT31O) verb can be used to
| construct an optional block structure, one optional block at a time.
| To include a copy of the control vector from the DES source key in an optional block of the TR-31 key
| block, specify the ATTR-CV or INCL-CV control vector transport control keyword in the rule array. If either
| optional keyword is specified, the verb copies the single-length or double-length control vector field from
| the source key into the optional data field of the TR-31 header. The TR31_Key_Import verb can later
| extract this data and use it as the control vector for the CCA key that it creates when importing the TR-31
| key block. This provides a way to use TR-31 for transport of CCA keys and to make the CCA key have
| identical control vectors on the sending and receiving nodes.
| The ATTR-CV and INCL-CV keywords both cause the control vector to be included in a TR-31 optional
| block, but each has a different purpose:
| ATTR-CV
| Causes a copy of the control vector to be included, but both the TR-31 usage and mode of use fields
| in the non-optional part of the TR-31 key block header are set to IBM proprietary values. These
| values, described in TR-31 optional block data on page 629, indicate that the usage and mode
| information are specified in the control vector of the optional block and not in the TR-31 header. The
| restrictions imposed by the setting of the relevant access control points are bypassed, and any CCA
| key can be exported as long as the export control fields in the control vector allow it.
| INCL-CV
| Causes a copy of the control vector to be included as additional detail. The resulting attributes set in
| the non-optional part of the TR-31 key block header are identical to not using either keyword except
| that the value for the number of optional blocks is increased by one. The export operation is still
| subject to the restrictions imposed by the settings of the relevant access control points.
| Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX
| IBM i
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v The only proprietary values for the TR-31 header fields supported by this verb are those defined and
| used by IBM CCA when carrying a control vector in an optional block in the header.
| v AES is not currently supported for TR-31 key blocks.
| v The export will be prohibited if the CCA key does not have attributes XPORT-OK (CV bit 17 = B'1') and
| T31XPTOK (CV bit 57 = B'1').
| CSNBT31X
| return_code Output Integer See Appendix A.
| reason_code Output Integer See Appendix A.
| exit_data_length In/Output Integer 0
| exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 2, 3, 4, or 5
| rule_array Input String array 8 * rule_array_count bytes
| key_version_number Input String 2 bytes
| key_field_length Input Integer
| source_key_identifier_length Input Integer 64
| source_key_identifier Input String source_key_identifier_length bytes
| unwrap_kek_identifier_length Input Integer 0
| unwrap_kek_identifier Input String unwrap_kek_identifier_length bytes
| wrap_kek_identifier_length Input Integer 64
| wrap_kek_identifier Input String wrap_kek_identifier_length bytes
| opt_blocks_length Input Integer
| opt_blocks Input String opt_blocks_length bytes
| tr31_key_block_length In/Output Integer
| tr31_key_block Output String tr31_key_block_length bytes
|
| See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Parameters
| For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
| Parameters common to all verbs on page 9.
| rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 2, 3, 4 or 5.
| rule_array
| The rule_array parameter is a pointer to a string variable containing an array of keywords. The
| keywords are 8 bytes in length and must be left-aligned and padded on the right with space
| characters. The rule_array keywords for this verb are shown below:
|| Keyword Meaning
| Key block protection method (one required). Specifies which version of the TR-31 key block to use for exporting the
| CCA DES key. The version defines the method by which the key block is cryptographically protected and the content
| and layout of the block.
| VARXOR-A Specifies to use the Key Variant Binding Method 2005 Edition. Corresponds to TR-31 Key
| Block Version ID of "A" (X'41').
| VARDRV-B Specifies to use the Key Derivation Binding Method 2010 Edition. Corresponds to TR-31 Key
| Block Version ID of "B" (X'42').
| VARXOR-C Specifies to use the Key Variant Binding Method 2010 Edition. Corresponds to TR-31 Key
| Block Version ID of "C" (X'43').
| Notes:
| 1. These are the base keys from which derived unique key per transaction (DUKPT) initial keys are derived for
| individual devices such as PIN pads.
| 2. This table defines the only supported translations for this TR-31 usage. Usage must be the following:
| "B0" BDK base derivation key.
| 3. KEYGENKY keys are double length only.
|
|
|
| Notes:
| 1. PIN encryption keys are used to protect PIN blocks. PIN verification keys are used to generate or verify a PIN
| using a particular PIN-calculation method for that key type.
| 2. This table defines the only supported translations for this TR-31 usage. Usage must be one of the following:
| "P0" PIN encryption
| "V0" PIN verification, KPV, other algorithm
| Usage "V0" is intended to be a PIN-calculation method "other" than those defined for "V1" or "V2".
| Because CCA does not have a PIN-calculation method of "other" defined, it maps usage "V0" to the
| subtype extension of NO-SPEC (CV bits 0 - 3 = B'0000'). Be aware that NO-SPEC allows any method,
| including "V1" and "V2", and that this mapping is suboptimal.
| "V1" PIN verification, IBM 3624
| "V2" PIN verification, Visa PVV
| 3. Mode must be one of the following:
| "E" Encrypt/wrap only
| This restricts PIN encryption keys to encrypting a PIN block. May be used to create or reencipher an
| encrypted PIN block (for key-to-key translation).
| "D" Decrypt/unwrap only
| This restricts PIN encryption keys to decrypting a PIN block. Generally used in a PIN translation to
| decrypt the incoming PIN block.
| "N" No special restrictions (other than restrictions implied by the key usage)
| This is used by several vendors for a PIN generate or PIN verification key when the key block version ID
| is "A".
| "G" Generate only
| This is used for a PINGEN key that may not perform a PIN verification. This is the only mode available
| when the control vector in the CCA key-token (applicable when INCL-CV keyword is not provided) does
| NOT have the EPINVER control vector bit on.
| "V" Verify only
| This is used for PIN verification only. This is the only mode available when the control vector in the CCA
| key-token (applicable when INCL-CV is not provided) ONLY has the EPINVER control vector usage bit
| on (CV bits 18 - 22 = B'00001').
| "C" Both generate and verify (combined)
| This is the only output mode available for TR-31 when any of the CCA key-token PIN generating bits are
| on in the control vector (CPINGENA, EPINGENA, EPINGEN, or CPINGENA) in addition to the EPINVER
| bit.
|
|
| Notes:
| 1. EMV/chip issuer master-key keys are used by the chip cards to perform cryptographic operations or, in some
| cases, to derive keys used to perform operations. In CCA, these are (a) diversified key-generating keys (key type
| DKYGENKY), allowing derivation of operational keys, or (b) operational keys. Note that in this context, "master
| key" has a different meaning than for CCA. These master keys, also called KMCs, are described by EMV as DES
| master keys for personalization session keys. They are used to derive the corresponding chip card master keys,
| and not typically used directly for cryptographic operations other than key derivation. In CCA, these are usually
| key generating keys with derivation level DKYL1 (CV bits 12 - 14 = B'001'), used to derive other key generating
| keys (the chip card master keys). For some cases, or for older EMV key derivation methods, the issuer master
| keys could be level DKYL0 (CV bits 12 - 14 = B'000').
| 2. This table defines the only supported translations for this TR-31 usage. Usage must be one of the following:
| "E0" Application cryptograms
| "E1" Secure messaging for confidentiality
| "E2" Secure messaging for integrity
| "E3" Data authentication code
| "E4" Dynamic numbers
| "E5" Card personalization
| 3. EMV support in CCA is quite different than TR-31 support, and CCA key types do not match TR-31 types.
| 4. DKYGENKY keys are double length only.
|
| key_version_number
| The key_version_number parameter is a pointer to a string variable containing two numeric ASCII
| bytes that are copied into the key version number field of the output TR-31 key block. Use a value of
| "00" (X'3030') if no key version number is needed.
| This value is ignored If the key identified by the source_key_identifier parameter contains a partial key,
| that is, the KEY-PART bit (CV bit 44) is on in the control vector. When a partial key is passed, the verb
| sets the key version number field in the TR-31 key block to "c0" (X'6330'). According to TR-31, this
| value indicates that the TR-31 key block contains a component of a key (key part).
| key_field_length
| The key_field_length parameter is a pointer to an integer variable containing the length of the key field
| that is encrypted in the TR-31 block. The length must be a multiple the DES cipher block size, which is
| eight. It must also be greater than or equal to the length of the cleartext key passed using the
| source_key_identifier parameter plus the length of the key length field (two bytes) that precedes this
| key in the TR-31 block. For example, if the source key is a double-length TDES key (its length is 16
| bytes), then the key field length must be greater than or equal to (16 + 2) bytes, and must also be a
| multiple of 8. This means that the minimum key_field_length in this case would be 24.
| Note: This parameter is not expected to allow for ASCII encoding of the encrypted data stored in the
| key field according to the TR-31 specification. For example, when a value of 24 is passed here,
| following the minimum example above, the length of the final ASCII-encoded encrypted data in
| the key field in the output TR-31 key block is 48 bytes.
| source_key_identifier_length
| The source_key_identifier_length parameter is a pointer to an integer variable containing the length in
| bytes of the source_key_identifier variable. The value must be 64.
| source_key_identifier
| The source_key_identifier parameter is a pointer to a string variable containing either the key label for
| the source key or the key token containing the source key. The source key is the key that is to be
| exported. The key must be a CCA fixed-length DES internal or external key-token. If the source key is
| an external token, an identifier for the KEK that wraps the source key must be identified by the
| unwrap_kek_identifier parameter. TR-31 currently only supports DES and TDES keys. AES is not
| supported.
| unwrap_kek_identifier_length
| The unwrap_kek_identifier_length parameter is a pointer to an integer variable containing the length in
| bytes of the unwrap_kek_identifier variable. The value must be greater than or equal to 0. A null
| key-token can have a length of 1. Set this value to 64 for a key label or a KEK.
| unwrap_kek_identifier
| The unwrap_kek_identifier parameter is a pointer to a string variable containing either the key label for
| the source key KEK or the key token containing the source key KEK when the source key is an
| external CCA key token, and a NULL key token otherwise. The source key KEK can also be the
| wrapping key for the key that is to be exported if the wrap_kek_identifier is not specified. The source
| key KEK must be a CCA internal DES KEK token of type EXPORTER or OKEYXLAT.
| Note: ECB-mode wrapped DES keys (CCA legacy wrap mode) cannot be used to wrap or unwrap
| TR-31 "B" or "C" key blocks that have or will have "E" exportability, because ECB-mode does
| not comply with ANS X9.24 Part 1.
| wrap_kek_identifier_length
| The wrap_kek_identifier_length parameter is a pointer to an integer variable containing the length in
| bytes of the wrap_kek_identifier variable. Set this value to 64.
| wrap_kek_identifier
| The wrap_kek_identifier parameter is a pointer to a string variable containing an operational
| fixed-length DES key-token with a key type of EXPORTER or OKEYXLAT to use for wrapping the
| output TR-31 key block, a null key token, or a key label of such a key in DES key-storage. If the
| identified key token is not null, the key token must have the same key that is in the key-token
| identified by the unwrap_kek_identifier parameter. If it is null, then the key identified by the
| unwrap_kek_identifier parameter is also used for wrapping the output TR-31 key block.
| Note: ECB-mode wrapped DES keys (CCA legacy wrap mode) cannot be used to wrap or unwrap
| TR-31 "B" or "C" key blocks that have or will have "E" exportability, because ECB-mode does
| not comply with ANS X9.24 Part 1. This parameter exists to allow for KEK separation. It is
| possible that KEKs are restricted as to what they can wrap, such that a KEK for wrapping CCA
| external keys might not be usable for wrapping TR-31 external keys, or the other way around.
| Note: The Padding Block, ID "PB" cannot be added by the user, and therefore is not accepted in the
| opt_blocks parameter. CCA adds a Padding Block of the appropriate size as needed when
| building the TR-31 key block in Key_Export_to_TR31. The Padding Block for optional blocks
| serves no security purpose, unlike the padding in the encrypted key portion of the payload.
| tr31_key_block_length
| The tr31_key_block_length parameter is a pointer to an integer variable containing the length in bytes
| of the tr31_key_block variable. On input, specify the size of the application program buffer available for
| the output key-token. On return from the verb, this variable is updated to contain the actual length of
| that returned token. TR-31 key blocks are variable in length.
| tr31_key_block
| The tr31_key_block parameter is a pointer to a string variable containing the output key block
| produced by the verb. The output key block contains the external form of the key created by the verb,
| wrapped according to the method specified.
| Note: The padding optional block in the output TR-31 key block can be present with zero data bytes.
| This is because sometimes the optional block portion of the header needs exactly four bytes of
| padding, the size of an optional block header without the data portion. The data portion is
| defined as optional by TR-31, which allows this.
| Required commands
| The Key_Export_to_TR31 verb requires the following commands to be enabled in the active role:
| Be aware of the interaction of access-control point X'0158' (TR31 Export - Permit Any CCA Key if INCL-CV
| Is Specified) with the INCL-CV keyword. Without the INCL-CV keyword, most export translations are
| guarded by key-type-specific access control points, to guard the source CCA system against attacks
| involving reimport of the exported key under ambiguous circumstances. When the control vector is
| exported along with the key as an optional block securely bound to the encrypted key, the source system
| is somewhat protected because the key on import is allowed to have only the form of the included control
| In addition to the above commands, the verb requires these additional commands to be enabled in the
| active role depending on the TR-31 key usage rule-array keyword provided and additional information as
| shown in the table referenced in the rightmost column:
|| TR-31 key usage Specific key type and control
| keyword Offset Command vector attributes
| "B0": TR-31 BDK base derivation keys
| BDK X'0180' TR31 Export - Permit KEYGENKY:UKPT to B0 See Table 63 on page 508.
| "C0": TR-31 CVK card verification keys
| CVK X'0181' TR31 Export - Permit MAC/MACVER:AMEX- See Table 64 on page 509.
| CSC to C0:G/C/V
| X'0182' TR31 Export - Permit MAC/MACVER:CVV-
| KEYA to C0:G/C/V
| X'0183' TR31 Export - Permit MAC/MACVER:ANY-
| MAC to C0:G/C/V
| X'0184' TR31 Export - Permit
| "D0": TR-31 data encryption keys
| ENC X'0185' TR31 Export - Permit ENCIPHER/DECIPHER/ See Table 65 on page 511.
| CIPHER to D0:E/D/B
| X'0186' TR31 Export - Permit DATA to D0:B
| "E0", "E1", "E2", "E3", "E4", and "E5": TR-31 EMC/chip issuer master-key keys
| The TR31_Key_Import verb is analogous to the existing Key_Import verb, except that TR31_Key_Import
| accepts an external non-CCA DES key-token instead of an external CCA fixed-length DES key-token, and
| it translates the key to either an external or internal fixed-length DES key-token instead of only an internal
| fixed-length DES key-token. An import by TR31_Key_Import to an external key-token requires a suitable
| internal fixed-length DES key-encrypting key. The purpose of both verbs is to import a DES key from
| another party.
| An external-to-external translation would not normally be called an export or import operation. Instead, it
| would be called a key translation and would be handled by a verb such as Key_Translate or
| Key_Translate2. For practical reasons, the export of an external CCA DES key-token to an external TR-31
| format is supported by the Key_Export_to_TR31 verb, and the import of an external TR-31 key block to an
| external CCA DES key-token format is supported by the TR31_Key_Import verb.
| Note that the TR31_Key_Import verb does not support the translation of an external key from
| encipherment under one key-encrypting key to encipherment under a different key-encrypting key. When
| converting an external TR-31 key block to an external fixed-length DES key-token, the key-encrypting key
| used to wrap the external TR-31 key block must be the same as the one used to wrap the external
| fixed-length DES key-token. Use the Key_Translate or Key_Translate2 verbs for switching external key
| wrapping keys: the normal function of those verbs.
| Both CCA and TR-31 define key attributes that control key usage. In both cases, the usage information is
| securely bound to the key so that the attributes cannot be changed in unintended or uncontrolled ways.
| CCA maintains its DES key attributes in a control vector (CV), while a TR-31 key block uses fields: key
| usage, algorithm, mode of use, and exportability.
| Each attribute in a CCA control vector falls under one of these categories:
| 1. There is a one-to-one correspondence between the CV attribute and the TR-31 attribute. For these
| attributes, conversion is straightforward.
| 2. There is not a one-to-one correspondence between the CV attribute and the TR-31 attribute, but the
| attribute can be automatically translated when performing this export operation.
| 3. There is not a one-to-one correspondence between the CV attribute and the TR-31 attribute, in which
| case a rule-array keyword has been defined to specify which attribute is to be used in the TR-31 key
| block.
| 4. Item (1), (2), or (3) applies, but there are some attributes that are lost completely on translation (for
| example, key-generating bits in key-encrypting keys).
| 5. None of the above applies, because the key type, its attributes, or both simply cannot be reasonably
| translated into a TR-31 key block.
| The control vector is always checked for compatibility with the TR-31 attributes. It is an error if the
| specified control vector attributes are in any way incompatible with the attributes of the input key. In
| addition, access control points are defined that can be used to restrict the permitted attribute conversions.
| The import operation produces the CCA external or internal fixed-length DES key-token as its output. It
| does not return any field values or optional block data from the TR-31 key block header. To obtain the
| header field values, use the TR31_Key_Token_Parse verb. To obtain optional block data from the header,
| use the TR31_Optional_Data_Read verb.
| If the TR-31 key block contains an IBM-proprietary block, the TR31_Key_Import verb verifies that the
| control vector is compatible with the attributes in the TR-31 key block. If any incompatibility is found, the
| verb rejects the import. If the control vector is valid for the key, the verb uses it for the control vector of the
| CCA DES key-token. Note that the import operation is always subject to the restrictions imposed by the
| relevant access control points, even if a control vector is received.
| A control vector, if present, can be in the TR-31 key block in one of two ways, depending on the control
| vector transport control keyword specified in the rule array of the Key_Export_to_TR31 verb when the key
| was exported. One keyword option is ATTR-CV, and the other is INCL-CV:
| ATTR-CV
| Causes a copy of the control vector to be included in the TR-31 key block. The TR-31 key usage and
| mode of use fields are set to IBM proprietary. See TR-31 optional block data on page 629. These
| proprietary values indicate that the usage and mode information is contained in the included control
| vector. In this case, if the TR31_Key_Import verb successfully verifies that the included control vector
| does not conflict with the rule-array keywords specified, it uses it as the control vector for the
| imported CCA DES key-token.
| INCL-CV
| Causes a copy of the control vector to be include din the TR-31 key block, and the TR-31 key usage
| and mode of use fields contain attributes from the set defined in the TR-31 standard. In this case, the
| TR31_Key_Import verb verifies that the usage and mode information in those fields are compatible
| with the included control vector. The verb also verifies that no rule array keywords conflict with the
| control vector.
| Note that the included CV could have more capability from a CCA perspective than the TR-31 usage
| and mode fields indicate. This is not an error, because the key block binding methods give the
| importer assurance that the key block optional blocks are as secure as any other attribute.
| Special notes:
| 1. Several import situations might require keywords. Keywords are ignored for INCL-CV scenarios unless
| they directly conflict with the included CV. For example, the verb returns an error if the control vector
| indicates that a DKYGENKY key has a subtype of DKYL0 and the user specifies the DKYL1 keyword.
| 2. Be aware of the interaction of ACP X'0158' (TR31 Export - Permit Any CCA Key if INCL-CV Is
| Specified) with the INCL-CV keyword for the Key_Export_to_TR31 verb. Without the INCL-CV keyword
| specified, most export translations are guarded by key type specific ACPs. This is to guard the source
| CCA system against attacks involving reimport of the exported key under ambiguous circumstances.
| When the control vector is exported in an optional block along with the key, it is securely bound to the
| encrypted key. This somewhat protects the source system because the key on import is only allowed
| to have the form of the included control vector. Expansion of capability is blocked. If ACP X'0158' is not
| enabled in the active role, the type-specific ACPs are still required. However, if ACP X'0158' is
| enabled, the key-type specific ACPs are not checked when INCL-CV is specified.
| 3. Be aware of ACP X'017C' (TR31 Import - Permit V0/V1/V2:N to PINGEN/PINVER) for import of
| PINGEN or PINVER keys to wrapping mode A, usage V0, V1, V2, and mode N.
| Examples:
| 1. A full MAC key that is exported as TR-31 "C0" key block with an included control vector will be
| re-imported as a full MAC key.
| 2. A DKYGENKY key with key usage DALL key exported as a TR-31 "E0", "E1", or "E2" key block with
| an included control vector will be re-imported as a DKYGENKY key with key usage DALL, even though
| the "E0", "E1", and "E2 types are more restricted.
| Restrictions
| The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX
| IBM i
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| Format
| Parameter name Direction Data type Data length or value
| CSNBT31I
| return_code Output Integer See Appendix A.
| reason_code Output Integer See Appendix A.
| exit_data_length In/Output Integer 0
| exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 1, 2, 3, or 4
| rule_array Input String array rule_array_count * 8 bytes
| tr31_key_block_length Input Integer See CSNBT31P.
| tr31_key_block Input String tr31_key_block_length bytes
| unwrap_kek_identifier_length Input Integer 64
| unwrap_kek_identifier Input String unwrap_kek_identifier_length bytes
| wrap_kek_identifier_length Input Integer 0
| wrap_kek_identifier Input String wrap_kek_identifier_length bytes
| output_key_identifier_length In/Output Integer 64
| output_key_identifier In/Output String output_key_identifier_length bytes
| num_opt_blocks Output Integer 0
| cv_source Output Integer See Table 77 on page 546.
| protection_method Output Integer See Table 78 on page 546.
|
| See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Parameters
| For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
| Parameters common to all verbs on page 9.
| rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 1, 2, 3, or 4.
| Notes:
| 1. These are the base keys from which derived unique key per transaction (DUKPT) initial keys are derived for
| individual devices such as PIN pads.
| 2. This table defines the only supported translations for this TR-31 usage. Usage must be the following:
| "B0" BDK base derivation key.
| 3. There are no specific access-control commands for this translation because it is not ambiguous or in need of
| interpretation.
|
| Table 71 shows all valid translations for import of a TR-31 CVK card verification key (usage "C0") to a
| CCA MAC or DATA key, along with any access control commands that must be enabled in the active
| role for that key type and control vector attributes. These keys are for computing or verifying (against
| supplied value) a card verification code with the CVV, CVC, CVC2, and CVV2 algorithm.
| Table 71. Import translation table for a TR-31 CVK card verification key (usage "C0")
| Key block
| protection
| method
| keyword
| Key (version Mode Rule-array CCA key type and control
| usage ID) of use keywords vector attributes Offset Command
| "C0" "A", "B", or "G" or CVK-CSC MAC, single or double length, X'015B' TR31 Import - Permit C0 to
| "C" "C" AMEX-CSC (CV bits 0 - 3 = MAC/MACVER:AMEXCSC
| B'0100')
| CVK-CVV MAC, double length, X'015A' TR31 Import - Permit C0 to
| CVVKEY-A (CV bits 0 - 3 = MAC/MACVER:CVVKEY-A
| B'0010')
| "V" CVK-CSC MACVER, single or double X'015B' TR31 Import - Permit C0 to
| length, AMEX-CSC (CV bits 0 MAC/MACVER:AMEXCSC
| - 3 = B'0100')
| CVK-CVV MACVER, double length, X'015A' TR31 Import - Permit C0 to
| CVVKEY-A (CV bits 0 - 3 = MAC/MACVER:CVVKEY-A
| B'0010')
| Security considerations:
| 1. There is asymmetry in the translation from a CCA DATA key to a TR-31 key. The asymmetry results from CCA
| DATA keys having attributes of both data encryption keys and MAC keys, while TR-31 separates data encryption
| keys from MAC keys. A CCA DATA key can be exported to a TR-31 "C0" key, provided that one or both
| applicable MAC generate and MAC verify control vector bits are on. However, a TR-31 "C0" key cannot be
| imported to the lower-security CCA DATA key, it can only be imported to a CCA key type of MAC or MACVER.
| This restriction eliminates the ability to export a CCA MAC or MACVER key to a TR-31 key and re-importing it
| back as a CCA DATA key with the capability to Encipher, Decipher, or both.
| 2. The translation from TR-31 usage "C0" is controlled by rule array keywords when using the TR31_Key_Import
| verb. This makes it possible to convert an exported CCA CVVKEY-A key into an AMEX-CSC key or the other way
| around. To prevent such a conversion, do not enable offsets X'015A' (TR31 Import - Permit C0 to
| MAC/MACVER:CVVKEY-A) and X'015B' (TR31 Import - Permit C0 to MAC/MACVER:AMEXCSC) at the same
| time. However, if both CVVKEY-A and AMEX-CSC translation types are required, then offsets X'015A' and
| X'015B' must be enabled. In this case, control is up to the development, deployment, and execution of the
| applications themselves.
| Notes:
| 1. Card verification keys are used for computing or verifying (against supplied value) a card verification code with
| the CVV, CVC, CVC2, and CVV2 algorithms. In CCA, this corresponds to keys used with two algorithms:
| v Visa CVV and MasterCard CVC codes are generated and verified using the CVV_Generate and CVV_Verify
| verbs. These verbs require a key type of DATA or MAC/MACVER with a subtype extension (CV bits 0 - 3) of
| ANY-MAC, single-length CVVKEY-A and single-length CVVKEY-B, and beginning with Release 4.2 a
| double-length CVVKEY-A (see CVV_Key_Combine verb). The MAC generate and the MAC verify (CV bits 20 -
| 21) key usage values must be set appropriately.
| v American Express CSC codes are generated and verified using the Transaction_Validation verb. This verb
| requires a key type of MAC or MACVER with a subtype extension of ANY-MAC or AMEX-CSC.
| 2. The translation from TR-31 usage "C0" to a CCA MAC/MACVER key with a subtype extension of ANY-MAC (CV
| bits 0 - 3 = B'0000') is not allowed.
| 3. This table defines the only supported translations for this TR-31 usage. Usage must be the following:
| "C0" CVK card verification key
| 4. CCA does not have an equivalent to the TR-31 "generate only" mode of use, so a translation from TR-31 mode
| "G" will result in a CCA MAC key with both MAC generate and MAC verify attributes (CV bits 20 - 21 = B'11').
| Note that any key that can perform a generate can readily verify a MAC as well.
| 5. The CCA representation and the TR-31 representation of CVV keys are incompatible. CCA represents the
| CVVKEY-A and CVVKEY-B keys as two 8-byte (single length) keys, while TR-31 represents these keys as one
| 16-byte key. Beginning with Release 4.2, the CVV_Generate and CVV_Verify verbs have support added to accept
| one 16-byte CVV key, using left and right key parts as A and B. Current Visa standards require this.
| 6. Import and export of 8-byte CVVKEY-A and CVVKEY-B MAC/MACVER keys will only be allowed using the
| proprietary TR-31 usage+mode values ("10" and "1", respectively) to indicate encapsulation of the IBM control
| vector in an optional block, because the 8-byte CVVKEY-A is meaningless and useless as a TR-31 "C0" usage
| key of any mode.
|
| Table 72 shows all valid translations for import of a TR-31 data encryption key (usage "D0") to a CCA
| ENCIPHER, DECIPHER, CIPHER, or DATA key, along with any access control commands that must
| be enabled in the active role for that key type and control vector attributes. These keys are used for
| the encryption and/or decryption of data.
| Table 72. Import translation table for a TR-31 data encryption key (usage "D0")
| Key block
| protection
| method
| Key keyword Mode of Rule-array CCA key type and control vector
| usage (version ID) use keywords attributes Offset Command
| "D0" "A", "B", or "E" N/A ENCIPHER, single or double length N/A N/A
| "C"
| "D" N/A DECIPHER, single or double length
| "B" N/A CIPHER, single or double length
| Security consideration: There is asymmetry in the translation from a CCA DATA key to a TR-31 key. The
| asymmetry results from CCA DATA keys having attributes of both data encryption keys and MAC keys, while TR-31
| separates data encryption keys from MAC keys. A CCA DATA key can be exported to a TR-31 "D0" key, provided
| that one or both applicable Encipher or Decipher control vector bits are on. However, a TR-31 "D0" key cannot be
| imported to the lower-security CCA DATA key, it can only be imported to a CCA key type of ENCIPHER,
| DECIPHER, or CIPHER. This restriction eliminates the ability to export a CCA DATA key to a TR-31 key, and
| re-importing it back as a CCA DATA key with the capability to MAC generate and MAC verify.
| Notes:
| 1. Data encryption keys are used for the encryption and decryption of data.
| 2. This table defines the only supported translations for this TR-31 usage. Usage must be the following:
| "D0" Data encryption
| 3. There are no specific access-control commands for this translation since it is not ambiguous or in need of
| interpretation.
|
| Notes:
| 1. MAC keys are used to compute or verify a code for message authentication.
| 2. This table defines the only supported translations for this TR-31 usage. Usage must be one of the following:
| "M0" SO 16609 MAC algorithm 1, TDEA
| The ISO 16609 MAC algorithm 1 is based on ISO 9797. It is identical to "M1" except that it does not
| support 8-byte DES keys.
| "M1" SO 9797 MAC algorithm 1
| The ISO 9797 MAC algorithm 1 is identical to "M0" except that it also supports 8-byte DES keys.
| "M3" ISO 9797 MAC algorithm 3
| This is the X9.19 style of Triple-DES MAC.
| 3. A CCA control vector has no bits defined to limit key usage by algorithm, such as CBC MAC (TR-31 usage "M0"
| and "M1") or X9.19 (TR-31 usage "M3"). When importing a TR-31 key block, the resulting CCA key token
| deviates from the restrictions of usages "M0", "M1", and "M3". Importing a TR-31 key block which allows MAC
| generation ("G" or "C") results in a control vector with the ANY-MAC attribute rather than for the restricted
| algorithm that is set in the TR-31 key block. The ANY-MAC attribute provides the same restrictions as what CCA
| currently uses for generating and verifying MACs.
|
| Failure to comply with this recommendation allows changing PINVER keys into PINGEN and the other way around.
| Notes:
| 1. PIN encryption keys are used to protect PIN blocks. PIN verification keys are used to generate or verify a PIN
| using a particular PIN-calculation method for that key type.
| 2. This table defines the only supported translations for this TR-31 usage. Usage must be one of the following:
| "P0" PIN encryption
| "V0" PIN verification, KPV, other algorithm
| Usage "V0" does not have its own PIN-calculation method defined. The mapping to NO-SPEC is
| sub-optimal. Exporting to "N" mode restricts keys from being imported with the IBM-PIN/IBM-PINO or
| VISA-PVV attribute, while CCA NO-SPEC allows any method.
| "V1" PIN verification, IBM 3624
| "V2" PIN verification, Visa PVV
| The NOOFFSET keyword is not allowed for the Visa PVV algorithm because it does not support this
| attribute.
| 3. Mode must be one of the following:
| "E" Encrypt/wrap only
| This restricts PIN encryption keys to encrypting a PIN block. May be used to create or reencipher an
| encrypted PIN block (for key-to-key translation).
| "D" Decrypt/unwrap only
| This restricts PIN encryption keys to decrypting a PIN block. Generally used in a PIN translation to
| decrypt the incoming PIN block.
| "N" No special restrictions (other than restrictions implied by the key usage)
| This is used by several vendors for a PIN generate or PIN verification key when the key block version ID
| is "A".
| "G" Generate only
| This is used for a PINGEN key that may not perform a PIN verification. The control vector will not have
| its EPINVER attribute on (CV bit 22 = B'0').
| "V" Verify only
| This is used for PIN verification only. If the TR-31 key block does not have a control vector included, the
| only usage bits set on in the control vector will be the EPINVER bit (CV bits 18 - 22 = B'00001').
| "C" Both generate and verify (combined)
| The control vector will have the default PINGEN bits on (CV bits 18 -22 = B'11111').
| 4. Any attempt to import a TR-31 "P0" key that has mode "B" (both encrypt and decrypt) will result in an error
| because CCA does not support this combination of attributes.
| 5. If the TR-31 key block contains a control vector, and the control vector has NOOFFSET on, the NOOFFSET
| keyword is not necessary because the verb will automatically set NOOFFSET on in this case.
|
| Table 76 on page 542 shows all valid translations for import of a TR-31 EMV/chip issuer master-key
| key (usages "E0", "E1", "E2", "E3", "E4", "E5") to a CCA DKYGENKY, DATA, MAC, CIPHER, or
| ENCIPHER key, along with any access control commands that must be enabled in the active role for
| that key type and control vector attributes. These keys are used by the chip cards to perform
| cryptographic operations or, in some cases, to derive keys used to perform operations.
| Notes:
| 1. EMV/chip issuer master-key keys are used by the chip cards to perform cryptographic operations or, in some
| cases, to derive keys used to perform operations. In CCA, these are (a) diversified key-generating keys (key type
| DKYGENKY), allowing derivation of operational keys, or (b) operational keys. Note that in this context, "master
| key" has a different meaning than for CCA. These master keys, also called a KMCs, are described by EMV as
| DES master keys for personalization session keys. They are used to derive the corresponding chip card master
| keys, and not typically used directly for cryptographic operations other than key derivation. In CCA, these are
| usually key generating keys with derivation level DKYL1 (CV bits 12 - 14 = B'001'), used to derive other key
| generating keys (the chip card master keys). For some cases, or for older EMV key derivation methods, the
| issuer master keys could be level DKYL0 (CV bits 12 - 14 = B'000').
| 2. This table defines the only supported translations for this TR-31 usage. Usage must be one of the following:
| "E0" Application cryptograms
| "E1" Secure messaging for confidentiality
| "E2" Secure messaging for integrity
| "E3" Data authentication code
| "E4" Dynamic numbers
| "E5" Card personalization
| 3. EMV support in CCA is quite different than TR-31 support, and CCA key types do not match TR-31 types.
| 4. DKYGENKY keys are double length only.
| 5. In CCA, a MAC key that can perform a MAC generate operation also can perform a MAC verify. For TR-31 mode
| "G" (generate only), the translation to a CCA key results in a key that can perform MAC generate and MAC verify.
|
| tr31_key_block_length
| The tr31_key_block_length parameter is a pointer to an integer variable containing the number of
| bytes of data in the tr31_key_block variable. The length field in the TR-31 block is a 4-digit decimal
| number, so the maximum acceptable length is 9992 bytes.
| tr31_key_block
| The tr31_key_block parameter is a pointer to a string variable containing the TR-31 key block that is to
| be imported. The key block is protected with the key identified by the unwrap_kek_identifier parameter.
| unwrap_kek_identifier_length
| The unwrap_kek_identifier_length parameter is a pointer to an integer variable containing the number
| of bytes of data in the unwrap_kek_identifier variable. Set this value to 64.
| unwrap_kek_identifier
| The unwrap_kek_identifier parameter is a pointer to a string variable containing the operational
| fixed-length DES key-token used to unwrap the key identified by the tr31_key_block parameter, or a
| key label of such a key in DES key-storage. The key must have a key type of IMPORTER or
| IKEYXLAT, and be authorized for import.
| Note: DES keys wrapped in ECB mode (CCA legacy wrap mode) cannot be used to wrap or unwrap
| TR-31 "B" or "C" key blocks that have or will have "E" exportability, because ECB-mode does
| not comply with ANS X9.24 Part 1.
| wrap_kek_identifier_length
| The wrap_kek_identifier_length parameter is a pointer to an integer variable containing the length in
| bytes of the wrap_kek_identifier variable. The value must be greater than or equal to 0. A null
| key-token can have a length of 1. Set this value to 64 for a key label or a KEK.
| wrap_kek_identifier
| The wrap_kek_identifier parameter is a pointer to a string variable containing the operational
| fixed-length DES key-token used to wrap the key identified by the output_key_identifier parameter, a
| null key-token, or a key label of such a key in DES key-storage. If the key token identified by the
| parameter is not null, it must have a key type of IMPORTER or IKEYXLAT, be authorized for import,
| Be aware of access-control point X'017C' (TR31 Import - Permit V0/V1/V2:N to PINGEN/PINVER) for
| import of PINGEN or PINVER keys to wrapping method "A", usage "V0", "V1", or "V2", and mode "N".
| TR-31 key blocks with legacy key usage "A" (key block protected using the Key Variant Binding Method
| 2005 Edition) use the same mode "N" for PINGEN as well as PINVER keys. For usage "A" keys only,
| enabling a PINGEN and PINVER access-control point while enabling offset X'017C' (for mode "N") is NOT
| recommended. Failure to comply with this recommendation allows changing PINVER keys into PINGEN,
| and the other way around.
| In addition to the above commands, the verb requires these additional commands to be enabled in the
| active role depending on the rule-array keyword provided:
|| Specific key usage, version ID,
| Rule-array keyword Offset Command and mode values
| "C0": TR-31 CVK card verification keys
| CVK-CSC X'015B' TR31 Import - Permit C0 to See Table 71 on page 533.
| MAC/MACVER:AMEXCSC
| CVK-CVV X'015A' TR31 Import - Permit C0 to
| MAC/MACVER:CVKEY-A
| The TR-31 header fields that are disassembled into separate pieces of information include a key block
| version ID, key block length, key usage, algorithm, mode of use, key version number, exportability, and
| number of optional blocks. Except for the two length values, which are returned as integers, the verb
| returns the field values as ASCII strings. This is the format used in the TR-31 key block itself. For
| additional information, see X9 TR-31 2010: Interoperable Secure Key Exchange Block Specification for
| Symmetric Algorithms.
| The following table summarizes the key blocks fields returned by this verb:
|| Field or
| buffer
| string
| length in
| TR-31 field name Verb parameter bytes Description of TR-31 field
| Key block version ID key_block_version 1 Identifies the method by which the key block is
| cryptographically protected and the content layout of the
| block.
| Key block length key_block_length 4 Entire key block length after encoding (header, encrypted
| (integer) confidential data, and MAC).
| Key usage key_usage 2 Provides information about the intended function of the
| protected key/sensitive data, such as data encryption, PIN
| encryption, or key wrapping. Numeric values are reserved
| for proprietary use (that is, not defined by TR-31).
| Algorithm algorithm 1 The approved symmetric algorithm for which the protected
| key may be used. Numeric values are reserved for
| proprietary use.
| Mode of use mode 1 Defines the operation for which the protected key can
| perform. Numeric values are reserved for proprietary use.
| Key version number key_version_number 2 Version number to optionally indicate that the contents of
| the key block is a component (key part), or to prevent
| re-injection of an old key. This field is a tool for
| enforcement of local key change rules.
| Exportability exportability 1 Defines whether the protected key may be exported.
| Number of optional num_opt_blocks 4 Defines the number of optional blocks included in the key
| blocks (integer) block. If this value is greater than zero, use the
| TR31_Optional_Data_Read verb to obtain the contents of
| the optional blocks.
|
| This verb does not perform cryptographic services on any key value. You cannot use this verb to change a
| key or to change the control vector related to a key.
| Format
| Parameter name Direction Data type Data length or value
| CSNBT31P
| return_code Output Integer See Appendix A.
| reason_code Output Integer See Appendix A.
| exit_data_length In/Output Integer 0
| exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 0
| rule_array Input String array rule_array_count * 8 bytes
| tr31_key_length Input Integer
| tr31_key Input String tr31_key_length bytes
| key_block_version Output String 1 byte
| key_block_length Output Integer
| key_usage Output String 2 bytes
| algorithm Output String 1 byte
| mode Output String 1 byte
| key_version_number Output String 2 bytes
| exportability Output String 1 byte
| num_opt_blocks Output Integer
|
| See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Parameters
| For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
| Parameters common to all verbs on page 9.
| rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 0.
| rule_array
| The rule_array parameter is a pointer to a string variable containing an array of keywords. The
| keywords are 8 bytes in length and must be left-aligned and padded on the right with space
| characters. No rule array keywords are currently defined for this verb.
| tr31_key_length
| The tr31_key_length parameter is a pointer to an integer variable containing the number of bytes of
| Required commands
| None.
| The TR-31 key block has an unencrypted header that can contain optional blocks. The header is securely
| bound to the key block using the integrated MAC. An optional block has a two-byte ASCII block ID value
| that determines the use of the block. The ID of each block in an optional blocks structure must be unique.
| The verb builds a structure of optional blocks by adding one optional block with each call. This process is
| repeated until the entire set of optional blocks has been added. For each call, provide the components for
| a single optional block. This includes the optional block ID, the optional block length in bytes, and the
| optional block data. In addition, provide an optional blocks buffer large enough to add the optional block
| being built.
| There are two valid scenarios for the optional blocks buffer provided on input, as determined by the value
| of the opt_blocks_length variable:
| 1. The optional blocks buffer is empty. In this case, the newly constructed optional block is copied into the
| buffer.
| 2. The optional blocks buffer contains one or more existing optional blocks. In this case, the newly
| constructed optional block is appended to the existing optional blocks. No duplicate IDs are allowed.
| Upon successful completion, the opt_blocks_length variable is updated to the length of the returned
| optional blocks structure.
| This verb does not perform cryptographic services on any key value. You cannot use this verb to change a
| key or to change the control vector related to a key.
| Restrictions
| v The following table shows the supported releases and associated operating systems for this verb:
|| CCA CCA CCA CCA CCA CCA CCA
| Operating system 4.2 4.1 4.0 3.60 3.30 3.27 3.25
| AIX
| IBM i
| Red Hat Enterprise Linux
| SUSE Linux Enterprise Server X
| Windows
| Note: See Table 2 on page xviii for a list of supported operating system releases.
|
| v An optional block with an ID of "PB" (padding block) cannot be added by the user. The
| Key_Export_to_TR31 verb adds a padding block of the appropriate size as needed when building the
| TR-31 key block. Unlike the padding within the encrypted key portion of the key block, the padding
| block for optional blocks serves no security purpose.
|
| CSNBT31O
| return_code Output Integer See Appendix A.
| reason_code Output Integer See Appendix A.
| exit_data_length In/Output Integer 0
| exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 0
| rule_array Input String array rule_array_count * 8 bytes
| opt_blocks_bfr_length Input Integer 0
| opt_blocks_length In/Output Integer opt_blocks_bfr_length
| opt_blocks In/Output String opt_blocks_length bytes
| num_opt_blocks Output Integer 0
| opt_block_id Input String 2 bytes
| opt_block_data_length Input Integer 0
| opt_block_data Input String opt_block_data_length bytes
|
| See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Parameters
| For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
| Parameters common to all verbs on page 9.
| rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 0, because no keywords are currently defined for this
| verb.
| rule_array
| The rule_array parameter is a pointer to a string variable containing an array of keywords. The
| keywords are 8 bytes in length and must be left-aligned and padded on the right with space
| characters. No rule_array keywords are currently defined for this verb.
| opt_blocks_bfr_length
| The opt_blocks_bfr_length parameter is a pointer to an integer variable containing the length in bytes
| of the buffer allocated for the opt_blocks variable. Set this length to at least the size of any optional
| blocks structure in the buffer plus the optional block being added.
| opt_blocks_length
| The opt_blocks_length parameter is a pointer to an integer variable containing the length in bytes of
| the data in the opt_blocks variable. This length must be less than or equal to the value of the
| opt_blocks_bfr_length variable. On input, set this variable to the length of the optional blocks structure
| being updated. Set this value to zero if this is the first optional block in the structure. On successful
| completion, this variable is updated with the length of the updated variable.
| opt_blocks
| The opt_blocks parameter is a string variable containing a buffer for the optional blocks structure that
| the verb updates. In the first call to the verb, the buffer will generally be empty. The verb appends one
| optional block to the buffer with each call.
| num_opt_blocks
| The num_opt_blocks parameter is a pointer to an integer variable containing the number of optional
| blocks contained in the opt_blocks variable that is returned by the verb.
| Required commands
| None.
| A TR-31 key block contains an unencrypted header that can include one or more optional blocks. All parts
| of the header are securely bound to the key block using the integrated MAC.
| Optional blocks in a key block must each be identified by a unique two-byte ID. The value of an ID must
| either be defined by TR-31 or be a numeric value, otherwise the key block is invalid. Numeric IDs are
| reserved for proprietary use. For additional information, see X9 TR-31 2010: Interoperable Secure Key
| Exchange Block Specification for Symmetric Algorithms.
| In order to obtain the data of a particular optional block from the header of an external TR-31 key block,
| perform the following steps:
| 1. Use the tr31_key parameter to identify the TR-31 key block that this verb is to process.
| 2. Call the TR31_Key_Token_Parse verb to parse the TR-31 key block. See TR31_Key_Token_Parse
| (CSNBT31P) on page 551. Upon successful completion:
| v Set the value of the tr31_key_length variable to the value returned in the tr31_key_length variable.
| v Set the value of the num_opt_blocks variable to the value returned in the num_opt_blocks variable.
| v Allocate a string buffer in bytes for the opt_blocks_id and an integer buffer in bytes for the
| opt_blocks_length variables. These buffers must be at least two times the value of the
| num_opt_blocks variable.
| 3. Specify a rule-array keyword of INFO to obtain information about the optional blocks in the key block.
| The opt_block_id, opt_block_data_length, and opt_block_data parameters are ignored.
| 4. Call the TR31_Optional_Data_Read verb to read data from the TR-31 key block. Upon successful
| completion, the verb returns an array of optional block IDs in the opt_blocks_id variable, and an array
| of lengths for the optional block IDs in the opt_blocks_length variable. The IDs and lengths are
| returned in same order as the optional blocks appear in the header of the TR-31 key block.
| 5. Determine which ID of the unique IDs contained in the opt_blocks_id variable is to be obtained from
| the TR-31 key block. Set the opt_block_id variable to this two-byte value. Set the value of the
| opt_block_data_length variable to the corresponding length from the opt_blocks_length variable.
| Note: The offset used to locate the ID in the opt_blocks_id variable has the same value as the offset
| for the corresponding length in the opt_blocks_length variable.
| 6. Allocate a buffer in bytes for the opt_block_data variable that is at least the value of the
| opt_block_data_length variable.
| 7. Specify a rule-array keyword of DATA to obtain the length and data of the specified optional block. The
| num_opt_blocks and the opt_blocks_id parameters are ignored.
| 8. Call the TR31_Optional_Data_Read verb. Upon successful completion, the verb returns the data of the
| specified optional block in the opt_block_data variable. The verb updates the opt_block_data_length
| variable to the number of bytes returned in the opt_block_data variable.
| This verb does not perform cryptographic services on any key value. You cannot use this verb to change a
| key or to change the control vector related to a key.
| Format
| Parameter name Direction Data type Data length or value
| CSNBT31R
| return_code Output Integer See Appendix A.
| reason_code Output Integer See Appendix A.
| exit_data_length In/Output Integer 0
| exit_data In/Output String exit_data_length bytes
| rule_array_count Input Integer 0
| rule_array Input String array rule_array_count * 8 bytes
| tr31_key_length Input Integer
| tr31_key Input String tr31_key_length bytes
| opt_block_id Input String 2 bytes
| num_opt_blocks Input Integer
| opt_block_ids Output String array 2 * num_opt_blocks bytes
| opt_block_lengths Output String array 2 * num_opt_blocks bytes
| opt_block_data_length In/Output Integer
| opt_block_data Output String opt_block_data_length bytes
|
| See Appendix I, Java Native Interface, on page 743 for information about calling this verb using the JNI.
| Parameters
| For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see
| Parameters common to all verbs on page 9.
| rule_array_count
| The rule_array_count parameter is a pointer to an integer variable containing the number of elements
| in the rule_array variable. The value must be 1.
| rule_array
| The rule_array parameter is a pointer to a string variable containing an array of keywords. The
| keywords are 8 bytes in length and must be left-aligned and padded on the right with space
| characters. The rule_array keywords for this verb are shown below:
|| Keyword Meaning
| Operation (one required)
| INFO Return information about the optional blocks in the TR-31 key block.
| DATA Return the data contained in a specified optional block in the TR-31 key block.
| Required commands
| None.
Reason code numbers narrow down the meaning of a return code. All reason code numbers are unique
and associated with a single return code. Generally, you can base your application program design on the
return codes.
Each verb supplies a return code and a reason code in the variables identified by the return_code and
reason_code parameters. See Parameters common to all verbs on page 9.
Return codes
A return code provides a general indication of the results of verb processing. A return code can have the
values shown in Table 79.
Table 79. Return code values
Hex value Decimal value Meaning
00 00 This return code indicates a normal completion of verb processing.
To provide additional information, there are also nonzero reason
codes associated with this return code.
04 04 This return code is a warning that indicates that the verb
completed processing; however, an unusual event occurred. The
event is most likely related to a problem created by the user, or it
is a normal occurrence based on the data supplied to the verb.
08 08 This return code indicates that the verb prematurely stopped
processing. Generally, the application programmer needs to
investigate the significance of the associated reason code to
determine the origin of the problem. In some cases, due to
transient conditions, retrying the verb might produce different
results.
0C 12 This return code indicates that the verb prematurely stopped
processing. Either a coprocessor is not available or a processing
error occurred. The reason is most likely related to a problem in
the set up of the hardware or in the configuration of the software.
10 16 This return code indicates that the verb prematurely stopped
processing. A processing error occurred. If these errors persist, a
repair of the coprocessor hardware or a correction to the
coprocessor software might be required.
Note: If an application receives a return code greater than 4, an error occurred. In the case of an error,
assume that any output variables other than the return code and reason code are not valid.
Reason codes
A reason code details the results of verb processing. Every reason code is associated with a single return
code. A nonzero reason code can be associated with a zero return code.
User Defined Extensions (UDX) return reason codes in the range of 20480 (X'5000') through 24575
(X'5FFF').
561
The remainder of this appendix lists the reason codes that accompany each of the return codes. The
return codes are shown in decimal form, and the reason codes are shown in decimal and in hexadecimal
(hex) form.
In general, a key that is available to an application program or held in key storage is multiply-enciphered
by some other key. When a key is enciphered by the CCA node's master key, the key is designated an
internal key and is held in an internal key-token structure. Therefore, an internal key-token or internal
trusted block is used to hold a key and its related information for use at a specific CCA node.
An external key-token or external trusted block is used to communicate a key between nodes, or to hold a
key in a form not enciphered by a CCA master key. DES keys and PKA private-keys contained in an
external key-token or external trusted block are multiply-enciphered by a transport key. In a CCA-node, a
transport key is a double-length DES key-encrypting key (KEK).
The remainder of this section describes the structures used with the IBM 4765 and IBM 4764:
v Master-key verification pattern
v Token-validation value and record-validation value on page 578
v Null key tokens on page 578
v Internal fixed-length AES key tokens on page 578 (Release 3.30 or later)
v Fixed-length DES key tokens on page 580
v External RKX DES key tokens on page 583
v PKA key tokens on page 585
v Trusted blocks on page 600
v Variable-length symmetric key-token on page 614
When an application program supplies a fixed-length AES or DES key-token, the CCA node checks the
TVV. When a CCA verb builds a fixed-length AES or DES key-token, it calculates and stores a TVV in the
key token.
The record-validation value (RVV) used in AES, DES, and PKA key-storage records is calculated in the
same manner as the AES or DES TVV, except that for PKA the last bytes added are always treated as a
4-byte integer. The RVV is the sum of each sequential 4-byte value in the record, except for the four bytes
where the RVV itself is stored.
Note: AES key tokens are not supported in releases before Release 3.30.
The (DES) Key_Import verb accepts input with offset zero valued to X'00'. In this special case, the verb
treats information starting at offset 16 as an enciphered, single-length key. In a very limited sense, this
special case can be considered a null DES key-token.
Note: Fixed-length AES key tokens are not supported in releases before Release 3.30.
Depending on the flag byte, the key token either contains an encrypted key, a clear key, or the key is
absent. An encrypted key is encrypted under an AES master key identified by a master-key verification
pattern (MKVP) in the key token. The key token contains a two-byte integer that specifies the length of the
All keys in fixed-length AES key tokens are DATA keys. If the flag byte indicates that a control vector (CV)
is present, it must be all binary zeros. An all-zero CV represents the CV value of an AES DATA key. If a
key is present without a control vector in a key token, that is accepted and the key is interpreted as an
AES DATA key.
The AES internal key-token is the structure used to hold AES keys that are either encrypted with the AES
master-key, or in cleartext format.
Table 85. Internal fixed-length AES key-token format, version X'04'
Offset (bytes) Length (bytes) Description
0 1 X'01' (a token identifier flag that indicates an internal key-token)
1 3 Implementation-dependent bytes, must be X'000000'
4 1 Token version number (X'04')
5 1 Reserved, binary zero
6 1 Flag byte; for more information, see Table 86 on page 580
7 1 LRC
Contains the master-key verification pattern of the AES master-key used to encrypt
the key contained in the token, or binary zeros if the token does not contain a key
or the key is in the clear. The MKVP is calculated as the leftmost 8 bytes of the
SHA-256 hash of the string formed by pre-pending the byte X'01' to the cleartext
master-key value.
16 32 Key value, if present. Contains either:
v A 256-bit encrypted-key value.
The clear key value is padded on the right with binary zeros, and the entire
256-bit value is encrypted under the AES master-key using AES CBC mode with
an initialization vector of binary zeros.
v A 128-bit, 192-bit, or 256-bit clear-key value left-aligned and padded on the right
with binary zeros for the entire 256-bit field.
48 8 Control vector
This value must be binary zeros for all AES key tokens that have a control vector
present.
56 2 Clear-key bit length
Integer specifying the length in bits of the clear-key value. If no key is present in a
completed token, this length is zero. In a skeleton token, this is the length of the
key to be created in the token when used as input to the Key_Generate verb.
58 2 Encrypted-key byte length
Integer specifying the length in bytes of the encrypted-key value. This value is zero
if the token does not contain a key or the key is in the clear.
60 4 The token-validation value (TVV)
1xxx xxxx Key is encrypted under the AES master-key (ignored if no key present).
xx0x xxxx Encrypted or clear key present, MKVP present if key is encrypted.
If an internal fixed-length DES key-token has a key present, it contains a key multiply-enciphered by a
DES master key. If an external fixed-length DES key-token has a key present, it contains a key
multiply-enciphered by a key-encrypting key.
2. MSB is the most significant bit; LSB is the least significant bit.
1xxx xxxx The encrypted key value and, if an internal fixed-length DES key-token, the master-key verification pattern
(version 0) or master-key version number (version 3) are present.
Note: All other bit combinations are reserved; undefined bits should be zero.
Table 92 describes the settings for flag byte 2 of fixed-length DES key tokens. Flag byte 2 was added in
Release 4.1.
Table 92. Internal and external fixed-length DES key-token flag byte 2 (Release 4.1 or later)
Bits (MSB...LSB)4 Description
000x xxxx The encrypted key is wrapped using the legacy (WRAP-ECB) method.
001x xxxx The encrypted key is wrapped using the enhanced (WRAP-ENH) method.
Notes:
1. All other bit combinations are reserved; undefined bits should be zero.
2. Before Release 4.1, this byte is reserved, and should be binary zero.
Note: Verbs other than CSNDRKX and the DES key-storage do not support RKX key tokens or RKX key
token records.
As can be seen in the table, RKX key tokens are 64 bytes in length, have a token identifier flag (X'02'), a
token version number (X'10'), and room for encrypted keys like normal fixed-length DES key tokens.
Unlike normal fixed-length DES key tokens, RKX key tokens do not have a control vector, flag bits, and a
token-validation value. In addition, RKX key tokens have a confounder value, a MAC value, and room for a
third encrypted key.
3. MSB is the most significant bit; LSB is the least significant bit.
4. MSB is the most significant bit; LSB is the least significant bit.
The trusted block rule identifier used to create this key token. A subsequent call to
Remote_Key_Export (CSNDRKX) can use this token with a trusted block rule that
references the rule ID that must have been used to create this token. The trusted
block rule can be compared with this rule ID for verification purposes.
The Rule ID is an 8-byte string of ASCII characters, left-aligned and padded on the
right with space characters. Acceptable characters are A...Z, a...z, 0...9, - (X'2D'),
and _ (X'5F'). All other characters are reserved for future use.
48 8 Reserved, binary zero
56 8 MAC value
ISO 16609 CBC-mode Triple-DES MAC, computed over the 56 bytes starting at
offset 0 and including the encrypted key value and the rule ID using the same MAC
key that is used to protect the trusted block itself.
This MAC value guarantees that the key and the rule ID cannot be modified without
detection, providing integrity and binding the rule ID to the key itself. This MAC
value must verify with the same trusted block used to create the key, thus binding
the key structure to that specific trusted block.
Notes:
v A fixed, randomly derived variant is exclusive-ORed with the MAC key before it is used to encipher the
generated or exported key and confounder.
v The MAC key is located within a trusted block (internal format) and can be recovered by decipherment
under a variant of the PKA master key.
v The trusted block is originally created in external form by the CSNDTBC verb and then converted to
internal form by the CSNDPKI verb prior to the CSNDRKX call.
As with other CCA key tokens, both internal and external forms are defined.
v An internal PKA key-token contains a private key that is protected by encrypting the private key
information using the CCA-node asymmetric master key, or by an object protection key (OPK) that is
| itself encrypted by the APKA or PKA asymmetric master key. The internal key-token also contains the
modulus and the public-key exponent. A master-key verification pattern is also included to enable
determination that the proper master key is available to process the protected private key.
Note: The format and content of an internal key-token is local to a specific node and product
implementation, and does not represent an interchange format.
v An external RSA key-token contains the modulus and the public-key exponent. Also, the external
key-token optionally contains the private key. If the private key is present, it is either in the clear or it
might be protected by encryption using a double-length DES transport key. An external key-token is an
inter-product interchange data structure.
The RSA private key can be protected by encrypting a confounder (a random number) and the private key
information exclusive of the modulus. An encrypted RSA private key in an external key-token is protected
by a double-length DES transport key and the EDE2 algorithm. See RSA private-key encryption and
decryption process on page 671. The private key and the blinding values in an internal RSA key-token are
protected by the triple-length asymmetric (PKA) master key and encryption algorithms as specified with
each private key data structure.
Note: You cannot use a Modulus-Exponent format for RSA keys with a modulus (key size) greater than
1024 bits.
Note: Keys with a modulus greater than 2048 bits are not supported in releases before Release 3.30.
Section identifier X'05' for a CRT-format key up to 1024 bits is accepted as input
v A public-key section (section identifier X'04')
A second SHA-1 hash value is located at offset 30 within the private-key section. This hash value is
computed on optional, designated key-token information following the public-key section. The value of this
SHA-1 hash is included in the computation of the hash value at offset 4. As with the offset 4 hash value,
the hash at offset 30 is validated whenever a private key is recovered from the token for productive use.
In addition to the hash checks, various token-format and content checks are performed to validate the key
values.
The optional private-key name section can be used by access-monitor systems (for example, RACF) to
ensure that the application program is entitled to employ the particular private key.
This section type is created by selected IBM Cryptographic Adapters and the IBM CCA Support
Program. Version 2 and later software uses this format for a clear or an encrypted RSA private
key in an external key token.
001 001 Section version number (X'00').
002 002 Section length in bytes (X'016C').
004 020 SHA-1 hash value of the private-key subsection cleartext, offset 28 to and including the
modulus that ends at offset 363.
024 002 Reserved, binary zero.
026 002 Master-key verification pattern in an internal key-token, else X'0000'.
028 001 Key format and security flag:
X'00' Unencrypted RSA private-key subsection identifier
X'82' Encrypted RSA private-key subsection identifier
029 001 Reserved, binary zero.
030 020 SHA-1 hash of the optional key-name section; if there is no name section, then 20 bytes of
X'00'.
| 050 001 Key-usage flag:
| B'11xx xxxx' Only key unwrapping (KM-ONLY)
| B'10xx xxxx' Both signature generation and key unwrapping (KEY-MGMT)
| B'01xx xxxx' Undefined
| B'00xx xxxx' Only signature generation (SIG-ONLY)
This section type is only created by the IBM Version 1 CCA Support Program.
001 001 Section version number (X'00').
002 002 Section length in bytes (76 + ppp + qqq + rrr + sss + ttt + uuu + xxx + nnn).
004 020 SHA-1 hash value of the private-key subsection cleartext, offset 28 to the end of the
modulus.
024 002 Length in bytes of the optionally encrypted secure subsection, or X'0000' if the subsection is
not encrypted.
026 002 Master-key verification pattern in an internal key-token, else X'0000'.
028 001 Key format and security flag:
X'40' Unencrypted RSA private-key subsection identifier, Chinese-Remainder Theorem
format
X'42' Encrypted RSA private-key subsection identifier, Chinese-Remainder Theorem
format
029 001 Reserved, binary zero.
030 020 SHA-1 hash of the optional key-name section; if there is no name section, then 20 bytes of
X'00'.
| 050 001 Key-usage flag:
| B'11xx xxxx' Only key unwrapping (KM-ONLY)
| B'10xx xxxx' Both signature generation and key unwrapping (KEY-MGMT)
| B'01xx xxxx' Undefined
| B'00xx xxxx' Only signature generation (SIG-ONLY)
Table 98. RSA private key, 1024-bit Modulus-Exponent format with OPK section (X'06')
Offset (bytes) Length (bytes) Description
000 001 Section identifier:
X'06' RSA private key, 1024-bit maximum Modulus-Exponent format (RSA-PRIV)
This section type is created by the IBM Version 2 and later CCA Support Program. This
section type provides compatibility and interchangeability with the CCF hardware in z/OS
processors.
001 001 Section version number (X'00').
002 002 Section length (X'0198').
004 020 SHA-1 hash value of the private-key subsection cleartext, offset 28 up to and including the
modulus that ends at offset 363.
024 004 Reserved, binary zero.
028 001 Key format and security flag:
X'02' Encrypted RSA private key with OPK
029 001 Private key source flag:
X'21' Imported from cleartext
X'22' Imported from ciphertext
X'23' Generated using regeneration data
X'24' Randomly generated
030 020 SHA-1 hash of all optional sections that follow the public-key section, if any, else 20 bytes
of X'00'.
| 050 001 Key-usage flag:
| B'11xx xxxx' Only key unwrapping (KM-ONLY)
| B'10xx xxxx' Both signature generation and key unwrapping (KEY-MGMT)
| B'01xx xxxx' Undefined
| B'00xx xxxx' Only signature generation (SIG-ONLY)
The asymmetric master key encrypts the OPK using the EDE3 algorithm. See Triple-DES
ciphering algorithms on page 685.
108 128 Private-key exponent, d. d = e-1mod((p-1)(q-1)), 1 < d < n, and where e is the public
exponent.
The OPK encrypts the private key exponent using the EDE5 algorithm. See Triple-DES
ciphering algorithms on page 685 and Figure 49 on page 688.
236 128 Modulus, n. n = pq, where p and q are prime and 2512 n < 21024.
364 016 Asymmetric-keys master-key verification pattern.
380 020 SHA-1 hash value of the subsection cleartext, offset 400 to the section end. This hash
value is checked after an enciphered private key is deciphered for use.
400 002 Reserved, binary zero.
| This format is used for a clear or an encrypted RSA private-key in an external key-token up
| to a modulus size of 4096 bits. This section type is not created in releases before Release
| 4.1.
| 001 001 Section version number (X'00').
| 002 002 Section length (132 + ddd + nnn + xxx).
| 004 020 SHA-1 hash value of the private-key subsection cleartext, offset 28 to the end of the
| modulus.
| 024 002 Length in bytes of the optionally encrypted secure subsection, or X'0000' if the subsection
| is not encrypted.
| 026 002 Reserved (X'0000').
| 028 001 Key format and security flags:
| External token:
| X'00' Unencrypted RSA private-key subsection identifier
| X'82' Encrypted RSA private-key subsection identifier
| 029 001 Private key source flag:
| X'00' Generation method unknown
| 030 020 SHA-1 hash of all optional sections that follow the public-key section, if any, else 20 bytes
| of X'00'.
| 050 001 Key-usage flag:
| B'11xx xxxx' Only key unwrapping (KM-ONLY)
| B'10xx xxxx' Both signature generation and key unwrapping (KEY-MGMT)
| B'01xx xxxx' Undefined
| B'00xx xxxx' Only signature generation (SIG-ONLY)
| Padding of X'00' bytes for a length of xxx bytes such that the length from the start of the
| confounder at offset 124 to the end of the padding field is a multiple of 8 bytes.
| 122 002 Reserved, binary zeros.
| Start of the (optionally) encrypted subsection; all of the fields starting with the confounder field and ending with the variable-length
| pad field are enciphered for key confidentiality when the key format and security flags (offset 28) indicate that the private key is
| enciphered.
| 124 008 Confounder.
| The transport key encrypts the private key exponent using the EDE2 algorithm. See
| Triple-DES ciphering algorithms on page 685 and Figure 49 on page 688.
| 132 + ddd xxx Pad of X'00' bytes.
| End of the optionally encrypted subsection.
| 132 + ddd + xxx nnn Private-key modulus.
|
Table 100. RSA private key, Chinese-Remainder Theorem format with OPK section (X'08')
Offset (bytes) Length (bytes) Description
000 001 Section identifier:
X'08' RSA private key, CRT format (RSA-CRT) with OPK
This section type is created by the IBM Version 2 and later CCA Support Program.
001 001 Section version number (X'00').
002 002 Section length (132+ppp+qqq+rrr+sss+uuu+xxx+nnn).
004 020 SHA-1 hash value of the private-key subsection cleartext, offset 28 to the end of the
modulus.
024 004 Reserved, binary zero.
028 001 Key format and security flag:
External token:
X'40' Unencrypted RSA private-key subsection identifier
X'42' Encrypted RSA private-key subsection identifier
Internal token:
X'08' Encrypted RSA private-key subsection identifier
029 001 Key source flag:
Internal tokens:
X'21' Imported from cleartext
X'22' Imported from ciphertext
X'23' Generated using regeneration data
X'24' Randomly generated
030 020 SHA-1 hash of all optional sections that follow the public key section, if any; else 20 bytes
of X'00'.
| 050 001 Key-usage flag:
| B'11xx xxxx' Only key unwrapping (KM-ONLY)
| B'10xx xxxx' Both signature generation and key unwrapping (KEY-MGMT)
| B'01xx xxxx' Undefined
| B'00xx xxxx' Only signature generation (SIG-ONLY)
Internal token: Object Protection Key (OPK), 8-byte confounder and three 8-byte keys used
in the Triple-DES CBC process to encrypt the private key and blinding information. These
32 bytes are Triple-DES CBC encrypted by the asymmetric master key. See TDES at
Triple-DES ciphering algorithms on page 685.
124 Start of the (optionally) encrypted subsection.
v External token:
When offset 028 is X'40', the subsection is not encrypted.
When offset 028 is X'42', the subsection is encrypted by the double-length transport
key using the Triple-DES CBC process.
v Internal token:
When offset 028 is X'08', the subsection is encrypted by the triple-length OPK using the
Triple-DES CBC process.
RSA public-key certificate section: An optional public-key certificate section can be included in an RSA
key-token. The section consists of:
v The section header (identifier X'40')
v A public-key subsection (identifier X'41')
v An optional certificate information subsection (identifier X'42') with any or all of these TLV objects:
User data (tag identifier X'50')
EID (tag identifier X'51')
Serial number (tag identifier X'52')
v One or more signature subsections (tag identifier X'45')
The section is composed of a series of subsections and tag-length-variable (TLV) objects to form a
self-defining data structure. One or more TLV objects can be included in the variable portion of a
higher-level TLV object.
The section header is described followed by descriptions of the subsections and TLV objects that can be
included in the section.
Table 107. TLV object (X'51') of private-key environment identifier of RSA public-key certificate
Offset (bytes) Length (bytes) Description
000 001 Tag identifier:
X'51' Private key EID TLV object
001 001 TLV object version number (X'00').
002 002 TLV object length (X'0014').
004 016 EID string of the CCA node that generated the public and private key. This TLV must be
provided in a skeleton key-token with usage of the PKA_Key_Generate verb. The verb fills in
the EID string prior to certifying the public key. The EID value is encoded using the ASCII
character set.
Note: See Number representation in PKA key tokens on page 587.
The signature is calculated on data that begins with the signature section identifier (X'40')
through the byte immediately preceding this signature field.
Note: More than one signature subsection can be included in a signature section. This accommodates the possibility of a
self-signature as well as a device-key signature.
Note: See Number representation in PKA key tokens on page 587.
| Translation control:
| B'xxxx xx1x' Private key translation is allowed (XLATE-OK)
| B'xxxx xx0x' Private key translation is not allowed (NO-XLATE)
| 009 001 Curve type:
| X'00' Prime
| X'01' Brainpool
| External key-token
| v For an encrypted private key, KEK verification pattern (KVP)
| v For a clear private key, binary zeros
| v For a skeleton, binary zeros
| Internal key-token
| v For encrypted private key, master-key verification pattern (MKVP)
| v For a skeleton, binary zeros
| 024 048 Object Protection Key (OPK).
| For an internal key token: OPK, integrity check value (ICV), 8-byte confounder, and a 256-bit
| AES key used with the AESKW algorithm to encrypt the ECC private key, otherwise binary
| zeros.
| Note: The OPK is encrypted by the APKA master key using AESKW.
| 072 002 Length in bytes of associated data.
| 074 002 Length in bytes of formatted section, bb.
| Associated data section
| Start of IBM
| associated data
| 076 001 Associated data section version (X'00').
Used with internal key-tokens created by the CCA Support Program, Version 1 (having
section identifiers X'02' or X'05').
001 001 Section version number (X'00').
002 002 Section length (34+rrr+iii).
004 020 SHA-1 hash value of the internal information subsection cleartext, offset 28 to the section end.
This hash value is checked after an enciphered private key is deciphered for use.
024 002 Length in bytes of the encrypted secure subsection.
026 002 Reserved, binary zero.
028 Start of the encrypted secure subsection. An internal token with section identifiers X'02' or X'05' uses the
asymmetric master key and the EDE3 algorithm. See Triple-DES ciphering algorithms on page 685.
028 002 Length of the random number r, in bytes: rrr.
030 002 Length of the random number multiplicative inverse r-1, in bytes: iii.
032 002 Length of the padding field, in bytes xxx.
034 rrr Random number r (used in blinding).
034+rrr iii Random number r-1 (used in blinding).
034+rrr+iii xxx X'00' padding of length xxx bytes such that the length from the start of the encrypted
subsection to the end of the padding field is a multiple of 8 bytes.
End of the encrypted subsection.
Note: See Number representation in PKA key tokens on page 587.
Trusted blocks
A trusted block is an extension of CCA PKA key tokens using new section identifiers. Trusted blocks are
an integral part of a remote key-loading process. For more information on their usage, see Improved
remote key distribution on page 178.
Trusted blocks contain various items, some of which are optional, and some of which can be present in
different forms. Tokens are composed of concatenated sections that, unlike CCA PKA key tokens, occur in
no prescribed order.
As with other CCA key-tokens, both internal and external forms are defined:
v An external trusted block contains a randomly generated confounder and a triple-length MAC key
enciphered under a DES IMP-PKA transport key. The MAC key is used to calculate an ISO 16609
CBC-mode Triple-DES MAC of the trusted block contents. An external trusted block is created by the
Trusted_Block_Create verb. This verb can:
1. Create an inactive external trusted block
2. Change an external trusted block from inactive to active
v An internal trusted block contains a confounder and triple-length MAC key enciphered under a variant of
the PKA master key. The MAC key is used to calculate a TDES MAC of the trusted block contents. A
PKA master-key verification pattern is also included to enable determination that the proper master key
is available to process the key. The Remote_Key_Export verb only operates on trusted blocks that are
internal. An internal trusted block must be imported from an external trusted block that is active using
the PKA_Key_Import verb.
Every trusted block starts with a token header. The first byte of the token header determines the key form:
v An external header (first byte X'1E'), created by the Trusted_Block_Create verb
v An internal header (first byte X'1F'), imported from an active external trusted block by the
PKA_Key_Import verb
Following the token header of a trusted block is an unordered set of sections. A trusted block is formed by
concatenating these sections to a trusted block header:
v An optional public-key section (trusted block section identifier X'11')
The trusted block trusted RSA public-key section includes the key itself in addition to a key-usage flag.
No multiple sections are allowed.
v An optional rule section (trusted block section identifier X'12')
A trusted block can have zero or more rule sections.
1. A trusted block with no rule sections can be used by the PKA_Key_Token_Change and
PKA_Key_Import verbs. A trusted block with no rule sections can also be used by the
Digital_Signature_Verify verb, provided there is an RSA public-key section that has its key-usage
flag bits set to allow digital signature operations.
2. At least one rule section is required when the Remote_Key_Export verb is used to:
Generate an RKX key-token
Export an RKX key-token
Export a CCA DES key-token
Encrypt the clear generated or exported key using the provided vendor certificate
3. If a trusted block has multiple rule sections, each rule section must have a unique 8-character Rule
ID.
v An optional name (key label) section (trusted block section identifier X'13')
The trusted block name section provides a 64-byte variable to identify the trusted block, just as key
labels are used to identify other CCA keys. This name, or label, enables a host access-control system
such as RACF to use the name to verify that the application has authority to use the trusted block. No
multiple sections are allowed.
v A required information section (trusted block section identifier X'14')
The trusted block information section contains control and security information related to the trusted
block. The information section is required while the others are optional. This section contains the
cryptographic information that guarantees its integrity and binds it to the local system. No multiple
sections are allowed.
v An optional application-defined data section (trusted block section identifier X'15')
An external trusted block has its MAC key enciphered under an IMP-PKA key-encrypting key. An internal
trusted block has its MAC key enciphered under a variant of the PKA master key, and the master-key
verification pattern is stored in the information section.
Following the header, in no particular order, are trusted block sections. There are five different sections
defined, each identified by a one-byte section identifier (X'11' - X'15'). Two of the five sections have
subsections defined. A subsection is a tag-length-value (TLV) object, identified by a two-byte subsection
tag.
Only sections X'12' and X'14' have subsections defined; the other sections do not. A section and its
subsections, if any, are one contiguous unit of data. The subsections are concatenated to the related
section, but are otherwise in no particular order. Section X'12' has five subsections defined (X'0001' -
X'0005'), and section X'14' has two (X'0001' and X'0002'). Of all the subsections, only subsection X'0001'
of section X'14' is required. Section X'14' is also required.
The trusted block sections and subsections are described in detail in the following sections.
Trusted block section X'11' contains the trusted RSA public key in addition to a key-usage flag indicating
whether the public key is usable in key-management operations, digital signature operations, or both.
Section X'11' is optional. No multiple sections are allowed. It has no subsections defined.
Trusted block section X'12' contains information that defines a rule. A trusted block can have zero or more
rule sections.
1. A trusted block with no rule sections can be used by the PKA_Key_Token_Change and
PKA_Key_Import verbs. A trusted block with no rule sections can be used by the
Digital_Signature_Verify verb, provided there is an RSA public-key section that has its key-usage flag
set to allow digital signature operations.
2. At least one rule section is required when the Remote_Key_Export verb is used to:
v Generate an RKX key-token
v Export an RKX key-token
v Export a CCA DES key-token
v Generate or export a key encrypted by a public key. The public key is contained in a vendor
certificate and is the root certification key for the ATM vendor. It is used to verify the digital signature
on public-key certificates for specific individual ATMs.
3. If a trusted block has multiple rule sections, each rule section must have a unique 8-character Rule ID.
Note: The overall length of the trusted block cannot exceed its maximum size of 3500 bytes.
An 8-byte character string that uniquely identifies the rule within the trusted block.
Valid ASCII characters are: A...Z, a...z, 0...9, - (hyphen), and _ (underscore), left-aligned and
padded on the right with space characters.
012 004 Flags (undefined flag bits are reserved and must be zero).
B'00000000' Generate new key
B'00000001' Export existing key
016 001 Generated key length.
Length in bytes of key to be generated when flags value (offset 012) is set to generate a
new key; otherwise ignore this value. Valid values are 8, 16, or 24; return an error if not
valid.
017 001 Key-check algorithm identifier (all others are reserved and must not be used):
Value Meaning
X'00' Do not compute key-check value. Set the key_check_value_length variable to
zero.
X'01' Encrypt an 8-byte block of binary zeros with the key. See Encrypt zeros DES-key
verification algorithm on page 679.
X'02' Compute the MDC-2 hash of the key. See Modification Detection Code
calculation on page 679.
018 001 Symmetric encrypted output key format flag (all other values are reserved and must not be
used).
Section X'12' has five rule subsections (tag-length-value objects) defined. These subsections are
summarized in the following table:
Table 118. Summary of trusted block rule subsection
Rule
subsection
tag TLV object Optional or required Comments
X'0001' Transport key Optional Contains variant to be exclusive-ORed into the cleartext transport
variant key.
X'0002' Transport key Optional; required to use Contains the rule ID for the rule that must have been used to create
rule reference an RKX key-token as a the transport key.
transport key
X'0003' Common Optional for key Contains the export key and source key minimum and maximum
export key generation; required for lengths, an output key variant length and variant, a CV length, and a
parameters key export of an existing CV to be exclusive-ORed with the cleartext transport key to control
key usage of the key.
X'0004' Source key Optional; required if the Contains the rule ID for the rule used to create the source key.
reference source key is an RKX Note: Include all rules that will ever be needed when a trusted block
key-token is created. A rule cannot be added to a trusted block after it has been
created.
X'0005' Export key Optional; used for export Contains mask length, mask, and CV template to limit the usage of
CCA token of CCA DES key tokens the exported key. Also contains the template length and template that
parameters only defines which source key labels are allowed.
Subsection X'0001' of the trusted block rule section (X'12') is the transport key variant TLV object. This
subsection is optional. It contains a variant to be exclusive-ORed into the cleartext transport key.
This length must be greater than or equal to the length of the transport key that is identified by
the transport_key_identifier parameter. If the variant is longer than the key, truncate it on the
right to the length of the key prior to use.
008 nnn Transport key variant.
Exclusive-OR this variant into the cleartext transport key, provided: (1) the length of the variant
field value (offset 007) is not zero, and (2) the symmetric encrypted output key format flag
(offset 018 in section X'12') is X'01'.
Note: A transport key is not used when the symmetric encrypted output key is in RKX
key-token format.
Note: See Number representation in trusted blocks on page 602.
Subsection X'0002' of the trusted block rule section (X'12') is the transport key rule reference TLV object.
This subsection is optional. It contains the rule ID for the rule that must have been used to create the
transport key. This subsection must be present to use an RKX key-token as a transport key.
Contains the rule identifier for the rule that must have been used to create the RKX key-token
used as the transport key.
The Rule ID is an 8-byte string of ASCII characters, left-aligned and padded on the right with
space characters. Acceptable characters are A...Z, a...z, 0...9, - (X'2D'), and _ (X'5F'). All other
characters are reserved for future use.
Note: See Number representation in trusted blocks on page 602.
Subsection X'0003' of the trusted block rule section X'12') is the common export key parameters TLV
object. This subsection is optional, but is required for the key export of an existing source key (identified
by the source_key_identifier parameter) in either RKX key-token format or CCA DES key-token format. For
new key generation, this subsection applies the output key variant to the cleartext generated key, if such
an option is desired. It contains the input source key and output export key minimum and maximum
lengths, an output key variant length and variant, a CV length, and a CV to be exclusive-ORed with the
cleartext transport key.
Also applies to the source key. Not applicable for key generation.
009 001 Export key maximum length in bytes (yyy). Length must be 0, 8, 16, or 24.
Also applies to the source key. Not applicable for key generation.
Valid values are 0 or 8 - 255. If greater than 0, the length must be at least as long as the
longest key ever to be exported using this rule. If the variant is longer than the key, truncate it
on the right to the length of the key prior to use.
Note: The output key variant (offset 011) is not used if this length is zero.
011 xxx Output key variant.
The variant can be any value. Exclusive-OR this variant into the cleartext value of the output
key.
011+xxx 001 CV length in bytes (yyy).
v If the length is not 0, 8, or 16, return an error.
v If the length is 0, and if the source key is a CCA DES key-token, preserve the CV in the
symmetric encrypted output if the output is to be in the form of a CCA DES key-token.
v If a nonzero length is less than the length of the key identified by the source_key_identifier
parameter, return an error.
v If the length is 16, and if the CV (offset 012 + xxx) is valued to 16 bytes of X'00' (ignoring
the key-part bit), then:
1. Ignore all CV bit definitions
2. If CCA DES key-token format, set the flag byte of the symmetric encrypted output key to
indicate a CV value is present (see Fixed-length DES key-token flag bytes (internal and
external) on page 583)
3. If the source key is 8 bytes in length, do not replicate the key to 16 bytes
012+xxx yyy CV. (See Appendix C, CCA control-vector definitions and key encryption, on page 655.)
Place this CV into the output exported key-token, provided that the symmetric encrypted
output key format selected (offset 018 in rule section) is CCA DES key-token.
v If the symmetric encrypted output key format flag (offset 018 in section X'12') indicates
return an RKX key-token (X'00'), then ignore this CV. Otherwise, exclusive-OR this CV into
the cleartext transport key.
v Exclusive-OR the CV of the source key into the cleartext transport key if the CV length
(offset 011 + xxx) is set to 0. If a transport key to encrypt a source key has equal left and
right key halves, return an error. Replicate the key halves of the key identified by the
source_key_identifier parameter whenever all of these conditions are met:
1. The Replicate Key command (offset X'00DB') is enabled in the active role
2. The CV length (offset 011 + xxx) is 16, and both CV halves are nonzero
3. The source_key_identifier parameter (contained in either a CCA DES key-token or RKX
key-token) identifies an 8-byte key
4. The key-form bits (40 - 42) of this CV do not indicate a single-length key (are not set to
zero)
5. Key-form bit 40 of this CV does not indicate the key is to have guaranteed unique
halves (is not set to B'1'; see Key-form bits, 'fff' and 'FFF' on page 660).
Note: A transport key is not used when the symmetric encrypted output key is in RKX
key-token format.
Note: See Number representation in trusted blocks on page 602.
Subsection X'0004' of the trusted block rule section (X'12') is the source key rule reference TLV object.
This subsection is optional, but is required if using an RKX key-token as a source key (identified by
source_key_identifier parameter). It contains the rule ID for the rule used to create the export key. If this
subsection is not present, an RKX key-token format source key will not be accepted for use.
Rule identifier for the rule that must have been used to create the source key.
The Rule ID is an 8-byte string of ASCII characters, left-aligned and padded on the right with
space characters. Acceptable characters are A...Z, a...z, 0...9, - (X'2D'), and _ (X'5F'). All other
characters are reserved for future use.
Note: See Number representation in trusted blocks on page 602.
Subsection X'0005' of the trusted block rule section (X'12') is the export key CCA token parameters TLV
object. This subsection is optional. It contains a mask length, mask, and template for the export key CV
limit. It also contains the template length and template for the source key label. When using a CCA DES
key-token as a source key input parameter, its key type can be "filtered" by using the export key CV limit
mask (offset 005) and limit template (offset 005+yyy) in this subsection.
Do not use CV limits if this CV limit mask length (yyy ) is zero. Use CV limits if yyy is
nonzero, in which case yyy:
v Must be 8 or 16
v Must not be less than the export key minimum length (offset 008 in subsection X'0003')
v Must be equal in length to the actual source key length of the key
Example: An export key minimum length of 16 and an export key CV limit mask length of 8
returns an error.
009 yyy Export key CV limit mask (does not exist if yyy=0).
Indicates which CV bits to check against the source key CV limit template (offset 009+yyy).
Examples: A mask of X'FF' means check all bits in a byte. A mask of X'FE' ignores the
parity bit in a byte.
Specifies the required values for those CV bits that are checked based on the export key
CV limit mask (offset 009). (See Figure 37 on page 658.)
The export key CV limit mask and template have the same length, yyy. This is because
these two variables work together to restrict the acceptable CVs for CCA DES key tokens to
be exported. The checks work as follows:
1. If the length of the key to be exported is less than yyy, return an error
2. Logical AND the CV for the key to be exported with the export key CV limit mask
3. Compare the result to the export key CV limit template
4. Return an error if the comparison is not equal
Examples: An export key CV limit mask of X'FF' for CV byte 1 (key type) along with an
export key CV limit template of X'3F' (key type CVARENC) for byte 1 filters out all key types
except CVARENC keys.
Note: Using the mask and template to permit multiple key types is possible, but cannot
consistently be achieved with one rule section. For example, setting bit 10 to 1 in the mask
and the template permits PIN processing keys and cryptographic variable encrypting keys,
and only those keys. However, a mask to permit PIN-processing keys and key-encrypting
keys, and only those keys, is not possible. In this case, multiple rule sections are required,
one to permit PIN-processing keys and the other to permit key-encrypting keys.
009+yyy+yyy 001 Source key label template length in bytes (zzz).
Valid values are 0 and 64. Return an error if the length is 64 and a source key label is not
provided.
010+yyy+yyy zzz Source key label template (does not exist if zzz = 0).
If a key label is identified by the source_key_identifier parameter, verify that the key label
name matches this template. If the comparison fails, return an error. The source key label
template must conform to the following rules:
v The key label template must be 64 bytes in length
v The first character cannot be in the range X'00' - X'1F', nor can it be X'FF'
v The first character cannot be numeric (X'30' - X'39')
v A key label name is terminated by a space character (X'20') on the right and must be
padded on the right with space characters
v The only special characters permitted are #, $, @, and * (X'23', X'24', X'40', and X'2A')
v The wildcard X'2A' (*) is only permitted as the first character, the last character, or the
only character in the template
v Only alphanumeric characters (a...z, A...Z, 0...9), the four special characters (X'23', X'24',
X'40', and X'2A'), and the space character (X'20') are allowed
Note: See Number representation in trusted blocks on page 602.
Trusted block section X'13' contains the name (key label). The trusted block name section provides a
64-byte variable to identify the trusted block, just as key labels are used to identify other CCA keys. This
name, or label, enables a host access-control system such as RACF to use the name to verify that the
application has authority to use the trusted block.
Section X'13' is optional. No multiple sections are allowed. It has no subsections defined. This section is
defined in the following table:
Table 124. Trusted block key label (name) section (X'13')
Offset (bytes) Length (bytes) Description
000 001 Section identifier:
X'13' Trusted block name (key label)
001 001 Section version number (X'00').
Trusted block section X'14' contains control and security information related to the trusted block. This
information section is separate from the public key and other sections because this section is required
while the others are optional. This section contains the cryptographic information that guarantees its
integrity and binds it to the local system.
Section X'14' is required. No multiple sections are allowed. Two subsections are defined. This section is
defined in the following table:
Table 125. Trusted block information section (X'14')
Offset (bytes) Length (bytes) Description
000 001 Section identifier:
X'14' Trusted block information
001 001 Section version number (X'00').
002 002 Section length in bytes (10+xxx).
004 002 Reserved, binary zero.
006 004 Flags:
B'00000000' Trusted block is in the inactive state
B'00000001' Trusted block is in the active state
010 xxx Information section subsections (tag-length-value objects).
Section X'14' has two information subsections (tag-length-value objects) defined. These subsections are
summarized in the following table:
Table 126. Summary of trusted block information subsections
Rule Optional or
subsection tag TLV object required Comments
X'0001' Protection Required Contains the encrypted 8-byte confounder and triple-length (24-byte) MAC
information key, the ISO 16609 CBC-mode Triple-DES MAC value, and the MKVP of the
PKA master key (computed using MDC4).
X'0002' Activation and Optional Contains flags indicating whether or not the coprocessor is to validate dates,
expiration dates and contains the activation and expiration dates that are considered valid for
the trusted block.
Note: See Number representation in trusted blocks on page 602.
Subsection X'0001' of the trusted block information section (X'14') is the protection information TLV object.
This subsection is required. It contains the encrypted 8-byte confounder and triple-length (24-byte) MAC
key, the ISO 16609 CBC-mode Triple-DES MAC value, and the MKVP of the PKA master key (computed
using MDC4).
Contains the encrypted 8-byte confounder and triple-length (24-byte) MAC key in the following
format:
Offset Description
00 - 07 Confounder
08 - 15 Left key
16 - 23 Middle key
24 - 31 Right key
038 008 MAC.
Contains the PKA master-key verification pattern, computed using MDC4, when the trusted
block is in internal form, otherwise contains binary zero.
Note: See Number representation in trusted blocks on page 602.
Subsection X'0002' of the trusted block information section (X'14') is the activation and expiration dates
TLV object. This subsection is optional. It contains flags indicating whether or not the coprocessor is to
validate dates, and contains the activation and expiration dates that are considered valid for the trusted
block.
Contains the first date that the trusted block can be used for generating or exporting keys.
Format of the date is YYMD, where:
YY Big-endian year (return an error if greater than 9999)
M Month (return an error if any value other than X'01' - X'0C')
D Day of month (return an error if any value other than X'01' - X'1F'; day must be valid
for given month and year, including leap years)
Return an error if the activation date is after the expiration date or is not valid.
012 004 Expiration date.
Contains the last date that the trusted block can be used. Same format as activation date
(offset 008). Return an error if date is not valid.
Note: See Number representation in trusted blocks on page 602.
Trusted block section X'15' contains application-defined data. The trusted block application-defined data
section can be used to include application-defined data in the trusted block. The purpose of the data in
this section is defined by the application; it is neither examined nor used by CCA in any way.
Section X'15' is optional. No multiple sections are allowed. It has no subsections defined. This section is
defined in the following table:
Table 129. Trusted block application-defined data section (X'15')
Offset (bytes) Length (bytes) Description
000 001 Section identifier:
X'15' Application-defined data
001 001 Section version number (X'00').
002 002 Section length (6+xxx)
004 002 Application data length
The value of xxx can be between 0 - N, where N does not cause the overall length of the
trusted block to exceed its maximum size of 3500 bytes.
006 xxx Application-defined data
Might be used to hold a public-key certificate for the trusted public key.
Note: See Number representation in trusted blocks on page 602.
| Table 131 on page 617 shows the format of the CIPHER variable-length symmetric key-token that,
| beginning with Release 4.2, can be used with the AES algorithm. An AES CIPHER key-token is used by
| the Symmetric_Algorithm_Decipher (CSNBSAD) and Symmetric_Algorithm_Encipher (CSNBSAE) verbs to
| decipher or encipher data with the AES algorithm.
| Table 132 on page 620 shows the format of the MAC variable-length symmetric key-token that, beginning
| with Release 4.1, can be used with the HMAC algorithm. An HMAC MAC key-token is used by the
| HMAC_Generate (CSNBHMG) and HMAC_Verify (CSNBHMV) verbs to generate or verify keyed hash
| message authentication codes.
| Table 133 on page 623 shows the format of the EXPORTER and IMPORTER variable-length symmetric
| key tokens that can be used with the AES algorithm. An EXPORTER operational key-token is used by the
| Symmetric_Key_Export (CSNDSYX) verb to export an internal AES or HMAC variable-length symmetric
| key-token into an external variable-length symmetric key-token, either into an AESKW or PKOAEP2
| wrapped payload. An IMPORTER operational key-token is used by the Symmetric_Key_Import2
| (CSNDSYI2) verb to import an external AES or HMAC variable-length symmetric key-token, containing
| either an AESKW or PKOAEP2 wrapped payload, into an internal variable-length symmetric key-token.
The general format of the token version number X'05' key token is shown in Table 130.
Table 130. Variable-length symmetric key-token, version X'05' general format (Release 4.1 or later)
Length
Offset (bytes) (bytes) Description
Header
000 01 Token identifier:
X'00' Null key-token
X'01' Internal key-token
X'02' External key-token
| Value is left-aligned in the field and padded on the right with binary zeros.
| Note: For key-wrapping method X'03' (PKOAEP2), this value is filled with binary
| zeros.
026 01 Encrypted section key-wrapping method:
X'00' Clear key
X'01' CBC enhanced (not used in this token)
| X'02' AESKW (internal tokens and external keys with AES KEK)
| X'03' PKOAEP2 (for external tokens only)
| Table 131 shows the format of the CIPHER variable-length symmetric key-token that, beginning with
| Release 4.2, can be used with the AES algorithm. An AES CIPHER key-token is used by the
| Symmetric_Algorithm_Decipher (CSNBSAD) and Symmetric_Algorithm_Encipher (CSNBSAE) verbs to
| decipher or encipher data with the AES algorithm.
| Table 131. Variable-length symmetric key-token, key type CIPHER (Release 4.2 or later)
| Length
| Offset (bytes) (bytes) Description
| Header
| 000 01 Token identifier:
| X'01' Internal key-token
| X'02' External key-token
| Value is left-aligned in the field and padded on the right with binary zeros.
| Note: For key-wrapping method X'03' (PKOAEP2), this value is filled with binary
| zeros.
| 026 01 Encrypted section key-wrapping method:
| X'02' AESKW (internal tokens and external keys with AES KEK)
| X'03' PKOAEP2 (for external tokens only)
| High-order byte:
| B'1xxx xxxx' Key can be used for encryption.
| B'0xxx xxxx' Key cannot be used for encryption.
| B'x1xx xxxx' Key can be used for decryption.
| B'x0xx xxxx' Key cannot be used for decryption.
| High-order byte:
| X'00' Key can be used for Cipher Block Chaining (CBC).
| X'01' Key can be used for Electronic Code Book (ECB).
| X'02' Key can be used for Cipher Feedback (CFB).
| X'03' Key can be used for Output Feedback (OFB).
| X'04' Key can be used for Galois/Counter Mode (GCM).
| X'05' Key can be used for Xor-Encrypt-Xor-based Tweaked Stealing (XTS).
| Low-order byte:
| B'xxxx xxxx' Reserved
Value is left-aligned in the field and padded on the right with binary zeros.
Note: For key-wrapping method X'03' (PKOAEP2), this value is filled with binary
zeros.
026 01 Encrypted section key-wrapping method:
X'00' Clear key
X'02' AESKW
X'03' PKOAEP2
027 01 Hash algorithm used for wrapping.
| 24 + kl + iead + uad
034 01 Length in bytes of the key label: kl (0 or 64).
035 01 Length in bytes of the IBM extended associated data: iead (0).
036 01 Length in bytes of the user-definable associated data: uad (0 - 255).
037 01 Reserved, binary zero.
038 02 Length in bits of the payload: pl.
Valid values are 0 when no key is present, 80 - 2048 when key is clear, and 464 -
2432 when key is encrypted.
040 01 Reserved, binary zero.
041 01 Type of algorithm for which the key can be used.
X'03' HMAC
042 02 Key type:
X'0002' MAC
044 01 Key-usage fields count: kuf (2).
045 02 Key-usage field 1.
High-order byte:
B'1xxx xxxx' Key can be used for generate.
B'0xxx xxxx' Key cannot be used for generate.
B'x1xx xxxx' Key can be used for verify.
B'x0xx xxxx' Key cannot be used for verify.
High-order byte:
B'1xxx xxxx' SHA-1 hash method is allowed for the key.
B'0xxx xxxx' SHA-1 hash method is not allowed for the key.
B'x1xx xxxx' SHA-224 hash method is allowed for the key.
B'x0xx xxxx' SHA-224 hash method is not allowed for the key.
B'xx1x xxxx' SHA-256 hash method is allowed for the key.
B'xx0x xxxx' SHA-256 hash method is not allowed for the key.
B'xxx1 xxxx' SHA-384 hash method is allowed for the key.
B'xxx0 xxxx' SHA-384 hash method is not allowed for the key.
B'xxxx 1xxx' SHA-512 hash method is allowed for the key.
B'xxxx 0xxx' SHA-512 hash method is not allowed for the key.
| Low-order byte:
| xxxx xxxx Reserved
Table 133 on page 623 shows the format of the EXPORTER and IMPORTER variable-length symmetric
key tokens that can be used with the AES algorithm. An EXPORTER operational key-token is used by the
Symmetric_Key_Export (CSNDSYX) verb to export an internal AES or HMAC variable-length symmetric
key-token into an external variable-length symmetric key-token, either into an AESKW or PKOAEP2
wrapped payload. An IMPORTER operational key-token is used by the Symmetric_Key_Import2
(CSNDSYI2) verb to import an external AES or HMAC variable-length symmetric key-token, containing
either an AESWK or PKOAEP2 wrapped payload, into an internal variable-length symmetric key-token.
| Value is left-aligned in the field and padded on the right with binary zeros.
| Note: For key-wrapping method X'03' (PKOAEP2), this value is filled with binary
| zeros.
| 026 01 Encrypted section key-wrapping method:
| X'02' AESKW (internal tokens and external keys with AES KEK)
| X'03' PKOAEP2 (for external tokens only)
| High-order byte:
| B'xxxx xxxx' Reserved
| Low-order byte:
| B'xxxx xxxx' Reserved
| High-order byte:
| B'1xxx xxxx' Key can wrap DES keys.
| B'0xxx xxxx' Key cannot wrap DES keys.
| B'x1xx xxxx' Key can wrap AES keys.
| B'x0xx xxxx' Key cannot wrap AES keys.
| B'xx1x xxxx' Key can wrap HMAC keys.
| B'xx0x xxxx' Key cannot wrap HMAC keys.
| B'xxx1 xxxx' Key can wrap RSA keys.
| B'xxx0 xxxx' Key cannot wrap RSA keys.
| B'xxxx 1xxx' Key can wrap ECC keys.
| B'xxxx 0xxx' Key cannot wrap ECC keys.
| Low-order byte:
| B'xxxx xxxx' Reserved
| High-order byte:
| B'1xxx xxxx' Key can wrap DATA class keys.
| B'0xxx xxxx' Key cannot wrap DATA class keys.
| B'x1xx xxxx' Key can wrap KEK class keys.
| B'x0xx xxxx' Key cannot wrap KEK class keys.
| B'xx1x xxxx' Key can wrap PIN class keys.
| B'xx0x xxxx' Key cannot wrap PIN class keys.
| B'xxx1 xxxx' Key can wrap DERIVATION class keys.
| B'xxx0 xxxx' Key cannot wrap DERIVATION class keys.
| B'xxxx 1xxx' Key can wrap CARD class keys.
| B'xxxx 0xxx' Key cannot wrap CARD class keys.
| Low-order byte:
| B'xxxx xxxx' Reserved
| High-order byte:
| B'1xxx xxxx' Allow export using symmetric key.
| B'0xxx xxxx' Prohibit export using symmetric key.
| B'x1xx xxxx' Allow export using unauthenticated asymmetric key.
| B'x0xx xxxx' Prohibit export using unauthenticated asymmetric key.
| B'xx1x xxxx' Allow export using authenticated asymmetric key.
| B'xx0x xxxx' Prohibit export using authenticated asymmetric key.
| High-order byte:
| B'11xx xxxx' Key is incomplete. Key requires at least 2 more parts.
| B'10xx xxxx' Key is incomplete. Key requires at least 1 more part.
| B'01xx xxxx' Key is incomplete. Key can be completed or have more parts added.
| B'00xx xxxx' Key is complete. No more parts can be added.
| Pedigree indicates how key was originally created and how it got into the current system.
| If a TR-31 key block contains an optional block as defined by Table 138, the data contains a copy of the
| 8-byte or 16-byte DES control vector that was in the CCA key-token of the key being exported. The copied
| control vector is in hex-ASCII format.
| The control vector is only copied from the CCA key-token when the user of the Key_Export_to_TR31 verb
| specifies a control vector transport control keyword (INCL-CV or ATTR-CV):
| 1. If the optional block contains a control vector as the result of specifying the INCL-CV keyword during
| export, the key usage and mode of use fields indicate the key attributes, and these attributes are
| verified during export to be compatible with the ones in the included control vector.
| 2. If the optional block contains a control vector as the result of specifying the ATTR-CV keyword during
| export, the key usage field (byte number 5 - 6 of the TR-31 key block) is set to the proprietary value
| "10" (X'3130'), and the mode of use field (byte number 8) is set to the proprietary value "1" (X'31').
| These proprietary values indicate that the key attributes are specified in the included control vector.
| See Chapter 9, TR-31 symmetric-key management, on page 499 for additional information on how CCA
| uses an IBM-defined optional block in a TR-31 key block.
| Table 138. IBM optional block data in a TR-31 key block
| Offset Length
| (bytes) (bytes) Description
| 00 02 Proprietary ID of TR-31 optional block (alphanumeric-ASCII):
| X'3130' IBM proprietary optional block (ASCII string "10")
| 02 02 Length of optional block (hex-ASCII):
The whole KEYDATA field should be encrypted with Triple-DES in ECB mode. There is no chaining
between the two KEYDATA fields.
The whole KEYDATA field should be encrypted with Triple-DES in ECB mode. There is no chaining
between the two KEYDATA fields.
The whole KEYDATA field should be encrypted with Triple-DES in ECB mode. There is no chaining
between the two KEYDATA fields.
Note: According to the EMV Card Personalization Specification, only ECB is used to encrypt the RSA
Private Key components.
For platforms other than IBM i, the first two records in key storage contain key-storage control information
that includes the key verification information for the master key that is used to multiply-encipher the keys
that are held in key storage.
v Table 148 on page 634 shows the format of the first record in the file header of the key-storage file. This
record contains the default master-key verification pattern, and part of the file description.
v Table 149 on page 635 shows the format of the second record in the file header of the key-storage file.
This record contains the rest of the file description for key storage.
For platforms other than IBM i, Table 150 on page 636 shows the format of the AES, DES, and PKA
records that contain key tokens. For the IBM i platform, the AES, DES, and PKA key tokens are held in
distinct record formats.
v Table 151 on page 636 shows the format of the records in IBM i DES key-storage that contain key
tokens.
v Table 152 on page 636 shows the format of the records in IBM i AES and PKA key-storage that contain
key tokens.
Table 152. AES and PKA key-record format, IBM i key storage
Offset (bytes) Length (bytes) Description
000 64 The key label without separators.
064 24 Reserved.
088 04 The date and time of when this record was created.
092 04 The date and time of when this record was last updated.
096 04 The record validation value.
100 02 The key token length.
102 ?? The PKA key token.
KYRLTnnn.LST
where nnn is the numeric portion of the name and nnn starts at 001 and increments to 999 and then
wraps back to 001. Locate the dataset using the fully-qualified dataset name returned by the verb.
Each list dataset has a header record, followed by zero to n detail records, where n is the number of key
records with matching key labels.
Table 153. Key-record-list dataset format (other than IBM i)
Offset (bytes) Length (bytes) Description
Header record (part 1)
000 24 This field contains the installation-configured listing header. The default values are:
v For the AES key-store, AES KEY-RECORD-LIST
v For the DES key-store, DES KEY-RECORD-LIST
v For the PKA key-store, PKA KEY-RECORD-LIST
024 02 This field contains spaces for separation.
026 19 This field contains the date and the time when the list was generated. The format is
yyyy-mm-dd hh:tt:ss, where:
yyyy Year
mm Month
dd Day
hh Hour
tt Minute
ss Second
Unless otherwise noted, all 2-byte and 4-byte integers are in big-endian format; the high-order byte of the
value is in the lowest-numbered address in memory.
Role structures
This section describes the data structures of a role, which control what permitted operations a user can
perform, and when those operations can be performed.
Bytes Field
2 Role structure version (X01, X00)
2 Role structure length (bytes)
20 Comment
2 Checksum
2 Reserved
8 Role ID
2 Required authentication strength
2 Lower time limit
2 Upper time limit
1 Valid DOW
1 Reserved
variable Permitted operations
Note: The checksum value is not used in the current role structure. It can be verified by the IBM 4764
Cryptographic Coprocessor with a future version of the role structure.
The permitted operations are defined by the Access-Control-Point list, described in Access-control-point
list on page 640.
The lower time limit and upper time limit fields are 2-byte structures with each byte containing a binary
value. The first byte contains the hour (0-23) and the second byte contains the minute (0-59). For
example, 8:45 AM is represented by X'08' in the first byte, and X'2D' in the second.
If the lower time limit and upper time limit are identical, the role is valid for use at any time of the day.
The valid days-of-the-week are represented in a single byte with each bit representing a single day. Set
the appropriate bit to B'1' to validate a specific day. The first, or most significant bit (MSB) represents
Sunday, the second bit represents Monday, and so on. The last or least significant bit (LSB) is reserved
and must be set to zero.
The header defines the number of roles that follow in the rest of the structure. Its layout is shown in
Figure 25 on page 640, with three concatenated role structures shown for illustration.
Access-control-point list
The user's permissions (permitted operations) are attached to each role in the form of an
Access-Control-Point list. This list is a map of bits, with one bit for each primitive function that can be
independently controlled. If a bit is True (1), the user has the authority to use the corresponding function, if
all other access conditions are also satisfied. If the bit is False (0), the user is not permitted to make use
of the function that bit represents.
Each access-control-point identifier (offset) is a two-byte integer (X'0000' - X'FFFF'). This allows
addressability of 2 (64K) bits. Only a small fraction of these addressable bits are used, so storing the
entire 64K bit (8K byte) table in each role would waste memory space. Instead, the table is stored as a
sparse matrix, where only the necessary bits are included.
To accomplish this, each bit map is stored as a series of one or more bit-map segments, where each can
hold a variable number of bits. Each segment must start with a bit that is the high-order bit in a byte, and
each must end with a bit that is the low order bit in a byte. This restriction results in segments that have
no partial bytes at the beginning or end. Any bits that do not represent defined access-control points must
be set to zero, indicating that the corresponding function is not permitted.
The bitmap portion of each segment is preceded by a header, providing information about the segment.
The header contains the following fields:
Starting bit number
The index of the first bit contained in the segment. The index of the first access-control point in the
table is zero (X'0000').
Ending bit number
The index of the last bit contained in the segment.
Number of bytes in segment
The number of bytes of bit-map data contained in this segment.
The access-control points that are enabled in the default role are shown in Table 154.
Table 154. Commands permitted in default role
Access-control-point Command name
X'0107' One-Way Hash, SHA-1
X'0110' Set Clock
X'0111' Reinitialize Device
X'0112' Initialize Access-Control System
X'0113' Change User Profile Expiration Date
X'0114' Change User Profile Authentication Data
X'0115' Reset User Profile Logon-Attempt-Failure Count
X'0116' Read Public Access-Control Information
X'0117' Delete User Profile
Profile structures
This section describes the data structures related to access-control profiles. Each profile defines a unique
8-character user ID, padded on the right with space characters. Use the Logon_Control verb to log on to
the coprocessor using the profile identified by the specified user ID. Once logged on, the user has the
authority to use commands as defined by the role ID identified by the user profile.
Bytes Field
2 Profile structure version (X01, X00)
2 Profile length
20 Comment
2 Checksum
1 Logon failure count
1 Reserved
8 User ID
8 Role ID
4 Activation date (see format below)
4 Expiration date (see format below)
variable Authentication data
Bytes Field
2 Year (big-endian format)
1 Month (1-12)
1 Day (1-31)
The checksum is defined as the exclusive-OR of each byte in the profile structure. The high-order byte of
the checksum field is set to zero (X'00'), and the exclusive-OR result is put in the low-order byte.
Note: The checksum value is not used in the current profile structure.
The header defines the number of profiles that follow in the rest of the structure. Its layout is shown in
Figure 29, with three concatenated profile structures shown for illustration.
Bytes Field
4 Number of profiles in aggregate structure
4 Reserved
variable First profile
variable Second profile
variable Third profile
There are two versions of the authentication data structure, corresponding to profiles versions 1.0 and 1.1.
The only difference is in the meaning of the length field, as described below.
General structure of authentication data: The authentication data field is a series of one or more
authentication data structures, each containing the data and parameters for a single authentication
method. The field begins with a header, which contains two data elements.
Length
A 2-byte integer value defining how many bytes of authentication information are in the structure.
For profile structure version 1.0, the length includes all bytes after the length field itself. For profile
structure version 1.1, the length includes all bytes after the header, where the header includes
both the Length field and the Field type-identifier field.
Field type-identifier
A 2-byte integer value which identifies the type of data following the header. The identifier must be
set to the integer value X'0001', which indicates that the data is of type authentication data.
The header is followed by individual sets of authentication data, each containing the data for one
authentication mechanism. This layout is shown pictorially in Figure 30 on page 644.
The content of the individual authentication data structures is shown in Table 155.
Table 155. Authentication data for each authentication mechanism
Field name Length Description
(bytes)
Length 2 The size of this set of authentication mechanism data, in bytes. The length field
includes all bytes of mechanism data following the length field itself.
The 2-byte exp_year is in big-endian format. The high-order byte is at the lower
numbered address.
Mechanism 4 This field contains flags and attributes needed to fully describe the operation and
attributes use of the authentication mechanism. One flag is defined for all methods:
Renewable
A Boolean value that indicates whether the user is permitted to renew the
authentication data. If this value is true (1), the user can renew the data by
authenticating, and then providing new authentication data. For example, to
replace a passphrase, the user first logs on using his or her passphrase. Then,
the passphrase would be changed by providing the new passphrase
authentication data using the Access_Control_Initialization verb with the
CHG-AD rule-array keyword. The format of the passphrase authentication data
is described immediately below under mechanism data.
The renewable bit is the most-significant bit (MSB) in the 4-byte attributes field. The
other 31 bits are unused, and must be set to B'0'.
Mechanism variable This field contains the data needed to perform the authentication. The size, content,
data and complexity of this data varies according to the authentication mechanism. For
example, the content might be as simple as a password that is compared to one
entered by the user, or it might be as complex as a set of sophisticated biometric
reference data, or a public key certificate.
Authentication data for passphrase authentication: For passphrase authentication, the mechanism
data field contains the 20-byte SHA-1 hash value of the user's passphrase. The hash value is computed in
the host, where it is used to construct the profile that is downloaded to the coprocessor.
00 20 00 01 00 ff 07 db 06 01 80 00 00 00 fb f5 . ..............
c4 84 75 5f ba 59 6b ca 4a 9d ca 08 fb 52 9e e2 ..u_.Yk.J....R..
45 41 EA
User profile
Figure 32 provides an example of the contents of an entire user profile, containing the passphrase data
shown above.
00 00 00 01 00 00 00 00 01 00 00 5a 2d 20 53 61 ...........Z- Sa
6d 70 6c 65 20 50 72 6f 66 69 6c 65 20 31 20 2d mple Profile 1 -
ab cd 00 00 4a 5f 53 6d 69 74 68 20 41 44 4d 49 ....J_Smith ADMI
4e 31 20 20 07 da 06 01 07 db 0c 1f 00 24 00 01 N1 ........."..
00 20 00 01 00 ff 07 da 06 01 80 00 00 00 fb f5 . ..............
c4 84 75 5f ba 59 6b ca 4a 9d ca 08 fb 52 9e e2 ..u_.Yk.J....R..
45 41 EA
Access-control-point list
Figure 34 shows the contents of a sample access-control-point list.
00 02 00 00 00 00 01 17 00 23 00 00 f0 ff ff ff .........#......
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 02 ................
00 02 17 00 03 00 00 8f 99 fe ..........
01 00 00 62 2a 4e 65 77 20 64 65 66 61 75 6c 74 ....*New default
20 72 6f 6c 65 20 31 2a ab cd 00 00 44 45 46 41 role 1*....DEFA
55 4c 54 20 23 45 01 0f 17 1e 7c 00 00 02 00 00 ULT #E....|.....
00 00 01 17 00 23 00 00 f0 ff ff ff ff ff ff ff .....#..........
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
ff ff ff ff ff ff ff ff ff ff ff 02 00 02 17 8f ................
99 fe ..
00 00 00 01 00 00 00 00 01 00 00 62 2a 4e 65 77 ............*New
20 64 65 66 61 75 6c 74 20 72 6f 6c 65 20 31 2a default role 1*
ab cd 00 00 44 45 46 41 55 4c 54 20 23 45 01 0f ....DEFAULT #E..
17 1e 7c 00 00 02 00 00 00 00 01 17 00 23 00 00 ..|..........#..
f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
ff ff ff 02 00 02 17 8f 99 fe ..........
IBM distributes the FCV in a digitally signed data structure (certificate). Table 159 and Table 160 on page
653 show the format of the data structure that contains the FCV as distributed by IBM. Use Table 159 for
releases before Release 4.1, and use Table 160 on page 653 for Release 4.1 or later. As shown in
Table 159, the FCV is located at offset 470 (X'1D6'), and has a length of 204 bytes. Table 160 on page
653 shows that the FCV is located at offset 1,238 (X'4D6'), and has a length of 588 bytes. This information
is needed for loading an FCV using the Cryptographic_Facility_Control verb.
For information on loading or clearing an FCV, see the Cryptographic_Facility_Control verb on page 42.
For information on querying an FCV, see the Cryptographic_Facility_Query verb on page 48.
Notes:
1. Government policies and the FCV do not limit the key-length of keys used in digital signature
operations.
2. The SET services can employ 56-bit DES for data encryption, and 1024-bit RSA key-lengths when
distributing DES keys.
3. AES is not supported in releases before Release 3.30.
4. Keys with a modulus length greater than 2048 bits are not supported in releases before Release 3.30.
5. ECC key-agreement services are not supported in releases before Release 4.1.
Table 159. FCV distribution structure, FCV format version X'00' (releases before Release 4.1)
Offset decimal Length
(hex) decimal Description
000 (000) 390 Package header and validating-key public key certificate.
390 (186) 080 Descriptive text coded in ASCII.
470 (1D6) 204 Function control vector (FCV).
Note: Unless noted otherwise, a control vector is a DES control vector base in this appendix.
In CCA, a control vector is a non-secret quantity that expresses permissible usages for an associated key.
When a CCA DES key is encrypted, the key-encrypting key is exclusive-ORed with the control vector to
form the actual key used in the DES key-encrypting process. This technique allows the generator or
introducer of a key to specify how the key is to be distributed and used. Attacks can be mounted against a
cryptographic system when it is possible to use a key for other than its intended purpose. The CCA
control-vector key-typing scheme and the command authorization and control-vector checking performed
by a CCA node together provide an important defense against misuse of keys and related attacks.
Although the CCA architecture permits several advanced techniques, the techniques described in this book
use the same control-vector value for the second half of a double-length key as for the first half, except for
the reversal of two bits. This topic about control-vector values focuses on a 64-bit vector with the
understanding that, for a double-length key, the control-vector value associated with each key half is
essentially the same.
Bits 8 to 14, and sometimes bits 18 to 22, of a control vector define the key as belonging to one of several
general classes of keys as shown in Table 161.
Table 161. DES key classes
Key type Key usage
Key-encrypting keys
IMPORTER Used to decrypt a key brought to this local node.
EXPORTER Used to encrypt a key taken from this local node.
IKEYXLAT Used to decrypt an input key in the Key_Translate service.
OKEYXLAT Used to encrypt an output key in the Key_Translate service.
Data operation keys
CIPHER, Used only to encrypt or decrypt data.
DECIPHER,
ENCIPHER
DATA Used to encrypt or decrypt data, or to generate or verify a MAC.
DATAC Used to specify a DATA-class key that performs in the Encipher and Decipher verbs, but not in
the MAC_Generate and MAC_Verify verbs.
655
Table 161. DES key classes (continued)
Key type Key usage
DATAM Used to specify a DATA-class key that performs in the MAC_Generate and MAC_Verify verbs,
but not in the Encipher and Decipher verbs.
DATAMV Used to specify a DATA-class key that performs in the MAC_Verify verb, but not in the
MAC_Generate, Encipher, or Decipher verbs.
MAC Used to generate or verify a MAC.
MACVER Used to verify a MAC code; cannot be used in MAC-generation.
SECMSG Used to encrypt keys or PINs in a secure message.
PIN-processing keys
IPINENC Inbound PIN encrypting key, used to decrypt a PIN block.
OPINENC Outbound PIN encrypting key, used to encrypt a PIN block.
PINGEN Used to generate and verify PIN values.
PINVER Used to verify, but not generate, PIN values.
Special cryptographic-variable encrypting keys
CVARENC Used to encrypt the mask arrays in the Cryptographic_Variable_Encipher verb for the
Control_Vector_Translate verb.
CVARPINE Used to encrypt a clear PIN in the no-longer-supported Encrypted_PIN_Generate_Alternate
verb.
CVARXCVL, Used to encrypt special control values in the Cryptographic_Variable_Encipher verb for use with
CVARXCVR the Control_Vector_Translate verb.
Key-generating keys
DKYGENKY Used to generate a diversified key based on a key-generating key.
KEYGENKY Used to generate or derive other keys.
Usually, there is a default control-vector associated with each of the key types previously listed; see
Table 162 on page 657. The bits in positions 16 - 22 and 33 - 37 generally have different meanings for
every key class. Many of the remaining bits in a control vector have a common meaning. Most of the DES
key-management services permit you to use the default control-vector value by naming the key class in
the service's key-type variable. This does not apply to all key-type classes.
You can use the default control-vector for a key type, or you can create a more restrictive control-vector.
The default control-vector for a key type provides basic key-separation functions. Optional usage
restrictions can further tighten the security of the system.
The cryptographic subsystem creates a default control vector for a key type when you use the
Key_Generate verb and specify a null key token and a key-type in the key_type parameter. Also, when
you import or export a key, you can specify a key type to obtain a default control-vector instead of
supplying a control vector in a key token. If you specify a key type with the Key_Import verb, ensure that
the default control-vector is the same as the control vector that was used to encrypt the key.
The additional control-vector bits that you can turn on or off permit you to further restrict the use of a key.
This gives you the ability to implement the general security policy of permitting only those capabilities
actually required in a system. The additional bits are designed to block specific attacks although these
attacks are often obscure.
You can obtain the value for a control vector in one of several ways:
v To use a default-value control vector, obtain the value from Table 162 on page 657.
The bits can also have the following values in some CCA implementations although not created by
keyword in the IBM 4765 or IBM 4764 implementations:
B'110' Double-length key, left half, halves guaranteed unique
B'101' Double-length key, right half, halves guaranteed unique
v The key subtype bits (bits 12 - 14). Set bits 12 - 14 to one of the following values:
PIN-calculation method
Bits 0 - 3 keyword Description
B'0000' NO-SPEC A key with this control vector can be used with any
PIN-calculation method.
B'0001' IBM-PIN or IBM-PINO A key with this control vector can be used only with the
IBM PIN or PIN-offset calculation method.
B'0010' VISA-PVV A key with this control vector can be used only with the
Visa PVV PIN-calculation method.
B'0100' GBP-PIN or GBP-PINO A key with this control vector can be used only with the
German Banking Pool PIN or PIN-offset calculation
method.
B'0011' INBK-PIN A key with this control vector can be used only with the
InterBank PIN-calculation method.
B'0101' NL-PIN-1 A key with this control vector can be used only with the
Netherlands PIN-1 calculation method.
v The prohibit-offset bit (o, bit 37) to restrict operations to the PIN value. Set the bit to B'1' to prevent
operation with the IBM 3624 PIN-offset calculation method and the IBM German Bank Pool
PIN-offset calculation method.
8. For PINGEN, IPINENC, and OPINENC keys, set bits 18 - 22 to indicate whether the key can be used
with the following verbs; for the bit numbers, see Figure 37 on page 658:
9. For the IPINENC and OPINENC PIN-block ciphering keys, do the following:
v Set the TRANSLAT bit (t, bit 21) to B'1' to permit the key to be used in the
Encrypted_PIN_Translate verb. The Control_Vector_Generate verb can set the TRANSLAT bit to
B'1' when you supply the TRANSLAT keyword.
v Set the REFORMAT bit (r, bit 22) to B'1' to permit the key to be used in the
Encrypted_PIN_Translate verb. The Control_Vector_Generate verb can set the REFORMAT bit and
the TRANSLAT bit to B'1' when you supply the REFORMAT keyword.
10. For the cryptographic-variable encrypting keys (bits 18 - 22), set the key-usage bits (bits 18 - 22) to
one of the following values:
Note: An external key is a key enciphered by a KEK other than the master key.
Remote_Key_Export verb
Use the Remote_Key_Export verb to change a control vector during an export operation.
The pre-exclusive-OR technique requires exclusive-ORing additional information into the value of the
IMPORTER or EXPORTER KEK by one of the following methods:
v Exchange the KEK in the form of a plaintext value or in the form of key parts. For example, if you use
the Key_Part_Import verb to enter the KEK key parts, you can enter another part that is set to the value
of the pre-exclusive-OR quantity (which quantity is discussed later).
v Use the Key_Generate verb to generate an IMPORTER/EXPORTER pair of KEKs, with the KEY-PART
control vector bit set on. Then use the Key_Part_Import verb to enter an additional key part that is set
to the value of the pre-exclusive-OR quantity.
To understand how you can change a keys control vector when importing or exporting keys, you must first
understand the importing and exporting process. For example, when exporting key K, the cryptogram
e*KmCVk(K) is changed to the cryptogram e*KEKCVk1(K).
Notes:
1. The first cryptogram is read as the multiple encipherment of key K by the key formed from the
exclusive-OR of the master key and the control vector, CVk, of key K.
2. The second cryptogram is read as the multiple encipherment of key K by the key formed from the
exclusive-OR of the KEK and the control vector, CVk1, of key K. KEK represents the value of the
EXPORTER key.
3. A control vector of value binary zero is equivalent to not having a control vector.
The CCA specifies that in all but one case, CVk is the same as CVk1. The exception is that a DATA key
where the CVk contains the value of a default CV for that key type, has a CVk1 value equal to binary zero.
To change the control vector on key K, the KEK must be set to the value:
v KEK CVk1 CVk2
where:
v KEK is the value of the shared EXPORTER key.
v represents exclusive-OR.
v CVk1 is the control vector value used with the operational key K at the local node.
v CVk2 is the desired control vector value for the exported key K.
This process works because the value CVk1 is specified in the key token for the exported key. The
Key_Export verb provides this control-vector value to the hardware, which exclusive-ORs it with the
EXPORTER KEK. However, you have set the EXPORTER KEK to the value KEKCVk1, and when CVk1 is
exclusive-ORed with CVk1, the effect is that CVk1 is removed. Because you also set the KEK to include the
desired control vector, CVk2, the exported key has a changed control vector.
If you need to change the control vector for a key when importing the key, the Key_Import verb works in a
similar manner. You exclusive-OR the actual control vector value and the desired control vector value for
the imported key into the value of the key-encrypting key. Then when you call the Key_Import verb, be
sure that the source-key token contains the control vector of the desired target key.
If you are processing a double-length key, you must process the key twice, using the key-encrypting key
modified by different values each appropriate to a key half. Then you concatenate the resulting two correct
key-halves.
CCA system
Transport-key XOR
othersystem variant XOR
control vector to obtain
KEK-left and KEK-right e*KEK.Variant(Kp)
Doublelength KEK
XOR
Decipherkey process
Control vector for the
PINblockenciphering key,
control vector left and
control vector right PINblockenciphering key (Kp)
Figure 38 shows a typical situation. In a non-CCA system, a PIN-block encrypting key is singly encrypted
by a transport key. No control vector modifies the value of the transport key, Kt, used to encrypt the
PIN-block encrypting key, Kp. The resulting cryptogram can be designated eKt(Kp). Because
triple-encryption is the same as single-encryption when both halves of the encrypting key are equal,
eKt(Kp) = e*Kt(Kp).
In the CCA system, a PIN-block decrypting key is an IPINENC key and must be double length. If both
halves of the double-length key are the same, the IPINENC key effectively performs single encryption. You
must import both halves of the target IPINENC key in different steps and combine the result to obtain the
desired result key.
1. Create two key-encrypting keys to import each half of the target input PIN-block encrypting key. When
you receive key Kt, store this as two different keys:
e*KmCViml(KtCVil) \ e*KmCVimr(KtCVil)
where:
CViml is the control vector for the left half of an IMPORTER key
CVimr is the control vector for the right half of an IMPORTER key
CVil is the control vector for the left half of the target input PIN-block encrypting key
e*KmCViml(KtCVir) \ e*KmCVimr(KtCVir)
where:
CVir is the control vector for the right half of the target input PIN-block encrypting key
The tests consist of evaluating four logic expressions, the results of which must be a string of binary zeros.
The expressions operate bit-for-bit on information that is contained in the mask arrays and in the portions
of the control vectors associated with the key or key-half that is being processed. If any of the expression
evaluations do not result in all zero bits, the verb is ended with a control vector violation return code 8 and
reason code 39. See Figure 39 on page 669. Only the 56 bit positions that are associated with a key value
are evaluated. The low-order bit that is associated with key parity in each key-byte is not evaluated.
Encipher two copies of the mask array, each under a different cryptographic-variable key using key type
CVARENC. To encipher each copy of the mask array, use the Cryptographic_Variable_Encipher verb. Use
two different keys so that the enciphered-array copies are unique values. When using the
Control_Vector_Translate verb, the mask_array_left parameter and the mask_array_right parameter
identify the enciphered mask arrays. The array_key_left_identifier parameter and the
array_key_right_identifier parameter identify the target keys for deciphering the mask arrays. The
array_key_left_identifier key must have a key type of CVARXCVL and the array_key_right_identifier key
must have a key type of CVARXCVR. The cryptographic process deciphers the arrays and compares the
results; for the verb to continue, the deciphered arrays must be equal. If the results are not equal, the verb
returns the return code 8 and reason code 385 (X'181') for data that is not valid.
When using the Key_Generate verb to create the key pairs CVARENC-CVARXCVL and
CVARENC-CVARXCVR, the hardware requires the Generate_Key_Set_Extended command to be enabled.
Each key in the key pair must be generated for a different node. The CVARENC keys are generated for, or
imported into, the node where the mask array is enciphered. After enciphering the mask array, destroy the
enciphering key. The CVARXCVL and CVARXCVR keys are generated for, or imported into, the node
where the Control_Vector_Translate verb is performed.
If using the BOTH keyword to process both halves of a double-length key, remember that key-form bits 41,
42, 105, and 106 are different in the left and right halves of the CCA control-vector and must be ignored in
your mask-array tests (that is, make the corresponding B2 or B3 bits equal to zero).
When the control vectors pass the masking tests, the verb does the following:
v Deciphers the source key. In the decipher process, the verb uses a key that is formed by the
exclusive-OR of the KEK and the control vector in the key-token variable the source_key_token
parameter identifies.
v Enciphers the deciphered source key. In the encipher process, the verb uses a key that is formed by
the exclusive-OR of the KEK and the control vector in the key token variable the target_key_token
parameter identifies.
v Places the enciphered key in the key field in the key token variable the target_key_token parameter
identifies.
For expression
4: Source CV 0101... 0101... Source CV
Exclusive-OR
Target CV 0011... 0011... Target CV
Intermediate 0110... 0110...
result
Logical-AND
Set to 1
B_values 0000... 1111... those positions
to be tested
Report a CV
Final Result 0000... 0110... violation if any
bit position is 1
To prevent the verb from ensuring that each key byte has odd parity, you can specify the NOADJUST
keyword. If you do not specify the NOADJUST keyword, or if you specify the ADJUST keyword, the verb
ensures that each byte of the target key has odd parity.
Control_Vector_Translate Example
As an example, consider the case of receiving a single-length PIN-block encrypting key from a non-CCA
system. Often such a key is encrypted by an unmodified transport key (no control vector is used). In a
CCA system, an inbound PIN encrypting key (IPINENC) is double-length.
First, use the Key_Token_Build verb to insert the single-length key value into the left-half key-space in a
key token. Specify USE-CV as a key type and a control vector value set to 16 bytes of X'00'. Also specify
EXTERNAL, KEY, and CV keywords in the rule array. This key token is the source token.
The target key token can also be created using the Key_Token_Build verb. Specify a key type of IPINENC
and the NO-EXPORT rule-array keyword.
Second, call the Control_Vector_Translate verb and specify a rule-array keyword of LEFT. The mask
arrays can be constructed as follows:
v A1 is set to the value of the KEK's control vector, most likely the value of an IMPORTER key, perhaps
with the NO-EXPORT bit set. B1 is set to 8 bytes of X'FF' so that all bits of the KEK's control vector are
tested.
v A2 is set to 8 bytes of X'00', the null value of the source key control vector. B2 is set to 8 bytes of X'FF'
so that all bits of the source-key control vector is tested.
v A3 is set to the value of the target key's left-half control vector. B3 is set to X'FFFF FFFF FF9F FFFF'.
This causes all bits of the control vector to be tested except for the two (fff) bits used to distinguish
between the left-half and right-half target-key control vector.
v B4 is set to 8 bytes of X'00' so that no comparison is made between the source and target control
vectors.
Beginning with the CCA Support Program Version 2, the private RSA secret key values in an internal PKA
key-token are encrypted using a randomly generated Object Protection Key (OPK). The OPK is then
encrypted with the asymmetric (PKA) master key and stored in the key token. For external encrypted RSA
private keys, encryption of the secret key values is provided by the DES transport key. See Table 98 on
page 590 and Table 100 on page 592.
Multiple Multiple
encipherment decipherment
Clear key Multiply-enciphered key
0 7 8 15 0 7 8 15
K1
Encode EncodeK4 K3
Decode DecodeK6
K2
Decode DecodeK5 K2
Encode EncodeK5
K3
Encode EncodeK6 K1
Decode DecodeK4
Multiply-enciphered key Clear key
Mask subprocess:
1. Form the initial key block by padding the PKR with zero bits on the left, high-order end to the length of
the modulus.
2. Create a mask by CBC-encrypting a multiple of 8 bytes of binary zeros using K as the key and the
length of the modulus, and IV as the initialization vector as defined in the PKR at offsets 45 and 53.
3. Exclusive-OR the mask with the key block.
Overwrite subprocess:
1. Set the high-order bits of the masked key block to B'01'.
RSA-encrypt subprocess: RSA-encrypt the masked and overwritten key-record using the public key of
the receiving node. This is the last step in creating an AS external key block.
Decrypting subprocess: RSA-decrypt the AS external key block using an RSA private key. The private
key must be usable for key management purposes.
Validating subprocess: Verify that the high-order 2 bits of the decrypted key block are valued to B'01'
and that the low-order 4 bits of the key block are valued to B'0110'.
Unmasking subprocess: Set IV to the value of the 8 bytes at offset 53 of PKR. There is a variable
quantity of padding in the key block prior to offset 0. See Table 163 on page 674.
Set K to the exclusive-OR of IV and the value of the 8 bytes at offset 45 of the PKR record.
Create a mask that is equal in length to the key block by CBC encrypting a multiple of 8 bytes of binary
zeros using K as the key and IV as the initialization vector. Exclusive-OR the mask with the key record.
The control vector base of the recovered key is the value at offset 21. If the control vector base bits 40-42
are valued to B'010' or B'110', the key is double length. Set the right half of the received key's control
vector equal to the left half and reverse bits 41 and 42 in the right half.
The recovered key is at offset 37 and is either 8 or 16 bytes long based on the control vector base bits
40-42. If these bits are valued to B'000', the key is single length. If these bits are valued to B'010' or
B'110', the key is double length.
The IBM 4765 and the IBM 4764 employ several verification pattern generation methods.
677
v ex(Y) is the DES encoding of Y using x as a key
v represents the bitwise exclusive-OR function
Version X'00' internal CCA DES key tokens use this eight-byte master-key verification pattern.
Both the MKVP and KVP for AES will use the same algorithm. Both will be computed with the following
process.
1. Compute the SHA-256 hash of the string formed by prepending the byte X'01' to the cleartext key
value.
2. Take the leftmost eight bytes of the hash as the verification pattern.
The value is truncated to eight bytes because this is the length allocated for the verification in several CCA
structures and APIs. For example, the AES key token has eight bytes for the MKVP, and the Key_Test
verb has an eight-byte parameter for the verification pattern.
The RSA private key sections X'06' and X'08' use this 16-byte MDC value as the master-key verification
pattern.
The CCA verification method first creates a random number. A one-way cryptographic function combines
the random number with the key or key part. The verification method returns the result of this one-way
cryptographic function (the verification pattern) and the random number.
Note: A one-way cryptographic function is a function in which it is easy to compute the output from a
given input, but it is not computationally feasible to compute the input given an output.
where:
RN Is the random number generated or provided
KKL Is the value of the single-length key, or is the left half of the double-length key
KKR Is XL8'00' if the key is a single-length key, or is the value of the right half of the double-length key
VP Is the verification pattern
| In this method, the AES key data encryption algorithm encodes a 128-bit value that is all zero bits. The
| leftmost 32 bits of the result are compared to the trial input value or returned from the Key_Test2 verb in
| an 8-byte variable that is padded with bits valued to zero.
In this method the single-length or double-length key data encryption algorithm encodes a 64-bit value that
is all zero bits. The leftmost 32 bits of the result are compared to the trial input value or returned from the
Key_Test verb.
For a single-length key, the key data encryption algorithm encodes an 8-byte, all-zero-bits value.
For a double-length key, the key data encryption algorithm triple-encodes an 8-byte, all-zero-bits value.
The left half (high-order half) key encodes the zero-bit value, this result is data encryption algorithm
decoded by the right key half, and that result is data encryption algorithm encoded by the left key half.
The MDC_Generate verb supports four versions of the MDC calculation method that you specify by using
one of the keywords shown in Table 165 on page 680. All versions use the MDC-1 calculation.
When the keywords PADMDC-2 and PADMDC-4 are used, the supplied text is always padded as follows:
v If the total supplied text is less than 16 bytes in length, pad bytes are appended to make the text length
equal to 16 bytes. A length of zero is allowed.
v If the total supplied text is at least 16 bytes in length, pad bytes are appended to make the text length
equal to the next-higher multiple of 8 bytes. One or more pad bytes are always added.
v All appended pad bytes, other than the last pad byte, are set to X'FF'.
v The last pad byte is set to a binary value equal to the count of all appended pad bytes (X'01' to X'10').
Use the resulting pad text in the following procedures. The MDC_Generate verb uses these MDC
calculation methods. See MDC_Generate (CSNBMDG) on page 126 for more information about the
MDC_Generate verb.
Ciphering methods
The Data Encryption Standard (DES) algorithm defines operations on 8-byte data strings. The DES
algorithm is used in many different processes within CCA:
v Encrypting and decrypting general data
v Triple-encrypting and triple-decrypting PIN blocks
v Triple-encrypting and triple-decrypting DES keys
v Triple-encrypting and triple-decrypting RSA private keys with several processes
v Deriving keys, hashing data, generating CVV values, and so forth
The Encipher and Decipher verbs describe how you can request encryption or decryption of application
data. See the following topic: General data-encryption processes on page 682 for a description of the two
standardized processes you can use.
See DES key encryption and decryption processes on page 671, and Triple-DES ciphering algorithms
on page 685, which describe how CCA DES keys are enciphered.
These methods also differ in how they define the initial chaining value (ICV).
This section describes how the Encipher and Decipher verbs implement these methods.
An ICV is exclusive-ORed with the first block of 8 bytes. When you call the Encipher verb or the Decipher
verb, specify the INITIAL or CONTINUE keywords. If you specify the INITIAL keyword, the default, the
initialization vector from the verb parameter is exclusive-ORed with the first 8 bytes of data. If you specify
the CONTINUE keyword, the OCV identified by the chaining_vector parameter is exclusive-ORed with the
first 8 bytes of data.
Verb parameter
Plaintext from application program
Initialization
vector Data (1,8) Data (9,16) Data (N*87,N*8)
INITIAL
keyword
or
ICV
XOR
XOR
XOR
CONTINUE
keyword
Encipher Encipher Encipher
OCV
Data (1,8) Data (9,16) Data (N*87,N*8)
Ciphertext to application program
Chaining vector
Ciphertext from application program
Initialization
vector Data (1,8) Data (9,16) Data (N*87,N*8)
OCV
Decipher Decipher Decipher
INITIAL
keyword
or
ICV
XOR
XOR
XOR
CONTINUE
keyword
Data (1,8) Data (9,16) Data (N*87,N*8)
Plaintext to application program
Chaining vector
When the coprocessor enciphers the plaintext, the resulting ciphertext is always 1 - 8 bytes longer than
the plaintext. See Figure 45 on page 685. This is true even if the length of the plaintext is a multiple of
eight bytes. When the coprocessor deciphers the ciphertext, it uses the last byte of the deciphered data as
the number of bytes to remove from the end (pad bytes, if any, and count byte). The result is the original
plaintext. See Figure 46 on page 685.
The output chaining vector can be used as feedback with this method in the same way as with the NIST
SP 800-38A method.
The ANS X9.23 method requires the caller to supply an initialization vector, and it does not allow
specification of a pad character.
Note: The ANS X9.23 standard has been withdrawn, but the X9.23 padding method is retained in CCA for
compatibility with applications that rely on this method.
Plaintext from application program
Initialization
vector Data (1,8) Data (N*87,N*8) Data Pad Count
XOR
XOR
XOR
Encipher Encipher Encipher
Data (1,8) Data (N*87,N*8) Last block
Ciphertext to application program
Verb parameter
Ciphertext from application program
Initialization
vector Data (1,8) Data (N*87,N*8) Last block
Decipher Decipher Decipher
XOR
XOR
XOR
Data (1,8) Data (N*87,N*8) Data Pad Count
Plaintext to application program
/
T164
T264
T364
Tn64
/
IV
XOR
XOR
XOR //
XOR
Ka
e Ka
e Ka
e Ka
e
Kb
d Kb
d Kb
d Kb
d
Kc
e Kc
e Kc
e Kc
e
/
S164
S264
S364
Sn64
/
| A keyed-hash MAC (HMAC) based message authentication can be used by the HMAC_Generate and
| HMAC_Verify verbs.
5. The ANS X9.9 standard defines five authentication options. The MAC_Generate and MAC_Verify verbs implement Option 1, binary
data.
Note: ANS X9.19 Basic Procedure and ISO/IEC 9797-1 MAC Algorithm 1 are the same as ANS X9.9
Option 1.
EMV MAC
| The EMV smart card standards define MAC generation and verification processes that are the same as
| ANS X9.9 Option 1 (same as ISO/IEC 9797-1 MAC Algorithm 1) and ANS X9.19 Optional Procedure
| (same as ISO/IEC 9797-1, MAC Algorithm 3), except for padding added to the end of the message.
| Append 1 byte of X'80' to the original message, then append from 0 - 7 additional bytes, as required, of
| X'00' to form an extended message, which is a multiple of 8 bytes in length.
Using X9.9 Option 1 and X9.19 Optional Procedure, the leftmost 32 bits (4 bytes) of On are taken as the
MAC. In the EMV standards, the MAC value is 4-8 bytes in length. CCA provides support for the leftmost
4, 6 and 8 bytes of MAC value.
The ISO 16609 CBC-mode Triple-DES MAC method uses a double-length DES key and operates on data
blocks that are a multiple of 8 bytes. If the last input data block is not a multiple of 8 bytes, binary zeros
are appended to the right of the block. A CBC-mode Triple-DES encryption operation is performed on the
data, with all output discarded except for the final output block.
The resulting MAC value is processed according to other specifications supplied to the verb call.
| To see how to compute a MAC over the data, see FIPS PUB 198-1 available at http://csrc.nist.gov/
| publications/fips/fips198-1/FIPS-198-1_final.pdf.
An RSA key is generated by the IBM 4764 PCI-X and the IBM 4765 PCIe Cryptographic Coprocessors in
the following manner with respect to random numbers:
1. For each key generation, and for any size of key, the PKA manager seeds an internal FIPS-approved,
SHA-1 based psuedo random number generator (PRNG) with the first 24 bytes of information that it
receives from three successive calls to the random number generator (RNG) manager's PRNG
interface.
2. The RNG manager can supply a random number in two ways, but with the CCA Support Program only
one way is used, namely, the PRNG method. The PKA manager seeds an internal FIPS-approved,
SHA-1 based PRNG with 24 bytes obtained.
The RNG manager can respond to requests for random numbers from other processes with such
responses interspersed between responses to PKA manager requests. An RSA key is generated from
random information obtained from two cascaded SHA-1 PRNGs.
3. An RSA key is based on one or more 24-byte seeds from the RNG manager souce depending on the
dynamic mix of tasks running inside the coprocessor.
Design criteria
The passphrase verification protocol is designed to meet the following criteria.
v The use of cryptographic algorithms is permitted in the client logon software, but there must be no
storage of any long-term cryptographic keys. This is because secure key storage is generally not
available in the client workstation.
v Replay attacks must not be feasible. This means that the logon request message must be protected so
that it cannot be captured by an adversary, and later replayed to gain access to the genuine user's
privileges.
v An attacker should not be able to guess the cleartext content of the logon request message.
v No special hardware should be required on the client workstation.
v The logon process must result in the establishment of a session key known only to the cryptographic
coprocessor and the client. This key is used on subsequent transactions to prove the identity of the
sender, and to secure transmitted data.
v The session key is generated in the coprocessor.
SHA-1 hash of the passphrase is hex 42BED1CD 1DB68934 6319E315 F3C096A8 B2E08DB2
K1 is 42BED1CD 1DB68934
K2 is 6319E315 F3C096A8
K3 is B2E08DB2 00000000
Note: The random-number RN is not used inside the Cryptographic Coprocessor. It is only included
in the protocol to guarantee that the cleartext of the logon request is different every time.
4. The client workstation sends a logon request to the Cryptographic Coprocessor, including the
following information:
v { UID, eKL(RN, UID, timestamp) }
Master-key-splitting algorithm
This section describes the mathematical and cryptographic basis for the m-of-n key shares scheme.
The value to be shared is the master key, Km, which is a Triple-DES key and 168 bits long. Let P be the
first prime number larger than 2168. All operations are carried out modulo P.
Shamir's secret sharing allows the sharing of Km among n trustees in a way that no set of t or less of
trustees has any information about Km, while t+1 trustees can reconstruct Km.
Sharing phase:
1. Randomly choose a_t,...,a_1 in [0..P-1]
2. Consider the polynomial f(x) = a_t x t + ... + a_1 x + a_0, where a_0=Km.
Compute mk_i = f(i) mod P for all i=1,...n
3. Proceed to distribute the values mk_i as described above.
Reconstruction phase:
6. For a description of the EDE3 encryption process, see Figure 49 on page 688.
This section also describes the PKCS #1 methods for placing a key in a bit string for RSA ciphering as
part of a key exchange.
The CCA products described in this document implement these processes using the terminology of the
Version 1.5, Version 2.0, and Version 2.1 standards:
v For formatting keys for secured transport:
| Encryption/decryption scheme RSAES-OAEP is the preferred method for key encipherment8 when
| exchanging data keys between systems. In CCA, keywords PKCSOAEP (Version 2.0) and
Using the terminology from the older PKCS #1 v1.5 standard, block types 00 and 01 are used to format a
hash, and block-type 02 is used to format a DES key. The blocks consist of the following (\ means
concatenation):
X'00' \ BT \ PS \ X'00' \ D
where:
BT Is the block-type, X'00', X'01', or X'02'.
PS Is the padding of as many bytes as required to make the block the same length as the modulus of
the RSA key. Pad bytes are X'00' for block-type 00, X'FF' for block-type 01, and random and nonzero
for block-type 02. The length of PS must be at least 8 bytes.
D Is the key, or the concatenation of the ASN.1 BER-encoded hash identifier and the hash value
| You can create the ASN.1 BER encoding of an MD5, SHA-1, or SHA-256 value by prepending these
strings to the 16-byte or 20-byte hash values, respectively:
MD5 X'3020300C 06082A86 4886F70D 02050500 0410'
SHA-1 X'30213009 06052B0E 03021A05 000414'
| SHA-256 X'3031300D 06096086 48016503 04020105 000420'
The PIN-calculation methods are independent from PIN-block formats. A PIN can be calculated by any
method and generally used in any PIN-block format. For example, a PIN can be calculated by the IBM
3624 PIN-calculation method and used either in the IBM 3624 PIN-block format or in another PIN-block
format.
Table 167. Financial PIN-calculation methods, data formats, and other items
Item Page
IBM 3624 PIN-calculation method 698
IBM 3624 PIN-offset calculation method 698
Netherlands PIN-1 calculation method 699
IBM German Bank Pool Institution PIN-calculation method 699
Visa PIN-validation value (PVV) PIN-calculation method 700
InterBank PIN-calculation method 700
3624 PIN-block format 701
ISO-0 PIN-block format 701
ISO-1 PIN-block format 702
ISO-2 PIN-block format 702
ISO-3 PIN-block format (Release 3.30 or later) 703
UKPT calculation methods (ANS X9.24) 704
CVV, CVC (Visa, MasterCard) 706
Visa and EMV formats and processes 707
In the description of the financial PIN verbs, these terms are employed:
A-PIN The quantity derived from a function of the account number, PIN-generating key (PINGEN or
PINVER), and other inputs such as a decimalization table.
697
C-PIN The quantity that a customer should use to identify himself; in general, this can be a
customer-selected or institution-assigned quantity.
O-PIN A quantity, sometimes called an offset, that relates the A-PIN to the C-PIN as permitted by certain
methods.
T-PIN The trial PIN presented for verification.
The IBM 3624 PIN-calculation method consists of the following steps to create the A-PIN:
1. Encrypt the hexadecimal validation data with a key that has a control vector that specifies the PINGEN
(or PINVER) key type to produce a 64-bit quantity.
2. Convert the character format decimalization table to an equivalent array of sixteen 4-bit hexadecimal
digits, and use the decimalization table to convert the hexadecimal digits (X'0' to X'F') of the encrypted
validation data to decimal digits (X'0' to X'9'). Call this result newpin.
Let newpin(i), decimalization_table(i), and encrypted_validation_data(i) each represent the (i)th
hexadecimal digit in each quantity.
The digits of newpin are obtained by the following procedure:
For i = 1 to 16 do:
j := encrypted_validation_data(i)
newpin(i) := decimalization_table(j)
end do
3. Select the n leftmost decimal digits of newpin, where n is the PIN length. The result is an n-digit
calculated A-PIN. The PIN must be from 4 16 digits in length.
Example:
Encrypted validation data = E5C1BD67B66AE7C6
Decimalization table index = 0123456789ABCDEF
Decimalization table = 8351296477461538
Newpin = 3913656466643416
PIN length = 6
Calculated A-PIN = 391365 (leftmost 6 digits of newpin)
Example:
Encrypted validation data = 8325A637B66EA7A8
Decimalization table index = 0123456789ABCEDF
Decimalization table = 0123456789012345
A-PIN = 2506
O-PIN = 9957
C-PIN, Customer PIN = 1453
The German Bank Pool Institution PIN-calculation method consists of the following steps:
1. Encrypt the hexadecimal validation data with an institution key that has a control vector that specifies
the PINGEN (or PINVER) key type to get a 64-bit quantity.
2. Convert the character format decimalization table to an equivalent array of sixteen 4-bit hexadecimal
digits, and use the decimalization table to convert the first 6 hexadecimal digits (X'0' to X'F') of the
encrypted validation data to decimal digits (X'0' to X'9'). Call this result newpin.
The digits of newpin are obtained by the following procedure:
For i = 1 to 6 do:
j := encrypted_validation_data(i)
newpin(i) := decimalization_table(j)
end do
3. Select the 4 rightmost digits of newpin. The result is a 4-digit intermediate PIN.
4. If the first digit of the intermediate PIN is 0, assign 1 to the first digit of the institution PIN, and assign
the remaining 3 digits of the intermediate PIN to the institution PIN.
If the first digit of the intermediate PIN is not 0, assign the value of the intermediate PIN to the
institution PIN.
The PIN is not encrypted.
Example:
Appendix E. Financial system verbs calculation methods and data formats 699
Encrypted validation data = E5A4FD67B66AE7C6
Decimalization table index = 0123456789ABCDEF
Decimalization table = 0123456789012345
Newpin = 450453
Intermediate PIN = 0453 (4 rightmost digits of newpin)
Institution PIN = 1453 (first digit is changed to 1
because the intermediate PIN had a
first digit of 0)
PIN-block formats
The PIN verbs support one or more of the following PIN-block formats:
v IBM 3624
v ISO-0 (same as ANS X9.8, VISA-1, and ECI-1).
v ISO-1 (same as the ECI-4)
v ISO-2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
P P/XP/XP/XP/XP/XP/XP/XP/XP/XP/XP/XP/XP/XP/XP/X
where:
P Is a PIN digit, which is a 4-bit value from X'0' - X'9'. The values of the PIN digits are independent.
P/X Is a PIN digit or a pad value. A PIN digit has a 4-bit value from X'0' - X'9'. A pad value has a 4-bit
value from X'0' - X'F' and must be different from any PIN digit. The number of pad values for this
format is in the range from 0 - 15, and all the pad values must have the same value.
Example:
PIN = 0123456, Pad = X'E'
PIN block = X'0123456EEEEEEEEE'
The following are the formats of the intermediate PIN-block, the PAN block, and the ISO-0 PIN-block:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0 L P P P P P/FP/FP/FP/FP/FP/FP/FP/F F F
Intermediate PIN-Block = IPB
0 0 0 0 PANPANPANPANPANPANPANPANPANPANPANPAN
PAN Block
P P P/FP/FP/FP/FP/FP/FP/FP/F F F
0 L P P XORXORXORXORXORXORXORXORXORXORXORXOR
PANPANPANPANPANPANPANPANPANPANPANPAN
PIN Block = IPB XOR PAN Block
where:
0 Is the value X'0' for ISO-0.
L Is the length of the PIN, which is a 4-bit value from X'4' - X'C'.
P Is a PIN digit, which is a 4-bit value from X'0' - X'9'. The values of the PIN digits are independent.
Appendix E. Financial system verbs calculation methods and data formats 701
P/F Is a PIN digit or pad value. A PIN digit has a 4-bit value from X'0' - X'9'. A pad value has a 4-bit
value of X'F'. The number of pad values in the intermediate PIN block (IPB) is from 2 - 10.
F Is the value X'F' for the pad value.
PAN Is twelve 4-bit digits that represent the rightmost 12 digits of the primary account-number
(excluding the check digit).
Each PAN digit has a value from X'0' - X'9'.
The PIN block is the result of exclusive-ORing the 64-bit IPB with the 64-bit PAN block.
Example:
L = 6, PIN = 123456, Personal Account Number = 111222333444555
06123456FFFFFFFF : IPB
0000222333444555 : PAN block for ISO-0 (ANS X9.8, VISA-1, ECI-1) PIN-block format
06121675CCBBBAAA : PIN block for ISO-0 (ANS X9.8, VISA-1, ECI-1) PIN-block format
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 L P P P P P/RP/RP/RP/RP/RP/RP/RP/R R R
where:
1 Is the value X'1' for ISO-1.
L Is the length of the PIN, which is a 4-bit value from X'4' - X'C'.
P Is a PIN digit, which is a 4-bit value from X'0' - X'9'. The values of the PIN digits are independent.
R Is a random digit, which is a value from X'0' - X'F'. Typically, this should be used for predetermined
transaction unique data such as a sequence number.
P/R Is a PIN digit or a random digit, depending on the value of PIN length L. The number of random
digits is in the range from 2 - 10, and each random digit in a PIN-block format can be different.
Example:
L = 6, PIN = 123456
PIN block = X'161234566ABCFDE1', where X'6', X'A', X'B', X'C', X'F',
X'D', X'E', and X'1' are the random fillers
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
2 L P P P P P/FP/FP/FP/FP/FP/FP/FP/F F F
Example:
L = 6, PIN = 123456
PIN block = X'26123456FFFFFFFF'
Note: The ISO-3 PIN-block format is not supported in releases before Release 3.30.
The following are the formats of the intermediate PIN-block, the PAN block, and the ISO-3 PIN-block:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
3 L P P P P P/RP/RP/RP/RP/RP/RP/RP/R R R
Intermediate PIN-Block = IPB
0 0 0 0 PANPANPANPANPANPANPANPANPANPANPANPAN
PAN Block
P P P/RP/RP/RP/RP/RP/RP/RP/R R R
3 L P P XORXORXORXORXORXORXORXORXORXORXORXOR
PANPANPANPANPANPANPANPANPANPANPANPAN
PIN Block = IPB XOR PAN Block
where:
3 Is the value X'3' for ISO-3.
L Is the length of the PIN, which is a 4-bit value from X'4' - X'C'.
P Is a PIN digit, which is a 4-bit value from X'0' - X'9'. The values of the PIN digits are independent.
P/R Is a PIN digit or pad value. A PIN digit has a 4-bit value from X'0' - X'9'. A pad value has a random
4-bit value of X'A' - X'F'. The number of pad values in the intermediate PIN block (IPB) is from 2 -
10.
R Is a random digit, which is a value from X'A' - X'F'.
PAN Is twelve 4-bit digits that represent the rightmost 12 digits of the primary account-number
(excluding the check digit).
Each PAN digit has a value from X'0' - X'9'.
The PIN block is the result of exclusive-ORing the 64-bit IPB with the 64-bit PAN block.
Example:
Appendix E. Financial system verbs calculation methods and data formats 703
L = 6, PIN = 123456, Personal Account Number = 111222333444555
36123456AFBECDDC : IPB (where XAFBECDDC are random digits)
0000222333444555 : PAN block for ISO-3 (ANS X9.8, VISA-1, ECI-1) PIN-block format
361216759CFA8889 : PIN block for ISO-3 (ANS X9.8, VISA-1, ECI-1) PIN-block format
9. This material is adapted from the Visa Point-of-Sale Equipment Requirements: PIN Processing and Data Authentication publication.
Note: The CCA implementation does not adjust key parity on any of the bytes of the derived
encrypting key before encrypting them under its master key. Parity adjustment is not done
because the key value is used in two XOR operations during the special decrypt process of
recovering the clear PIN-block.
Appendix E. Financial system verbs calculation methods and data formats 705
3. Perform an XOR operation with the rightmost byte of Ku and X'FF' to produce a variant of the key;
name the result Kuv.
4. Perform an XOR operation with Kuv and Pc; store the result in T1.
5. Encrypt T1 with Kuv; store the result in T2.
6. Perform an XOR operation with Kuv; store the result in Pe.
The value in Pe is the encrypted PIN-block that the POS terminal sends.
The special decryption process consists of the previous steps, but in reverse.
10. Adapted from VisaNet Electronic Value Exchange Standards Manual, pages AA-8 and AA-9.
At the CCA API, the CVV_Generate and CVV_Verify verbs require two operational key identifiers, key-A
and key-B, as defined in the CVV method. The identifiers can be key labels or internal key-tokens.
The key-A and key-B key pair can include the following key types:
1. Both keys can be DATA keys.
2. Both keys can be MAC-class keys with the ANY subtype extension.
3. Both keys can be MAC-class keys with the KEY-A and KEY-B subtype extensions as appropriate.
The CVV_Generate verb requires the control-vector bit 20 to be set to B'1'. The CVV_Verify verb requires
the control-vector bit 21 to be set to B'1'.
Book 2, Annex A1.3, describes how a smart-card, card-specific authentication code is derived from a
card-issuer-supplied encryption key (ENC-MDK). The Integrated Circuit Card Specification (VIS) 1.4.0
Corrections indicates that the key used should be an authentication key (MAC-MDK).
Appendix E. Financial system verbs calculation methods and data formats 707
Book 2, Annex A1.3 describes how a smart-card, card-specific session key is derived from a
card-issuer-supplied PIN-block-encryption key (ENC-MDK). The encryption key is derived using a
tree-based-derivation technique. IBM CCA offers two variations of the tree-based technique (TDESEMV2
and TDESEMV4), and a third technique CCA designates TDES-XOR.
In addition, Book 2 describes construction of the PIN block sent to an EMV card to initialize or update the
user's PIN.
Visa Integrated Circuit Card Specification Manual, Version 1.4.0, Appendix B.4, contains a description of
the session-key derivation technique CCA designates TDES-XOR.
Augmented by the above-mentioned documentation, the relevant processes are described in these
sections:
v Derivation of the smart-card-specific authentication code
v Constructing the PIN-block for transporting an EMV smart-card PIN
v Derivation of the CCA TDES-XOR session key
v Derivation of the EMV TDESEMVn tree-based session-key
v PIN-block self-encryption
PIN-block construction:
1. Form three 8-byte, 16-digit blocks, block-1, block-2, and block-3, and set all digits to X'0'.
2. Replace the rightmost four bytes of block-1 with the authentication code described in the previous
section.
3. Set the second digit of block-2 to the length of the new PIN (4 to 12), followed by the new PIN, and
padded to the right with X'F'.
4. Include any current PIN by placing it into the leftmost digits of block-3.
5. Exclusive-OR block-1, block-2, and block-3 to form the 8-byte PIN block.
6. Pad the PIN block with other portions of the message for the smart card:
v Prepend X'08' (the length of the PIN block)
v Append X'80', followed by 6 bytes of X'00'
PIN-block self-encryption
In the Secure_Messaging_for_PINs (CSNBSPN) verb, you can use the SELFENC rule-array keyword to
specify that the 8-byte PIN block shall be used as a DES key to encrypt the PIN block. The verb copies
the self-encrypted PIN block to the clear PIN-block in the output message.
Appendix E. Financial system verbs calculation methods and data formats 709
710 CCA Basic Services October 14, 2011
Appendix F. Verb list
This section lists the verbs supported by the CCA Support Program. Table 168 lists each verb by the
verbs pseudonym and entry-point name and lists the page for the verb. Be sure to look at the top of the
first page of a verb description to determine which platform and product supports the verb.
Table 168. Security API verbs in supported environments
Pseudonym Entry point Page
AES and DES key-processing and key-storage verbs
AES_Key_Record_Create CSNBAKRC 392
AES_Key_Record_Delete CSNBAKRD 394
AES_Key_Record_List CSNBAKRL 396
AES_Key_Record_Read CSNBAKRR 398
AES_Key_Record_Write CSNBAKRW 400
Clear_Key_Import CSNBCKI 198
Control_Vector_Generate CSNBCVG 200
Control_Vector_Translate CSNBCVT 203
Cryptographic_Variable_Encipher CSNBCVE 205
Data_Key_Export CSNBDKX 207
Data_Key_Import CSNBDKM 209
DES_Key_Record_Create CSNBKRC 402
DES_Key_Record_Delete CSNBKRD 404
DES_Key_Record_List CSNBKRL 406
DES_Key_Record_Read CSNBKRR 408
DES_Key_Record_Write CSNBKRW 409
Diversified_Key_Generate CSNBDKG 211
| EC_Diffie-Hellman CSNDEDH 217
Key_Encryption_Translate CSNBKET 224
Key_Export CSNBKEX 227
Key_Generate CSNBKGN 229
Key_Generate2 CSNBKGN2 239
Key_Import CSNBKIM 245
Key_Part_Import CSNBKPI 247
Key_Part_Import2 CSNBKPI2 251
Key_Storage_Initialization CSNBKSI 65
Key_Test CSNBKYT 256
Key_Test2 CSNBKYT2 261
Key_Test_Extended CSNBKYTX 265
Key_Token_Build CSNBKTB 270
Key_Token_Build2 CSNBKTB2 275
Key_Token_Change CSNBKTC 279
Key_Token_Change2 CSNBKTC2 281
Key_Token_Parse CSNBKTP 283
711
Table 168. Security API verbs in supported environments (continued)
Pseudonym Entry point Page
| Key_Token_Parse2 CSNBKTP2 286
Key_Translate CSNBKTR 294
Key_Translate2 CSNBKTR2 296
Multiple_Clear_Key_Import CSNBCKM 301
PKA_Decrypt CSNDPKD 305
PKA_Encrypt CSNDPKE 307
Prohibit_Export CSNBPEX 309
Prohibit_Export_Extended CSNBPEXX 311
Random_Number_Generate CSNBRNG 313
Random_Number_Generate_Long CSNBRNGL 315
Remote_Key_Export CSNDRKX 317
Restrict_Key_Attribute CSNBRKA 328
Symmetric_Algorithm_Decipher CSNBSAD 378
Symmetric_Algorithm_Encipher CSNBSAE 383
Symmetric_Key_Export CSNDSYX 333
Symmetric_Key_Generate CSNDSYG 339
Symmetric_Key_Import CSNDSYI 345
Symmetric_Key_Import2 CSNDSYI2 350
Trusted_Block_Create CSNDTBC 353
Data confidentiality and data integrity verbs
Decipher CSNBDEC 360
Digital_Signature_Generate CSNDDSG 118
Digital_Signature_Verify CSNDDSV 122
Encipher CSNBENC 363
HMAC_Generate CSNBHMG 366
HMAC_Verify CSNBHMV 369
MAC_Generate CSNBMGN 372
MAC_Verify CSNBMVR 375
MDC_Generate CSNBMDG 126
One_Way_Hash CSNBOWH 134
Random_Number_Tests CSUARNT 78
Coprocessor control verbs
Access_Control_Initialization CSUAACI 35
Access_Control_Maintenance CSUAACM 38
Cryptographic_Facility_Control CSUACFC 42
Cryptographic_Facility_Query CSUACFQ 48
Cryptographic_Facility_Version CSUACFV 58
Cryptographic_Resource_Allocate CSUACRA 59
Cryptographic_Resource_Deallocate CSUACRD 61
Key_Storage_Designate CSUAKSD 63
Important: By default, you should disable commands. Do not enable an access-control point unless you
know why you are enabling it.
See the Required commands section at the end of each verb description for access-control guidance for
each verb.
Table 169. Supported CCA commands
Offset Command name Verb name Entry Usage
X'000E' Encipher Encipher CSNBENC O
X'000F' Decipher Decipher CSNBDEC O
X'0010' Generate MAC MAC_Generate CSNBMGN O
X'0011' Verify MAC MAC_Verify CSNBMVR O
X'0012' Reencipher to Master Key Key_Import CSNBKIM O
X'0013' Reencipher from Master Key Key_Export CSNBKEX O
X'0018' Load First Master Key Part Master_Key_Process CSNBMKP SC, SEL
X'0019' Combine Master Key Parts Master_Key_Process CSNBMKP SC, SEL
X'001A' Set Master Key Master_Key_Process CSNBMKP SC, SEL
X'001B' Load First Key Part Key_Part_Import CSNBKPI SC, SEL
X'001C' Combine Key Parts Key_Part_Import CSNBKPI SC, SEL
715
Table 169. Supported CCA commands (continued)
Offset Command name Verb name Entry Usage
X'001D' Compute Verification Pattern AES_Key_Record_Create CSNBAKRC R
AES_Key_Record_Delete CSNBAKRD
AES_Key_Record_List CSNBAKRL
AES_Key_Record_Read CSNBAKRR
AES_Key_Record_Write CSNBAKRW
DES_Key_Record_Create CSNBKRC
DES_Key_Record_Delete CSNBKRD
DES_Key_Record_List CSNBKRL
DES_Key_Record_Read CSNBKRR
DES_Key_Record_Write CSNBKRW
Key_Storage_Initialization CSNBKSI
Key_Test CSNBKYT
| Key_Test2 (Rel. 4.0 or later) CSNBKYT2
Key_Test_Extended CSNBKYTX
PKA_Key_Record_Create CSNDKRC
PKA_Key_Record_Delete CSNDKRD
PKA_Key_Record_List CSNDKRL
PKA_Key_Record_Read CSNDKRR
PKA_Key_Record_Write CSNDKRW
X'001F' Translate Key Key_Translate CSNBKTR O
X'0020' Generate Random Master Key Master_Key_Process CSNBMKP O, SEL
| X'0021' Compute ENC-ZERO Verification Pattern for AES Key_Test2 CSNBKYT2 O (Rel. 4.2 or later)
X'0032' Clear New Master Key Register Master_Key_Process CSNBMKP O, SUP
X'0033' Clear Old Master Key Register Master_Key_Process CSNBMKP O, SUP
X'0040' Generate Diversified Key (CLR8-ENC) Diversified_Key_Generate CSNBDKG O, SEL
X'0041' Generate Diversified Key (TDES-ENC) Diversified_Key_Generate CSNBDKG O, SEL
X'0042' Generate Diversified Key (TDES-DEC) Diversified_Key_Generate CSNBDKG O, SEL
X'0043' Generate Diversified Key (SESS-XOR) Diversified_Key_Generate CSNBDKG O, SEL
X'0044' Enable DKG Single Length Keys and Equal Halves for Diversified_Key_Generate CSNBDKG SC, SEL
TDES-ENC, TDES-DEC
X'0045' Generate Diversified Key (TDES-XOR) Diversified_Key_Generate CSNBDKG O, SEL
X'0046' Generate Diversified Key (TDESEMVn) Diversified_Key_Generate CSNBDKG O, SEL
X'0053' Load First Asymmetric Master Key Part Master_Key_Process CSNBMKP SC, SEL
X'0054' Combine Asymmetric Master Key Parts Master_Key_Process CSNBMKP SC, SEL
X'0057' Set Asymmetric Master Key Master_Key_Process CSNBMKP SC, SEL
X'0060' Clear New Asymmetric Master Key Buffer Master_Key_Process CSNBMKP SC, SEL
X'0061' Clear Old Asymmetric Master Key Buffer Master_Key_Process CSNBMKP SC, SEL
X'008A' Generate MDC MDC_Generate CSNBMDG R
| X'008C' Generate Key Set Key_Generate
CSNBKGN O
| X'008E' Generate Key Key_Generate CSNBKGN R
| Random_Number_Generate CSNBRNG
X'0090' Reencipher to Current Master Key Key_Token_Change CSNBKTC R
X'00A0' Generate Clear 3624 PIN Clear_PIN_Generate CSNBPGN O
X'00A4' Generate Clear 3624 PIN Offset Clear_PIN_Generate_Alternate CSNBCPA O
X'00AB' Verify Encrypted 3624 PIN Encrypted_PIN_Verify CSNBPVR O
X'00AC' Verify Encrypted German Bank Pool PIN Encrypted_PIN_Verify CSNBPVR O
X'00AD' Verify Encrypted Visa PVV Encrypted_PIN_Verify CSNBPVR O
X'00AE' Verify Encrypted InterBank PIN Encrypted_PIN_Verify CSNBPVR O
X'00AF' Format and Encrypt PIN Clear_PIN_Encrypt CSNBCPE O
X'00B0' Generate Formatted and Encrypted 3624 PIN Encrypted_PIN_Generate CSNBEPG O
X'00B1' Generate Formatted and Encrypted German Bank Encrypted_PIN_Generate CSNBEPG O
Pool PIN
X'00B2' Generate Formatted and Encrypted InterBank PIN Encrypted_PIN_Generate CSNBEPG O
X'00B3' Translate PIN with No Format-Control to No Encrypted_PIN_Translate CSNBPTR O
Format-Control
X'00B7' Reformat PIN with No Format-Control to No Encrypted_PIN_Translate CSNBPTR O
Format-Control
X'00BB' Generate Clear Visa PVV Alternate Clear_PIN_Generate_Alternate CSNBCPA O
ID Initial default.
SEL Usage of this command is normally restricted to one or more selected roles.
This verb performs more than one function, as determined by the keywords identified by the rule_array parameter of the verb call. Not all
functions of the verb require the command in this row.
| This verb does not always require the command in this row. Use as determined by the control vector or key usage fields for the key and
| the action being performed.
Before the CCA node is put into normal operation, the access-control setup can be audited using the
Access_Control_Maintenance and Cryptographic_Facility_Query verbs. If for any reason the status
response is not as anticipated, the node should not be activated for application purposes.
Note: With authority to use either the Initialize Access Control or Delete Role commands, you can delete
the DEFAULT role. Deleting the DEFAULT role causes the automatic recreation of the initial
725
DEFAULT role. The initial DEFAULT role permits setting up any capabilities. Users with access to
these commands have unlimited authority through manipulation of the access-control system.
Changing a passphrase
The passphrase used to authenticate access to a profile is not communicated out of the DLL or shared
library you call with the Logon_Control verb. Rather, the passphrase is hashed to form a cryptographic key
that is used to pass the profile identifier and other information to permit the coprocessor to validate access
to the profile.
When you change a passphrase with the Access_Control_Initialization verb, use the PROTECTD keyword.
This causes the passphrase to be encrypted within the DLL or shared-library layer before it is
communicated to the coprocessor. This can block a lower-level sniffer program or the CCA trace facility
from capturing the new, clear passphrase.
If a role contains permission to change a passphrase, the passphrase of any profile can be changed. You
should consider if passphrase Change a User Profile Authentication Data command, should be permitted
and, if so, which roles should have this authority (offset X'0114').
If any user reports an inability to log on, this should be reported to someone other than (or certainly in
addition to) an individual with passphrase-changing permission.
In all cases, enable only the commands needed to accommodate the permitted applications.
By default, DATA-class keys perform in both encipher and MAC generation and verification operations.
You might also find uses for enciphering data where you want to disallow the possibility that the data is
ever deciphered. You can determine the equivalence of two copies of source data by comparing their
enciphered value. Thus, you can store an enciphered copy of data and determine later that other data is
not equivalent without revealing the clear value of the original data. A hash process can give the same
effect, but in some environments, encryption might be faster than hashing.
Consider the use of the CIPHER-class keys rather than the more general DATA-class keys because the
CIPHER-class keys have reduced capabilities and thus offer fewer opportunities for misuse.
For example, a data originator can encipher data and be sure that no one can decipher the data on his
node using an ENCIPHER-class key. The DECIPHER-class copy of the key, probably with the CCA
export-allowed control-vector bit turned off, can be sent over the one-way key-distribution channel to
another node. Only there can the data be deciphered.
As another example, a key-distribution center can originate and distribute a no-export-allowed MAC key to
one node and the matching MACVER key, also with the no-export-allowed attribute, can be sent to
another node. In this scenario (and if the CCA master keys are managed and audited in a secure manner),
the MAC verification node has no means of producing a valid MAC on altered data.
The Key_Part_Import verb provides additional separation in functional capability. The preexisting Combine
Key Parts command (X'001C', invoked with the MIDDLE and LAST keywords) processes key-part
information and completes a key by turning off the key-part control-vector bit. Two new options are added:
These commands enable you to designate an individual with the authority to accept a key without
providing that individual with the possibility of modifying the value of the key.
Pre-exclusive-OR
Additional information, such as a variant or a control-vector value, can be exclusive-ORed into a
key-encrypting key so other keys processed with the modified key-encrypting key can be assigned
alternative control vectors and alternative functionality. This pre-exclusive-OR technique can be
valuable when exchanging keys with non-CCA systems. However, an adversary, if permitted to
employ the technique, could change the control vector of a key to his advantage. To counter this
threat, separate key-part loading responsibilities so that an individual can oversee the operations
and complete a key without having the authority to add information to the key.
Clear key-part interception
Key-part information flows in the clear through your host system. If you view this as an
unacceptable risk, consider the following alternatives:
Random generation of master keys
If you need to backup the master key or have the same master key in an additional
coprocessor, use master-key cloning to securely transfer the value of the master key to
additional coprocessors.
Random key-generation and RSA-based key-distribution
Distribute RSA-encrypted, randomly generated DES data or DES key-encrypting keys to
the node where the key should be instantiated. With CCA and this strategy, you do not
need key parts or secrecy. Continue to use two-channel distribution techniques to ensure
integrity of the public-key distribution. This is true even when certificates are in use; you
must provide integrity for the top-level public key.
Key export
Be careful when allowing the export of keys from your system, especially when enabling the
Symmetric_Key_Generate verb and the other key-export verbs:
v Data_Key_Export
v Key_Export
v Symmetric_Key_Export
In particular, the verbs Symmetric_Key_Export and Symmetric_Key_Generate permit the export of selected
classes of keys under any public key. Ensure that the target nodes are legitimate and that only appropriate
processes have use of these verbs, EXPORTER keys, and public keys.
Consider taking advantage of the export-allowed control-vector bit. By switching this bit off, you can
prevent a key from being exported.
Note: Master-key-encrypted RSA private keys or retained RSA private keys cannot be exported from a
CCA node.
Key unwrapping
An RSA private key that is used in a symmetric-key exchange to unwrap or decrypt a DES key should not
typically be allowed to perform digital signature signing. This is because the Digital_Signature_Generate
verb could be used with the ZERO-PAD keyword to reveal the DES key. To prevent this from happening,
Clear-key operations
Remember that the following CCA verbs operate with keys in the clear. Carefully consider using them.
CSNDSYX A clear, unprotected public key is entered under which DATA keys can
Symmetric_Key_Export be enciphered. This operation can be disallowed through the
access-control system.
The Key_Import, Key_Export, Data_Key_Import, and Data_Key_Export verbs do not permit use of a
replicated key-encrypting key to import or export a non-replicated key unless special permission is granted
using the unrestrict commands, X'0276', X'0277', X'027B', and X'027C'.
RSA keys
When generating RSA key pairs, you must consider these issues:
v Regeneration data (excluding ECC key pairs)
v Attributes for signature and key management
v Retained keys (not valid with an ECC private key)
Regeneration data
When an application calls the PKA_Key_Generate verb to generate a non-ECC key pair, it can specify
regeneration_data that seeds the random number generator. If the same regeneration data is supplied in
the future, the same RSA key-pair is generated. This can be useful in a development environment, but is
inappropriate in a production environment.
The access control system only allows use of regeneration data when you enable command X'027D',
Permit Regeneration Data.
If you use the Digital_Signature_Generate verb with the ZERO-PAD option and supply a wrapped
symmetric key, the verb decrypts the wrapped key and an application can then recover the symmetric key
in the clear. This most likely is undesirable. Generally, private keys intended for use in key-management
applications should be generated with the KM-ONLY attribute to block the use of the key in the
Digital_Signature_Generate verb. For private keys used to generate digital signatures, consider applying
the SIG-ONLY attribute.
Retained keys
In some applications you must not release an RSA private key in any form from the device in which it is
generated. Using the RETAIN keyword with the PKA_Key_Generate verb prevents the coprocessor from
outputting the private key. Alternative choices permit the key to be returned to the application wrapped
under the master key or a transport key, or returned in the clear with access-control permission.
You can confirm that a key has been generated and retained in the coprocessor using the
Retained_Key_List verb and the verification of a digital signature made with the retained key. Because no
means exist to import an RSA private key into retained-key storage, the list of key labels returned from the
Retained_Key_List verb demonstrates the existence of a particular named key. You can confirm that the
same label does not exist in host-system key-storage using the PKA_Key_Record_List verb.
Unrestricted usage permits the generation of PIN numbers for the specified
account numbers, using information that can be known to an adversary.
Certain status information can be obtained from the Miniboot component of the coprocessor through the
coprocessor load utility (CLU). This response is signed and can be validated using the CLU utility.
RS-232 port
All CCA input and output is via the embedded control program within the coprocessor. The embedded
control program of the 4764 PCI-X Cryptographic Coprocessor provides a device driver for the RS-232
communications port which is integral to the coprocessor. For the 4765 PCIe Cryptographic Coprocessor,
the embedded kernel provides a device driver for its RS-232 communications port. A second RS-232
communications port on the PCIe coprocessor is strictly for use by the MicroBlaze soft processor.
However, the standard CCA application program makes no use of the ports and, therefore, they are
functionally inert. No information from or to the standard implementation of CCA will pass over the RS-232
port interface.
Master-key cloning
If you employ master-key cloning, then the distribution of shares needs to be accommodated, perhaps with
a unique role and profile for the individual permitted to process sharen. Registering the public key of the
authorization node should be split between two users such as SO1 and SO2. See Table 170 on page 726.
The remainder of this section outlines considerations for use of the IBM 4765 and IBM 4764 consistent
with the high-security requirements of these application areas. The IBM 4765 and IBM 4764 with CCA
offer many capabilities. If you choose to deviate from some of the guidelines in this section, for example,
to achieve greater flexibility in operation, be sure to review the earlier portions of this section for guidance.
Application environment
The application environment includes a computing system and the surrounding policies, personnel, and
physical security to address Public Key Infrastructure CA, RA, OCSP responder, or time-stamping
services. An application program must be selected that employs CCA and the coprocessor, and that
implements the desired services. The application program must be reviewed against the guidelines
discussed in the section Application requirements on page 734. The organization must install an IBM
4765 or IBM 4764 Coprocessor and the CCA Support Program. The organization will need to observe the
requirements discussed in sections Policy requirements on page 735 and Operational requirements and
plan on page 736.
The security functions of the coprocessor do not rely on the correctness of the host software or the fact
that this software is not tampered with or bypassed. But, of course, for the coprocessor to be useful,
functions of the host system need to execute correctly. For example, if a human user wants a document to
be signed, it is a requirement that the host software ensure that (1) the document displayed to the user is
represented by a hash of the document, and that (2) the hash is forwarded unaltered to the coprocessor
for inclusion in the digital signature.
Threat considerations
Appendix E, "Threat considerations for a digital-signing server" in the IBM 4765 PCIe Cryptographic
Coprocessor CCA Support Program Installation Manual and in the IBM 4764 PCI-X Cryptographic
Coprocessor CCA Support Program Installation Manual contain a list of threats which should be
considered specific to a digital-signing server. For each threat, the appendix describes how the
coprocessor and the CCA Support Program address the threat and/or actions the using organization
should take to mitigate the exposure. As your plans for using the coprocessor evolve, periodically check
them against requirements noted in the appendix.
Security objectives
The security objectives can be broken into two broad classes:
v Objectives met by the coprocessor and its internal software
v Objectives to be met by the using organization
11. CA: Certification Authority; RA: Registration Authority; OCSP responder: Open Certificate Status Protocol responder.
Objectives to be met by the using organization: The using organization must meet these security
objectives without placing further requirements on the coprocessor:
1. Provide a system environment including host computer, operating system, application program(s), and
data repositories that provide the normal operating environment for the coprocessor
2. Provide for secure data storage for sensitive information such as user passphrases
3. Provide trusted, trained individuals to perform as subsequently described
4. Perform the setup and normal operations according to the guidelines in subsequent sections
5. Monitor for and respond to error situations that could represent a deviation from normal operation
Application requirements
The selected application must:
1. Employ the CCA interface as described in the appropriate IBM 4765 or IBM 4764 publications:
v This CCA Basic Services Reference and Guide
v The IBM 4765 PCIe Cryptographic Coprocessor CCA Support Program Installation Manual or the
IBM 4764 PCI-X Cryptographic Coprocessor CCA Support Program Installation Manual
2. Generate an RSA key-pair which meets these requirements:
a. Has an appropriate key-length, 1024 + 256 * s, where 0 s 8
b. Flags the key for use only in digital signature operations12
c. Extends the skeleton key-token to obtain a self-signature that incorporates the coprocessor serial
number and application-supplied information 13
d. Is retained within the coprocessor14
e. Is not generated with reference to any regeneration data15
f. Makes known the key label used to access the private key so that an auditor might confirm that a
retained key is in use16
12. Employ a skeleton key-token (from the PKA_Key_Generate verb) with the SIG-ONLY (signature only) attribute.
13. The application might permit the introduction of a nonce to be included in the self-signed public-key certificate returned from the
PKA_Key_Generate verb. Note that this does not guarantee that the private key exists in a coprocessor, but does provide
additional assurance and integrity on the public-key value.
14. Use the RETAIN rule-array keyword on the PKA_Key_Generate verb.
15. The regeneration_data_length variable in the PKA_Key_Generate call must be valued to zero.
16. The key label also must not exist in the key storage of the host system.
Policy requirements
These policy requirements are focused on the coprocessor and must be augmented through consideration
of the host-system operating system and digital-signing application, the physical environment, and so forth,
which are necessarily unique to each installation.
Required tasks: The organization must establish a complete set of rules (policy) governing the selection,
installation, commissioning, operation, decommissioning, and auditing of the proposed digital-signing
server. With reference to the coprocessor, consider these items:
1. Refer to Appendix E, "Threat considerations for a digital-signing server" in the IBM 4765 PCIe
Cryptographic Coprocessor CCA Support Program Installation Manual or in the IBM 4764 PCI-X
Cryptographic Coprocessor CCA Support Program Installation Manual to check your decisions.
2. Assign individuals to roles as discussed in Personnel assignments.
3. Identify, procure, install, and test a host-system computer paying attention to the security requirements
which the operating system should support. You need to limit the exposure from rogue processes
which might:
v Intercept passphrases
v Modify the data to be signed after the data has been approved for signing
v Substitute an alternative cryptographic process that could be subverted
4. Install an IBM cryptographic coprocessor and CCA software and prerequisite software as documented
in the IBM 4765 PCIe Cryptographic Coprocessor CCA Support Program Installation Manual or the
IBM 4764 PCI-X Cryptographic Coprocessor CCA Support Program Installation Manual.
v The CCA Support Program software must be installed as indicated in Chapters 3, 4, and up through
the section entitled "How to establish a test node" in the IBM 4765 PCIe Cryptographic Coprocessor
CCA Support Program Installation Manual or the IBM 4764 PCI-X Cryptographic Coprocessor CCA
Support Program Installation Manual.
v An auditor should use the CLU utility VA command to confirm that the code loaded in the
coprocessor is validated, has the correct release identifiers, and has SEG2 and SEG3 owner
identifiers valued to 2.
5. Identify, procure, install, and test a host-system application program that conforms to your
requirements and which can employ the coprocessor within the constraints described under the
Application requirements on page 734.
6. Limit access to the environment of the coprocessor.
7. Make maximum use of host-system security features.
8. Carry out the tasks detailed in Operational requirements and plan on page 736.
9. Provide for periodic audit review of the system and associated records.
Personnel assignments: Related to the use of the coprocessor, assign and train individuals to serve in
these capacities:
The secure usage of the coprocessor is dependent on the definition of roles in accordance with a specific
usage policy. A role defines a set of permissible coprocessor commands. To perform a CCA verb (service)
requires the use of one or more commands. A command is enabled by a permission in the active role. If
the caller of a verb is not logged on, the DEFAULT role is active. There is always a DEFAULT role. A user
might log on by referencing his profile and presenting his passphrase. The user's profile identifies a role
which expresses his permissions to enable commands and thus CCA verbs.
The CCA Support Program provides considerable flexibility in the configuration of roles. Other suitable
ways to set up a secure CCA system as a digital-signing server exist beyond the example described here.
For more details of the concept of roles within the coprocessor, see the introductory material in Chapter 2,
CCA node management and access control, on page 13 and Appendix G, Access-control-point codes,
on page 715.
The plan should address these phases of activity related to the coprocessor:
Checkout
In this phase, the hardware and software are installed and preliminary tests are performed,
individuals are trained, and so forth. Refer to the CCA Support Program Installation Manual.
Setup
In this phase, the specific set of access controls are established by the administrator, as listed in
Table 172 on page 738. Perform these steps:
1. Begin this activity by reinstalling the CCA software using the CLU utility and the software file
CNWxxxxx.CLU as described in the section, "Loading software into the coprocessor" of the CCA
Support Program Installation Manual.
17. Two or more administrators might be assigned to work together to ensure that the required tasks, and no more, are performed
correctly and in sequence. An objective is that the administrators will not collude with each other.
This role is used to verify reasonable (Use the "Enable All" button in the CNM utility.)
operation of the installed hardware
and software. Once checkout is
complete and setup is underway, this
role is replaced by the OP-DEF role
(Operational Default) and the other
roles described next.
SETUP X'001A', (MKP) Set Master Key
X'001D', (KSI) Compute Verification Pattern
Use this role during initial application X'0020', (MKP) Generate Random Master Key
testing and establishment of roles and X'0101', (DSV) Digital_Signature_Verify
profiles. Once proper operation is X'0107', (OWH) One-Way Hash, SHA-1
confirmed, delete the profile(s) which X'010F', (CFC) Reset Intrusion Latch
activates this role. This role permits X'0110', (CFC) Set Clock
alteration and extension of the X'0111', (CFC) Reinitialize Device
access-control regime. X'0112', (ACI) Initialize Access-Control System
X'0113', (ACI) Change User Profile Expiration Date
X'0114', (ACI) Change User Profile Authentication Data
X'0115', (ACI) Reset User Profile Logon-Attempt-Failure
Count
X'0116', (ACM) Read Public Access-Control Information
X'0117', (ACM) Delete User Profile
X'0118', (ACM) Delete Role
X'0119', (CFC) Load Function-Control Vector
X'011A', (CFC) Clear Function-Control Vector
X'011C', (CFC) Set EID
X'0203', (RKD) Delete Retained Key
X'0230', (RKL) List Retained Key Names
SETUP-1 X'001D', (KSI) Compute Verification Pattern
X'0114', (ACI) Change User Profile Authentication Data
Use this role to alter the passphrases X'0115', (ACI) Reset User Profile Logon-Attempt-Failure
of users. Once passphrases have Count
been changed, delete the profile(s) X'0116', (ACM) Read Public Access-Control Information
which activates this role. X'0117', (ACM) Delete User Profile
OP-DEF Operational Default X'001D', (KRL) Compute Verification Pattern
X'0101', (DSV) Digital_Signature_Verify
The role permits very limited X'0107', (OWH) One-Way Hash, SHA-1
functionality when no user is logged X'0116', (ACM) Read Public Access-Control Information
on.
AUDITOR X'001D', (KRL) Compute Verification Pattern
X'0101', (DSV) Digital_Signature_Verify
Use this role to query the X'0107', (OWH) One-Way Hash, SHA-1
access-control setup and to confirm X'0111', (CFC) Reinitialize Device
that the profiles which employ the X'0116', (ACM) Read Public Access-Control Information
setup roles are deleted. The role X'0117', (ACM) Delete User Profile
permits confirmation of retained-key X'0203', (RKD) Delete Retained Key
labels. X'0230', (RKL) List Retained Key Names
An optional command
Possibly an auditor should be able to disable use of the cryptographic facility or a specific key. Enablement of
these commands for the auditor is an application design issue.
Alternatives to the role scheme: These variations to the role scheme can be considered:
Key Generation
You can eliminate the role used specifically for key generation and grant that authority to any one
of the SIGNER, SETUP-1, or SETUP roles.
An advantage of the distinct KEY-GEN role is an improved procedure for enabling the auditor to
confirm the appropriateness of the generated key prior to productive use.
An advantage in permitting the signer to generate the key lies in the fact that the signer is
responsible for use of the key.
Permitting the SETUP role to generate the key can reduce the number of roles. However, note
that under the SETUP role, the access controls remain changeable. It might be advantageous to
delay key generation until the access controls are rendered unchangeable.
Private Key Deletion
The private key(s) can be deleted by zeroizing the segment 2 and segment 3 software. It is also
possible to delete a retained private-key using the Retained_Key_Delete verb which uses the
Delete Retained Key command (X'0203'). You should decide when and who will have the
responsibility for key deletion (zeroization). As appropriate, enable the Delete Retained Key
command in any of the defined roles.
Passphrase Changes
You can eliminate the SETUP-1 role if you have the user passphrases set using the SETUP role.
The SETUP-1 role enables an auditor to first check the roles prior to having the various users
come and establish their passphrases.
This role is used to verify reasonable (Use the "Enable All" button in the CNM utility.)
operation of the installed hardware
and software. Once initial checkout is
complete, this role is replaced by the
Operational Default role and the other
roles described next.
An optional command
Possibly an auditor should be able to disable use of the cryptographic facility or a specific key. Enablement of
these commands for the auditor is an application design issue.
An overview of the way in which users can build Java programs to use with the CCA Support Program is
provided in Chapter 7 of the IBM 4765 PCIe Cryptographic Coprocessor CCA Support Program Installation
Manual. It includes:
v The procedure for compiling a program calling the CCA Java Native Interface (JNI)
v A sample Java routine for calling the CCA JNI
Table 174 gives the entry point names and JNI formats for each verb, and the page where the verb is
described in detail. The names are listed alphabetically.
Table 174. Format summary of JNI calls
JNI entry-point name JNI format Page
CSNBAKRCJ public native void CSNBAKRCJ(hikmNativeInteger return_code, 392
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] key_label, hikmNativeInteger key_token_length, byte[] key_token);
CSNBAKRDJ public native void CSNBAKRDJ(hikmNativeInteger return_code, 394
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] key_label);
CSNBAKRLJ public native void CSNBAKRLJ(hikmNativeInteger return_code, 396
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] key_label, hikmNativeInteger dataset_name_length,
byte[] dataset_name, byte[] security_server_name);
CSNBAKRRJ public native void CSNBAKRRJ(hikmNativeInteger return_code, 398
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] key_label, hikmNativeInteger key_token_length, byte[] key_token);
CSNBAKRWJ public native void CSNBAKRWJ(hikmNativeInteger return_code, 400
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] key_label, hikmNativeInteger key_token_length, byte[] key_token);
| CSNBCKCJ public native void CSNBCKCJ(hikmNativeInteger return_code, hikmNativeInteger 452
| reason_code, hikmNativeInteger exit_data_length, byte[] exit_data,
| hikmNativeInteger rule_array_count, byte[] rule_array, hikmNativeInteger
| key_a_identifier_length, byte[] key_a_identifier, hikmNativeInteger
| key_b_identifier_length, byte[] key_b_identifier, hikmNativeInteger
| output_key_identifier_length, byte[] output_key_identifier);
CSNBCKIJ public native void CSNBCKIJ(hikmNativeInteger return_code, 198
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, byte[] clear_key, byte[] target_key_identifier);
CSNBCKMJ public native void CSNBCKMJ(hikmNativeInteger return_code, 301
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, hikmNativeInteger rule_array_count, byte[] rule_array,
hikmNativeInteger clear_key_length, byte[] clear_key,
byte[] key_identifier);
743
Table 174. Format summary of JNI calls (continued)
JNI entry-point name JNI format Page
CSNBCPAJ public native void CSNBCPAJ(hikmNativeInteger return_code, 444
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, byte[] inbound_PIN_encrypting_key_identifier,
byte[] PIN_generating_key_identifier, byte[] input_PIN_profile,
byte[] PAN_data, byte[] encrypted_PIN_block, hikmNativeInteger
rule_array_count, byte[] rule_array, hikmNativeInteger PIN_check_length,
byte[] data_array, byte[] returned_result);
CSNBCPEJ public native void CSNBCPEJ(hikmNativeInteger return_code, 438
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, byte[] PIN_encrypting_key_identifier, hikmNativeInteger
rule_array_count, byte[] rule_array, byte[] clear_PIN, byte[] PIN_profile,
byte[] PAN_data, hikmNativeInteger sequence_number,
byte[] encrypted_PIN_block);
CSNBCSGJ public native void CSNBCSGJ(hikmNativeInteger return_code, 449
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] PAN_data, byte[] expiration_date, byte[] service_code,
byte[] CVV_key-A_identifier, byte[] CVV_key-B_identifier,
byte[] CVV_value);
CSNBCSVJ public native void CSNBCSVJ(hikmNativeInteger return_code, 456
hikmNativeInteger reason_code, hikmNativeInteger exit_data_length,
byte[] exit_data, hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] PAN_data, byte[] expiration_date, byte[] service_code,
byte[] CVV_key-A_identifier, byte[] CVV_key-B_identifier,
byte[] CVV_value);
CSNBCVEJ public native void CSNBCVEJ(hikmNativeInteger return_code, hikmNativeInteger 205
reason_code, hikmNativeInteger exit_data_length, byte[] exit_data,
byte[] c-variable_encrypting_key_identifier, hikmNativeInteger
text_length, byte[] plaintext, byte[] initialization_vector,
byte[] ciphertext);
CSNBCVGJ public native void CSNBCVGJ(hikmNativeInteger return_code, hikmNativeInteger 200
reason_code, hikmNativeInteger exit_data_length, byte[] exit_data,
byte[] key_type, hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] reserved, byte[] control_vector);
CSNBCVTJ public native void CSNBCVTJ(hikmNativeInteger return_code, hikmNativeInteger 203
reason_code, hikmNativeInteger exit_data_length, byte[] exit_data,
byte[] KEK_key_identifier, byte[] source_key_token,
byte[] array_key_left_identifier, byte[] mask_array_left,
byte[] array_key_right_identifier, byte[] mask_array_right,
hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] target_key_token);
CSNBDECJ public native void CSNBDECJ(hikmNativeInteger return_code, hikmNativeInteger 360
reason_code, hikmNativeInteger exit_data_length, byte[] exit_data,
byte[] key_identifier, hikmNativeInteger text_length, byte[] ciphertext,
byte[] initialization_vector, hikmNativeInteger rule_array_count,
byte[] rule_array, byte[] chaining_vector, byte[] plaintext);
CSNBDKGJ public native void CSNBDKGJ(hikmNativeInteger return_code, hikmNativeInteger 211
reason_code, hikmNativeInteger exit_data_length, byte[] exit_data,
hikmNativeInteger rule_array_count, byte[] rule_array,
byte[] generating_key_identifier, hikmNativeInteger data_length,
byte[] data, byte[] data_decrypting_key_identifier,
byte[] generated_key_identifier);
CSNBDKMJ public native void CSNBDKMJ(hikmNativeInteger return_code, hikmNativeInteger 209
reason_code, hikmNativeInteger exit_data_lengthh, byte[] exit_data,
byte[] source_key_token, byte[] importer_key_identifier,
byte[] target_key_identifier);
IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in
your area. Any reference to an IBM product, program, or service is not intended to state or imply that only
that IBM product, program, or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property
Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATIONS "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein; these changes will be incorporated in new editions of the publications. IBM
may make improvements and/or changes in the product(s) and/or program(s) described in this publication
at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in
any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of
the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the
exchange of information between independently created programs and other programs (including this one)
and (ii) the mutual use of the information which has been exchanged, should contact:
| crypto@us.ibm.com
757
Such information may be available, subject to appropriate terms and conditions, including in some cases,
payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by
IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any
equivalent agreement between us.
Information concerning non-IBM products was obtained from the suppliers of those products, their
published announcements or other publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate
them as completely as possible, the examples include the names of individuals, companies, brands, and
products. All of these names are fictitious and any similarity to the names and addresses used by an
actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing
application programs conforming to the application programming interface for the operating platform for
which the sample programs are written. These examples have not been thoroughly tested under all
conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these
programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be
liable for any damages arising out of your use of the sample programs.
Each copy or any portion of these sample programs or any derivative work, must include a copyright
notice as follows: (your company name) (year). Portions of this code are derived from IBM Corp.
Sample Programs. Copyright IBM Corp. _enter the year or years_.
YOU ACCEPT THE TERMS OF THIS IBM LICENSE AGREEMENT FOR MACHINE CODE BY
YOUR USE OF THE HARDWARE PRODUCT OR MACHINE CODE. PLEASE READ THE
AGREEMENT CONTAINED IN THIS BOOK BEFORE USING THE HARDWARE PRODUCT.
You accept the terms of this Agreement18 by your initial use of a machine that contains IBM Licensed
Internal Code (called Code). These terms apply to Code used by certain machines IBM or your reseller
specifies (called Specific Machines). International Business Machines Corporation or one of its
subsidiaries (IBM) owns copyrights in Code or has the right to license Code. IBM or a third party owns all
copies of Code, including all copies made from them.
If you are the rightful possessor of a Specific Machine, IBM grants you a license to use the Code (or any
replacement IBM provides) on, or in conjunction with, only the Specific Machine for which the Code is
provided. IBM licenses the Code to only one rightful possessor at a time.
You agree to acquire any replacement for, or additional copy of, Code directly from IBM in accordance with
IBM's standard policies and practices. You also agree to use that Code under these terms.
You may transfer possession of the Code to another party only with the transfer of the Specific Machine. If
you do so, you must 1) destroy all your copies of the Code that were not provided by IBM, 2) either give
the other party all your IBM-provided copies of the Code or destroy them, and 3) notify the other party of
these terms. IBM licenses the other party when it accepts these terms. These terms apply to all Code you
acquire from any source.
Your license terminates when you no longer rightfully possess the Specific Machine.
Notices 759
760 CCA Basic Services October 14, 2011
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information at:
www.ibm.com/legal/copytrade.shtml
Adobe is either a registered trademark or trademark of Adobe Systems Incorporated in the United States,
and/or other countries.
Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and
other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or
its affiliates.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.
761
762 CCA Basic Services October 14, 2011
List of abbreviations
ADB Actual Data Block EDE Encipher-Decipher-Encipher
AES Advanced Encryption Standard EEPROM
AIX Advanced Interactive Executive operating Electrically Erasable, Programmable
system Read-Only Memory
| ANS American National Standards EID Environment Identifier
ANSI American National Standards Institute EPP Encrypting PIN PAD
API Application Programming Interface FCV Function Control Vector
ASCII American National Standard Code for FIPS Federal Information Processing Standards
Information Interchange HMAC Keyed Hash MAC
ASN Abstract Syntax Notation | HSM Hardware Security Module
ATC Application Transaction Counter IBM International Business Machines
ATM Automated Teller Machine ICSF Integrated Cryptographic Service Facility
BC Block Contents ICV Initial Chaining Value
| BDK Base Derivation Key IEC International Electrotechnical Commission
BER ASN.1 Basic Encoding Rules I/O Input/Output
CA Certification Authority IPL Initial Program Load
CBC Cipher Block Chaining ISO International Organization for
CCA Common Cryptographic Architecture Standardization
| CDMF Commercial Data Masking Facility (IBM ISO/DIS
| 4758 only) International Organization for
CKSN Current-Key Serial Number Standardization/Draft International
CLU Coprocessor Load Utility Standard
| CMS Cryptographic Message Syntax ISO/FDIS
CNI Coprocessor Node Initialization International Organization for
CMOS Complementary Metal Oxide Standardization/Final Draft International
Semiconductor Standard
CMK Current Master Key JNI Java Native Interface
CNM Cryptographic Node Management (utility) | KC Key Confirmation
COBOL | KDF Key Derivation Function
Common Business-Oriented Language KEK Key-Encrypting Key
CRT Chinese-Remainder Theorem KM Master Key
| CSC Card Security Code KVP Key Verification Pattern
CV Control Vector LRC Longitudinal Redundancy Check
CVC Card-Verification Code LSB Least significant bit
| CVK Card Verification Key MB Megabyte
CVV Card-Verification Value MAC Message Authentication Code
DEA Data Encryption Algorithm MD5 Message Digest-5 Hash Algorithm
DES Data Encryption Standard MDC Modification Detection Code
DOW Day of the Week MDK Master-Derivation Key
DMA Direct Memory Access | MFK Master File Key
DSS Digital Signature Standard MK Master Key
| DUKPT MKVP Master-Key Verification Pattern
| Derived Unique Key Per Transaction MSB Most significant bit
EBCDIC NIST National Institute of Standards and
Extended Binary Coded Decimal Technology (USA)
Interchange Code NL Netherlands
| EC Elliptic Curve NMK New Master Key
ECB Electronic Code Book OAEP Optimal Asymmetric Encryption Padding
ECC Elliptic Curve Cryptography OCSP Open Certificate Status Protocol
| ECDH Elliptic Curve Diffie-Hellman OEM Original Equipment Manufacturer
| ECDSA | OID Object Identifier
| Elliptic Curve Digital Signature Algorithm OMK Old Master Key
ECI Eurocheque International OPK Object Protection Key
763
PAN Personal Account Number
PCI Peripheral Component Interconnect
PCIe PCI Express
PCI-XPCI Extended
PIN Personal Identification Number
PKA Public Key Algorithm
PKCS Public-Key Cryptography Standards
POST Power-On Self Test
PRNG Pseudo Random Number Generator
PROM Programmable Read-Only Memory
| PVV PIN Validation Value
RA Registration Authority
RACF Resource Access Control Facility
RAM Random Access Memory
| RFC Request for Comments
RHEL Red Hat Enterprise Linux
RNG Random Number Generator
ROM Read-Only Memory
RSA Rivest, Shamir, and Adleman
| SEC 2Standards for Efficient Cryptography 2
| SECG Standards for Efficient Cryptography
| Group
SET Secure Electronic Transaction
SHA Secure Hash Algorithm
SLES SUSE Linux Enterprise Server
SNA Systems Network Architecture
SSL Secure Sockets Layer
TLV Tag, Length, Value
TVV Token-validation value
UDK Unique DEA Key
UDX User-Defined Extension
UKPT Unique Key Per Transaction
UTC Coordinated Universal Time
VIS Visa Integrated Circuit Card Specification
XOR Exlusive-OR
access. A specific type of interaction between a authentication. A process used to verify the integrity
subject and an object that results in the flow of of transmitted data, especially a message (I). In
information from one to the other. computer security, a process used to verify the user of
an information system or protected resources.
access control. Ensuring that the resources of a
computer system can be accessed only by authorized authorization. The right granted to a user to
users in authorized ways. communicate with or make use of a computer system
(I). The process of granting a user either complete or
access method. A technique for moving data between restricted access to an object, resource, or function.
main storage and input/output devices.
authorize. To permit or give authority to a user to
adapter. A printed circuit card that modifies the system communicate with or make use of an object, resource,
unit to allow it to operate in a particular way. or function.
765
C Cryptographic Node Management (CNM) utility.
One of the utility programs supplied with the CCA
Support Program. It enables you to initialize the
Card-Verification Code (CVC). See Card-Verification
coprocessor access controls and the cryptographic
Value.
master keys.
Card-Verification Value (CVV). A cryptographic
cryptography. The transformation of data to conceal
method, defined by VISA, for detecting forged
its meaning.
magnetic-striped cards. This method cryptographically
checks the contents of a magnetic stripe. This process
is functionally the same as MasterCards D
Card-Verification Code (CVC) process.
data. A representation of facts or instructions in a form
Commercial Data Masking Facility (CDMF). An suitable for communication, interpretation, or processing
alternate algorithm for data confidentiality applications, by human or automatic means. Data includes constants,
based on the DES algorithm with an effective 40-bit key variables, arrays, and character strings. Any
strength. CDMF is supported only prior to Version 3. representations such as characters or analog quantities
to which meaning is or might be assigned. (A)
channel. A path along which signals can be sent; for
example, a data channel or an output channel. (A) data-encrypting key. A key used to encipher,
decipher, or authenticate data. Contrast with
ciphertext. Text that results from the encipherment of
key-encrypting key.
plaintext. See also plaintext.
Data Encryption Algorithm (DEA). A 64-bit block
Cipher Block Chaining (CBC). A mode of operation
cipher that uses a 64-bit key, of which 56 bits are used
that cryptographically connects one block of ciphertext
to control the cryptographic process and 8 bits are used
to the next plaintext block.
for parity checking to ensure that the key is transmitted
clear data. Data that is not enciphered. properly.
cleartext. Text that has not been altered by a Data Encryption Standard (DES). The National
cryptographic process. Synonym for plaintext. See also Institute of Standards and Technology Data Encryption
ciphertext. Standard, adopted by the U.S. government as Federal
Information Processing Standard (FIPS) Publication 46.
Common Cryptographic Architecture (CCA). The which allows only hardware implementations of the
CCA API is the programming interface described in this data-encryption algorithm.
document.
dataset. The major unit of data storage and retrieval,
concatenation. An operation that joins two characters consisting of a collection of data in one of several
or strings in the order specified, forming one string prescribed arrangements and described by control
whose length is equal to the sum of the lengths of its information to which the system has access.
parts.
decipher. To convert enciphered data into clear data.
configuration. The manner in which the hardware and Synonym for decrypt. Contrast with encipher.
software of an information processing system are
organized and interconnected. (I) The physical and decode. To convert data by reversing the effect of
logical arrangement of devices and programs that some previous encoding. (A) (I) In the CCA products,
constitutes a data processing system. decode and encode relate to the Electronic Code Book
mode of the Data Encryption Standard (DES). Contrast
control program. A computer program designed to with encode and decipher.
schedule and to supervise the programs running in a
computer system. (A) (I) decrypt. To decipher or decode. Synonym for
decipher. Contrast with encrypt.
control vector (CV). In CCA, a 16-byte string that is
exclusive-ORed with a master key or a key-encrypting device driver. A program that contains the code
key to create another key that is used to encipher and needed to attach and use a device.
decipher data or data keys. A control vector determines
device ID. In the IBM 4765 and IBM 4764 CCA
the type of key and the restrictions on the use of that
implementations, a user-defined field in the
key.
configuration data that can be used for any purpose the
coprocessor. In this document, the IBM 4765 PCIe user specifies. For example, it can be used to identify a
and IBM 4764 PCI-X Cryptographic Coprocessors, particular device, by using a unique ID similar to a serial
generally also when using the CCA Support Program. number.
Glossary 767
key-encrypting key (KEK). A key used for the Modification Detection Code (MDC). In cryptography,
encryption and decryption of other keys. Contrast with a number or value that interrelates all bits of a data
data-encrypting key. Also called a transport key. stream so that, when enciphered, modification of any bit
in the data stream results in a new MDC.
| key agreement. A key establishment procedure where
| the resultant secret keying material is a function of multi-user environment. A computer system that
| information contributed by two participants, so that no provides terminals and keyboards for more than one
| party can predetermine the value of the secret keying user at the same time.
| material independently from the contributions from the
| other parties.
N
key half. In the CCA implementation, one of the two
DES keys that make up a double-length key. National Institute of Science and Technology
(NIST). The current name for the US National Bureau
key identifier. In the CCA implementation, a 64-byte of Standards.
variable which is either a key label or a key token.
network. A configuration of data-processing devices
key label. In the CCA implementation, an identifier of and software programs connected for information
a key-record in key storage. See Key labels on page interchange. An arrangement of nodes and connecting
170 and Key-label content on page 390. branches. (I)
key storage. In the CCA implementation, a data file node. In a network, a point at which one-or-more
that contains cryptographic keys which are accessed by functional units connect channels or data circuits. (I)
key label.
| nonce. A time-varying value that has at most a
key token. In the CCA implementation, a data | negligible chance of repeating, such as a random value
structure that can contain a cryptographic key, a control | that is generated anew for each use, a timestamp, a
vector, and other information related to the key. | sequence number, or some combination of these.
L P
link. The logical connection between nodes including panel. The complete set of information shown in a
the end-to-end control procedures. The combination of single image on a display station screen.
physical media, protocols, and programming that
connects devices on a network. In computer parameter. In the CCA security API, an address
programming, the part of a program, in some cases a pointer passed to a verb to address a variable
single instruction or an address, that passes control and exchanged between an application program and the
parameters between separate portions of the computer verb.
program. (A) (I) To interconnect items of data or
password. In computer security, a string of characters
portions of one or more computer programs. (I) In SNA,
known to the computer system and a user; the user
the combination of the link connection and link stations
must specify it to gain full or limited access to a system
joining network nodes.
and to the data stored within it.
profile. Data that describes the significant return code. A code used to influence the execution of
characteristics of a user, a group of users, or succeeding instructions. (A) A value returned to a
one-or-more computer resources. program to indicate the results of an operation
requested by that program. In the CCA implementation,
protocol. A set of semantic and syntactic rules that a value that provides a general result as opposed to a
determines the behavior of functional units in achieving specific result. Contrast with reason code.
communication. (I) In SNA, the meanings of and the
sequencing rules for requests and responses used to Rivest-Shamir-Adleman (RSA) algorithm. A
manage the network, transfer data, and synchronize the public-key cryptography process developed by R.
states of network components. A specification for the Rivest, A. Shamir, and L. Adleman.
format and relative timing of information exchanged
between communicating parties. RS-232. A specification that defines the interface
between data terminal equipment and data
public key. In computer security, a key that is widely circuit-terminating equipment, using serial binary data
known, and used with a public-key algorithm to encrypt interchange.
data. The encrypted data can be decrypted only with
the related private key. Contrast with private key. See RS-232C. A standard that defines the specific physical,
also public-key algorithm. electronic, and functional characteristics of an interface
line that uses a 25-pin connector to connect a
Public-Key Algorithm (PKA). In computer security, an workstation to a communication device.
asymmetric cryptographic process that uses a public
key to encrypt data and a related private key to decrypt RSA algorithm. Rivest-Shamir-Adleman encryption
data. Contrast with Data Encryption Algorithm and Data algorithm.
Encryption Standard algorithm. See also
Rivest-Shamir-Adleman algorithm. S
public-key hardware. That portion of the security
security. The protection of data, system operations,
module in an IBM 4765 and IBM 4764 that performs
and devices from accidental or intentional ruin, damage,
modulus-exponentiation arithmetic.
or exposure.
Public-Key Cryptography Standards (PKCS).
security server. In the CCA implementation, the
Specifications produced by RSA Laboratories in
functions provided through calls made to the security
cooperation with secure system developers worldwide,
API.
for the purpose of accelerating the deployment of
public-key cryptography. First published in 1991. server. On a Local Area Network, a data station that
provides facilities to other data stations; for example, a
R file server, a print server, a mail server. (A)
Random access memory (RAM). A storage device session. In network architecture, for the purpose of
into which data are entered and from which data are data communication between functional units, all the
retrieved in a non-sequential manner. activities that take place during the establishment,
maintenance, and release of the connection. (I) The
Read-only memory (ROM). Memory in which stored period of time during which a user of a terminal can
data cannot be modified by the user except under communicate with an interactive system (usually, the
special conditions. elapsed time between logon and logoff).
reason code. A value that provides a specific result as Session-Level Encryption (SLE). A Systems Network
opposed to a general result. Contrast with return code. Architecture (SNA) protocol that provides a method for
establishing a session with a unique key for that
Glossary 769
session. This protocol establishes a cryptographic key userid. A string of characters that uniquely identifies a
and the rules for deciphering and enciphering user to the system.
information in a session.
utility program. A computer program in general
string. A sequence of elements of the same nature, support of computer processes. (I)
such as characters, considered as a whole. (I)
U
Unique key per transaction (UKPT). A cryptographic
process that can be used to decipher PIN blocks in a
transaction.
771
control vectors (CVs) (continued) CSNBAKRL (AES_Key_Record_List) 396
bit map (continued) CSNBAKRLJ 743
XLATE bit 662 CSNBAKRR (AES_Key_Record_Read) 398
changing 203, 205 CSNBAKRRJ 743
Changing CSNBAKRW (AES_Key_Record_Write) 400
Control_Vector_Translate verb 667 CSNBAKRWJ 743
pre-exclusive-OR technique 665 CSNBCKC (CVV_Key_Combine) 452
changing method of key encryption 224 CSNBCKCJ 743
checking 148 CSNBCKI (Clear_Key_Import) 198
control information 667 CSNBCKIJ 743
default values 152 CSNBCKM (Multiple_Clear_Key_Import) 301
description 148 CSNBCKMJ 743
determining values 661 CSNBCPA (Clear_PIN_Generate_Alternate) 444
enciphering 198 CSNBCPAJ 744
exporting a DATA key 207 CSNBCPE (Clear_PIN_Encrypt) 438
exporting a key 227 CSNBCPEJ 744
exporting a key to TR31 501 CSNBCSG (CVV_Generate) 449
generating 200 CSNBCSGJ 744
generating a key 211, 229, 239 CSNBCSV (CVV_Verify) 456
importing a DATA key 209 CSNBCSVJ 744
importing a key 245 CSNBCVE (Cryptographic_Variable_Encipher) 205
importing parts of a key 247, 251 CSNBCVEJ 744
key form bits, fff 660 CSNBCVG (Control_Vector_Generate) 200
key separation 147 CSNBCVGJ 744
key-half processing mode 669 CSNBCVT (Control_Vector_Translate) 203
keywords 162 CSNBCVTJ 744
mask array information 667 CSNBDEC (Decipher) 360
multiply-deciphering keys 671 CSNBDECJ 744
multiply-enciphering keys 671 CSNBDKG (Diversified_Key_Generate) 211
producing ciphertext 205 CSNBDKGJ 744
specifying values 661 CSNBDKM (Data_Key_Import) 209
testing 667 CSNBDKMJ 744
translating 203 CSNBDKX (Data_Key_Export) 207
values 655 CSNBDKXJ 745
verbs 198, 200, 203, 205, 207, 209, 211, 217, 224, CSNBENC (Encipher) 363
227, 229, 239, 245, 247, 251, 256, 261, 265, 501 CSNBENCJ 745
verifying key value 256, 261 CSNBEPG (Encrypted_PIN_Generate) 459
verifying value of key, external 265 CSNBEPGJ 745
violation 667 CSNBHMG (HMAC_Generate) 366
Control_Vector_Generate (CSNBCVG) 200 CSNBHMGJ 745
Control_Vector_Translate CSNBHMV (HMAC_Verify) 369
example 671 CSNBHMVJ 745
mask array 667 CSNBKET (Key_Encryption_Translate) 224
Control_Vector_Translate (CSNBCVT) 203 CSNBKETJ 745
controlling the cryptographic facility 20 CSNBKEX (Key_Export) 227
coprocessor resource selection 59, 61 CSNBKEXJ 745
creating a hash value 126 CSNBKGN (Key_Generate) 229
cryptographic CSNBKGN2 (Key_Generate2) 239
separation 141 CSNBKGN2J 746
cryptographic engine 3 CSNBKGNJ 745
Cryptographic_Facility_Control (CSUACFC) 42 CSNBKIM (Key_Import) 245
Cryptographic_Facility_Query (CSUACFQ) 48 CSNBKIMJ 746
Cryptographic_Facility_Version (CSUACFV) 58 CSNBKPI (Key_Part_Import) 247
Cryptographic_Resource_Allocate (CSUACRA) 59 CSNBKPI2 (Key_Part_Import2) 251
Cryptographic_Resource_Deallocate (CSUACRD) 61 CSNBKPI2J 746
Cryptographic_Variable_Encipher (CSNBCVE) 205 CSNBKPIJ 746
cryptographic-variable-class keys 151 CSNBKRC (DES_Key_Record_Create) 402
CSNBAKRC (AES_Key_Record_Create) 392 CSNBKRCJ 746
CSNBAKRCJ 743 CSNBKRD (DES_Key_Record_Delete) 404
CSNBAKRD (AES_Key_Record_Delete) 394 CSNBKRDJ 746
CSNBAKRDJ 743 CSNBKRL (DES_Key_Record_List) 406
Index 773
CSNDSYG (Symmetric_Key_Generate) 339 data structure (continued)
CSNDSYGJ 754 authentication data 643
CSNDSYI (Symmetric_Key_Import) 345 chaining-vector-record format 633
CSNDSYI2 (Symmetric_Key_Import2) 350 examples 646
CSNDSYI2J 754 key-record-list datasets 637
CSNDSYIJ 754 key-storage record 633
CSNDSYX (Symmetric_Key_Export) 333 key-token formats 577
CSNDSYXJ 754 list of 577
CSNDTBC (Trusted_Block_Create) 353 passphrase authentication 645
CSNDTBCJ 754 profile 642, 643, 646, 647
CSUAACI (Access_Control_Initialization) 35 role 648, 649
CSUAACIJ 754 role, aggregate 639
CSUAACM (Access_Control_Maintenance) 38 role, basic 639
CSUAACMJ 754 Data_Key_Export (CSNBDKX) 207
CSUACFC (Cryptographic_Facility_Control) 42 Data_Key_Import (CSNBDKM) 209
CSUACFCJ 755 DATA-class keys 150, 162
CSUACFQ (Cryptographic_Facility_Query) 48 deactivating keys 404, 412, 420
CSUACFQJ 755 deallocating a coprocessor resource 61
CSUACFV (Cryptographic_Facility_Version) 58 decimalization table 432
CSUACFVJ 755 Decipher (CSNBDEC) 360
CSUACRA (Cryptographic_Resource_Allocate) 59 default role 641
CSUACRAJ 755 defaults, control vectors 152
CSUACRD (Cryptographic_Resource_Deallocate) 61 deleting
CSUACRDJ 755 key records 404, 412, 420, 422
CSUAKSD (Key_Storage_Designate) 63 key tokens 87, 92, 95, 103, 105, 108, 110, 112,
CSUALCT (Logon_Control) 67 404, 412, 420, 422
CSUALCTJ 755 DES key-storage initialization 65
CSUAMKD (Master_Key_Distribution) 70 DES_Key_Record_Create (CSNBKRC) 402
CSUAMKDJ 755 DES_Key_Record_Delete (CSNBKRD) 404
CSUARNT (Random_Number_Tests) 78 DES_Key_Record_List (CSNBKRL) 406
CSUARNTJ 755 DES_Key_Record_Read (CSNBKRR) 408
current key serial number 431, 434, 463, 464, 469, DES_Key_Record_Write (CSNBKRW) 409
704 device key 4
CVARENC key type 151 digital signature 1, 117
CVARXCVL key type 151 ANS X9.31 694
CVARXCVR key type 151 hash formats 694
CVC 436, 449, 456, 706 PKCS #1 694
CVV 436, 449, 456, 706 digital signature processing
CVV_Generate (CSNBCSG) 449 Digital_Signature_Generate (CSNDDSG) 118
CVV_Key_Combine (CSNBCKC) 452 Digital_Signature_Verify (CSNDDSV) 122
CVV_Verify (CSNBCSV) 456 MDC_Generate (CSNBMDG) 126
One_Way_Hash (CSNBOWH) 134
Digital_Signature_Generate (CSNDDSG) 118
D Digital_Signature_Verify (CSNDDSV) 122
data digital-signing server 733
array elements 432 Diversified_Key_Generate (CSNBDKG) 211
confidentiality 357 diversifying (smart card) keys 177
ensuring 357 dual-control security policy 247
integrity 357, 358
segmented 359
validation 432 E
data confidentiality 1, 357 EC_Diffie-Hellman (CSNDEDH) 217
Data Encryption Algorithm electronic code-book
ciphering methods 357, 681 Control_Vector_Translate verb 203
ciphering verbs 357 Cryptographic_Variable_Encipher verb 205
data confidentiality 357 Data_Key_Export verb 207
verbs 357 Data_Key_Import verb 209
data integrity 1, 357 default value 667
data structure Diversified_Key_Generate verb 211
access control 647 EC_Diffie-Hellman verb 217
authentication 643, 646 Key_Encryption_Translate verb 224
Index 775
flag byte 1 583 importer (continued)
format Key_Import verb 150
chaining_vector record 633 Key_Translate verb 150
control, financial PIN 434 importing keys 92
key tokens description 175
external 581 importing, description 175, 665
internal 581 initializing key storage 63, 65
null 578 Input/Output
key-record-list datasets 637 parameters 8
key-storage record 633 input/output (I/O) parameters 8
formatting hashes and keys 694 installing keys 172
function control vector 650 Interbank
functional overview, CCA 1 calculation method 433, 700
intermediate PIN-block (IPB) 702, 703
internal 169
G key tokens
generating a digital signature 118 building 270, 275
generating key changing 279, 281
control vectors 200 copying into application storage 408
CSNBTRV 496 copying into key storage 409, 418
CVV 449 format 581
Key_Generate verb 173 Key_Token_Build verb 270
keys 173 Key_Token_Build2 verb 275
generating keys 87 Key_Token_Change verb 279
remote key export 187 Key_Token_Change2 verb 281
German Bank Pool Institution PIN RSA 585
calculation method 699 introduction 1
introduction of master-key parts 28
intrusion latch 24, 42
H IPB (intermediate PIN-block) 702, 703
hash formatting 694 IPINENC
hashing Clear_PIN_Generate_Alternate verb 151, 431
data 115 control-vector default values 657
Digital_Signature_Generate 118 Encrypted_PIN_Translate verb 151, 431
Digital_Signature_Verify 122 Encrypted_PIN_Verify verb 151, 431
MD5 116 ISO-0 PIN-block format 701
MDC 116 ISO-1 PIN-block format 702
One_Way_Hash 134 ISO-2 PIN-block format 702
RIPEMD-160 116 ISO-3 PIN-block format 703
SHA-1 116
SHA-224 134
SHA-256 134 J
SHA-384 134 Java interaction 1
SHA-512 134 Java Native Interface (JNI) 743
HMAC_Generate (CSNBHMG) 366
HMAC_Verify (CSNBHMV) 369
K
key cache, host side 6
I key diversification 177
IBM 3624 PIN-calculation method key formatting 694
block format 701 key identifier 170
calculation method 698, 699 key label 164, 170, 390
clear 441 key management 1
offset calculation method 698 (CSNBCKI) 198
IM (importable) keys 142 exporting keys 665
importable (IM) keys 142 generating keys 173
importer importing keys 175
Control_Vector Translate verb 150 key shares 28
control-vector default values 657 key storage
Data_Key_Import verb 150 description 178
Key_Generate verb 150
Index 777
Key_Translate (CSNBKTR) 294 key-processing and key-storage verbs (continued)
Key_Translate2 (CSNBKTR2) 296 Symmetric_Algorithm_Encipher (CSNBSAE) 383
key-encrypting key 142 TR31_Key_Import (CSNBT31I) 528
key-encrypting-key class keys 150 TR31_Key_Token_Parse (CSNBT31P) 551
key-export operation 175 TR31_Optional_Data_Build (CSNBT31O) 555
key-generating keys 163 TR31_Optional_Data_Read (CSNBT31R) 558
key-generating-key class keys 151 Trusted_Block_Create (CSNDTBC) 353
key-half processing mode 669 using 170
key-import operation 176 key-record-list datasets 637
key-management keys key-storage initialization 63, 65
Common Cryptographic Architecture key-storage selection 63
support 137 key-token verification patterns 678
key-processing and key-storage verbs 170 keys
AES_Key_Record_Create (CSNBAKRC) 392 asymmetric 151
AES_Key_Record_Delete (CSNBAKRD) 394 ciphering 150, 162
AES_Key_Record_List (CSNBAKRL) 396 class 137
AES_Key_Record_Read (CSNBAKRR) 398 clear 173
AES_Key_Record_Write (CSNBAKRW) 400 control vectors 147
Control_Vector_Translate (CSNBCVT) 203 deciphering 360
Cryptographic_Resource_Allocate (CSUACRA) 59 Decipher verb 360
Cryptographic_Resource_Deallocate deleting 412, 420
(CSUACRD) 61 double-length 152
Cryptographic_Variable_Encipher (CSNBCVE) 205 enciphering 363
CVV_Key_Combine (CSNBCKC) 452 Encipher verb 363
Data_Key_Export (CSNBDKX) 207 exportable (EX) 142
Data_Key_Import (CSNBDKM) 209 exporting, asymmetric techniques 176
DES_Key_Record_Create (CSNBKRC) 402 exporting, symmetric techniques 175
DES_Key_Record_Delete (CSNBKRD) 404 external 142
DES_Key_Record_List (CSNBKRL) 406 external DES key-tokens 168
DES_Key_Record_Read (CSNBKRR) 408 extracting 108
DES_Key_Record_Write (CSNBKRW) 409 generate HMAC 366
Diversified_Key_Generate (CSNBDKG) 211 HMAC_Generate verb 366
EC_Diffie-Hellman (CSNDEDH) 217 generate MAC 372
Key_Encryption_Translate (CSNBKET) 224 MAC_Generate verb 372
Key_Export (CSNBKEX) 227 generating, DES 173
Key_Export_to_TR31 (CSNBT31X) 501 generating, RSA 691
Key_Generate (CSNBKGN) 229 identifiers 170
Key_Generate2 (CSNBKGN2) 239 importable (IM) 142
Key_Import (CSNBKIM) 245 importing 175
Key_Part_Import (CSNBKPI) 247 importing, asymmetric techniques 176
Key_Part_Import2 (CSNBKPI2) 251 installing 172
Key_Storage_Designate (CSUAKSD) 63 key management 137, 140
Key_Storage_Initialization (CSNBKSI) 65 key-encrypting key 142
Key_Test (CSNBKYT) 256 key-storage initialization 63, 65
Key_Test_Extended (CSNBKYTX) 265 key-usage keywords 160
Key_Test2 (CSNBKYT2) 261 label 164
PKA_Key_Import (CSNDPKI) 92 label, content 390
PKA_Key_Record_Create (CSNDKRC) 410 labels
PKA_Key_Record_Delete (CSNDKRD) 412 definition 170
PKA_Key_Record_List (CSNDKRL) 414 length 164
PKA_Key_Record_Read (CSNDKRR) 416 listing 422
PKA_Key_Record_Write (CSNDKRW) 418 managing 137, 140
PKA_Key_Token_Build (CSNDPKB) 95 master key 11
PKA_Key_Token_Change (CSNDKTC) 103 master-key loading 74, 78
PKA_Public_Key_Extract (CSNDPKX) 108 multiply-deciphered 142, 176
PKA_Public_Key_Hash_Register (CSNDPKH) 110 multiply-enciphered 141, 173
PKA_Public_Key_Register (CSNDPKR) 112 operational (OP) 142
Remote_Key_Export (CSNDRKX) 317 parity 142
Retained_Key_Delete (CSNDRKD) 420 parts
Retained_Key_List (CSNDRKL) 422 generating 173
Symmetric_Algorithm_Decipher (CSNBSAD) 378 secure 172
Index 779
master-key verification pattern 27 OPINENC (continued)
MasterCard, CVC 449, 456, 706 Encrypted_PIN_Translate verb 151, 431
MD5 116 OPK, object protection key 590, 592, 610
MDC 116 output chaining value (OCV) 683
MDC keyed hash 128 overlapped processing restrictions 6
MDC_Generate (CSNBMDG) 126
message authentication code
calculation methods 689 P
ensuring data integrity 358 pad digit 434
generating 359 PAN (personal account number) 436
segmented data 359 parameters
values 359 common 9
Modification Detection Code description 9
calculation method 679 exit_data 9
segmented data 359 exit_data_length 9
services 358 keyword 10
multi-coprocessor reason_code 9, 561
0S/400 support 26, 31 return_code 9, 561
AIX, Linux, and Windows support 26 rule_array 10
capability 25 transaction_security 432
CCA host implementation 26 variable direction and type 9
control vector 671 verb 7
description 141 parity 142
generating 173 parity, key 142
IBM i 31 parity, key parts 247
master key considerations 31 personal account number (PAN) 436
single- and double-length keys 673 PIN
multiple PIN-calculation methods 431 calculation methods 697
Multiple_Clear_Key_Import (CSNBCKM) 301 PIN verify
multiply-deciphered keys 142, 176 control-vector default values 657
multiply-enciphered keys 141, 173 Encrypted_PIN_Verify verb 151, 431
PIN_Change/Unblock (CSNBPCU) 475
PIN-block encrypting key 431
N PIN-class keys 151, 163
NIST SP 800-38A CBC method 682, 684 PINGEN
non-repudiation 1 Clear_PIN_Generate verb 151, 431
notices Clear_PIN_Generate_Alternate verb 151, 431
licensed internal code 758 Clear_PIN_Verify verb 431
notices statement 757 control-vector default values 657
null DES key-token 169 Encrypted_PIN_Generate verb 151, 431
null key-token 578 Encrypted_PIN_Generate_Alternate verb 151, 431
Encrypted_PIN_Verify verb 151
PKA_Decrypt (CSNDPKD) 305
O PKA_Encrypt (CSNDPKE) 307
OAEP 694 PKA_Key_Generate (CSNDPKG) 87
object protection key (OPK) 590, 592, 610 PKA_Key_Import (CSNDPKI) 92
obtaining a hash value 134 PKA_Key_Record_Create (CSNDKRC) 410
OCV (output chaining value) 683 PKA_Key_Record_Delete (CSNDKRD) 412
OKEYXLAT PKA_Key_Record_List (CSNDKRL) 414
control-vector default values 657 PKA_Key_Record_Read (CSNDKRR) 416
Key_Translate verb 150 PKA_Key_Record_Write (CSNDKRW) 418
One_Way_Hash (CSNBOWH) 134 PKA_Key_Token_Build (CSNDPKB) 95
OP (operational) keys 142, 176 PKA_Key_Token_Change (CSNDKTC) 103
operating environments PKA_Key_Translate (CSNDPKT) 105
supported environments 6 PKA_Public_Key_Extract (CSNDPKX) 108
operational (OP) keys 176 PKA_Public_Key_Hash_Register (CSNDPKH) 110
operational keys (OP) 142 PKA_Public_Key_Register (CSNDPKR) 112
OPINENC PKCS #1 formats 694
Clear_PIN_Encrypt verb 151, 431 pre-exclusive-OR technique 665
control-vector default values 657 private key
Encrypted_PIN_Generate verb 151, 431 Integrity 587, 602
Index 781
Symmetric_Key_Import (CSNDSYI) 345 verb entry-point names (continued)
Symmetric_Key_Import2 (CSNDSYI2) 350 CSNBCVT 203
CSNBDEC 360
CSNBDKG 211
T CSNBDKM 209
TDES 685 CSNBDKX 207
tests, control vectors 667 CSNBENC 363
token-validation value (TVV) 578 CSNBEPG 459
TR31_Key_Import (CSNBT31I) 528 CSNBHMG 366
TR31_Key_Token_Parse (CSNBT31P) 551 CSNBHMV 369
TR31_Optional_Data_Build (CSNBT31O) 555 CSNBKET 224
TR31_Optional_Data_Read (CSNBT31R) 558 CSNBKEX 227
Transaction_Validation (CSNBTRV) 496 CSNBKGN 229
transport key 577 CSNBKGN2 239
trial pin 426 CSNBKIM 245
Triple-DES 685 CSNBKPI 247
trusted blocks 179 CSNBKPI2 251
CCA API changes 182 CSNBKRC 402
creating 184 CSNBKRD 404
exporting keys 184 CSNBKRL 406
using 184 CSNBKRR 408
Trusted_Block_Create (CSNDTBC) 353 CSNBKRW 409
TVV (token-validation value) 578 CSNBKSI 65
CSNBKTB 270
CSNBKTB2 275
U CSNBKTC 279
UKPT 704 CSNBKTC2 281
UKPT (unique key per transaction) 463 CSNBKTP 283
understanding and managing master keys 27 CSNBKTP2 286
current master-key 27 CSNBKTR 294
new master-key 27 CSNBKTR2 296
old master-key 27 CSNBKYT 256
unique key per transaction (UKPT) 463 CSNBKYT2 261
unique-key-per-transaction 704 CSNBKYTX 265
Encrypted_PIN_Translate verb 431 CSNBMDG 126
Encrypted_PIN_Verify verb 431 CSNBMGN 372
CSNBMKP 74
CSNBMVR 375
V CSNBOWH 134
CSNBPCU 475
validation data 432
CSNBPEX 309
variables
CSNBPEXX 311
description 7
CSNBPGN 441
direction 8
CSNBPTR 463
length 9
CSNBPVR 469
maximum length 8
CSNBRNG 313
types 8
CSNBRNGL 315
verb entry-point names
CSNBSAD 378
CSNBAKRC 392
CSNBSAE 383
CSNBAKRD 394
CSNBSKY 481
CSNBAKRL 396
CSNBSPN 484
CSNBAKRR 398
CSNBT31I 528
CSNBAKRW 400
CSNBT31O 555
CSNBCKC 452
CSNBT31P 551
CSNBCKI 198
CSNBT31R 558
CSNBCKM 301
CSNBT31X 501
CSNBCPA 444
CSNBTRV 496
CSNBCPE 438
CSNDDSG 118
CSNBCSG 449
CSNDDSV 122
CSNBCSV 456
CSNDEDH 217
CSNBCVE 205
CSNDKRC 410
CSNBCVG 200
Index 783