IBM Computer Hardware 2 User Manual

IBM PCI Cryptographic Coprocessor CCA Basic Services Reference and GuideRelease 2.54IBM iSeries PCICC FeatureCCA Release 2.54

CCA Release 2.54 A-3. Reason Codes for Return Code 4 ... A-3A-4. Reason Codes for Return Code 8... A-4A-5. Reason

Master_Key_Process CCA Release 2.54 – Clear Old PKA Master Key Register command (offset X'0061') with theCLR-OLD keyword– Load First PKA Ma

CCA Release 2.54 Master_Key_Process FE 1 1 FE FE 1 1 FE / possibly semi-weak /E 1F 1 FE F1 E 1 FE / possibly semi-weak /E 1 1F FE F1 1

Random_Number_Tests CCA Release 2.54 Random_Number_Tests (CSUARNT)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X The Random_Number_T

CCA Release 2.54 Random_Number_Tests Required CommandsNone. Chapter 2. CCA Node-Management and Access-Control 2-65

CCA Release 2.54 2-66 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Chapter 3. RSA Key-ManagementThis chapter describes the management of RSA public and private keys and howyou can: Generate keys wi

CCA Release 2.54 ────────────┬───────────────── ┌──────────────────┐ │PKA_Key_Token_Build├┐ └┬──────────────────┘│┌─────────┐ └──────┬───────┬────┘

CCA Release 2.54 The PKA_Key_Generate verb either retains the generated private key within theCoprocessor, or the verb outputs the generated private

CCA Release 2.54 restricted key usage. These systems can determine if a requesting process hasthe right to use the particular key name that is crypto

CCA Release 2.54 You provide or identify the operational transport key (key-encrypting key) and theencrypted private key with its associated public k

CCA Release 2.54 C-1. Key Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2C-2. Key Type Default Control-Vector Values...

CCA Release 2.54 Using the Private Key at Multiple NodesYou can arrange to use a private key at multiple nodes if the nodes have the sameasymmetric m

CCA Release 2.54 PKA_Key_Generate PKA_Key_Generate (CSNDPKG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Generate verb

PKA_Key_Generate CCA Release 2.54 Note: When using the RETAINED key option, the key label supplied in theskeleton key-token references the key stora

CCA Release 2.54 PKA_Key_Generate ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Par

PKA_Key_Generate CCA Release 2.54 skeleton_key_tokenThe skeleton_key_token parameter is a pointer to a string variable containing askeleton key-token

CCA Release 2.54 PKA_Key_Import PKA_Key_Import (CSNDPKI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Import verb is us

PKA_Key_Import CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Param

CCA Release 2.54 PKA_Key_Import Required CommandsThe PKA_Key_Import verb requires the PKA Key Import command (offset X'0104')to be enabled

PKA_Key_Token_Build CCA Release 2.54 PKA_Key_Token_Build (CSNDPKB)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Token_B

CCA Release 2.54 PKA_Key_Token_Build Restrictions The RSA-OPT rule-array keyword is not supported with Version 2. Instead,use keyword RSA-CRT to ob

CCA Release 2.54 xii IBM 4758 CCA Basic Services, Release 2.54, February 2005

PKA_Key_Token_Build CCA Release 2.54 key_values_structure_lengthThe key_values_structure_length parameter is a pointer to an integer variablecontaini

CCA Release 2.54 PKA_Key_Token_Build Figure 3-3 (Page 1 of 2). PKA_Key_Token_Build Key-Values-Structure ContentsOffset(Bytes)Length(Bytes)Description

PKA_Key_Token_Build CCA Release 2.54 key_name_lengthThe key_name_length parameter is a pointer to an integer variable containingthe number of bytes o

CCA Release 2.54 PKA_Key_Token_Build reserved_x(s)The reserved_x parameters are each a pointer to a string variable that isreserved for future use. E

PKA_Key_Token_Build CCA Release 2.54 Token Type ModulusLength inBitsPublicExponentKey-Values Structure (Hexadecimal) StructureLength(Bytes)RSA-CRT 5

CCA Release 2.54 PKA_Key_Token_Build Required CommandsNone Chapter 3. RSA Key-Management 3-21

PKA_Key_Token_Change CCA Release 2.54 PKA_Key_Token_Change (CSNDKTC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Token

CCA Release 2.54 PKA_Key_Token_Change key_identifier_lengthThe key_identifier_length parameter is a pointer to an integer variablecontaining the numb

PKA_Public_Key_Extract CCA Release 2.54 PKA_Public_Key_Extract (CSNDPKX)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Publi

CCA Release 2.54 PKA_Public_Key_Extract target_key_token_lengthThe target_key_token_length parameter is a pointer to an integer variablecontaining th

CCA Release 2.54 NoticesReferences in this publication to IBM products, programs, or services do not implythat IBM intends to make these available i

PKA_Public_Key_Hash_Register CCA Release 2.54 PKA_Public_Key_Hash_Register (CSNDPKH)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XT

CCA Release 2.54 PKA_Public_Key_Hash_Register hash_data_lengthThe hash_data_length parameter is a pointer to an integer variable containingthe number

PKA_Public_Key_Register CCA Release 2.54 PKA_Public_Key_Register (CSNDPKR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Pub

CCA Release 2.54 PKA_Public_Key_Register public_key_nameThe public_key_name parameter is a pointer to a string variable containing thename under whic

CCA Release 2.54 3-30 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Chapter 4. Hashing and Digital SignaturesThis chapter discusses the data hashing and the digital signature techniques youcan use to

CCA Release 2.54 The CCA products support the following hash functions:Secure Hash Algorithm-1 (SHA-1) The SHA-1 is defined in FIPS 180-1 andproduces

CCA Release 2.54 Anyone with access to your public key can verify your information as follows:1. Hash the data using the same hashing algorithm that

Digital_Signature_Generate CCA Release 2.54 Digital_Signature_Generate (CSNDDSG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe D

CCA Release 2.54 Digital_Signature_Generate rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The

CCA Release 2.54 The following terms, denoted by a double asterisk (**) in this publication, are thetrademarks of other companies:Diebold Diebold Inc

Digital_Signature_Generate CCA Release 2.54 hash_lengthThe hash_length parameter is a pointer to an integer variable containing thenumber of bytes of

CCA Release 2.54 Digital_Signature_Verify Digital_Signature_Verify (CSNDDSV)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Digit

Digital_Signature_Verify CCA Release 2.54 Notes:1. The hash for PKCS-1.1 and PKCS-1.0 should have been created usingMD5 or SHA-1 algorithms.2. The ha

CCA Release 2.54 Digital_Signature_Verify Notes:1. For ISO-9796, the information identified by the hash parameter must beless than or equal to one-ha

MDC_Generate CCA Release 2.54 MDC_Generate (CSNBMDG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XUse the MDC_Generate verb to crea

CCA Release 2.54 MDC_Generate FormatCSNBMDGreturn_code Input Integerreason_code Input Integerexit_data_length In/Output Integerexit_data In/Output S

MDC_Generate CCA Release 2.54 Chaining_VectorThe chaining_vector parameter is a pointer to an 18-byte string variable thesecurity server uses as a wo

CCA Release 2.54 One_Way_Hash One_Way_Hash (CSNBOWH)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe One_Way_Hash verb obtains a h

One_Way_Hash CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Paramet

CCA Release 2.54 One_Way_Hash hash_lengthThe hash_length parameter is a pointer to an integer variable containing thenumber of bytes of data in the h

CCA Release 2.54 Revision History About This PublicationThe manual is intended for systems and applications analysts and applicationprogrammers who w

CCA Release 2.54 4-16 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Chapter 5. DES Key-ManagementThis chapter describes verbs to perform basic CCA DES key-managementfunctions. Figure 5-1 lists the ve

CCA Release 2.54 Figure 5-1 (Page 2 of 2). Basic CCA DES Key-Management VerbsVerb Page Service EntryPointSvcLcnPKA_Decrypt 5-73 Uses an RSA private-k

CCA Release 2.54 functions in which it can be used. The cryptographic subsystem uses a systemof control vectors1 to separate the cryptographic keys i

CCA Release 2.54 A key that is multiply-enciphered under the master key is an operational key (OP).The key is operational because a cryptographic fac

CCA Release 2.54 Checking a Control Vector Before Processing a CryptographicCommandBefore a CCA cryptographic facility processes a command that uses

CCA Release 2.54  Asymmetric DES keys. An asymmetric DES key is a key in a key pair in whichthe keys are used as opposites.– ENCIPHER and DECIPHER.

CCA Release 2.54 Figure 5-4 on page 5-9 shows the key-type, key subtype, and key-usage keywordsthat can be combined in the Control_Vector_Generate ve

CCA Release 2.54 Figure 5-3 (Page 2 of 2). Key Types and Verb UsageKey Type Usable with VerbsIKEYXLAT, OKEYXLAT Key_TranslatePIN ClassThese keys are

CCA Release 2.54 ├─Key_Type─┤├─Key_Subtype─┤├─Key_Usage──────────────────────────────────────────────────────────────────────┤┬─MAC ─────┐ Note: A

Revision History CCA Release 2.54 Eleventh Edition, April, 2004, CCA Support Program,Release 2.52This revision to the February, 2004, edition of the

CCA Release 2.54 Figure 5-5 (Page 1 of 3). Control Vector Key-Subtype and Key-Usage KeywordsKeyword MeaningKey-Encrypting KeysOPIM IMPORTER keys that

CCA Release 2.54 Figure 5-5 (Page 2 of 3). Control Vector Key-Subtype and Key-Usage KeywordsKeyword MeaningVISA-PVV Select the VISA-PVV PIN-calculati

CCA Release 2.54 Figure 5-5 (Page 3 of 3). Control Vector Key-Subtype and Key-Usage KeywordsKeyword MeaningDKYL5 A DKYGENKY key with this subtype can

CCA Release 2.54  8 16 32 6 63┌─────────┬─────────┬──────────────┬──────────────┬──────────────┬───────────┬─────┐│Key- │Flags │Control Infor-│ In

CCA Release 2.54 External Key-Token: An external key-token contains an external key that ismultiply-enciphered under a key formed by the exclusive-O

CCA Release 2.54 Using the Key-Processing and Key-Storage VerbsFigure 5-8 on page 5-16 shows key-processing and key-storage verbs and howthey relate

CCA Release 2.54 Random_Number_Generate Diversified_Key_Generate ┬┬ ┌────┴────┐ │ │ │  Clear_Key_ │ Key_Part_ Import │ Import ┬ ┌─────────────────

CCA Release 2.54 master key or a key-encrypting key. If you are generating a DES asymmetrickey-type, the verb will multiply-encipher the random numbe

CCA Release 2.54 Since the two halves are random numbers, it is unlikely that the result of theDOUBLE keyword will produce two halves with the same 6

CCA Release 2.54 ┌──────────────┐ ┌──────────────┐Operational │ Key to Be │ │ Imported │ OperationalForm of Key │ Exported │ │ Key │ Form of Keyat N

CCA Release 2.54 Revision History 1. Functions in support of EMV-compatible smart-cards. Support of the PIN Change/Unblock function described in the

CCA Release 2.54 therefore it is very important to handle the key-generating key with a high degree ofsecurity lest the interactions with the whole p

CCA Release 2.54 Security PrecautionsBe sure to see the “Observations on Secure Operations” chapter in the CCASupport Program Installation Manual.In

Clear_Key_Import CCA Release 2.54 Clear_Key_Import (CSNBCKI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Clear_Key_Import verb

CCA Release 2.54 Clear_Key_Import Required CommandsThe Clear_Key_Import verb requires the Encipher Under Master Key command(command offset X'00

Control_Vector_Generate CCA Release 2.54 Control_Vector_Generate (CSNBCVG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Control

CCA Release 2.54 Control_Vector_Generate rule_array_countThe rule_array_count parameter is a pointer to an integer variable containingthe number of e

Control_Vector_Translate CCA Release 2.54 Control_Vector_Translate (CSNBCVT)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Contr

CCA Release 2.54 Control_Vector_Translate mask_array_leftThe mask_array_left parameter is a pointer to a string variable containing themask array enc

Control_Vector_Translate CCA Release 2.54 target_key_tokenThe target_key_token parameter is a pointer to a string variable containing anexternal key-

CCA Release 2.54 Cryptographic_Variable_Encipher Cryptographic_Variable_Encipher (CSNBCVE)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X

Revision History CCA Release 2.54 Eighth Edition, Revised, CCA Support Program, Release 2.41This revised Release 2.41 manual incorporates additional

Cryptographic_Variable_Encipher CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparam

CCA Release 2.54 Data_Key_Export Data_Key_Export (CSNBDKX)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Data_Key_Export verb ex

Data_Key_Export CCA Release 2.54 target_key_tokenThe target_key_token parameter is a pointer to a string variable containing thereencrypted source-ke

CCA Release 2.54 Data_Key_Import Data_Key_Import (CSNBDKM)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Data_Key_Import verb im

Data_Key_Import CCA Release 2.54 RestrictionsStarting with Release 2.41, unless you enable the Unrestrict Data Key Importcommand (offset X'027C

CCA Release 2.54 Diversified_Key_Generate Diversified_Key_Generate (CSNBDKG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Diver

Diversified_Key_Generate CCA Release 2.54  Returns the diversified key, multiply-enciphered by the master key modified bythe control vector. Restric

CCA Release 2.54 Diversified_Key_Generate Keyword MeaningTDES-ENC Specifies that 8 or 16 bytes of clear (not encrypted) data shallbe triple-DES encry

Diversified_Key_Generate CCA Release 2.54 Keyword MeaningTDESEMV2,TDESEMV4Note: These options are available starting with Release 2.51.Specifies tha

CCA Release 2.54 Diversified_Key_Generate Keyword MeaningTDES-XOR Note: This option is available starting with Release 2.50.Specifies that 10 or 18

CCA Release 2.54 Revision History can create an application to to clone keys having any of the CSS, CSR, andSA keys longer than 1024-bits. See “Estab

Diversified_Key_Generate CCA Release 2.54 generating_key_identifierThe generating_key_identifier parameter is a pointer to a string variablecontainin

CCA Release 2.54 Diversified_Key_Generate effective single-length key) by enabling the Enable DKG Single Length Keys andEqual Halves for TDES-ENC, TD

Key_Export CCA Release 2.54 Key_Export (CSNBKEX)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Export verb exports a source

CCA Release 2.54 Key_Export FormatCSNBKEXreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/Output S

Key_Generate CCA Release 2.54 Key_Generate (CSNBKGN)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Generate verb generates a

CCA Release 2.54 Key_Generate FormatCSNBKGNreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/Output

Key_Generate CCA Release 2.54 key_lengthThe key_length parameter is a pointer to an eight-byte string variable,left-justified and padded on the right

CCA Release 2.54 Key_Generate unless you are using the TOKEN keyword, you must identify a null key-tokenon input. Required CommandsDepending on your

Key_Generate CCA Release 2.54 can use to generate a single key copy with default control-vectors. Figure 5-12 onpage 5-49 shows the key types you can

CCA Release 2.54 Key_Generate Figure 5-12. Key_Type and Key_Form Keywords for a Key PairKey_Type_1 Key_Type_2 Key_FormOPOP,OPIM,IMIMKey_FormOPEXKey_F

CCA Release 2.54 Note! Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi

Revision History CCA Release 2.54  The PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, andPKA_Symmetric_Key_Import verbs are updated to includ

Key_Generate CCA Release 2.54 key-length the verb uses when you supply eight space characters with thekey_length parameter.Figure 5-13. Key Lengths b

CCA Release 2.54 Key_Import Key_Import (CSNBKIM)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Import verb imports a source

Key_Import CCA Release 2.54 RestrictionsStarting with Release 2.41, unless you enable the Unrestrict Reencipher to MasterKey command (offset X'

CCA Release 2.54 Key_Import key-halves IMPORTER key-encrypting-key to import a key having unequalkey-halves (key parity bits are ignored). Chapter

Key_Part_Import CCA Release 2.54 Key_Part_Import (CSNBKPI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Part_Import verb is

CCA Release 2.54 Key_Part_Import of one bits, and there are no other problems, the verb will return reasoncode 2. Use of the ADD-PART keyword require

Key_Part_Import CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Para

CCA Release 2.54 Key_Part_Import Required CommandsThe Key_Part_Import verb requires the following commands to be enabled in theactive role: The Loa

Key_Test CCA Release 2.54 Key_Test (CSNBKYT)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XYou use the Key_Test verb to verify the v

CCA Release 2.54 Key_Test RestrictionsNone FormatCSNBKYTreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_d

CCA Release 2.54 Fifth Edition, CCA Support Program, Release 2.30The fifth edition of the IBM 4758 CCA Basic Services Reference and Guide Version2.30

Key_Test CCA Release 2.54 key_identifierThe key_identifier parameter is a pointer to a string variable containing aninternal key-token, a key label t

CCA Release 2.54 Key_Token_Build Key_Token_Build (CSNBKTB)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Token_Build verb as

Key_Token_Build CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Para

CCA Release 2.54 Key_Token_Build key_valueThe key_value parameter is a pointer to a string variable containing theencrypted key-value incorporated in

Key_Token_Change CCA Release 2.54 Key_Token_Change (CSNBKTC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XUse the Key_Token_Change

CCA Release 2.54 Key_Token_Change Key_IdentifierThe key_identifier parameter is a pointer to a string variable containing the DESinternal key-token o

Key_Token_Parse CCA Release 2.54 Key_Token_Parse (CSNBKTP)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Token_Parse verb di

CCA Release 2.54 Key_Token_Parse Note: You cannot use a key label for a key-token record in key storage. Thekey token must be in application storage

Key_Token_Parse CCA Release 2.54 key_valueThe key_value parameter is a pointer to a string variable. If the verb returnsthe KEY keyword in the rule a

CCA Release 2.54 Key_Translate Key_Translate (CSNBKTR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Key_Translate verb uses one

CCA Release 2.54 OrganizationThis manual includes: Chapter 1, “Introduction to Programming for the IBM CCA” presents anintroduction to programming

Key_Translate CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Parame

CCA Release 2.54 Multiple_Clear_Key_Import Multiple_Clear_Key_Import (CSNBCKM)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Mul

Multiple_Clear_Key_Import CCA Release 2.54 clear_key_lengthThe clear_key_length parameter is a pointer to an integer variable containingthe number of

CCA Release 2.54 PKA_Decrypt PKA_Decrypt (CSNDPKD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Decrypt verb decrypts (unwr

PKA_Decrypt CCA Release 2.54 source_encrypted_key_lengthThe source_encrypted_key_length parameter is a pointer to an integer variablecontaining the n

CCA Release 2.54 PKA_Encrypt PKA_Encrypt (CSNDPKE)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Encrypt verb encrypts (wrap

PKA_Encrypt CCA Release 2.54 rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The keywords are ei

CCA Release 2.54 PKA_Encrypt target_dataThe target_data parameter is a pointer to a string variable containing theencrypted data returned by the verb

PKA_Symmetric_Key_Export CCA Release 2.54 PKA_Symmetric_Key_Export (CSNDSYX)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_S

CCA Release 2.54 PKA_Symmetric_Key_Export ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters,

CCA Release 2.54 Related PublicationsIn addition to the manuals listed below, you may wish to refer to other CCA productpublications which may be of

PKA_Symmetric_Key_Export CCA Release 2.54 RSA_enciphered_keyThe RSA_enciphered_key parameter is a pointer to a string variable containingthe exported

CCA Release 2.54 PKA_Symmetric_Key_Generate PKA_Symmetric_Key_Generate (CSNDSYG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe P

PKA_Symmetric_Key_Generate CCA Release 2.54  Key-encrypting keys, either effective single-length or true double-length, aregenerated with the detail

CCA Release 2.54 PKA_Symmetric_Key_Generate FormatCSNDSYGreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_

PKA_Symmetric_Key_Generate CCA Release 2.54 key_encrypting_key_identifierThe key_encrypting_key_identifier parameter is a pointer to a string variabl

CCA Release 2.54 PKA_Symmetric_Key_Generate RSA_enciphered_key_token_lengthThe RSA_enciphered_key_token_length parameter is a pointer to an integerva

PKA_Symmetric_Key_Import CCA Release 2.54 PKA_Symmetric_Key_Import (CSNDSYI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_S

CCA Release 2.54 PKA_Symmetric_Key_Import Restrictions1. Private key key-usage controls can prevent use of specific private keys in thisverb. See pa

PKA_Symmetric_Key_Import CCA Release 2.54 RSA_enciphered_key_lengthThe RSA_enciphered_key_length parameter is a pointer to an integercontaining the n

CCA Release 2.54 PKA_Symmetric_Key_Import  Symmetric Key Import ZERO-PAD command (command offset X'023D') forDATA keys using the ZERO-PAD

CCA Release 2.54  IBM Journal of Research and Development Volume 38 Number 2, 1994,G322-0191 USA Federal Information Processing Standard (FIPS):– D

Prohibit_Export CCA Release 2.54 Prohibit_Export (CSNBPEX)Platform/ProductOS/2 AIX NT OS/400IBM 4758-2/23 X X X XThe Prohibit_Export verb modifies a

CCA Release 2.54 Random_Number_Generate Random_Number_Generate (CSNBRNG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Random_Nu

Random_Number_Generate CCA Release 2.54 random_numberThe random_number parameter is a pointer to a string variable containing therandom number return

CCA Release 2.54 Chapter 6. Data Confidentiality and Data IntegrityThis chapter describes the verbs that use the Data Encryption Standard (DES)algori

CCA Release 2.54 verbs also support the ANSI X9.23 mode of encryption. In X9.23 encryption, atleast one byte of data and up to eight bytes of data ar

CCA Release 2.54 Ensuring Data IntegrityCCA offers three classes of services for ensuring data integrity: Message authentication code (MAC) techniqu

CCA Release 2.54 In each procedure call, a segmenting-control keyword indicates whether the callcontains the first, middle, or last unit of segmented

CCA Release 2.54 Decipher Decipher (CSNBDEC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Decipher verb uses the Data Encryptio

Decipher CCA Release 2.54 ciphertextThe ciphertext parameter is a pointer to a string variable containing the text tobe deciphered.initialization_vec

CCA Release 2.54 Decipher length of the plaintext when it returns. The length will be different whenpadding is removed. Required CommandsThe Decipher

CCA Release 2.54 Chapter 1. Introduction to Programming for the IBM CCAThis chapter introduces you to the IBM Common Cryptographic Architecture (CCA)

Encipher CCA Release 2.54 Encipher (CSNBENC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Encipher verb uses the DES algorithm

CCA Release 2.54 Encipher text_lengthThe text_length parameter is a pointer to an integer variable. On input, thetext_length variable contains the nu

Encipher CCA Release 2.54 chaining_vectorThe chaining_vector parameter is a pointer to a string variable containing awork area that the security serv

CCA Release 2.54 MAC_Generate MAC_Generate (CSNBMGN)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe MAC_Generate verb generates a

MAC_Generate CCA Release 2.54 FormatCSNBMGNreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/Output

CCA Release 2.54 MAC_Generate chaining_vectorThe chaining_vector parameter is a pointer to a string variable containing awork area the security serve

MAC_Verify CCA Release 2.54 MAC_Verify (CSNBMVR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe MAC_Verify verb verifies a messag

CCA Release 2.54 MAC_Verify FormatCSNBMVRreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/Output S

MAC_Verify CCA Release 2.54 chaining_vectorThe chaining_vector parameter is a pointer to a string variable containing awork area the security server

CCA Release 2.54 Chapter 7. Key-Storage VerbsThis chapter describes how you can use key-storage mechanisms and theassociated verbs for creating, wri

CCA Release 2.54 An Overview of the CCA EnvironmentFigure 1-1 on page 1-3 provides a conceptual framework for positioning the CCASecurity API. Applic

CCA Release 2.54 Use the Key_Record_Delete verb to delete a key token from a key record, or toentirely delete the key record from key storage.Use the

CCA Release 2.54 Some verbs accept a key label containing a “wild card” represented by an asterisk(*). (X'2A' in ASCII; X'5C' in

DES_Key_Record_Create CCA Release 2.54 DES_Key_Record_Create (CSNBKRC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Rec

CCA Release 2.54 DES_Key_Record_Delete DES_Key_Record_Delete (CSNBKRD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Rec

DES_Key_Record_Delete CCA Release 2.54 key_labelThe key_label parameter is a pointer to a string variable containing the keylabel of a key-token reco

CCA Release 2.54 DES_Key_Record_List DES_Key_Record_List (CSNBKRL)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Record_

DES_Key_Record_List CCA Release 2.54 data_set_name_lengthThe data_set_name_length parameter is a pointer to an integer variablecontaining the number

CCA Release 2.54 DES_Key_Record_Read DES_Key_Record_Read (CSNBKRR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Record_

DES_Key_Record_Write CCA Release 2.54 DES_Key_Record_Write (CSNBKRW)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe DES_Key_Recor

CCA Release 2.54 PKA_Key_Record_Create PKA_Key_Record_Create (CSNDKRC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Rec

CCA Release 2.54 Figure 1-1. CCA Security API, Access Layer, Cryptographic EngineIBM 4758 PCI Cryptographic Coprocessor: The Coprocessor provides a

PKA_Key_Record_Create CCA Release 2.54 key_token_lengthThe key_token_length parameter is a pointer to an integer variable containingthe number of byt

CCA Release 2.54 PKA_Key_Record_Delete PKA_Key_Record_Delete (CSNDKRD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Rec

PKA_Key_Record_Delete CCA Release 2.54 key_labelThe key_label parameter is a pointer to a string variable containing the keylabel of a key-token reco

CCA Release 2.54 PKA_Key_Record_List PKA_Key_Record_List (CSNDKRL)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Record_

PKA_Key_Record_List CCA Release 2.54 rule_array_countThe rule_array_count parameter is a pointer to an integer variable containingthe number of eleme

CCA Release 2.54 PKA_Key_Record_Read PKA_Key_Record_Read (CSNDKRR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Record_

PKA_Key_Record_Read CCA Release 2.54 key_tokenThe key_token parameter is a pointer to a string variable containing the keytoken read from PKA key-sto

CCA Release 2.54 PKA_Key_Record_Write PKA_Key_Record_Write (CSNDKRW)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe PKA_Key_Recor

PKA_Key_Record_Write CCA Release 2.54 key_labelThe key_label parameter is a pointer to a string variable containing the keylabel that identifies the

CCA Release 2.54 Retained_Key_Delete Retained_Key_Delete (CSNDRKD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Retained_Key_De

CCA Release 2.54 Applications employ the CCA security API to obtain services from and to managethe operation of a cryptographic system that meets CCA

Retained_Key_List CCA Release 2.54 Retained_Key_List (CSNDRKL)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Retained_Key_List v

CCA Release 2.54 Retained_Key_List key_label_maskThe key_label_mask parameter points to a string variable containing a keylabel mask that is used to

CCA Release 2.54 7-24 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Chapter 8. Financial Services Support VerbsThere are several classes of verbs described in this chapter: Finance industry PIN proce

CCA Release 2.54 Figure 8-1 (Page 2 of 2). Financial Services Support VerbsVerb Page Service EntryPointSvcLcnPIN_Change/Unblock 8-52 Calculates a PIN

CCA Release 2.54 – Create encrypted PIN blocks for transmission– Generate institution-assigned PINs– Generate an offset or a VISA PIN-validation valu

CCA Release 2.54 Account Customer─Entered PIN Customer─Selected PIN Number ──────────┬───────── ──────────┬──────────│ T─PIN  │ │ Clear ┌─────────

CCA Release 2.54 PIN-Verb SummaryThe following terms are used for the various “PIN” values:A-PIN The quantity derived from a function of the account

CCA Release 2.54 PIN-Calculation Method and PIN-Block Format SummaryAs described in the following sections, you can use a variety of PIN calculationm

CCA Release 2.54 Using Specific Key Types and Key-Usage Bits to Help EnsurePIN SecurityThe control vectors (see Appendix C, “CCA Control-Vector Defin

CCA Release 2.54 Establishing a Master Key: To protect working keys, the master key must begenerated and initialized in a secure manner. One method

CCA Release 2.54 OPINENC (output PIN-block encrypting) key typeThe PIN verbs that encrypt a PIN block require the encrypting key tohave a control vec

CCA Release 2.54 Note: To avoid errors when using the IBM 3624 PIN-block format, you shouldnot include in the decimalization table a decimal digit t

CCA Release 2.54 – Eleven (rightmost) digits of PAN data, excluding the check digit. Forinformation about a PAN, see “Personal Account Number (PAN)”

CCA Release 2.54 Format Control Enforcement: The format-control level is the second element ina PIN profile. For the IBM 4758 implementation, this e

CCA Release 2.54 The CKSN is the concatenation of a terminal identifier and a sequence numberwhich together define a unique terminal (within the set

CCA Release 2.54 Personal Account Number (PAN)A personal account number (PAN) identifies an individual and relates that individualto an account at th

CCA Release 2.54  The MAC_Generate and MAC_Verify verbs incorporate post-padding aX'80'...X'00' string to a message as required

CCA Release 2.54 Clear_PIN_Encrypt Clear_PIN_Encrypt (CSNBCPE)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Clear_PIN_Encrypt v

Clear_PIN_Encrypt CCA Release 2.54 FormatCSNBCPEreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In/O

CCA Release 2.54 Clear_PIN_Encrypt PIN_profileThe PIN_profile parameter points to a string variable containing three 8-byteelements with: a PIN-block

CCA Release 2.54 ContentsNotices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiiTrademarks . . . . . . . .

CCA Release 2.54 The Coprocessor supports multiple logons by different users from different hostprocesses. The Coprocessor also supports requests fro

Clear_PIN_Generate CCA Release 2.54 Clear_PIN_Generate (CSNBPGN)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Clear_PIN_Generat

CCA Release 2.54 Clear_PIN_Generate RestrictionsNone FormatCSNBPGNreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Int

Clear_PIN_Generate CCA Release 2.54 PIN_check_lengthThe PIN_check_length parameter points to an integer variable in the rangefrom 4 to 16 containing

CCA Release 2.54 Clear_PIN_Generate_Alternate Clear_PIN_Generate_Alternate (CSNBCPA)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XT

Clear_PIN_Generate_Alternate CCA Release 2.54  Calculates the A-PIN. The verb uses the specified calculation method, thedata_array variable, and the

CCA Release 2.54 Clear_PIN_Generate_Alternate Note: When using the ISO-0 format, use the 12 rightmost PAN digits,excluding the check digit.encrypted

Clear_PIN_Generate_Alternate CCA Release 2.54 PIN_check_lengthThe PIN_check_length parameter points to an integer variable in the rangefrom 4 to 16 c

CCA Release 2.54 Clear_PIN_Generate_Alternate When using the NL-PIN-1 keyword, identify the following elements in the dataarray:When using the VISA-P

Clear_PIN_Generate_Alternate CCA Release 2.54 returned_resultThe returned_result parameter points to a string variable containing the clearO-PIN retu

CCA Release 2.54 CVV_Generate CVV_Generate (CSNBCSG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe CVV_Generate verb supports th

CCA Release 2.54 The security server and a directory server manage key storage. Applications canstore locally used cryptographic keys in a key-storag

CVV_Generate CCA Release 2.54 rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The keywords are e

CCA Release 2.54 CVV_Generate CVV_key-B_identifierThe CVV_key-B_identifier parameter points a string variable containing aninternal key-token or a ke

CVV_Verify CCA Release 2.54 CVV_Verify (CSNBCSV)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe CVV_Verify verb supports the VISA

CCA Release 2.54 CVV_Verify ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Parameter

CVV_Verify CCA Release 2.54 expiration_dateThe expiration_date parameter points to a string variable containing the cardexpiration date. The date is

CCA Release 2.54 Encrypted_PIN_Generate Encrypted_PIN_Generate (CSNBEPG)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Encrypted

Encrypted_PIN_Generate CCA Release 2.54 – When using the ISO-0 PIN-block format, specify a PAN. For informationabout a personal account number (PAN),

CCA Release 2.54 Encrypted_PIN_Generate ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, se

Encrypted_PIN_Generate CCA Release 2.54 PIN_profileThe PIN_profile parameter is a pointer to a string variable containing the PINprofile including th

CCA Release 2.54 Encrypted_PIN_Translate Encrypted_PIN_Translate (CSNBPTR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Encrypt

CCA Release 2.54 The Security API, Programming FundamentalsYou obtain CCA cryptographic services from the PCI Cryptographic Coprocessorthrough proced

Encrypted_PIN_Translate CCA Release 2.54 key serial number, and then uses ANSI X9.24-specified “special decryption.”Checks the control vector to ensu

CCA Release 2.54 Encrypted_PIN_Translate ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, s

Encrypted_PIN_Translate CCA Release 2.54 rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The key

CCA Release 2.54 Encrypted_PIN_Translate and optionally an additional 24 bytes containing the output current key serialnumber (CKSN). The strings are

Encrypted_PIN_Verify CCA Release 2.54 Encrypted_PIN_Verify (CSNBPVR)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Encrypted_PIN

CCA Release 2.54 Encrypted_PIN_Verify The verb does the following: Decrypts the input PIN-block by using the supplied IPINENC key in ECB mode,or der

Encrypted_PIN_Verify CCA Release 2.54 ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see

CCA Release 2.54 Encrypted_PIN_Verify PIN_check_lengthThe PIN_check_length parameter is a pointer to an integer variable containingthe number of digi

Encrypted_PIN_Verify CCA Release 2.54 data_arrayThe data_array parameter is a pointer to a string variable containing three16-byte character strings,

CCA Release 2.54 Encrypted_PIN_Verify When using the VISA-PVV or VISAPVV4 keywords, identify the followingelements in the data array. For more inform

CCA Release 2.54 CSUA Cryptographic-node and hardware-control services.The last three letters in the entry-point name identify the specific service i

Encrypted_PIN_Verify CCA Release 2.54 Required CommandsThe Encrypted_PIN_Verify verb requires the following commands to be enabled inthe hardware, b

CCA Release 2.54 Key_Encryption_Translate | Key_Encryption_Translate (CSNBKET)| Platform/| Product| OS/2| AIX| Win NT/| 2000| OS/400| IBM 4758-2/23|

Key_Encryption_Translate CCA Release 2.54 | Format| CSNBKET| return_code| Output| Integer| reason_code| Output| Integer| exit_data_length| In/Output|

CCA Release 2.54 Key_Encryption_Translate | key_out_length| The key_out_length parameter points to an integer variable. On input, you| should set the

PIN_Change/Unblock CCA Release 2.54 PIN_Change/Unblock (CSNBPCU)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-23 XUse the PIN_Change/Unblock ve

CCA Release 2.54 PIN_Change/Unblock See “VISA and EMV-Related Smart Card Formats and Processes” onpage E-17 which explains the derivation processes a

PIN_Change/Unblock CCA Release 2.54 RestrictionsThis verb is supported beginning with Release 2.50. Support for the TDESEMV2and TDESEMV4 keywords be

CCA Release 2.54 PIN_Change/Unblock authentication_key_identifier_lengthThe authentication_key_identifier_length parameter points to an integer varia

PIN_Change/Unblock CCA Release 2.54  The first 8 or 16 bytes of data should contain the value used to form thesmart-card-specific authentication val

CCA Release 2.54 PIN_Change/Unblock current_reference_PIN_profileThe current_reference_PIN_profile parameter points to an array of three, 8-bytestrin

CCA Release 2.54 each verb. For descriptions of these parameters, see the definitions with theindividual verbs.Variable Direction: The parameter des

PIN_Change/Unblock CCA Release 2.54 When an MAC-MDK and/or ENC-MDK of key type DKYGENKY is specified withcontrol vector bits (19-22) of B'1111&a

CCA Release 2.54 Secure_Messaging_for_Keys Secure_Messaging_for_Keys (CSNBSKY)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-23 XUse the Secure_

Secure_Messaging_for_Keys CCA Release 2.54  Returns the enciphered text. RestrictionsThis verb is supported beginning with Release 2.50. FormatCSNBS

CCA Release 2.54 Secure_Messaging_for_Keys input_key. You may also specify a key label of a key storage record for such akey. For an internal-form in

Secure_Messaging_for_PINs CCA Release 2.54 Secure_Messaging_for_PINs (CSNBSPN)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-23 XUse the Secure_

CCA Release 2.54 Secure_Messaging_for_PINs The Secure_Messaging_for_PINs verb: Deciphers the input PIN block Reformats the PIN block when the input

Secure_Messaging_for_PINs CCA Release 2.54 input_PIN_blockThe input_PIN_block parameter is a pointer to an eight-byte string variablecontaining the i

CCA Release 2.54 Secure_Messaging_for_PINs clear_text_lengthThe clear_text_length parameter is a pointer to an integer containing the lengthof text t

SET_Block_Compose CCA Release 2.54 SET_Block_Compose (CSNDSBC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe SET_Block_Compose v

CCA Release 2.54 SET_Block_Compose ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, see “Pa

CCA Release 2.54 Commonly Encountered ParametersSome parameters are common to all verbs, other parameters are used with manyof the verbs. This sectio

SET_Block_Compose CCA Release 2.54 The hash is an optional part of the OAEP block. No hash is computed orinserted into the OAEP block if the data_to_

CCA Release 2.54 SET_Block_Compose with the data_to_encrypt variable). The starting address must not fall inside thedata_to_encrypt area. Required Co

SET_Block_Decompose CCA Release 2.54 SET_Block_Decompose (CSNDSBD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe SET_Block_Decom

CCA Release 2.54 SET_Block_Decompose FormatCSNDSBDreturn_code Output Integerreason_code Output Integerexit_data_length In/Output Integerexit_data In

SET_Block_Decompose CCA Release 2.54 RSA-OAEP_block_lengthThe RSA-OAEP_block_length parameter is a pointer to an integer variablecontaining the numbe

CCA Release 2.54 SET_Block_Decompose of a 128-byte buffer. The first 64 bytes of the buffer are reserved for futureuse, and should be set to X'0

SET_Block_Decompose CCA Release 2.54 Required CommandsThe SET_Block_Decompose verb requires the SET Block Decompose command(command offset X'01

CCA Release 2.54 Transaction_Validation Transaction_Validation (CSNBTRV)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2 X X X XThe Transaction_

Transaction_Validation CCA Release 2.54 rule_arrayThe rule_array parameter is a pointer to a string variable containing an array ofkeywords. The keyw

CCA Release 2.54 Transaction_Validation Operation Element Description Validation-ValuesLengthGENERATE andCSC-345555554444333where:55555 = CSC 5 value

CCA Release 2.54 See Appendix A, “Return Codes and Reason Codes” for a detailed discussion ofreturn codes and a complete list of all return and reaso

CCA Release 2.54 8-78 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Appendix A. Return Codes and Reason CodesThis appendix describes the return codes and the reason codes that a verb uses toreport the

CCA Release 2.54 Figure A-2 on page A-2 shows the reason codes, listed in numeric sequence andgrouped by their corresponding return code. The return

CCA Release 2.54 Return Code 4Figure A-3. Reason Codes for Return Code 4ReturnCodeDecReasonCodeDec (Hex)Meaning4 001 (001) The verification test fail

CCA Release 2.54 Return Code 8Figure A-4 (Page 1 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 012 (00C) The token-va

CCA Release 2.54 Figure A-4 (Page 2 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 063 (03F) A key token had an invali

CCA Release 2.54 Figure A-4 (Page 3 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 155 (09B) The value that the genera

CCA Release 2.54 Figure A-4 (Page 4 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 343 (157) Either the data block or

CCA Release 2.54 Figure A-4 (Page 5 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 770 (302) The PKA key token has an

CCA Release 2.54 Figure A-4 (Page 6 of 6). Reason Codes for Return Code 8ReturnCodeDecReasonCodeDec (Hex)Meaning8 1102 (44E) Hardware device driver i

CCA Release 2.54 External A key that is either in the clear, or is encrypted (wrapped) by somekey-encrypting key other than the master key. Generally

CCA Release 2.54 Return Code 12Figure A-5. Reason Codes for Return Code 12ReturnCodeDecReasonCodeDec (Hex)Meaning12 097 (061) File space in key stora

CCA Release 2.54 Return Code 16Figure A-6. Reason Codes for Return Code 16ReturnCodeDecReasonCodeDec (Hex)Meaning16 099 (063) An unrecoverable error

CCA Release 2.54 A-12 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Appendix B. Data StructuresThis appendix describes the following data structures:  Key tokens Chaining vector records  Key-sto

CCA Release 2.54 An IBM 4758 does not permit the introduction of a new master key value that hasthe same verification value as either the current mas

CCA Release 2.54 DES Key-TokensDES key-token data structures are 64 bytes in length, contain an enciphered key, acontrol vector, various flag bits,

CCA Release 2.54 Figure B-3 (Page 2 of 2). Internal DES Key-Token, Version 3 FormatOffset Length Meaning48-59 12 Reserved, binary zero60-63 4 The tok

CCA Release 2.54 External DES Key-TokenCCA implementations generally use a version X'00' external key-token. SeeFigure B-4. The IBM 4758 Ve

CCA Release 2.54 DES Key-Token Flag Byte 1: DES Key-Token Flag Byte 2: Figure B-6. Key-Token Flag Byte 1Bits (MSB...LSB)1 Meaning1xxx xxxx The encr

CCA Release 2.54 Coprocessor but your application will encounter a performance penalty witheach use of the key.Protection of the private key is provi

CCA Release 2.54 commands in the performance of the verb. Each of these commands has to beauthorized for use. Access-control administration concerns

CCA Release 2.54 – Section identifier X'05' for a CRT-format key up to 1024 bits is acceptedas input. A public-key section (RSA section id

CCA Release 2.54 Figure B-8. RSA Key-Token HeaderOffset(Bytes)Length(Bytes)Description000 001 Token identifier (a flag that indicates token type)X&ap

CCA Release 2.54 Figure B-9. RSA Private Key, 1024-Bit Modulus-Exponent FormatOffset(Bytes)Length(Bytes)Description000 001 X'02' Section id

CCA Release 2.54 Figure B-10 (Page 1 of 2). Private Key, 2048-Bit Chinese-Remainder FormatOffset(Bytes)Length(Bytes)Description000 001 X'05&apos

CCA Release 2.54 Figure B-10 (Page 2 of 2). Private Key, 2048-Bit Chinese-Remainder FormatOffset(Bytes)Length(Bytes)Description076+ppp+qqqrrr dp = d

CCA Release 2.54 Figure B-11. RSA Private Key, 1024-Bit Modulus-Exponent Format with OPKOffset(Bytes)Length(Bytes)Description000 001 X'06'

CCA Release 2.54 Figure B-12 (Page 1 of 2). RSA Private Key, Chinese-Remainder Format with OPKOffset(Bytes)Length(Bytes)Description000 001 X'08&

CCA Release 2.54 Figure B-12 (Page 2 of 2). RSA Private Key, Chinese-Remainder Format with OPKOffset(Bytes)Length(Bytes)Description124 Start of the (

CCA Release 2.54 Figure B-13. RSA Public KeyOffset(Bytes)Length(Bytes)Description000 001 X'04', Section identifier, RSA public key001 001 T

CCA Release 2.54 RSA Public-Key Certificate Section: An optional public key certificate(s) sectioncan be included in an RSA key-token. The section c

CCA Release 2.54 Chapter 2. CCA Node-Management and Access-ControlThis chapter discusses: The access-control system that you can use to control who

CCA Release 2.54 Figure B-17. RSA Public-Key Certificate(s) Optional Information Subsection HeaderOffset(Bytes)Length(Bytes)Description000 001 X&apos

CCA Release 2.54 Figure B-21. RSA Public-Key Certificate(s) Signature SubsectionOffset(Bytes)Length(Bytes)Description000 001 X'45', Signatu

CCA Release 2.54 RSA Private-Key Blinding Information: Figure B-22. RSA Private-Key Blinding InformationOffset(Bytes)Length(Bytes)Description000 001

CCA Release 2.54 Key-Storage RecordsKey storage exists as an online, Direct Access Storage Device (DASD)-residentdata set for the storage of key rec

CCA Release 2.54 Figure B-24. Key-Storage-File Header, Record 1 (not OS/400)Offset Length Meaning00 04 The total length of this key record.04 04 The

CCA Release 2.54 Figure B-25. Key-Storage File Header, Record 2 (not OS/400)Offset Length Meaning00 04 The total length of this key record.04 04 The

CCA Release 2.54 Figure B-27. DES Key-Record Format, OS/400 Key StorageOffset Length Meaning00 56 The key label without separators.56 02 Reserved58 6

CCA Release 2.54 Key_Record_List Data SetThere are two Key_Record_List verbs, one for the DES key store and one for thePKA key store. Each creates an

CCA Release 2.54 Figure B-29 (Page 2 of 2). Key-Record-List Data Set Format (Other Than OS/400)Offset Length MeaningDetail Record (Part 1) 0 1 This

CCA Release 2.54 Figure B-30 (Page 1 of 2). Key-Record-List Data Set Format (OS/400 only)Offset Length MeaningHeader Record 0 24 This field contains

CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD) . . . . . . . . . . . . . . . . 2-46Key_Storage_Designate (CSUAKSD) . . . . . . . . . .

CCA Release 2.54 CCA Access-ControlThis section describes these CCA access-control system topics: Understanding access control Role-based access c

CCA Release 2.54 Figure B-30 (Page 2 of 2). Key-Record-List Data Set Format (OS/400 only)Offset Length MeaningDetail Record 0 1 This field contains

CCA Release 2.54 Role StructureThis section describes the data structures used with roles.Basic Structure of a RoleThe following figure describes ho

CCA Release 2.54 Aggregate Role StructureA set of zero one or more role definitions are sent in a single data structure. Thisstructure consists of a

CCA Release 2.54 The entire access-control-point structure is comprised of a header, followed by oneor more access-control-point segments. The header

CCA Release 2.54 Figure B-34 (Page 2 of 2). Functions Permitted in Default RoleCode Function NameX'0113' Change the expiration date in a us

CCA Release 2.54 The checksum is defined as the exclusive-OR (XOR) of each byte in the profilestructure. The high-order byte of the checksum field is

CCA Release 2.54 The header is followed by individual sets of authentication data, each containing thedata for one authentication mechanism. This lay

CCA Release 2.54 Figure B-39 (Page 1 of 2). Authentication Data for Each Authentication MechanismField name Length(bytes)DescriptionLength 2 The size

CCA Release 2.54 Authentication Data for Passphrase Authentication: For passphraseauthentication, the mechanism data field contains the 20-byte SHA-

CCA Release 2.54 1   5a 2d 2 53 61 6d 7 6c 65 2 5 72 6f ...Z- Sample Pro66 69 6c 65 2 31 2 2d ab cd   4a 5f 53 6d file 1 -...J_Sm69 7

CCA Release 2.54 A role-based system is more efficient than one in which the authority is assignedindividually for each user. In general, users can b

CCA Release 2.54    1     1   5a 2d 2 53 61 ...Z- Sa6d 7 6c 65 2 5 72 6f 66 69 6c 65 2 31 2 2d mple Profile 1 -ab c

CCA Release 2.54 00 03 The number of bytes of data in the access-control points for thissegment. There are 3 bytes, for the access-control points fro

CCA Release 2.54 Aggregate Role Data StructureFigure B-45 shows the an aggregate role data structure, like you would load usingthe CSUAACI verb. 

CCA Release 2.54 Master Key Shares Data FormatsMaster key shares, and potentially other information to be “cloned” from oneCoprocessor to another Cop

CCA Release 2.54 Function Control VectorThe export (distribution) of cryptographic implementations by USA companies iscontrolled under USA Government

CCA Release 2.54 Figure B-49 (Page 2 of 2). FCV Distribution StructureOffsetDecimal(Hex)LengthDecimalMeaningFCV Supplied to Coprocessor (offset 470 a

CCA Release 2.54 B-44 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Appendix C. CCA Control-Vector Definitions and KeyEncryptionThis appendix describes the following: DES control-vector values1 Spec

CCA Release 2.54 Usually there is a default control-vector associated with each of the key types justlisted; see Figure C-2 on page C-3. The bits in

CCA Release 2.54 You can use the default control-vector for a key type, or you can create a morerestrictive control-vector. The default control-vecto

CCA Release 2.54 Understanding ProfilesAny user who needs to be authenticated to the Coprocessor must have a userprofile. Users who only need the ca

CCA Release 2.54 Figure C-2 (Page 2 of 2). Key Type Default Control-Vector Values Key TypeControl VectorHexadecimal Value forSingle-length Key or Lef

CCA Release 2.54 Control─Vector─Base Bits│    │ 1 1 1 │1 1 2 2 │2 2 2 3 │3 3 3 3 │4 4 4 4 │4 5 5 5 │5 5 6 6 ││ 2 4 6 │8  2 4 │6 8  2 │4 6 8

CCA Release 2.54 Control─Vector─Base Bits│    │ 1 1 1 │1 1 2 2 │2 2 2 3 │3 3 3 3 │4 4 4 4 │4 5 5 5 │5 5 6 6 ││ 2 4 6 │8  2 4 │6 8  2 │4 6 8

CCA Release 2.54 Key-Form Bits, ‘fff’ and ‘FFF’The key-form bits, 40-42...and for a double-length key, bits 104-106...aredesignated ‘fff’ and ‘FFF’ i

CCA Release 2.54 2. For key-encrypting keys, set the following bits: The Key-Encrypting Key-limiting bits, previously described as bits “hhh, bits35

CCA Release 2.54  The MAC control bits (bits 20 and 21). For a MAC generation key, set bits20 and 21 to B'11'. For a MAC verification key,

CCA Release 2.54 9. For the IPINENC (inbound) and OPINENC (outbound) PIN-block cipheringkeys, do the following: Set the TRANSLAT bit (t, bit 21) to

CCA Release 2.54 13. For all keys, set the following bits: The export bit (E, bit 17). If set to 0, the export bit prevents a key frombeing exported

CCA Release 2.54 CCA Key Encryption and Decryption ProcessesThis section describes the CCA key-encryption processes: CCA DES key encryption CCA RSA

CCA Release 2.54 ┌──────────────┬──────────────┬──────────────┐ ┌──────────────┬──────────────┐│ Master Key │ │ Control Vector │└────│─────────┴────│

CCA Release 2.54 Initializing and Managing the Access-Control SystemBefore you can use a Coprocessor with newly loaded or initialized CCA supportyou

CCA Release 2.54 PKA92 Key Format and Encryption ProcessThe PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, and thePKA_Symmetric_Key_Import ver

CCA Release 2.54 Decrypting Sub-process: RSA decrypt the AS External Key Block using an RSAprivate key and call the result of the decryption PKR. Th

CCA Release 2.54 Encrypting a Key_Encrypting Key in the NL-EPP-5 FormatThe PKA_Symmetric_Key_Generate verb supports a NL-EPP-5 method ofencrypting a

CCA Release 2.54 you can enter another part that is set to the value of the pre-exclusive-ORquantity (which quantity is discussed later). Use the Ke

CCA Release 2.54 Note that if you are processing a double-length key, you almost certainly will haveto process the key twice, using the key-encryptin

CCA Release 2.54  CVil is the control vector for the left half of the target input PIN-blockencrypting key.e*Km⊕CViml(Kt⊕CVir)  e*Km⊕CVimr(Kt⊕CVir

CCA Release 2.54 Changing Control Vectors with the Control_Vector_Translate VerbDo the following when using the Control_Vector_Translate verb: Provi

CCA Release 2.54 This expression tests whether the control vectors associated with the sourcekey and the target key meet your criteria for the desire

CCA Release 2.54 For expression1: KEK CV ┌─┬─┬─┬─┬─────┬─┬─┬─┬─┬───────────────────────────┐ Control Vector2: Source CV ││1││1│... ││1││1│... │ U

CCA Release 2.54 Selecting the Key-Half Processing ModeThe Control_Vector_Translate verb rule-array keywords determine which key halvesare processed

CCA Release 2.54 Take care to ensure that you define roles that have the authority to performinitialization, including the RQ-TOKEN and RQ-REINT opti

CCA Release 2.54 The verb first processes the source and target tokens as with theSINGLE keyword. Then the source token is processed using thesingle-

CCA Release 2.54 Appendix D. Algorithms and ProcessesThis appendix provides processing details for the following aspects of the CCAdesign: Cryptogra

CCA Release 2.54 S/390 Based Master Key Verification MethodWhen the first and third portions of the symmetric master key have the same value,the mast

CCA Release 2.54 The CCA DES key verification algorithm does the following:1. Sets KKR′ = KKR exclusive-OR RN2. Sets K1 = X'4545454545454545&apo

CCA Release 2.54 When the keywords PADMDC-2 and PADMDC-4 are used, the supplied text isalways padded as follows: If the supplied text is less than 1

CCA Release 2.54 MDC-2 CalculationThe MDC-2 calculation consists of the following procedure: MDC-2 (n, text, KEY1, KEY2, MDC);For i := 1,2,...,n doC

CCA Release 2.54 General Data Encryption ProcessesAlthough the fundamental concepts of ciphering (enciphering and deciphering) dataare simple, differ

CCA Release 2.54 ANSI X3.106 Cipher Block Chaining (CBC) MethodANSI standard X3.106 defines four modes of operation for ciphering. One of thesemodes,

CCA Release 2.54 ┌──────────────┐│Verb Parameter│└──────┬───────┘ │┌─────────────┐ ────── Plaintext from Application Program ────────────│Initiali

CCA Release 2.54 ┌──────────────┐│Verb Parameter│└──────┬───────┘ │┌─────────────┐ ── Plaintext from Application Program ───│Initialization│ ┌────

CCA Release 2.54 Notes:1. During the portions of the year when Daylight Savings Time is not in effect, thetime difference between Eastern Standard Ti

CCA Release 2.54 Triple-DES Ciphering AlgorithmsTriple-DES is used to encrypt keys, PIN blocks, and general data. Severaltechniques are employed:T-DE

CCA Release 2.54 ┌─────────────┬─────────────┬─────────────┬/┬─────────────┐ │ T164 │ T264 │ T364 │ │ Tn64 │ └──────┬──────┴──────┬──────┴──

CCA Release 2.54 ┌─────────────┬─────────────┬─────────────┬/┬─────────────┐EDE2 EDE3 EDE5 │ T1<64> │ T2<64> │ T3<64> │ │ Tn<64

CCA Release 2.54 MAC Calculation MethodsWith CCA Release 2.51, three variations of DES based message authentication aresupported by the MAC_Generate

CCA Release 2.54 T1 T2 Tn-1 Tn   │ ┌──┴──┐ ┌──┴──┐ ┌──┴──┐ │││ │││││ ┌──┤ XOR │ ┌──┤ XOR │ ┌──┤ XOR │ │ │││ ││││││ │ │ └──┬──┘ │ └──┬──┘ │ └─

CCA Release 2.54 RSA Key-Pair GenerationRSA key-pair generation is determined based on user input of the modulus bitlength, public exponent, and key

CCA Release 2.54 Access-Control AlgorithmsThe following sections describe algorithms and protocols used by theaccess-control system.Passphrase Verif

CCA Release 2.54 3. The client workstation generates a random number, RN (64 bits).Note: Note: The random-number RN is not used inside the Cryptogra

CCA Release 2.54 Master-Key-Splitting AlgorithmThis section describes the mathematical and cryptographic basis for the m-of-n keyshares scheme.The k

CCA Release 2.54 Formatting Hashes and Keys in Public-Key CryptographyThe Digital_Signature_Generate and Digital_Signature_Verify verbs support sever

CCA Release 2.54 logged on, and frees resources you were using in the host system and in theCoprocessor.Use of Logon Context InformationThe Logon_Con

CCA Release 2.54 – RSASSA-PKCS1-v1_5, the newer name for the block-type 1 format. InCCA, keyword PKCS-1.1 is used to invoke this formatting technique

CCA Release 2.54 Appendix E. Financial System Verbs Calculation Methodsand Data FormatsThis appendix describes the following:  PIN-calculation meth

CCA Release 2.54 PIN-Calculation MethodsThe financial PIN verbs support some or all of these PIN-calculation methods, seeFigure 8-3 on page 8-6: IB

CCA Release 2.54 IBM 3624 PIN-Calculation MethodThe IBM 3624 PIN-calculation method calculates a PIN that is from 4 to 16 digits inlength.The IBM 362

CCA Release 2.54 IBM 3624 PIN Offset Calculation MethodThe IBM 3624 PIN Offset calculation method is the same as the IBM 3624PIN-calculation method e

CCA Release 2.54 Netherlands PIN-1 Calculation MethodThe Netherlands PIN-1 (NL-PIN-1) calculation method calculates a PIN that is 4digits in length.T

CCA Release 2.54 IBM German Bank Pool Institution PIN-Calculation MethodThe IBM German Bank Pool Institution PIN calculation method calculates aninst

CCA Release 2.54 VISA PIN Validation Value (PVV) Calculation MethodThe VISA-PVV calculation method calculates a VISA-PVV that is 4 digits in length.T

CCA Release 2.54 Interbank PIN-Calculation MethodThe Interbank PIN-calculation method consists of the following steps:1. Let X denote the transaction

CCA Release 2.54 PIN-Block FormatsThe PIN verbs support one or more of the following PIN-block formats: IBM 3624 format ISO-0 format (same as the

CCA Release 2.54 Protecting Your Transaction InformationWhen you are logged on to the Coprocessor, the information transmitted to andfrom the CCA Cop

CCA Release 2.54 ISO-0 PIN-Block FormatAn ISO-0 PIN-block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1PIN-block formats. The ISO-0 PIN-bl

CCA Release 2.54 ISO-1 PIN-Block FormatThe ISO-1 PIN-block format is equivalent to an ECI-4 PIN-block format. The ISO-1PIN-block format supports a PI

CCA Release 2.54 ISO-2 PIN-Block FormatThe ISO-2 PIN-block format supports a PIN from 4 to 12 digits in length. A PINthat is longer than 12 digits is

CCA Release 2.54 UKPT Calculation MethodsThis section describes the calculation methods for deriving theunique-key-per-transaction (UKPT) key accordi

CCA Release 2.54 a. Move the rightmost 8 bytes of the current key serial number to a work area(Wa).b. Move the rightmost 3 bytes of Wa to another wor

CCA Release 2.54 The following is an example of calculating the current PIN encrypting key:Wa = X'4567 89AB CDE 'Ca = X'11&apo

CCA Release 2.54 CVV and CVC MethodFigure E-62 shows the method used to generate a card-verification value (CVV) fortrack 2. Each (decimal) digit is

CCA Release 2.54 VISA and EMV-Related Smart Card Formats and ProcessesThe VISA and EMV specifications for performing secure messaging with an EMVcomp

CCA Release 2.54 3. Set the second digit of block-2 to the length of the new PIN (4 to 12), followedby the new PIN, and padded to the right with X&ap

CCA Release 2.54  TDESEMV2 causes processing with a branch factor of 2 and a height of16. TDESEMV4 causes processing with a branch factor of 4 and

CCA Release 2.54 used to establish the maximum strength of certain cryptographic functions, theenvironment identifier, and the maximum number of mast

CCA Release 2.54 E-20 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Appendix F. Verb ListThis appendix lists the verbs supported by the CCA Support Program feature forthe IBM 4758 PCI Cryptographic C

CCA Release 2.54 Figure F-1 (Page 2 of 3). Security API Verbs in Supported EnvironmentsPseudonym Entry-Point OS/2 AIX NT OS/400 PageData Confidential

CCA Release 2.54 Figure F-1 (Page 3 of 3). Security API Verbs in Supported EnvironmentsPseudonym Entry-Point OS/2 AIX NT OS/400 PageFinancial Service

CCA Release 2.54 F-4 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 Appendix G. Access-Control-Point CodesThe table in this appendix lists the CCA access-control commands (“controlpoints”). The role

CCA Release 2.54 Figure G-1 (Page 1 of 4). Supported CCA CommandsOffset Command Name Verb Name Entry UsageX'000E' Encipher Encipher CSNBENC

CCA Release 2.54 Figure G-1 (Page 2 of 4). Supported CCA CommandsOffset Command Name Verb Name Entry UsageX'008E' Generate Key Key_Generate

CCA Release 2.54 Figure G-1 (Page 3 of 4). Supported CCA CommandsOffset Command Name Verb Name Entry UsageX'0109' Data Key Import Data_Key_

CCA Release 2.54 Figure G-1 (Page 4 of 4). Supported CCA CommandsOffset Command Name Verb Name Entry UsageX'0230' List Retained Key Retaine

CCA Release 2.54 Cryptographic_Resource_Allocate verb will fail if a cryptographic resource isalready allocated.To determine the number of CCA Coproc

CCA Release 2.54 G-6 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 List of AbbreviationsANSI American National Standards InstituteACF/VTAM Advanced Communications Functionfor the Virtual Telecommunic

CCA Release 2.54 ROM Read-Only MemoryRPQ Request for Price QuotationRSA Rivest, Shamir, and AdlemanSAA Systems Application ArchitectureSAF System Aut

CCA Release 2.54 GlossaryThis glossary includes some terms and definitions fromthe IBM Dictionary of Computing, New York: McGrawHill, 1994. This glo

CCA Release 2.54 Bbus. In a processor, a physical facility along whichdata is transferred.byte. (1) A binary character operated on as a unit andusu

CCA Release 2.54 decipher. (1) To convert enciphered data into cleardata. (2) Synonym for decrypt. (3) Contrast withencipher.decode. (1) To convert

CCA Release 2.54 Hhost. (1) In this publication, same as host computer orhost processor. The machine in which the Coprocessorresides. (2) In a compu

CCA Release 2.54 NNational Institute of Science and Technology(NIST). This is the current name for the US NationalBureau of Standards.network. (1)

CCA Release 2.54 reason code. (1) A value that provides a specificresult as opposed to a general result. (2) Contrast withreturn code.replicated key

CCA Release 2.54 UUnique Key Per Transaction (UKPT). UKPT is acryptographic process that can be used to decipher PINblocks in a transaction.user-exi

CCA Release 2.54 Cryptographic_Variable_Encipher (CSNBCVE) . . . . . . . . . . . . . . . . . . 5-29Data_Key_Export (CSNBDKX) . . . . . . . . . . . .

CCA Release 2.54 the Coprocessor device driver.5 The host code then polls each Coprocessor in turnto determine which ones contain the CCA application

CCA Release 2.54 X-10 IBM 4758 CCA Basic Services, Release 2.54, February 2005

CCA Release 2.54 IndexAAccess Control, CCA 2-2Access_Control_Initialization (CSUAACI) 2-21Access_Control_Maintenance (CSUAACM) 2-24American Expresst

CCA Release 2.54 CSNBCPA (Clear_PIN_Generate_Alternate) 8-21CSNBCPE (Clear_PIN_Encrypt) 8-15CSNBCSG (CVV_Generate) 8-27CSNBCSV (CVV_Verify) 8-30CSNBC

CCA Release 2.54 EEMV (Europay, Mastercard, VISA)application transaction counter (ATC) E-18MAC padding method D-13PIN-block self-encryption E-19PIN_C

CCA Release 2.54 IIM (importable) keys 5-4importable (IM) keys 5-4importing, description 5-18, C-17initializing key storage 2-48, 2-50input/output (I

CCA Release 2.54 keysactivating 3-22asymmetric 5-6ciphering 5-7, 5-10clear 5-16control vectors 5-4deactivating 3-22deleting 3-22, 7-13, 7-21double-le

CCA Release 2.54 listing keys 7-22loading a master key 2-59, 2-64Logging on and logging off 2-7logon context information 2-8Logon Control (CSUALCT) 2

CCA Release 2.54 reenciphering keys 3-22replicated key-halfexport restriction 5-34, 5-42, 5-52export restriction an EXPORTER transport key 5-31Requir

IBMCCA Release 2.54PDF File

CCA Release 2.54 PKA_Key_Token_Change verbs). Whenever a working key is encrypted for localuse, it is encrypted using the current master-key.Symmetri

CCA Release 2.54 The verb performs a one-way function on the key-of-interest, the result of whichis either returned or compared to a known correct re

CCA Release 2.54 must also have been marked as suitable for operation with theMaster_Key_Distribution verb when it was generated.When receiving a sha

CCA Release 2.54 ┌──────────────────────────────────┐│Share─Administration Control Point│ 3. │ │ │││ CERT{SA}(SA) H(CERT{SA}(SA)) ││ ───────┬──── ──

CCA Release 2.54 7. In the target node, generate a retained key usable for master-keyadministration, the Coprocessor Share Receiving (CSR) key, and h

CCA Release 2.54 AIX and Windows Multi-Coprocessor Master-Key Support: It is a generalrecommendation that all of the CCA Coprocessors within the sys

CCA Release 2.54  When all of the Coprocessors are newly initialized, that is, theircurrent-master-key registers are empty, first install the same m

CCA Release 2.54 Intentionally using different master keys in a set of Coprocessors.This situation becomes very complicated if you are using key stor

CCA Release 2.54 Access_Control_Initialization Access_Control_Initialization (CSUAACI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X

CCA Release 2.54 Providing Security for PINs ... 8-6Using Specific Key Types and Key-Usage Bits to Help Ensure PINSecurity .

Access_Control_Initialization CCA Release 2.54 verb_data_1_lengthThe verb_data_1_length parameter is a pointer to an integer variable containingthe n

CCA Release 2.54 Access_Control_Initialization verb_data_length_2The verb_data_length_2 parameter is a pointer to an integer variable containingthe n

Access_Control_Maintenance CCA Release 2.54 Access_Control_Maintenance (CSUAACM)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe A

CCA Release 2.54 Access_Control_Maintenance nameThe name parameter is a pointer to a string variable containing the name of arole or user profile whi

Access_Control_Maintenance CCA Release 2.54 output_data_lengthThe output_data_length parameter is a pointer to an integer variable containingthe numb

CCA Release 2.54 Access_Control_Maintenance Rule-ArrayKeywordContents of output_data VariableGET-PROF Contains the non-secret portion of the selected

Access_Control_Maintenance CCA Release 2.54 Rule-ArrayKeywordContents of output_data VariableGET-ROLE The field contains the non-secret portion of th

CCA Release 2.54 Access_Control_Maintenance Required CommandsThe Access_Control_Maintenance verb requires the following commands to beenabled in the

Cryptographic_Facility_Control CCA Release 2.54 Cryptographic_Facility_Control (CSUACFC)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X

CCA Release 2.54 Cryptographic_Facility_Control ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparame

CCA Release 2.54 Aggregate Role Structure ... B-30Access-Control-Point List . . . . . . . . . . . . . . . . . . . . . . . . .

Cryptographic_Facility_Control CCA Release 2.54 verb_data_lengthThe verb_data_length parameter is a pointer to an integer variable containingthe numb

CCA Release 2.54 Cryptographic_Facility_Control  For SET-MOFN, verb_data is an input variable. The variable contentsestablish the minimum and maximu

Cryptographic_Facility_Query CCA Release 2.54 Cryptographic_Facility_Query (CSUACFQ)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XT

CCA Release 2.54 Cryptographic_Facility_Query On output, the verb sets the variable to the number of rule-array elements itreturns to the application

Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 1 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb

CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 2 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb

Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 3 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb

CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 4 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb

Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 5 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb

CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 6 of 7). Cryptographic_Facility_Query Information Returned inthe Rule ArrayElementNumb

CCA Release 2.54 Triple-DES Ciphering Algorithms ... D-10MAC Calculation Methods... D-13RSA Key-Pair

Cryptographic_Facility_Query CCA Release 2.54 verb_data_lengthThe verb_data_length parameter is a pointer to an integer variable containingthe number

CCA Release 2.54 Cryptographic_Facility_Query of this verb. Its use depends on the options specified by the host applicationprogram.The verb_data par

Cryptographic_Resource_Allocate CCA Release 2.54 Cryptographic_Resource_Allocate (CSUACRA)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X

CCA Release 2.54 Cryptographic_Resource_Allocate resource_name_lengthThe resource_name_length parameter is a pointer to an integer variablecontaining

Cryptographic_Resource_Deallocate CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/2

CCA Release 2.54 Cryptographic_Resource_Deallocate resource_name_lengthThe resource_name_length parameter is a pointer to an integer variablecontaini

Key_Storage_Designate CCA Release 2.54 Key_Storage_Designate (CSUAKSD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 XThe Key_Storage_D

CCA Release 2.54 Key_Storage_Designate key_storage_file_name_lengthThe key_storage_file_name_length parameter is a pointer to an integer variablecont

Key_Storage_Initialization CCA Release 2.54 Key_Storage_Initialization (CSNBKSI)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe K

CCA Release 2.54 Key_Storage_Initialization key_storage_file_name_lengthThe key_storage_file_name_length parameter is a pointer to an integer variabl

CCA Release 2.54 Figures1-1. CCA Security API, Access Layer, Cryptographic Engine ... 1-32-1. CCA Node, Access-Control, and Master-Key Manageme

Logon_Control CCA Release 2.54 Logon_Control (CSUALCT)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XUse the Logon_Control verb to p

CCA Release 2.54 Logon_Control user_idThe user_id parameter is a pointer to a string variable containing the ID stringwhich identifies the user to th

Logon_Control CCA Release 2.54 On input, this field contains the length (in bytes) of the auth_data variable.When no usage is defined for the auth_da

CCA Release 2.54 Master_Key_Distribution Master_Key_Distribution (CSUAMKD)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Master_

Master_Key_Distribution CCA Release 2.54 – The private_key_name of the Coprocessor-retained key used to decrypt theclone_info_encrypting_key. This ke

CCA Release 2.54 Master_Key_Distribution ParametersFor the definitions of the return_code, reason_code, exit_data_length, and exit_dataparameters, s

Master_Key_Distribution CCA Release 2.54 clone_info_encrypting_keyThe clone_info_encrypting_key parameter is a pointer to a string variablecontaining

CCA Release 2.54 Master_Key_Process Master_Key_Process (CSNBMKP)Platform/ProductOS/2 AIX Win NT/2000OS/400IBM 4758-2/23 X X X XThe Master_Key_Proces

Master_Key_Process CCA Release 2.54  The master-key verification pattern (MKVP) of the new master-key is comparedagainst the MKVP of the current and

CCA Release 2.54 Master_Key_Process key_partThe key_part parameter is a pointer to a string variable containing a 168-bit(3x56-bit, 24-byte) clear ke