IBM PCI Cryptographic Coprocessor CCA Basic Services Reference and GuideRelease 2.54IBM iSeries PCICC FeatureCCA Release 2.54
CCA Release 2.54 A-3. Reason Codes for Return Code 4 ... A-3A-4. Reason Codes for Return Code 8... A-4A-5. Reason
Master_Key_Process CCA Release 2.54 – Clear Old PKA Master Key Register command (offset X'0061') with theCLR-OLD keyword– Load First PKA Ma
CCA Release 2.54 Master_Key_Process FE 1 1 FE FE 1 1 FE / possibly semi-weak /E 1F 1 FE F1 E 1 FE / possibly semi-weak /E 1 1F FE F1 1
Random_Number_Tests CCA Release 2.54 Random_Number_Tests (CSUARNT)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X The Random_Number_T
CCA Release 2.54 Random_Number_Tests Required CommandsNone. Chapter 2. CCA Node-Management and Access-Control 2-65
CCA Release 2.54 2-66 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Chapter 3. RSA Key-ManagementThis chapter describes the management of RSA public and private keys and howyou can: Generate keys wi
CCA Release 2.54 ────────────┬───────────────── ┌──────────────────┐ │PKA_Key_Token_Build├┐ └┬──────────────────┘│┌─────────┐ └──────┬───────┬────┘
CCA Release 2.54 The PKA_Key_Generate verb either retains the generated private key within theCoprocessor, or the verb outputs the generated private
CCA Release 2.54 restricted key usage. These systems can determine if a requesting process hasthe right to use the particular key name that is crypto
CCA Release 2.54 You provide or identify the operational transport key (key-encrypting key) and theencrypted private key with its associated public k
CCA Release 2.54 C-1. Key Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2C-2. Key Type Default Control-Vector Values...
CCA Release 2.54 Using the Private Key at Multiple NodesYou can arrange to use a private key at multiple nodes if the nodes have the sameasymmetric m
CCA Release 2.54 PKA_Key_Generate PKA_Key_Generate (CSNDPKG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Generate verb
PKA_Key_Generate CCA Release 2.54 Note: When using the RETAINED key option, the key label supplied in theskeleton key-token references the key stora
CCA Release 2.54 PKA_Key_Generate ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Par
PKA_Key_Generate CCA Release 2.54 skeleton_key_tokenThe skeleton_key_token parameter is a pointer to a string variable containing askeleton key-token
CCA Release 2.54 PKA_Key_Import PKA_Key_Import (CSNDPKI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Import verb is us
PKA_Key_Import CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Param
CCA Release 2.54 PKA_Key_Import Required CommandsThe PKA_Key_Import verb requires the PKA Key Import command (offset X'0104')to be enabled
PKA_Key_Token_Build CCA Release 2.54 PKA_Key_Token_Build (CSNDPKB)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Token_B
CCA Release 2.54 PKA_Key_Token_Build Restrictions The RSA-OPT rule-array keyword is not supported with Version 2. Instead,use keyword RSA-CRT to ob
CCA Release 2.54 xii IBM 4758 CCA Basic Services, Release 2.54, February 2005
PKA_Key_Token_Build CCA Release 2.54 key_values_structure_lengthThe key_values_structure_length parameter is a pointer to an integer variablecontaini
CCA Release 2.54 PKA_Key_Token_Build Figure 3-3 (Page 1 of 2). PKA_Key_Token_Build Key-Values-Structure ContentsOffset(Bytes)Length(Bytes)Description
PKA_Key_Token_Build CCA Release 2.54 key_name_lengthThe key_name_length parameter is a pointer to an integer variable containingthe number of bytes o
CCA Release 2.54 PKA_Key_Token_Build reserved_x(s)The reserved_x parameters are each a pointer to a string variable that isreserved for future use. E
PKA_Key_Token_Build CCA Release 2.54 Token Type ModulusLength inBitsPublicExponentKey-Values Structure (Hexadecimal) StructureLength(Bytes)RSA-CRT 5
CCA Release 2.54 PKA_Key_Token_Build Required CommandsNone Chapter 3. RSA Key-Management 3-21
PKA_Key_Token_Change CCA Release 2.54 PKA_Key_Token_Change (CSNDKTC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Token
CCA Release 2.54 PKA_Key_Token_Change key_identifier_lengthThe key_identifier_length parameter is a pointer to an integer variablecontaining the numb
PKA_Public_Key_Extract CCA Release 2.54 PKA_Public_Key_Extract (CSNDPKX)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Publi
CCA Release 2.54 PKA_Public_Key_Extract target_key_token_lengthThe target_key_token_length parameter is a pointer to an integer variablecontaining th
CCA Release 2.54 NoticesReferences in this publication to IBM products, programs, or services do not implythat IBM intends to make these available i
PKA_Public_Key_Hash_Register CCA Release 2.54 PKA_Public_Key_Hash_Register (CSNDPKH)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XT
CCA Release 2.54 PKA_Public_Key_Hash_Register hash_data_lengthThe hash_data_length parameter is a pointer to an integer variable containingthe number
PKA_Public_Key_Register CCA Release 2.54 PKA_Public_Key_Register (CSNDPKR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Pub
CCA Release 2.54 PKA_Public_Key_Register public_key_nameThe public_key_name parameter is a pointer to a string variable containing thename under whic
CCA Release 2.54 3-30 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Chapter 4. Hashing and Digital SignaturesThis chapter discusses the data hashing and the digital signature techniques youcan use to
CCA Release 2.54 The CCA products support the following hash functions:Secure Hash Algorithm-1 (SHA-1) The SHA-1 is defined in FIPS 180-1 andproduces
CCA Release 2.54 Anyone with access to your public key can verify your information as follows:1. Hash the data using the same hashing algorithm that
Digital_Signature_Generate CCA Release 2.54 Digital_Signature_Generate (CSNDDSG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe D
CCA Release 2.54 Digital_Signature_Generate rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The
CCA Release 2.54 The following terms, denoted by a double asterisk (**) in this publication, are thetrademarks of other companies:Diebold Diebold Inc
Digital_Signature_Generate CCA Release 2.54 hash_lengthThe hash_length parameter is a pointer to an integer variable containing thenumber of bytes of
CCA Release 2.54 Digital_Signature_Verify Digital_Signature_Verify (CSNDDSV)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Digit
Digital_Signature_Verify CCA Release 2.54 Notes:1. The hash for PKCS-1.1 and PKCS-1.0 should have been created usingMD5 or SHA-1 algorithms.2. The ha
CCA Release 2.54 Digital_Signature_Verify Notes:1. For ISO-9796, the information identified by the hash parameter must beless than or equal to one-ha
MDC_Generate CCA Release 2.54 MDC_Generate (CSNBMDG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XUse the MDC_Generate verb to crea
CCA Release 2.54 MDC_Generate FormatCSNBMDGreturn_code Input Integerreason_code Input Integerexit_data_length In/Output Integerexit_data In/Output S
MDC_Generate CCA Release 2.54 Chaining_VectorThe chaining_vector parameter is a pointer to an 18-byte string variable thesecurity server uses as a wo
CCA Release 2.54 One_Way_Hash One_Way_Hash (CSNBOWH)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe One_Way_Hash verb obtains a h
One_Way_Hash CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Paramet
CCA Release 2.54 One_Way_Hash hash_lengthThe hash_length parameter is a pointer to an integer variable containing thenumber of bytes of data in the h
CCA Release 2.54 Revision History About This PublicationThe manual is intended for systems and applications analysts and applicationprogrammers who w
CCA Release 2.54 4-16 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Chapter 5. DES Key-ManagementThis chapter describes verbs to perform basic CCA DES key-managementfunctions. Figure 5-1 lists the ve
CCA Release 2.54 Figure 5-1 (Page 2 of 2). Basic CCA DES Key-Management VerbsVerb Page Service EntryPointSvcLcnPKA_Decrypt 5-73 Uses an RSA private-k
CCA Release 2.54 functions in which it can be used. The cryptographic subsystem uses a systemof control vectors1 to separate the cryptographic keys i
CCA Release 2.54 A key that is multiply-enciphered under the master key is an operational key (OP).The key is operational because a cryptographic fac
CCA Release 2.54 Checking a Control Vector Before Processing a CryptographicCommandBefore a CCA cryptographic facility processes a command that uses
CCA Release 2.54 Asymmetric DES keys. An asymmetric DES key is a key in a key pair in whichthe keys are used as opposites.– ENCIPHER and DECIPHER.
CCA Release 2.54 Figure 5-4 on page 5-9 shows the key-type, key subtype, and key-usage keywordsthat can be combined in the Control_Vector_Generate ve
CCA Release 2.54 Figure 5-3 (Page 2 of 2). Key Types and Verb UsageKey Type Usable with VerbsIKEYXLAT, OKEYXLAT Key_TranslatePIN ClassThese keys are
CCA Release 2.54 ├─Key_Type─┤├─Key_Subtype─┤├─Key_Usage──────────────────────────────────────────────────────────────────────┤┬─MAC ─────┐ Note: A
Revision History CCA Release 2.54 Eleventh Edition, April, 2004, CCA Support Program,Release 2.52This revision to the February, 2004, edition of the
CCA Release 2.54 Figure 5-5 (Page 1 of 3). Control Vector Key-Subtype and Key-Usage KeywordsKeyword MeaningKey-Encrypting KeysOPIM IMPORTER keys that
CCA Release 2.54 Figure 5-5 (Page 2 of 3). Control Vector Key-Subtype and Key-Usage KeywordsKeyword MeaningVISA-PVV Select the VISA-PVV PIN-calculati
CCA Release 2.54 Figure 5-5 (Page 3 of 3). Control Vector Key-Subtype and Key-Usage KeywordsKeyword MeaningDKYL5 A DKYGENKY key with this subtype can
CCA Release 2.54 8 16 32 6 63┌─────────┬─────────┬──────────────┬──────────────┬──────────────┬───────────┬─────┐│Key- │Flags │Control Infor-│ In
CCA Release 2.54 External Key-Token: An external key-token contains an external key that ismultiply-enciphered under a key formed by the exclusive-O
CCA Release 2.54 Using the Key-Processing and Key-Storage VerbsFigure 5-8 on page 5-16 shows key-processing and key-storage verbs and howthey relate
CCA Release 2.54 Random_Number_Generate Diversified_Key_Generate ┬┬ ┌────┴────┐ │ │ │ Clear_Key_ │ Key_Part_ Import │ Import ┬ ┌─────────────────
CCA Release 2.54 master key or a key-encrypting key. If you are generating a DES asymmetrickey-type, the verb will multiply-encipher the random numbe
CCA Release 2.54 Since the two halves are random numbers, it is unlikely that the result of theDOUBLE keyword will produce two halves with the same 6
CCA Release 2.54 ┌──────────────┐ ┌──────────────┐Operational │ Key to Be │ │ Imported │ OperationalForm of Key │ Exported │ │ Key │ Form of Keyat N
CCA Release 2.54 Revision History 1. Functions in support of EMV-compatible smart-cards. Support of the PIN Change/Unblock function described in the
CCA Release 2.54 therefore it is very important to handle the key-generating key with a high degree ofsecurity lest the interactions with the whole p
CCA Release 2.54 Security PrecautionsBe sure to see the “Observations on Secure Operations” chapter in the CCASupport Program Installation Manual.In
Clear_Key_Import CCA Release 2.54 Clear_Key_Import (CSNBCKI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Clear_Key_Import verb
CCA Release 2.54 Clear_Key_Import Required CommandsThe Clear_Key_Import verb requires the Encipher Under Master Key command(command offset X'00
Control_Vector_Generate CCA Release 2.54 Control_Vector_Generate (CSNBCVG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Control
CCA Release 2.54 Control_Vector_Generate rule_array_countThe rule_array_count parameter is a pointer to an integer variable containingthe number of e
Control_Vector_Translate CCA Release 2.54 Control_Vector_Translate (CSNBCVT)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Contr
CCA Release 2.54 Control_Vector_Translate mask_array_leftThe mask_array_left parameter is a pointer to a string variable containing themask array enc
Control_Vector_Translate CCA Release 2.54 target_key_tokenThe target_key_token parameter is a pointer to a string variable containing anexternal key-
CCA Release 2.54 Cryptographic_Variable_Encipher Cryptographic_Variable_Encipher (CSNBCVE)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X
Revision History CCA Release 2.54 Eighth Edition, Revised, CCA Support Program, Release 2.41This revised Release 2.41 manual incorporates additional
Cryptographic_Variable_Encipher CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparam
CCA Release 2.54 Data_Key_Export Data_Key_Export (CSNBDKX)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Data_Key_Export verb ex
Data_Key_Export CCA Release 2.54 target_key_tokenThe target_key_token parameter is a pointer to a string variable containing thereencrypted source-ke
CCA Release 2.54 Data_Key_Import Data_Key_Import (CSNBDKM)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Data_Key_Import verb im
Data_Key_Import CCA Release 2.54 RestrictionsStarting with Release 2.41, unless you enable the Unrestrict Data Key Importcommand (offset X'027C
CCA Release 2.54 Diversified_Key_Generate Diversified_Key_Generate (CSNBDKG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Diver
Diversified_Key_Generate CCA Release 2.54 Returns the diversified key, multiply-enciphered by the master key modified bythe control vector. Restric
CCA Release 2.54 Diversified_Key_Generate Keyword MeaningTDES-ENC Specifies that 8 or 16 bytes of clear (not encrypted) data shallbe triple-DES encry
Diversified_Key_Generate CCA Release 2.54 Keyword MeaningTDESEMV2,TDESEMV4Note: These options are available starting with Release 2.51.Specifies tha
CCA Release 2.54 Diversified_Key_Generate Keyword MeaningTDES-XOR Note: This option is available starting with Release 2.50.Specifies that 10 or 18
CCA Release 2.54 Revision History can create an application to to clone keys having any of the CSS, CSR, andSA keys longer than 1024-bits. See “Estab
Diversified_Key_Generate CCA Release 2.54 generating_key_identifierThe generating_key_identifier parameter is a pointer to a string variablecontainin
CCA Release 2.54 Diversified_Key_Generate effective single-length key) by enabling the Enable DKG Single Length Keys andEqual Halves for TDES-ENC, TD
Key_Export CCA Release 2.54 Key_Export (CSNBKEX)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Export verb exports a source
CCA Release 2.54 Key_Export FormatCSNBKEXreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/Output S
Key_Generate CCA Release 2.54 Key_Generate (CSNBKGN)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Generate verb generates a
CCA Release 2.54 Key_Generate FormatCSNBKGNreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/Output
Key_Generate CCA Release 2.54 key_lengthThe key_length parameter is a pointer to an eight-byte string variable,left-justified and padded on the right
CCA Release 2.54 Key_Generate unless you are using the TOKEN keyword, you must identify a null key-tokenon input. Required CommandsDepending on your
Key_Generate CCA Release 2.54 can use to generate a single key copy with default control-vectors. Figure 5-12 onpage 5-49 shows the key types you can
CCA Release 2.54 Key_Generate Figure 5-12. Key_Type and Key_Form Keywords for a Key PairKey_Type_1 Key_Type_2 Key_FormOPOP,OPIM,IMIMKey_FormOPEXKey_F
CCA Release 2.54 Note! Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi
Revision History CCA Release 2.54 The PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, andPKA_Symmetric_Key_Import verbs are updated to includ
Key_Generate CCA Release 2.54 key-length the verb uses when you supply eight space characters with thekey_length parameter.Figure 5-13. Key Lengths b
CCA Release 2.54 Key_Import Key_Import (CSNBKIM)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Import verb imports a source
Key_Import CCA Release 2.54 RestrictionsStarting with Release 2.41, unless you enable the Unrestrict Reencipher to MasterKey command (offset X'
CCA Release 2.54 Key_Import key-halves IMPORTER key-encrypting-key to import a key having unequalkey-halves (key parity bits are ignored). Chapter
Key_Part_Import CCA Release 2.54 Key_Part_Import (CSNBKPI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Part_Import verb is
CCA Release 2.54 Key_Part_Import of one bits, and there are no other problems, the verb will return reasoncode 2. Use of the ADD-PART keyword require
Key_Part_Import CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Para
CCA Release 2.54 Key_Part_Import Required CommandsThe Key_Part_Import verb requires the following commands to be enabled in theactive role: The Loa
Key_Test CCA Release 2.54 Key_Test (CSNBKYT)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XYou use the Key_Test verb to verify the v
CCA Release 2.54 Key_Test RestrictionsNone FormatCSNBKYTreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_d
CCA Release 2.54 Fifth Edition, CCA Support Program, Release 2.30The fifth edition of the IBM 4758 CCA Basic Services Reference and Guide Version2.30
Key_Test CCA Release 2.54 key_identifierThe key_identifier parameter is a pointer to a string variable containing aninternal key-token, a key label t
CCA Release 2.54 Key_Token_Build Key_Token_Build (CSNBKTB)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Token_Build verb as
Key_Token_Build CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Para
CCA Release 2.54 Key_Token_Build key_valueThe key_value parameter is a pointer to a string variable containing theencrypted key-value incorporated in
Key_Token_Change CCA Release 2.54 Key_Token_Change (CSNBKTC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XUse the Key_Token_Change
CCA Release 2.54 Key_Token_Change Key_IdentifierThe key_identifier parameter is a pointer to a string variable containing the DESinternal key-token o
Key_Token_Parse CCA Release 2.54 Key_Token_Parse (CSNBKTP)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Token_Parse verb di
CCA Release 2.54 Key_Token_Parse Note: You cannot use a key label for a key-token record in key storage. Thekey token must be in application storage
Key_Token_Parse CCA Release 2.54 key_valueThe key_value parameter is a pointer to a string variable. If the verb returnsthe KEY keyword in the rule a
CCA Release 2.54 Key_Translate Key_Translate (CSNBKTR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Translate verb uses one
CCA Release 2.54 OrganizationThis manual includes: Chapter 1, “Introduction to Programming for the IBM CCA” presents anintroduction to programming
Key_Translate CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Parame
CCA Release 2.54 Multiple_Clear_Key_Import Multiple_Clear_Key_Import (CSNBCKM)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Mul
Multiple_Clear_Key_Import CCA Release 2.54 clear_key_lengthThe clear_key_length parameter is a pointer to an integer variable containingthe number of
CCA Release 2.54 PKA_Decrypt PKA_Decrypt (CSNDPKD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Decrypt verb decrypts (unwr
PKA_Decrypt CCA Release 2.54 source_encrypted_key_lengthThe source_encrypted_key_length parameter is a pointer to an integer variablecontaining the n
CCA Release 2.54 PKA_Encrypt PKA_Encrypt (CSNDPKE)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Encrypt verb encrypts (wrap
PKA_Encrypt CCA Release 2.54 rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The keywords are ei
CCA Release 2.54 PKA_Encrypt target_dataThe target_data parameter is a pointer to a string variable containing theencrypted data returned by the verb
PKA_Symmetric_Key_Export CCA Release 2.54 PKA_Symmetric_Key_Export (CSNDSYX)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_S
CCA Release 2.54 PKA_Symmetric_Key_Export ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters,
CCA Release 2.54 Related PublicationsIn addition to the manuals listed below, you may wish to refer to other CCA productpublications which may be of
PKA_Symmetric_Key_Export CCA Release 2.54 RSA_enciphered_keyThe RSA_enciphered_key parameter is a pointer to a string variable containingthe exported
CCA Release 2.54 PKA_Symmetric_Key_Generate PKA_Symmetric_Key_Generate (CSNDSYG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe P
PKA_Symmetric_Key_Generate CCA Release 2.54 Key-encrypting keys, either effective single-length or true double-length, aregenerated with the detail
CCA Release 2.54 PKA_Symmetric_Key_Generate FormatCSNDSYGreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_
PKA_Symmetric_Key_Generate CCA Release 2.54 key_encrypting_key_identifierThe key_encrypting_key_identifier parameter is a pointer to a string variabl
CCA Release 2.54 PKA_Symmetric_Key_Generate RSA_enciphered_key_token_lengthThe RSA_enciphered_key_token_length parameter is a pointer to an integerva
PKA_Symmetric_Key_Import CCA Release 2.54 PKA_Symmetric_Key_Import (CSNDSYI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_S
CCA Release 2.54 PKA_Symmetric_Key_Import Restrictions1. Private key key-usage controls can prevent use of specific private keys in thisverb. See pa
PKA_Symmetric_Key_Import CCA Release 2.54 RSA_enciphered_key_lengthThe RSA_enciphered_key_length parameter is a pointer to an integercontaining the n
CCA Release 2.54 PKA_Symmetric_Key_Import Symmetric Key Import ZERO-PAD command (command offset X'023D') forDATA keys using the ZERO-PAD
CCA Release 2.54 IBM Journal of Research and Development Volume 38 Number 2, 1994,G322-0191 USA Federal Information Processing Standard (FIPS):– D
Prohibit_Export CCA Release 2.54 Prohibit_Export (CSNBPEX)Platform/ProductOS/2 AIX NT OS/400IBM 4758-2/23 X X X XThe Prohibit_Export verb modifies a
CCA Release 2.54 Random_Number_Generate Random_Number_Generate (CSNBRNG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Random_Nu
Random_Number_Generate CCA Release 2.54 random_numberThe random_number parameter is a pointer to a string variable containing therandom number return
CCA Release 2.54 Chapter 6. Data Confidentiality and Data IntegrityThis chapter describes the verbs that use the Data Encryption Standard (DES)algori
CCA Release 2.54 verbs also support the ANSI X9.23 mode of encryption. In X9.23 encryption, atleast one byte of data and up to eight bytes of data ar
CCA Release 2.54 Ensuring Data IntegrityCCA offers three classes of services for ensuring data integrity: Message authentication code (MAC) techniqu
CCA Release 2.54 In each procedure call, a segmenting-control keyword indicates whether the callcontains the first, middle, or last unit of segmented
CCA Release 2.54 Decipher Decipher (CSNBDEC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Decipher verb uses the Data Encryptio
Decipher CCA Release 2.54 ciphertextThe ciphertext parameter is a pointer to a string variable containing the text tobe deciphered.initialization_vec
CCA Release 2.54 Decipher length of the plaintext when it returns. The length will be different whenpadding is removed. Required CommandsThe Decipher
CCA Release 2.54 Chapter 1. Introduction to Programming for the IBM CCAThis chapter introduces you to the IBM Common Cryptographic Architecture (CCA)
Encipher CCA Release 2.54 Encipher (CSNBENC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Encipher verb uses the DES algorithm
CCA Release 2.54 Encipher text_lengthThe text_length parameter is a pointer to an integer variable. On input, thetext_length variable contains the nu
Encipher CCA Release 2.54 chaining_vectorThe chaining_vector parameter is a pointer to a string variable containing awork area that the security serv
CCA Release 2.54 MAC_Generate MAC_Generate (CSNBMGN)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe MAC_Generate verb generates a
MAC_Generate CCA Release 2.54 FormatCSNBMGNreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/Output
CCA Release 2.54 MAC_Generate chaining_vectorThe chaining_vector parameter is a pointer to a string variable containing awork area the security serve
MAC_Verify CCA Release 2.54 MAC_Verify (CSNBMVR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe MAC_Verify verb verifies a messag
CCA Release 2.54 MAC_Verify FormatCSNBMVRreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/Output S
MAC_Verify CCA Release 2.54 chaining_vectorThe chaining_vector parameter is a pointer to a string variable containing awork area the security server
CCA Release 2.54 Chapter 7. Key-Storage VerbsThis chapter describes how you can use key-storage mechanisms and theassociated verbs for creating, wri
CCA Release 2.54 An Overview of the CCA EnvironmentFigure 1-1 on page 1-3 provides a conceptual framework for positioning the CCASecurity API. Applic
CCA Release 2.54 Use the Key_Record_Delete verb to delete a key token from a key record, or toentirely delete the key record from key storage.Use the
CCA Release 2.54 Some verbs accept a key label containing a “wild card” represented by an asterisk(*). (X'2A' in ASCII; X'5C' in
DES_Key_Record_Create CCA Release 2.54 DES_Key_Record_Create (CSNBKRC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Rec
CCA Release 2.54 DES_Key_Record_Delete DES_Key_Record_Delete (CSNBKRD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Rec
DES_Key_Record_Delete CCA Release 2.54 key_labelThe key_label parameter is a pointer to a string variable containing the keylabel of a key-token reco
CCA Release 2.54 DES_Key_Record_List DES_Key_Record_List (CSNBKRL)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Record_
DES_Key_Record_List CCA Release 2.54 data_set_name_lengthThe data_set_name_length parameter is a pointer to an integer variablecontaining the number
CCA Release 2.54 DES_Key_Record_Read DES_Key_Record_Read (CSNBKRR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Record_
DES_Key_Record_Write CCA Release 2.54 DES_Key_Record_Write (CSNBKRW)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Recor
CCA Release 2.54 PKA_Key_Record_Create PKA_Key_Record_Create (CSNDKRC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Rec
CCA Release 2.54 Figure 1-1. CCA Security API, Access Layer, Cryptographic EngineIBM 4758 PCI Cryptographic Coprocessor: The Coprocessor provides a
PKA_Key_Record_Create CCA Release 2.54 key_token_lengthThe key_token_length parameter is a pointer to an integer variable containingthe number of byt
CCA Release 2.54 PKA_Key_Record_Delete PKA_Key_Record_Delete (CSNDKRD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Rec
PKA_Key_Record_Delete CCA Release 2.54 key_labelThe key_label parameter is a pointer to a string variable containing the keylabel of a key-token reco
CCA Release 2.54 PKA_Key_Record_List PKA_Key_Record_List (CSNDKRL)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Record_
PKA_Key_Record_List CCA Release 2.54 rule_array_countThe rule_array_count parameter is a pointer to an integer variable containingthe number of eleme
CCA Release 2.54 PKA_Key_Record_Read PKA_Key_Record_Read (CSNDKRR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Record_
PKA_Key_Record_Read CCA Release 2.54 key_tokenThe key_token parameter is a pointer to a string variable containing the keytoken read from PKA key-sto
CCA Release 2.54 PKA_Key_Record_Write PKA_Key_Record_Write (CSNDKRW)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Recor
PKA_Key_Record_Write CCA Release 2.54 key_labelThe key_label parameter is a pointer to a string variable containing the keylabel that identifies the
CCA Release 2.54 Retained_Key_Delete Retained_Key_Delete (CSNDRKD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Retained_Key_De
CCA Release 2.54 Applications employ the CCA security API to obtain services from and to managethe operation of a cryptographic system that meets CCA
Retained_Key_List CCA Release 2.54 Retained_Key_List (CSNDRKL)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Retained_Key_List v
CCA Release 2.54 Retained_Key_List key_label_maskThe key_label_mask parameter points to a string variable containing a keylabel mask that is used to
CCA Release 2.54 7-24 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Chapter 8. Financial Services Support VerbsThere are several classes of verbs described in this chapter: Finance industry PIN proce
CCA Release 2.54 Figure 8-1 (Page 2 of 2). Financial Services Support VerbsVerb Page Service EntryPointSvcLcnPIN_Change/Unblock 8-52 Calculates a PIN
CCA Release 2.54 – Create encrypted PIN blocks for transmission– Generate institution-assigned PINs– Generate an offset or a VISA PIN-validation valu
CCA Release 2.54 Account Customer─Entered PIN Customer─Selected PIN Number ──────────┬───────── ──────────┬──────────│ T─PIN │ │ Clear ┌─────────
CCA Release 2.54 PIN-Verb SummaryThe following terms are used for the various “PIN” values:A-PIN The quantity derived from a function of the account
CCA Release 2.54 PIN-Calculation Method and PIN-Block Format SummaryAs described in the following sections, you can use a variety of PIN calculationm
CCA Release 2.54 Using Specific Key Types and Key-Usage Bits to Help EnsurePIN SecurityThe control vectors (see Appendix C, “CCA Control-Vector Defin
CCA Release 2.54 Establishing a Master Key: To protect working keys, the master key must begenerated and initialized in a secure manner. One method
CCA Release 2.54 OPINENC (output PIN-block encrypting) key typeThe PIN verbs that encrypt a PIN block require the encrypting key tohave a control vec
CCA Release 2.54 Note: To avoid errors when using the IBM 3624 PIN-block format, you shouldnot include in the decimalization table a decimal digit t
CCA Release 2.54 – Eleven (rightmost) digits of PAN data, excluding the check digit. Forinformation about a PAN, see “Personal Account Number (PAN)”
CCA Release 2.54 Format Control Enforcement: The format-control level is the second element ina PIN profile. For the IBM 4758 implementation, this e
CCA Release 2.54 The CKSN is the concatenation of a terminal identifier and a sequence numberwhich together define a unique terminal (within the set
CCA Release 2.54 Personal Account Number (PAN)A personal account number (PAN) identifies an individual and relates that individualto an account at th
CCA Release 2.54 The MAC_Generate and MAC_Verify verbs incorporate post-padding aX'80'...X'00' string to a message as required
CCA Release 2.54 Clear_PIN_Encrypt Clear_PIN_Encrypt (CSNBCPE)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Clear_PIN_Encrypt v
Clear_PIN_Encrypt CCA Release 2.54 FormatCSNBCPEreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/O
CCA Release 2.54 Clear_PIN_Encrypt PIN_profileThe PIN_profile parameter points to a string variable containing three 8-byteelements with: a PIN-block
CCA Release 2.54 ContentsNotices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiiTrademarks . . . . . . . .
CCA Release 2.54 The Coprocessor supports multiple logons by different users from different hostprocesses. The Coprocessor also supports requests fro
Clear_PIN_Generate CCA Release 2.54 Clear_PIN_Generate (CSNBPGN)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Clear_PIN_Generat
CCA Release 2.54 Clear_PIN_Generate RestrictionsNone FormatCSNBPGNreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Int
Clear_PIN_Generate CCA Release 2.54 PIN_check_lengthThe PIN_check_length parameter points to an integer variable in the rangefrom 4 to 16 containing
CCA Release 2.54 Clear_PIN_Generate_Alternate Clear_PIN_Generate_Alternate (CSNBCPA)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XT
Clear_PIN_Generate_Alternate CCA Release 2.54 Calculates the A-PIN. The verb uses the specified calculation method, thedata_array variable, and the
CCA Release 2.54 Clear_PIN_Generate_Alternate Note: When using the ISO-0 format, use the 12 rightmost PAN digits,excluding the check digit.encrypted
Clear_PIN_Generate_Alternate CCA Release 2.54 PIN_check_lengthThe PIN_check_length parameter points to an integer variable in the rangefrom 4 to 16 c
CCA Release 2.54 Clear_PIN_Generate_Alternate When using the NL-PIN-1 keyword, identify the following elements in the dataarray:When using the VISA-P
Clear_PIN_Generate_Alternate CCA Release 2.54 returned_resultThe returned_result parameter points to a string variable containing the clearO-PIN retu
CCA Release 2.54 CVV_Generate CVV_Generate (CSNBCSG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe CVV_Generate verb supports th
CCA Release 2.54 The security server and a directory server manage key storage. Applications canstore locally used cryptographic keys in a key-storag
CVV_Generate CCA Release 2.54 rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The keywords are e
CCA Release 2.54 CVV_Generate CVV_key-B_identifierThe CVV_key-B_identifier parameter points a string variable containing aninternal key-token or a ke
CVV_Verify CCA Release 2.54 CVV_Verify (CSNBCSV)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe CVV_Verify verb supports the VISA
CCA Release 2.54 CVV_Verify ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Parameter
CVV_Verify CCA Release 2.54 expiration_dateThe expiration_date parameter points to a string variable containing the cardexpiration date. The date is
CCA Release 2.54 Encrypted_PIN_Generate Encrypted_PIN_Generate (CSNBEPG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Encrypted
Encrypted_PIN_Generate CCA Release 2.54 – When using the ISO-0 PIN-block format, specify a PAN. For informationabout a personal account number (PAN),
CCA Release 2.54 Encrypted_PIN_Generate ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, se
Encrypted_PIN_Generate CCA Release 2.54 PIN_profileThe PIN_profile parameter is a pointer to a string variable containing the PINprofile including th
CCA Release 2.54 Encrypted_PIN_Translate Encrypted_PIN_Translate (CSNBPTR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Encrypt
CCA Release 2.54 The Security API, Programming FundamentalsYou obtain CCA cryptographic services from the PCI Cryptographic Coprocessorthrough proced
Encrypted_PIN_Translate CCA Release 2.54 key serial number, and then uses ANSI X9.24-specified “special decryption.”Checks the control vector to ensu
CCA Release 2.54 Encrypted_PIN_Translate ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, s
Encrypted_PIN_Translate CCA Release 2.54 rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The key
CCA Release 2.54 Encrypted_PIN_Translate and optionally an additional 24 bytes containing the output current key serialnumber (CKSN). The strings are
Encrypted_PIN_Verify CCA Release 2.54 Encrypted_PIN_Verify (CSNBPVR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Encrypted_PIN
CCA Release 2.54 Encrypted_PIN_Verify The verb does the following: Decrypts the input PIN-block by using the supplied IPINENC key in ECB mode,or der
Encrypted_PIN_Verify CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see
CCA Release 2.54 Encrypted_PIN_Verify PIN_check_lengthThe PIN_check_length parameter is a pointer to an integer variable containingthe number of digi
Encrypted_PIN_Verify CCA Release 2.54 data_arrayThe data_array parameter is a pointer to a string variable containing three16-byte character strings,
CCA Release 2.54 Encrypted_PIN_Verify When using the VISA-PVV or VISAPVV4 keywords, identify the followingelements in the data array. For more inform
CCA Release 2.54 CSUA Cryptographic-node and hardware-control services.The last three letters in the entry-point name identify the specific service i
Encrypted_PIN_Verify CCA Release 2.54 Required CommandsThe Encrypted_PIN_Verify verb requires the following commands to be enabled inthe hardware, b
CCA Release 2.54 Key_Encryption_Translate | Key_Encryption_Translate (CSNBKET)| Platform/| Product| OS/2| AIX| Win NT/| 2000| OS/400| IBM 4758-2/23|
Key_Encryption_Translate CCA Release 2.54 | Format| CSNBKET| return_code| Output| Integer| reason_code| Output| Integer| exit_data_length| In/Output|
CCA Release 2.54 Key_Encryption_Translate | key_out_length| The key_out_length parameter points to an integer variable. On input, you| should set the
PIN_Change/Unblock CCA Release 2.54 PIN_Change/Unblock (CSNBPCU)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-23 XUse the PIN_Change/Unblock ve
CCA Release 2.54 PIN_Change/Unblock See “VISA and EMV-Related Smart Card Formats and Processes” onpage E-17 which explains the derivation processes a
PIN_Change/Unblock CCA Release 2.54 RestrictionsThis verb is supported beginning with Release 2.50. Support for the TDESEMV2and TDESEMV4 keywords be
CCA Release 2.54 PIN_Change/Unblock authentication_key_identifier_lengthThe authentication_key_identifier_length parameter points to an integer varia
PIN_Change/Unblock CCA Release 2.54 The first 8 or 16 bytes of data should contain the value used to form thesmart-card-specific authentication val
CCA Release 2.54 PIN_Change/Unblock current_reference_PIN_profileThe current_reference_PIN_profile parameter points to an array of three, 8-bytestrin
CCA Release 2.54 each verb. For descriptions of these parameters, see the definitions with theindividual verbs.Variable Direction: The parameter des
PIN_Change/Unblock CCA Release 2.54 When an MAC-MDK and/or ENC-MDK of key type DKYGENKY is specified withcontrol vector bits (19-22) of B'1111&a
CCA Release 2.54 Secure_Messaging_for_Keys Secure_Messaging_for_Keys (CSNBSKY)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-23 XUse the Secure_
Secure_Messaging_for_Keys CCA Release 2.54 Returns the enciphered text. RestrictionsThis verb is supported beginning with Release 2.50. FormatCSNBS
CCA Release 2.54 Secure_Messaging_for_Keys input_key. You may also specify a key label of a key storage record for such akey. For an internal-form in
Secure_Messaging_for_PINs CCA Release 2.54 Secure_Messaging_for_PINs (CSNBSPN)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-23 XUse the Secure_
CCA Release 2.54 Secure_Messaging_for_PINs The Secure_Messaging_for_PINs verb: Deciphers the input PIN block Reformats the PIN block when the input
Secure_Messaging_for_PINs CCA Release 2.54 input_PIN_blockThe input_PIN_block parameter is a pointer to an eight-byte string variablecontaining the i
CCA Release 2.54 Secure_Messaging_for_PINs clear_text_lengthThe clear_text_length parameter is a pointer to an integer containing the lengthof text t
SET_Block_Compose CCA Release 2.54 SET_Block_Compose (CSNDSBC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe SET_Block_Compose v
CCA Release 2.54 SET_Block_Compose ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Pa
CCA Release 2.54 Commonly Encountered ParametersSome parameters are common to all verbs, other parameters are used with manyof the verbs. This sectio
SET_Block_Compose CCA Release 2.54 The hash is an optional part of the OAEP block. No hash is computed orinserted into the OAEP block if the data_to_
CCA Release 2.54 SET_Block_Compose with the data_to_encrypt variable). The starting address must not fall inside thedata_to_encrypt area. Required Co
SET_Block_Decompose CCA Release 2.54 SET_Block_Decompose (CSNDSBD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe SET_Block_Decom
CCA Release 2.54 SET_Block_Decompose FormatCSNDSBDreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In
SET_Block_Decompose CCA Release 2.54 RSA-OAEP_block_lengthThe RSA-OAEP_block_length parameter is a pointer to an integer variablecontaining the numbe
CCA Release 2.54 SET_Block_Decompose of a 128-byte buffer. The first 64 bytes of the buffer are reserved for futureuse, and should be set to X'0
SET_Block_Decompose CCA Release 2.54 Required CommandsThe SET_Block_Decompose verb requires the SET Block Decompose command(command offset X'01
CCA Release 2.54 Transaction_Validation Transaction_Validation (CSNBTRV)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2 X X X XThe Transaction_
Transaction_Validation CCA Release 2.54 rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The keyw
CCA Release 2.54 Transaction_Validation Operation Element Description Validation-ValuesLengthGENERATE andCSC-345555554444333where:55555 = CSC 5 value
CCA Release 2.54 See Appendix A, “Return Codes and Reason Codes” for a detailed discussion ofreturn codes and a complete list of all return and reaso
CCA Release 2.54 8-78 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Appendix A. Return Codes and Reason CodesThis appendix describes the return codes and the reason codes that a verb uses toreport the
CCA Release 2.54 Figure A-2 on page A-2 shows the reason codes, listed in numeric sequence andgrouped by their corresponding return code. The return
CCA Release 2.54 Return Code 4Figure A-3. Reason Codes for Return Code 4ReturnCodeDecReasonCodeDec (Hex)Meaning4 001 (001) The verification test fail
CCA Release 2.54 Return Code 8Figure A-4 (Page 1 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 012 (00C) The token-va
CCA Release 2.54 Figure A-4 (Page 2 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 063 (03F) A key token had an invali
CCA Release 2.54 Figure A-4 (Page 3 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 155 (09B) The value that the genera
CCA Release 2.54 Figure A-4 (Page 4 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 343 (157) Either the data block or
CCA Release 2.54 Figure A-4 (Page 5 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 770 (302) The PKA key token has an
CCA Release 2.54 Figure A-4 (Page 6 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 1102 (44E) Hardware device driver i
CCA Release 2.54 External A key that is either in the clear, or is encrypted (wrapped) by somekey-encrypting key other than the master key. Generally
CCA Release 2.54 Return Code 12Figure A-5. Reason Codes for Return Code 12ReturnCodeDecReasonCodeDec (Hex)Meaning12 097 (061) File space in key stora
CCA Release 2.54 Return Code 16Figure A-6. Reason Codes for Return Code 16ReturnCodeDecReasonCodeDec (Hex)Meaning16 099 (063) An unrecoverable error
CCA Release 2.54 A-12 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Appendix B. Data StructuresThis appendix describes the following data structures: Key tokens Chaining vector records Key-sto
CCA Release 2.54 An IBM 4758 does not permit the introduction of a new master key value that hasthe same verification value as either the current mas
CCA Release 2.54 DES Key-TokensDES key-token data structures are 64 bytes in length, contain an enciphered key, acontrol vector, various flag bits,
CCA Release 2.54 Figure B-3 (Page 2 of 2). Internal DES Key-Token, Version 3 FormatOffset Length Meaning48-59 12 Reserved, binary zero60-63 4 The tok
CCA Release 2.54 External DES Key-TokenCCA implementations generally use a version X'00' external key-token. SeeFigure B-4. The IBM 4758 Ve
CCA Release 2.54 DES Key-Token Flag Byte 1: DES Key-Token Flag Byte 2: Figure B-6. Key-Token Flag Byte 1Bits (MSB...LSB)1 Meaning1xxx xxxx The encr
CCA Release 2.54 Coprocessor but your application will encounter a performance penalty witheach use of the key.Protection of the private key is provi
CCA Release 2.54 commands in the performance of the verb. Each of these commands has to beauthorized for use. Access-control administration concerns
CCA Release 2.54 – Section identifier X'05' for a CRT-format key up to 1024 bits is acceptedas input. A public-key section (RSA section id
CCA Release 2.54 Figure B-8. RSA Key-Token HeaderOffset(Bytes)Length(Bytes)Description000 001 Token identifier (a flag that indicates token type)X&ap
CCA Release 2.54 Figure B-9. RSA Private Key, 1024-Bit Modulus-Exponent FormatOffset(Bytes)Length(Bytes)Description000 001 X'02' Section id
CCA Release 2.54 Figure B-10 (Page 1 of 2). Private Key, 2048-Bit Chinese-Remainder FormatOffset(Bytes)Length(Bytes)Description000 001 X'05&apos
CCA Release 2.54 Figure B-10 (Page 2 of 2). Private Key, 2048-Bit Chinese-Remainder FormatOffset(Bytes)Length(Bytes)Description076+ppp+qqqrrr dp = d
CCA Release 2.54 Figure B-11. RSA Private Key, 1024-Bit Modulus-Exponent Format with OPKOffset(Bytes)Length(Bytes)Description000 001 X'06'
CCA Release 2.54 Figure B-12 (Page 1 of 2). RSA Private Key, Chinese-Remainder Format with OPKOffset(Bytes)Length(Bytes)Description000 001 X'08&
CCA Release 2.54 Figure B-12 (Page 2 of 2). RSA Private Key, Chinese-Remainder Format with OPKOffset(Bytes)Length(Bytes)Description124 Start of the (
CCA Release 2.54 Figure B-13. RSA Public KeyOffset(Bytes)Length(Bytes)Description000 001 X'04', Section identifier, RSA public key001 001 T
CCA Release 2.54 RSA Public-Key Certificate Section: An optional public key certificate(s) sectioncan be included in an RSA key-token. The section c
CCA Release 2.54 Chapter 2. CCA Node-Management and Access-ControlThis chapter discusses: The access-control system that you can use to control who
CCA Release 2.54 Figure B-17. RSA Public-Key Certificate(s) Optional Information Subsection HeaderOffset(Bytes)Length(Bytes)Description000 001 X&apos
CCA Release 2.54 Figure B-21. RSA Public-Key Certificate(s) Signature SubsectionOffset(Bytes)Length(Bytes)Description000 001 X'45', Signatu
CCA Release 2.54 RSA Private-Key Blinding Information: Figure B-22. RSA Private-Key Blinding InformationOffset(Bytes)Length(Bytes)Description000 001
CCA Release 2.54 Key-Storage RecordsKey storage exists as an online, Direct Access Storage Device (DASD)-residentdata set for the storage of key rec
CCA Release 2.54 Figure B-24. Key-Storage-File Header, Record 1 (not OS/400)Offset Length Meaning00 04 The total length of this key record.04 04 The
CCA Release 2.54 Figure B-25. Key-Storage File Header, Record 2 (not OS/400)Offset Length Meaning00 04 The total length of this key record.04 04 The
CCA Release 2.54 Figure B-27. DES Key-Record Format, OS/400 Key StorageOffset Length Meaning00 56 The key label without separators.56 02 Reserved58 6
CCA Release 2.54 Key_Record_List Data SetThere are two Key_Record_List verbs, one for the DES key store and one for thePKA key store. Each creates an
CCA Release 2.54 Figure B-29 (Page 2 of 2). Key-Record-List Data Set Format (Other Than OS/400)Offset Length MeaningDetail Record (Part 1) 0 1 This
CCA Release 2.54 Figure B-30 (Page 1 of 2). Key-Record-List Data Set Format (OS/400 only)Offset Length MeaningHeader Record 0 24 This field contains
CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD) . . . . . . . . . . . . . . . . 2-46Key_Storage_Designate (CSUAKSD) . . . . . . . . . .
CCA Release 2.54 CCA Access-ControlThis section describes these CCA access-control system topics: Understanding access control Role-based access c
CCA Release 2.54 Figure B-30 (Page 2 of 2). Key-Record-List Data Set Format (OS/400 only)Offset Length MeaningDetail Record 0 1 This field contains
CCA Release 2.54 Role StructureThis section describes the data structures used with roles.Basic Structure of a RoleThe following figure describes ho
CCA Release 2.54 Aggregate Role StructureA set of zero one or more role definitions are sent in a single data structure. Thisstructure consists of a
CCA Release 2.54 The entire access-control-point structure is comprised of a header, followed by oneor more access-control-point segments. The header
CCA Release 2.54 Figure B-34 (Page 2 of 2). Functions Permitted in Default RoleCode Function NameX'0113' Change the expiration date in a us
CCA Release 2.54 The checksum is defined as the exclusive-OR (XOR) of each byte in the profilestructure. The high-order byte of the checksum field is
CCA Release 2.54 The header is followed by individual sets of authentication data, each containing thedata for one authentication mechanism. This lay
CCA Release 2.54 Figure B-39 (Page 1 of 2). Authentication Data for Each Authentication MechanismField name Length(bytes)DescriptionLength 2 The size
CCA Release 2.54 Authentication Data for Passphrase Authentication: For passphraseauthentication, the mechanism data field contains the 20-byte SHA-
CCA Release 2.54 1 5a 2d 2 53 61 6d 7 6c 65 2 5 72 6f ...Z- Sample Pro66 69 6c 65 2 31 2 2d ab cd 4a 5f 53 6d file 1 -...J_Sm69 7
CCA Release 2.54 A role-based system is more efficient than one in which the authority is assignedindividually for each user. In general, users can b
CCA Release 2.54 1 1 5a 2d 2 53 61 ...Z- Sa6d 7 6c 65 2 5 72 6f 66 69 6c 65 2 31 2 2d mple Profile 1 -ab c
CCA Release 2.54 00 03 The number of bytes of data in the access-control points for thissegment. There are 3 bytes, for the access-control points fro
CCA Release 2.54 Aggregate Role Data StructureFigure B-45 shows the an aggregate role data structure, like you would load usingthe CSUAACI verb.
CCA Release 2.54 Master Key Shares Data FormatsMaster key shares, and potentially other information to be “cloned” from oneCoprocessor to another Cop
CCA Release 2.54 Function Control VectorThe export (distribution) of cryptographic implementations by USA companies iscontrolled under USA Government
CCA Release 2.54 Figure B-49 (Page 2 of 2). FCV Distribution StructureOffsetDecimal(Hex)LengthDecimalMeaningFCV Supplied to Coprocessor (offset 470 a
CCA Release 2.54 B-44 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Appendix C. CCA Control-Vector Definitions and KeyEncryptionThis appendix describes the following: DES control-vector values1 Spec
CCA Release 2.54 Usually there is a default control-vector associated with each of the key types justlisted; see Figure C-2 on page C-3. The bits in
CCA Release 2.54 You can use the default control-vector for a key type, or you can create a morerestrictive control-vector. The default control-vecto
CCA Release 2.54 Understanding ProfilesAny user who needs to be authenticated to the Coprocessor must have a userprofile. Users who only need the ca
CCA Release 2.54 Figure C-2 (Page 2 of 2). Key Type Default Control-Vector Values Key TypeControl VectorHexadecimal Value forSingle-length Key or Lef
CCA Release 2.54 Control─Vector─Base Bits│ │ 1 1 1 │1 1 2 2 │2 2 2 3 │3 3 3 3 │4 4 4 4 │4 5 5 5 │5 5 6 6 ││ 2 4 6 │8 2 4 │6 8 2 │4 6 8
CCA Release 2.54 Control─Vector─Base Bits│ │ 1 1 1 │1 1 2 2 │2 2 2 3 │3 3 3 3 │4 4 4 4 │4 5 5 5 │5 5 6 6 ││ 2 4 6 │8 2 4 │6 8 2 │4 6 8
CCA Release 2.54 Key-Form Bits, ‘fff’ and ‘FFF’The key-form bits, 40-42...and for a double-length key, bits 104-106...aredesignated ‘fff’ and ‘FFF’ i
CCA Release 2.54 2. For key-encrypting keys, set the following bits: The Key-Encrypting Key-limiting bits, previously described as bits “hhh, bits35
CCA Release 2.54 The MAC control bits (bits 20 and 21). For a MAC generation key, set bits20 and 21 to B'11'. For a MAC verification key,
CCA Release 2.54 9. For the IPINENC (inbound) and OPINENC (outbound) PIN-block cipheringkeys, do the following: Set the TRANSLAT bit (t, bit 21) to
CCA Release 2.54 13. For all keys, set the following bits: The export bit (E, bit 17). If set to 0, the export bit prevents a key frombeing exported
CCA Release 2.54 CCA Key Encryption and Decryption ProcessesThis section describes the CCA key-encryption processes: CCA DES key encryption CCA RSA
CCA Release 2.54 ┌──────────────┬──────────────┬──────────────┐ ┌──────────────┬──────────────┐│ Master Key │ │ Control Vector │└────│─────────┴────│
CCA Release 2.54 Initializing and Managing the Access-Control SystemBefore you can use a Coprocessor with newly loaded or initialized CCA supportyou
CCA Release 2.54 PKA92 Key Format and Encryption ProcessThe PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, and thePKA_Symmetric_Key_Import ver
CCA Release 2.54 Decrypting Sub-process: RSA decrypt the AS External Key Block using an RSAprivate key and call the result of the decryption PKR. Th
CCA Release 2.54 Encrypting a Key_Encrypting Key in the NL-EPP-5 FormatThe PKA_Symmetric_Key_Generate verb supports a NL-EPP-5 method ofencrypting a
CCA Release 2.54 you can enter another part that is set to the value of the pre-exclusive-ORquantity (which quantity is discussed later). Use the Ke
CCA Release 2.54 Note that if you are processing a double-length key, you almost certainly will haveto process the key twice, using the key-encryptin
CCA Release 2.54 CVil is the control vector for the left half of the target input PIN-blockencrypting key.e*Km⊕CViml(Kt⊕CVir) e*Km⊕CVimr(Kt⊕CVir
CCA Release 2.54 Changing Control Vectors with the Control_Vector_Translate VerbDo the following when using the Control_Vector_Translate verb: Provi
CCA Release 2.54 This expression tests whether the control vectors associated with the sourcekey and the target key meet your criteria for the desire
CCA Release 2.54 For expression1: KEK CV ┌─┬─┬─┬─┬─────┬─┬─┬─┬─┬───────────────────────────┐ Control Vector2: Source CV ││1││1│... ││1││1│... │ U
CCA Release 2.54 Selecting the Key-Half Processing ModeThe Control_Vector_Translate verb rule-array keywords determine which key halvesare processed
CCA Release 2.54 Take care to ensure that you define roles that have the authority to performinitialization, including the RQ-TOKEN and RQ-REINT opti
CCA Release 2.54 The verb first processes the source and target tokens as with theSINGLE keyword. Then the source token is processed using thesingle-
CCA Release 2.54 Appendix D. Algorithms and ProcessesThis appendix provides processing details for the following aspects of the CCAdesign: Cryptogra
CCA Release 2.54 S/390 Based Master Key Verification MethodWhen the first and third portions of the symmetric master key have the same value,the mast
CCA Release 2.54 The CCA DES key verification algorithm does the following:1. Sets KKR′ = KKR exclusive-OR RN2. Sets K1 = X'4545454545454545&apo
CCA Release 2.54 When the keywords PADMDC-2 and PADMDC-4 are used, the supplied text isalways padded as follows: If the supplied text is less than 1
CCA Release 2.54 MDC-2 CalculationThe MDC-2 calculation consists of the following procedure: MDC-2 (n, text, KEY1, KEY2, MDC);For i := 1,2,...,n doC
CCA Release 2.54 General Data Encryption ProcessesAlthough the fundamental concepts of ciphering (enciphering and deciphering) dataare simple, differ
CCA Release 2.54 ANSI X3.106 Cipher Block Chaining (CBC) MethodANSI standard X3.106 defines four modes of operation for ciphering. One of thesemodes,
CCA Release 2.54 ┌──────────────┐│Verb Parameter│└──────┬───────┘ │┌─────────────┐ ────── Plaintext from Application Program ────────────│Initiali
CCA Release 2.54 ┌──────────────┐│Verb Parameter│└──────┬───────┘ │┌─────────────┐ ── Plaintext from Application Program ───│Initialization│ ┌────
CCA Release 2.54 Notes:1. During the portions of the year when Daylight Savings Time is not in effect, thetime difference between Eastern Standard Ti
CCA Release 2.54 Triple-DES Ciphering AlgorithmsTriple-DES is used to encrypt keys, PIN blocks, and general data. Severaltechniques are employed:T-DE
CCA Release 2.54 ┌─────────────┬─────────────┬─────────────┬/┬─────────────┐ │ T164 │ T264 │ T364 │ │ Tn64 │ └──────┬──────┴──────┬──────┴──
CCA Release 2.54 ┌─────────────┬─────────────┬─────────────┬/┬─────────────┐EDE2 EDE3 EDE5 │ T1<64> │ T2<64> │ T3<64> │ │ Tn<64
CCA Release 2.54 MAC Calculation MethodsWith CCA Release 2.51, three variations of DES based message authentication aresupported by the MAC_Generate
CCA Release 2.54 T1 T2 Tn-1 Tn │ ┌──┴──┐ ┌──┴──┐ ┌──┴──┐ │││ │││││ ┌──┤ XOR │ ┌──┤ XOR │ ┌──┤ XOR │ │ │││ ││││││ │ │ └──┬──┘ │ └──┬──┘ │ └─
CCA Release 2.54 RSA Key-Pair GenerationRSA key-pair generation is determined based on user input of the modulus bitlength, public exponent, and key
CCA Release 2.54 Access-Control AlgorithmsThe following sections describe algorithms and protocols used by theaccess-control system.Passphrase Verif
CCA Release 2.54 3. The client workstation generates a random number, RN (64 bits).Note: Note: The random-number RN is not used inside the Cryptogra
CCA Release 2.54 Master-Key-Splitting AlgorithmThis section describes the mathematical and cryptographic basis for the m-of-n keyshares scheme.The k
CCA Release 2.54 Formatting Hashes and Keys in Public-Key CryptographyThe Digital_Signature_Generate and Digital_Signature_Verify verbs support sever
CCA Release 2.54 logged on, and frees resources you were using in the host system and in theCoprocessor.Use of Logon Context InformationThe Logon_Con
CCA Release 2.54 – RSASSA-PKCS1-v1_5, the newer name for the block-type 1 format. InCCA, keyword PKCS-1.1 is used to invoke this formatting technique
CCA Release 2.54 Appendix E. Financial System Verbs Calculation Methodsand Data FormatsThis appendix describes the following: PIN-calculation meth
CCA Release 2.54 PIN-Calculation MethodsThe financial PIN verbs support some or all of these PIN-calculation methods, seeFigure 8-3 on page 8-6: IB
CCA Release 2.54 IBM 3624 PIN-Calculation MethodThe IBM 3624 PIN-calculation method calculates a PIN that is from 4 to 16 digits inlength.The IBM 362
CCA Release 2.54 IBM 3624 PIN Offset Calculation MethodThe IBM 3624 PIN Offset calculation method is the same as the IBM 3624PIN-calculation method e
CCA Release 2.54 Netherlands PIN-1 Calculation MethodThe Netherlands PIN-1 (NL-PIN-1) calculation method calculates a PIN that is 4digits in length.T
CCA Release 2.54 IBM German Bank Pool Institution PIN-Calculation MethodThe IBM German Bank Pool Institution PIN calculation method calculates aninst
CCA Release 2.54 VISA PIN Validation Value (PVV) Calculation MethodThe VISA-PVV calculation method calculates a VISA-PVV that is 4 digits in length.T
CCA Release 2.54 Interbank PIN-Calculation MethodThe Interbank PIN-calculation method consists of the following steps:1. Let X denote the transaction
CCA Release 2.54 PIN-Block FormatsThe PIN verbs support one or more of the following PIN-block formats: IBM 3624 format ISO-0 format (same as the
CCA Release 2.54 Protecting Your Transaction InformationWhen you are logged on to the Coprocessor, the information transmitted to andfrom the CCA Cop
CCA Release 2.54 ISO-0 PIN-Block FormatAn ISO-0 PIN-block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1PIN-block formats. The ISO-0 PIN-bl
CCA Release 2.54 ISO-1 PIN-Block FormatThe ISO-1 PIN-block format is equivalent to an ECI-4 PIN-block format. The ISO-1PIN-block format supports a PI
CCA Release 2.54 ISO-2 PIN-Block FormatThe ISO-2 PIN-block format supports a PIN from 4 to 12 digits in length. A PINthat is longer than 12 digits is
CCA Release 2.54 UKPT Calculation MethodsThis section describes the calculation methods for deriving theunique-key-per-transaction (UKPT) key accordi
CCA Release 2.54 a. Move the rightmost 8 bytes of the current key serial number to a work area(Wa).b. Move the rightmost 3 bytes of Wa to another wor
CCA Release 2.54 The following is an example of calculating the current PIN encrypting key:Wa = X'4567 89AB CDE 'Ca = X'11&apo
CCA Release 2.54 CVV and CVC MethodFigure E-62 shows the method used to generate a card-verification value (CVV) fortrack 2. Each (decimal) digit is
CCA Release 2.54 VISA and EMV-Related Smart Card Formats and ProcessesThe VISA and EMV specifications for performing secure messaging with an EMVcomp
CCA Release 2.54 3. Set the second digit of block-2 to the length of the new PIN (4 to 12), followedby the new PIN, and padded to the right with X&ap
CCA Release 2.54 TDESEMV2 causes processing with a branch factor of 2 and a height of16. TDESEMV4 causes processing with a branch factor of 4 and
CCA Release 2.54 used to establish the maximum strength of certain cryptographic functions, theenvironment identifier, and the maximum number of mast
CCA Release 2.54 E-20 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Appendix F. Verb ListThis appendix lists the verbs supported by the CCA Support Program feature forthe IBM 4758 PCI Cryptographic C
CCA Release 2.54 Figure F-1 (Page 2 of 3). Security API Verbs in Supported EnvironmentsPseudonym Entry-Point OS/2 AIX NT OS/400 PageData Confidential
CCA Release 2.54 Figure F-1 (Page 3 of 3). Security API Verbs in Supported EnvironmentsPseudonym Entry-Point OS/2 AIX NT OS/400 PageFinancial Service
CCA Release 2.54 F-4 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 Appendix G. Access-Control-Point CodesThe table in this appendix lists the CCA access-control commands (“controlpoints”). The role
CCA Release 2.54 Figure G-1 (Page 1 of 4). Supported CCA CommandsOffset Command Name Verb Name Entry UsageX'000E' Encipher Encipher CSNBENC
CCA Release 2.54 Figure G-1 (Page 2 of 4). Supported CCA CommandsOffset Command Name Verb Name Entry UsageX'008E' Generate Key Key_Generate
CCA Release 2.54 Figure G-1 (Page 3 of 4). Supported CCA CommandsOffset Command Name Verb Name Entry UsageX'0109' Data Key Import Data_Key_
CCA Release 2.54 Figure G-1 (Page 4 of 4). Supported CCA CommandsOffset Command Name Verb Name Entry UsageX'0230' List Retained Key Retaine
CCA Release 2.54 Cryptographic_Resource_Allocate verb will fail if a cryptographic resource isalready allocated.To determine the number of CCA Coproc
CCA Release 2.54 G-6 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 List of AbbreviationsANSI American National Standards InstituteACF/VTAM Advanced Communications Functionfor the Virtual Telecommunic
CCA Release 2.54 ROM Read-Only MemoryRPQ Request for Price QuotationRSA Rivest, Shamir, and AdlemanSAA Systems Application ArchitectureSAF System Aut
CCA Release 2.54 GlossaryThis glossary includes some terms and definitions fromthe IBM Dictionary of Computing, New York: McGrawHill, 1994. This glo
CCA Release 2.54 Bbus. In a processor, a physical facility along whichdata is transferred.byte. (1) A binary character operated on as a unit andusu
CCA Release 2.54 decipher. (1) To convert enciphered data into cleardata. (2) Synonym for decrypt. (3) Contrast withencipher.decode. (1) To convert
CCA Release 2.54 Hhost. (1) In this publication, same as host computer orhost processor. The machine in which the Coprocessorresides. (2) In a compu
CCA Release 2.54 NNational Institute of Science and Technology(NIST). This is the current name for the US NationalBureau of Standards.network. (1)
CCA Release 2.54 reason code. (1) A value that provides a specificresult as opposed to a general result. (2) Contrast withreturn code.replicated key
CCA Release 2.54 UUnique Key Per Transaction (UKPT). UKPT is acryptographic process that can be used to decipher PINblocks in a transaction.user-exi
CCA Release 2.54 Cryptographic_Variable_Encipher (CSNBCVE) . . . . . . . . . . . . . . . . . . 5-29Data_Key_Export (CSNBDKX) . . . . . . . . . . . .
CCA Release 2.54 the Coprocessor device driver.5 The host code then polls each Coprocessor in turnto determine which ones contain the CCA application
CCA Release 2.54 X-10 IBM 4758 CCA Basic Services, Release 2.54, February 2005
CCA Release 2.54 IndexAAccess Control, CCA 2-2Access_Control_Initialization (CSUAACI) 2-21Access_Control_Maintenance (CSUAACM) 2-24American Expresst
CCA Release 2.54 CSNBCPA (Clear_PIN_Generate_Alternate) 8-21CSNBCPE (Clear_PIN_Encrypt) 8-15CSNBCSG (CVV_Generate) 8-27CSNBCSV (CVV_Verify) 8-30CSNBC
CCA Release 2.54 EEMV (Europay, Mastercard, VISA)application transaction counter (ATC) E-18MAC padding method D-13PIN-block self-encryption E-19PIN_C
CCA Release 2.54 IIM (importable) keys 5-4importable (IM) keys 5-4importing, description 5-18, C-17initializing key storage 2-48, 2-50input/output (I
CCA Release 2.54 keysactivating 3-22asymmetric 5-6ciphering 5-7, 5-10clear 5-16control vectors 5-4deactivating 3-22deleting 3-22, 7-13, 7-21double-le
CCA Release 2.54 listing keys 7-22loading a master key 2-59, 2-64Logging on and logging off 2-7logon context information 2-8Logon Control (CSUALCT) 2
CCA Release 2.54 reenciphering keys 3-22replicated key-halfexport restriction 5-34, 5-42, 5-52export restriction an EXPORTER transport key 5-31Requir
IBMCCA Release 2.54PDF File
CCA Release 2.54 PKA_Key_Token_Change verbs). Whenever a working key is encrypted for localuse, it is encrypted using the current master-key.Symmetri
CCA Release 2.54 The verb performs a one-way function on the key-of-interest, the result of whichis either returned or compared to a known correct re
CCA Release 2.54 must also have been marked as suitable for operation with theMaster_Key_Distribution verb when it was generated.When receiving a sha
CCA Release 2.54 ┌──────────────────────────────────┐│Share─Administration Control Point│ 3. │ │ │││ CERT{SA}(SA) H(CERT{SA}(SA)) ││ ───────┬──── ──
CCA Release 2.54 7. In the target node, generate a retained key usable for master-keyadministration, the Coprocessor Share Receiving (CSR) key, and h
CCA Release 2.54 AIX and Windows Multi-Coprocessor Master-Key Support: It is a generalrecommendation that all of the CCA Coprocessors within the sys
CCA Release 2.54 When all of the Coprocessors are newly initialized, that is, theircurrent-master-key registers are empty, first install the same m
CCA Release 2.54 Intentionally using different master keys in a set of Coprocessors.This situation becomes very complicated if you are using key stor
CCA Release 2.54 Access_Control_Initialization Access_Control_Initialization (CSUAACI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X
CCA Release 2.54 Providing Security for PINs ... 8-6Using Specific Key Types and Key-Usage Bits to Help Ensure PINSecurity .
Access_Control_Initialization CCA Release 2.54 verb_data_1_lengthThe verb_data_1_length parameter is a pointer to an integer variable containingthe n
CCA Release 2.54 Access_Control_Initialization verb_data_length_2The verb_data_length_2 parameter is a pointer to an integer variable containingthe n
Access_Control_Maintenance CCA Release 2.54 Access_Control_Maintenance (CSUAACM)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe A
CCA Release 2.54 Access_Control_Maintenance nameThe name parameter is a pointer to a string variable containing the name of arole or user profile whi
Access_Control_Maintenance CCA Release 2.54 output_data_lengthThe output_data_length parameter is a pointer to an integer variable containingthe numb
CCA Release 2.54 Access_Control_Maintenance Rule-ArrayKeywordContents of output_data VariableGET-PROF Contains the non-secret portion of the selected
Access_Control_Maintenance CCA Release 2.54 Rule-ArrayKeywordContents of output_data VariableGET-ROLE The field contains the non-secret portion of th
CCA Release 2.54 Access_Control_Maintenance Required CommandsThe Access_Control_Maintenance verb requires the following commands to beenabled in the
Cryptographic_Facility_Control CCA Release 2.54 Cryptographic_Facility_Control (CSUACFC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X
CCA Release 2.54 Cryptographic_Facility_Control ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparame
CCA Release 2.54 Aggregate Role Structure ... B-30Access-Control-Point List . . . . . . . . . . . . . . . . . . . . . . . . .
Cryptographic_Facility_Control CCA Release 2.54 verb_data_lengthThe verb_data_length parameter is a pointer to an integer variable containingthe numb
CCA Release 2.54 Cryptographic_Facility_Control For SET-MOFN, verb_data is an input variable. The variable contentsestablish the minimum and maximu
Cryptographic_Facility_Query CCA Release 2.54 Cryptographic_Facility_Query (CSUACFQ)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XT
CCA Release 2.54 Cryptographic_Facility_Query On output, the verb sets the variable to the number of rule-array elements itreturns to the application
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 1 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 2 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 3 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 4 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 5 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 6 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb
CCA Release 2.54 Triple-DES Ciphering Algorithms ... D-10MAC Calculation Methods... D-13RSA Key-Pair
Cryptographic_Facility_Query CCA Release 2.54 verb_data_lengthThe verb_data_length parameter is a pointer to an integer variable containingthe number
CCA Release 2.54 Cryptographic_Facility_Query of this verb. Its use depends on the options specified by the host applicationprogram.The verb_data par
Cryptographic_Resource_Allocate CCA Release 2.54 Cryptographic_Resource_Allocate (CSUACRA)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X
CCA Release 2.54 Cryptographic_Resource_Allocate resource_name_lengthThe resource_name_length parameter is a pointer to an integer variablecontaining
Cryptographic_Resource_Deallocate CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/2
CCA Release 2.54 Cryptographic_Resource_Deallocate resource_name_lengthThe resource_name_length parameter is a pointer to an integer variablecontaini
Key_Storage_Designate CCA Release 2.54 Key_Storage_Designate (CSUAKSD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 XThe Key_Storage_D
CCA Release 2.54 Key_Storage_Designate key_storage_file_name_lengthThe key_storage_file_name_length parameter is a pointer to an integer variablecont
Key_Storage_Initialization CCA Release 2.54 Key_Storage_Initialization (CSNBKSI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe K
CCA Release 2.54 Key_Storage_Initialization key_storage_file_name_lengthThe key_storage_file_name_length parameter is a pointer to an integer variabl
CCA Release 2.54 Figures1-1. CCA Security API, Access Layer, Cryptographic Engine ... 1-32-1. CCA Node, Access-Control, and Master-Key Manageme
Logon_Control CCA Release 2.54 Logon_Control (CSUALCT)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XUse the Logon_Control verb to p
CCA Release 2.54 Logon_Control user_idThe user_id parameter is a pointer to a string variable containing the ID stringwhich identifies the user to th
Logon_Control CCA Release 2.54 On input, this field contains the length (in bytes) of the auth_data variable.When no usage is defined for the auth_da
CCA Release 2.54 Master_Key_Distribution Master_Key_Distribution (CSUAMKD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Master_
Master_Key_Distribution CCA Release 2.54 – The private_key_name of the Coprocessor-retained key used to decrypt theclone_info_encrypting_key. This ke
CCA Release 2.54 Master_Key_Distribution ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, s
Master_Key_Distribution CCA Release 2.54 clone_info_encrypting_keyThe clone_info_encrypting_key parameter is a pointer to a string variablecontaining
CCA Release 2.54 Master_Key_Process Master_Key_Process (CSNBMKP)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Master_Key_Proces
Master_Key_Process CCA Release 2.54 The master-key verification pattern (MKVP) of the new master-key is comparedagainst the MKVP of the current and
CCA Release 2.54 Master_Key_Process key_partThe key_part parameter is a pointer to a string variable containing a 168-bit(3x56-bit, 24-byte) clear ke
Comments to this Manuals