Aller à la page of
Les manuels d’utilisation similaires
-
Computer Hardware
IBM 8306
314 pages 8.05 mb -
Computer Hardware
IBM 8190
290 pages 8.5 mb -
Computer Hardware
IBM Computer
58 pages 3.48 mb -
Computer Hardware
IBM 2254
252 pages 3.9 mb -
Computer Hardware
IBM CI5VGM Series
134 pages 0.86 mb -
Computer Hardware
IBM 8312
314 pages 8.05 mb -
Computer Hardware
IBM 8143
72 pages 1.4 mb -
Computer Hardware
IBM 8122
44 pages 1.67 mb
Un bon manuel d’utilisation
Les règles imposent au revendeur l'obligation de fournir à l'acheteur, avec des marchandises, le manuel d’utilisation IBM 2. Le manque du manuel d’utilisation ou les informations incorrectes fournies au consommateur sont à la base d'une plainte pour non-conformité du dispositif avec le contrat. Conformément à la loi, l’inclusion du manuel d’utilisation sous une forme autre que le papier est autorisée, ce qui est souvent utilisé récemment, en incluant la forme graphique ou électronique du manuel IBM 2 ou les vidéos d'instruction pour les utilisateurs. La condition est son caractère lisible et compréhensible.
Qu'est ce que le manuel d’utilisation?
Le mot vient du latin "Instructio", à savoir organiser. Ainsi, le manuel d’utilisation IBM 2 décrit les étapes de la procédure. Le but du manuel d’utilisation est d’instruire, de faciliter le démarrage, l'utilisation de l'équipement ou l'exécution des actions spécifiques. Le manuel d’utilisation est une collection d'informations sur l'objet/service, une indice.
Malheureusement, peu d'utilisateurs prennent le temps de lire le manuel d’utilisation, et un bon manuel permet non seulement d’apprendre à connaître un certain nombre de fonctionnalités supplémentaires du dispositif acheté, mais aussi éviter la majorité des défaillances.
Donc, ce qui devrait contenir le manuel parfait?
Tout d'abord, le manuel d’utilisation IBM 2 devrait contenir:
- informations sur les caractéristiques techniques du dispositif IBM 2
- nom du fabricant et année de fabrication IBM 2
- instructions d'utilisation, de réglage et d’entretien de l'équipement IBM 2
- signes de sécurité et attestations confirmant la conformité avec les normes pertinentes
Pourquoi nous ne lisons pas les manuels d’utilisation?
Habituellement, cela est dû au manque de temps et de certitude quant à la fonctionnalité spécifique de l'équipement acheté. Malheureusement, la connexion et le démarrage IBM 2 ne suffisent pas. Le manuel d’utilisation contient un certain nombre de lignes directrices concernant les fonctionnalités spécifiques, la sécurité, les méthodes d'entretien (même les moyens qui doivent être utilisés), les défauts possibles IBM 2 et les moyens de résoudre des problèmes communs lors de l'utilisation. Enfin, le manuel contient les coordonnées du service IBM en l'absence de l'efficacité des solutions proposées. Actuellement, les manuels d’utilisation sous la forme d'animations intéressantes et de vidéos pédagogiques qui sont meilleurs que la brochure, sont très populaires. Ce type de manuel permet à l'utilisateur de voir toute la vidéo d'instruction sans sauter les spécifications et les descriptions techniques compliquées IBM 2, comme c’est le cas pour la version papier.
Pourquoi lire le manuel d’utilisation?
Tout d'abord, il contient la réponse sur la structure, les possibilités du dispositif IBM 2, l'utilisation de divers accessoires et une gamme d'informations pour profiter pleinement de toutes les fonctionnalités et commodités.
Après un achat réussi de l’équipement/dispositif, prenez un moment pour vous familiariser avec toutes les parties du manuel d'utilisation IBM 2. À l'heure actuelle, ils sont soigneusement préparés et traduits pour qu'ils soient non seulement compréhensibles pour les utilisateurs, mais pour qu’ils remplissent leur fonction de base de l'information et d’aide.
Table des matières du manuel d’utilisation
-
Page 1
IBM PCI Cryptographic Coprocessor CCA Basic Services Reference and Guide Release 2.54 IBM iSeries PCICC Feature CCA Release 2.54[...]
-
Page 2
CCA Release 2.54 Note! Before using this information and the product it supports, be sure to read the general information under “Notices” on page xiii. | Thirteenth Edition (December, 2004) | This manual describes the IBM Common Cryptographic Architecture (CCA) Basic Services API, Release 2.54 as revised in | December 2004, implemented for the [...]
-
Page 3
CCA Release 2.54 Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii About This Publication ................................ xv Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 4
CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD) . . . . . . . . . . . . . . . . 2-46 Key_Storage_Designate (CSUAKSD) . . . . . . . . . . . . . . . . . . . . . . . 2-48 Key_Storage_Initialization (CSNBKSI) . . . . . . . . . . . . . . . . . . . . . . . 2-50 Logon_Control (CSUALCT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 5
CCA Release 2.54 Cryptographic_Variable_Encipher (CSNBCVE) . . . . . . . . . . . . . . . . . . 5-29 Data_Key_Export (CSNBDKX) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31 Data_Key_Import (CSNBDKM) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33 Diversified_Key_Generate (CSNBDKG) . . . . . . . . . . . . . . . . . . . . . . 5[...]
-
Page 6
CCA Release 2.54 Providing Security for PINs ............................ 8-6 Using Specific Key Types and Key-Usage Bits to Help Ensure PIN Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7 Supporting Multiple PIN-Calculation Methods .................. 8-8 PIN-Calculation Methods . . . . . . . . . . . . . . . .[...]
-
Page 7
CCA Release 2.54 Aggregate Role Structure ........................... B-30 Access-Control-Point List . . . . . . . . . . . . . . . . . . . . . . . . . . . B-30 Default Role Contents ............................. B-31 Profile Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-32 Basic Structure of a Profile .............[...]
-
Page 8
CCA Release 2.54 Triple-DES Ciphering Algorithms ........................ D-10 MAC Calculation Methods .............................. D-13 RSA Key-Pair Generation .............................. D-15 Access-Control Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-16 Passphrase Verification Protocol ........................ D-16[...]
-
Page 9
CCA Release 2.54 Figures 1-1. CCA Security API, Access Layer, Cryptographic Engine ........ 1-3 2-1. CCA Node, Access-Control, and Master-Key Management Verbs .. 2-1 2-2. Coprocessor-to-Coprocessor Master-Key Cloning ........... 2-16 2-3. Cryptographic_Facility_Query Information Returned in the Rule Array 2-36 3-1. Public-Key Key-Administration Ser[...]
-
Page 10
CCA Release 2.54 A-3. Reason Codes for Return Code 4 .................... A-3 A-4. Reason Codes for Return Code 8 .................... A-4 A-5. Reason Codes for Return Code 12 ................... A-10 A-6. Reason Codes for Return Code 16 ................... A-11 B-1. PKA Null Key-Token Format ....................... B-2 B-2. Internal DES Key-Token,[...]
-
Page 11
CCA Release 2.54 C-1. Key Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2 C-2. Key Type Default Control-Vector Values ................ C-3 C-3. Control-Vector-Base Bit Map ....................... C-5 C-4. Multiply-Enciphering and Multiply-Deciphering CCA Keys ...... C-13 C-5. PKA96 Clear DES Key Record ..................[...]
-
Page 12
CCA Release 2.54 xii IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 13
CCA Release 2.54 Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM’s product, program, or service may be used. Any functional[...]
-
Page 14
CCA Release 2.54 The following terms, denoted by a double asterisk (**) in this publication, are the trademarks of other companies: Diebold Diebold Inc. Docutel Docutel MasterCard MasterCard International, Inc. Pentium Intel Corporation NCR National Cash Register Corporation RSA RSA Data Security, Inc. UNIX UNIX Systems Laboratories, Inc. VISA VISA[...]
-
Page 15
CCA Release 2.54 Revision History About This Publication The manual is intended for systems and applications analysts and application programmers who will evaluate or create programs for the IBM 4758 Common Cryptographic Architecture (CCA) support for the IBM 4758 Models 002 and 023 technology used with IBM eServer iSeries (OS/400) Option 35, CCA C[...]
-
Page 16
Revision History CCA Release 2.54 Eleventh Edition, April, 2004, CCA Support Program, Release 2.52 This revision to the February, 2004, edition of the IBM 4758 CCA Basic Services Reference and Guide for the IBM 4758 Models 002 and 023 , Release 2.52, replaces the February, 2004, Release 2.51 edition. Incorporated changes include: Addition of a [...]
-
Page 17
CCA Release 2.54 Revision History 1. Functions in support of EMV-compatible smart-cards. Support of the PIN Change/Unblock function described in the VISA Integrated Circuit Card Specification Manual , Section C.11 Support of the key-generation function used for secure messaging described in the VISA Integrated Circuit Card Specification Man[...]
-
Page 18
Revision History CCA Release 2.54 Eighth Edition, Revised, CCA Support Program, Release 2.41 This revised Release 2.41 manual incorporates additional information concerning access controls (see “CCA Access-Control” on page 2-2) and other minor editorial changes. Eighth Edition, CCA Support Program, Release 2.41 The major items changed, extended[...]
-
Page 19
CCA Release 2.54 Revision History can create an application to to clone keys having any of the CSS, CSR, and SA keys longer than 1024-bits. See “Establishing Master Keys” on page 2-13. The PKA_Key_Token_Change verb now returns return code 0 and reason code 0 if you request to update a key token that contains only a public key. A key token c[...]
-
Page 20
Revision History CCA Release 2.54 The PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, and PKA_Symmetric_Key_Import verbs are updated to include support of the “OAEP” key-wrapping technique as specified in the RSA PKCS#1-v2.0 specification. The action associated with the derivation-counter in control vector bits 12-14 in the Divers[...]
-
Page 21
CCA Release 2.54 Fifth Edition, CCA Support Program, Release 2.30 The fifth edition of the IBM 4758 CCA Basic Services Reference and Guide Version 2.30 for the IBM 4758 Models 002 and 023 technology and describes the Common Cryptographic Architecture (CCA) application programming interface (API) that is supported by the CCA Support Program, Release[...]
-
Page 22
CCA Release 2.54 Organization This manual includes: Chapter 1, “Introduction to Programming for the IBM CCA” presents an introduction to programming for the CCA application programming interface and products. Chapter 2, “CCA Node-Management and Access-Control” provides a basic explanation of the access-control system implemented wit[...]
-
Page 23
CCA Release 2.54 Related Publications In addition to the manuals listed below, you may wish to refer to other CCA product publications which may be of use with applications and systems you might develop for use with the IBM 4758 product. While there is substantial commonality in the API supported by the CCA products, and while this manual seeks to [...]
-
Page 24
CCA Release 2.54 IBM Journal of Research and Development Volume 38 Number 2, 1994 , G322-0191 USA Federal Information Processing Standard (FIPS): – Data Encryption Standard, 46-1-1988 – Secure Hash Algorithm, 180-1, May 31, 1994 – Cryptographic Module Security, 140-1. PKCS #1&v2.0: RSA Cryptography Standard , RSA Laboratories,[...]
-
Page 25
CCA Release 2.54 Chapter 1. Introduction to Programming for the IBM CCA This chapter introduces you to the IBM Common Cryptographic Architecture (CCA) application programming interface (API). This chapter explains some basic concepts you use to obtain cryptographic and other services from the PCI Cryptographic Coprocessor and its CCA Support Progra[...]
-
Page 26
CCA Release 2.54 An Overview of the CCA Environment Figure 1-1 on page 1-3 provides a conceptual framework for positioning the CCA Security API . Application programs make procedure calls to the API to obtain cryptographic and related I/O services. The CCA API is designed so that a call can be issued from essentially any high-level programming lang[...]
-
Page 27
CCA Release 2.54 Figure 1-1. CCA Security API, Access Layer, Cryptographic Engine IBM 4758 PCI Cryptographic Coprocessor: The Coprocessor provides a secure programming and hardware environment wherein DES and RSA processes are performed. The CCA support program enables applications to employ a set of DES- and RSA-based cryptographic services utiliz[...]
-
Page 28
CCA Release 2.54 Applications employ the CCA security API to obtain services from and to manage the operation of a cryptographic system that meets CCA architecture specifications. Cryptographic Engine: The CCA architecture defines a cryptographic subsystem that contains a cryptographic engine operating within a protected boundary. See Figure 1-1 on[...]
-
Page 29
CCA Release 2.54 Establishing a Master Key: To protect working keys, the master key must be generated and initialized in a secure manner. One method uses the internal random-number generator for the source of the master key. In this case, the master key is never external to the node as an entity, and no other node will have the same master key 2 un[...]
-
Page 30
CCA Release 2.54 The Coprocessor supports multiple logons by different users from different host processes. The Coprocessor also supports requests from multiple threads within a single host process. A user is logged on and off by the Logon_Control verb. During logon, the Logon_Control verb establishes a logon session key. This key is held in user-p[...]
-
Page 31
CCA Release 2.54 The security server and a directory server manage key storage . Applications can store locally used cryptographic keys in a key-storage facility. This is especially useful for long-life keys. Keys stored in key storage are referenced through the use of a key label . Before deciding whether to use the key-storage facility or to let [...]
-
Page 32
CCA Release 2.54 The Security API, Programming Fundamentals You obtain CCA cryptographic services from the PCI Cryptographic Coprocessor through procedure calls to the CCA security application programming interface (API). Most of the services provided are considered an implementation of the IBM Common Cryptographic Architecture (CCA). Most of the e[...]
-
Page 33
CCA Release 2.54 CSUA Cryptographic-node and hardware-control services. The last three letters in the entry-point name identify the specific service in a group and are often the first letters of the principal words in the verb pseudonym. Supported Environments: At the start of each verb description is a table that describes which CCA implementation[...]
-
Page 34
CCA Release 2.54 each verb. For descriptions of these parameters, see the definitions with the individual verbs. Variable Direction: The parameter descriptions use the following terms to identify the flow of information: Input The application program sends the variable to the verb (to the called routine) Output The verb returns the variable to the [...]
-
Page 35
CCA Release 2.54 Commonly Encountered Parameters Some parameters are common to all verbs, other parameters are used with many of the verbs. This section describes several groups of these parameters: Parameters common to all verbs Rule_array and other keyword parameters Key_identifiers, key_labels, and key_tokens. Parameters Common to Al[...]
-
Page 36
CCA Release 2.54 See Appendix A, “Return Codes and Reason Codes” for a detailed discussion of return codes and a complete list of all return and reason codes. Value Meaning 0 Indicates normal completion; a few nonzero reason codes are associated with this return code. 4 Indicates the verb processing completed, but without full success. For exam[...]
-
Page 37
CCA Release 2.54 External A key that is either in the clear, or is encrypted (wrapped) by some key-encrypting key other than the master key. Generally, when a key is to be transported from place to place, or is to be held for a significant period of time, it is required to encrypt the key with a transport key . A key wrapped by a transport key-encr[...]
-
Page 38
CCA Release 2.54 commands in the performance of the verb. Each of these commands has to be authorized for use. Access-control administration concerns managing these authorizations. Chapter 3, “RSA Key-Management” explains how you can generate and protect an RSA key-pair. The chapter also explains how you can control the distribution of the [...]
-
Page 39
CCA Release 2.54 Chapter 2. CCA Node-Management and Access-Control This chapter discusses: The access-control system that you can use to control who can perform various sensitive operations at what times Controlling the cryptographic facility Multi-Coprocessor support The CCA master-key, what it is, and how you manage the key Ho[...]
-
Page 40
CCA Release 2.54 CCA Access-Control This section describes these CCA access-control system topics: Understanding access control Role-based access control Initializing and managing the access-control system Logging on and logging off Protecting your transaction information. Understanding Access Control Access control is the proce[...]
-
Page 41
CCA Release 2.54 A role-based system is more efficient than one in which the authority is assigned individually for each user. In general, users can be segregated into just a few different categories of access rights. The use of roles allows the administrator to define each of these categories just once, in the form of a role. Understanding Roles E[...]
-
Page 42
CCA Release 2.54 Understanding Profiles Any user who needs to be authenticated to the Coprocessor must have a user profile . Users who only need the capabilities defined in the default role do not need a profile. A user profile defines a specific user to the CCA implementation. Each profile contains the following information: User ID This is the ?[...]
-
Page 43
CCA Release 2.54 Initializing and Managing the Access-Control System Before you can use a Coprocessor with newly loaded or initialized CCA support you should initialize roles, profiles, and other data. You may also need to update some of these values from time to time. Access-control initialization and management are the processes you will use to a[...]
-
Page 44
CCA Release 2.54 Take care to ensure that you define roles that have the authority to perform initialization, including the RQ-TOKEN and RQ-REINT options of the Cryptographic_Facility_Control (CSUACFC) verb. You must also ensure there are active profiles that use these roles. If you configure your Coprocessor so that initialization is not allowed, [...]
-
Page 45
CCA Release 2.54 Notes: 1. During the portions of the year when Daylight Savings Time is not in effect, the time difference between Eastern Standard Time and GMT is 5 hours. 2. In the OS/400 environment, no translation is provided for Role and Profile names. The Coprocessor will initialize the default role name to DEFAULT encoded in ASCII. OS/400 C[...]
-
Page 46
CCA Release 2.54 logged on, and frees resources you were using in the host system and in the Coprocessor. Use of Logon Context Information The Logon_Control verb offers the capability to save and restore logon context information through the GET-CNTX and PUT-CNTX rule-array keywords. The GET-CNTX keyword is used to retrieve a copy of your active lo[...]
-
Page 47
CCA Release 2.54 Protecting Your Transaction Information When you are logged on to the Coprocessor, the information transmitted to and from the CCA Coprocessor application is cryptographically protected using your session key. A message authentication code is used to ensure that the data was not altered during transmission. Since this code is calcu[...]
-
Page 48
CCA Release 2.54 used to establish the maximum strength of certain cryptographic functions, the environment identifier, and the maximum number of master-key-cloning shares, and the minimum number of shares needed to reconstitute a master key. Reset the intrusion latch. The intrusion latch circuit can be set by breaking an external circuit conne[...]
-
Page 49
CCA Release 2.54 Cryptographic_Resource_Allocate verb will fail if a cryptographic resource is already allocated. To determine the number of CCA Coprocessors installed in a machine, use the Cryptographic_Facility_Query verb with the STATCARD rule-array keyword. The verb returns the number of Coprocessors running CCA software. The count includes any[...]
-
Page 50
CCA Release 2.54 the Coprocessor device driver. 5 The host code then polls each Coprocessor in turn to determine which ones contain the CCA application. As each Coprocessor is evaluated, the CCA host code associates the identifiers CRP01, CRP02, and so forth to the Coprocessors with CCA. 6 In the absence of a specific Coprocessor allocation, the ho[...]
-
Page 51
CCA Release 2.54 PKA_Key_Token_Change verbs). Whenever a working key is encrypted for local use, it is encrypted using the current master-key. Symmetric and Asymmetric Master-Keys The CCA Version 2 implementation incorporates a second set of master-key registers. One register set is used to encrypt DES (symmetric) working-keys. The second register [...]
-
Page 52
CCA Release 2.54 The verb performs a one-way function on the key-of-interest, the result of which is either returned or compared to a known correct result. Establishing a master key from an internally generated random value. The Master_Key_Process verb can be used to randomly generate a new master-key within the cryptographic engine. The value of t[...]
-
Page 53
CCA Release 2.54 must also have been marked as suitable for operation with the Master_Key_Distribution verb when it was generated. When receiving a share, you must also supply the share-signing key in a certificate to the Master_Key_Distribution verb. The engine validates the certificate, and uses the validated public key to validate the individual[...]
-
Page 54
CCA Release 2.54 ┌──────────────────────────────────┐ │Share─Administration Control Point│ 3. │ │ ││ │ CERT{SA}(SA) H(CERT{SA}(SA)) │ │ ───────┬──── ───┬─────────── │ │ │ │ │ └─────?[...]
-
Page 55
CCA Release 2.54 7. In the target node, generate a retained key usable for master-key administration, the Coprocessor Share Receiving (CSR) key, and have this key certified by the SA key. 8. Once a master key has been established in the source node, perhaps through random master-key generation, obtain shares of the master key. Also obtain master-ke[...]
-
Page 56
CCA Release 2.54 AIX and Windows Multi-Coprocessor Master-Key Support: It is a general recommendation that all of the CCA Coprocessors within the system use the same current and old master keys. When setting a new master-key, it is essential that all of the changes are performed by a single program running on a single thread. If the thread-process [...]
-
Page 57
CCA Release 2.54 When all of the Coprocessors are newly initialized, that is, their current-master-key registers are empty, first install the same master key in each of the new-master-key registers. Then set the master key in each of the Coprocessors. Finally, if you are going to use key storage, initialize key storage. If all of the Coproc[...]
-
Page 58
CCA Release 2.54 Intentionally using different master keys in a set of Coprocessors. This situation becomes very complicated if you are using key storage with a subset of the Coprocessors. The preceding discussion provides information that you can use to manage this case. If you are not using key storage and have not initialized key storage files, [...]
-
Page 59
CCA Release 2.54 Access_Control_Initialization Access_Control_Initialization (CSUAACI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Access_Control_Initialization verb is used to initialize or update parameters and tables for the Access-Control system in the 4758 Cryptographic Coprocessor. You can use this verb to perform[...]
-
Page 60
Access_Control_Initialization CCA Release 2.54 verb_data_1_length The verb_data_1_length parameter is a pointer to an integer variable containing the number of bytes of data in the verb_data_1 variable. verb_data_1 The verb_data_1 parameter is a pointer to a string variable containing data used by the verb. This field is used differently depending [...]
-
Page 61
CCA Release 2.54 Access_Control_Initialization verb_data_length_2 The verb_data_length_2 parameter is a pointer to an integer variable containing the number of bytes of data in the verb_data_2 variable. verb_data_2 The verb_data_2 parameter is a pointer to a string variable containing data used by the verb. Authentication data structures are descri[...]
-
Page 62
Access_Control_Maintenance CCA Release 2.54 Access_Control_Maintenance (CSUAACM) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Access_Control_Maintenance verb is used to query or control installed roles and user profiles. You can use this verb to perform the following services: Retrieve a list of the installed roles o[...]
-
Page 63
CCA Release 2.54 Access_Control_Maintenance name The name parameter is a pointer to a string variable containing the name of a role or user profile which is the target of the request. This field is used differently depending on the function being performed. Keyword Meaning Function to perform (one required) LSTPROFS Retrieves a list of the user pro[...]
-
Page 64
Access_Control_Maintenance CCA Release 2.54 output_data_length The output_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the output_data variable. The value must be a multiple of four bytes. On input, the output_data_length variable must be set to the total size of the variable pointed to by the [...]
-
Page 65
CCA Release 2.54 Access_Control_Maintenance Rule-Array Keyword Contents of output_data Variable GET-PROF Contains the non-secret portion of the selected user profile. This includes the following data, in the order listed. Profile version Two bytes containing 2 one-byte integer values, where the first byte contains the major version number and the s[...]
-
Page 66
Access_Control_Maintenance CCA Release 2.54 Rule-Array Keyword Contents of output_data Variable GET-ROLE The field contains the non-secret portion of the selected role. This includes the following data, in the order listed. Role version Two bytes containing integer values, where the first byte contains the major version number and the second byte c[...]
-
Page 67
CCA Release 2.54 Access_Control_Maintenance Required Commands The Access_Control_Maintenance verb requires the following commands to be enabled in the hardware: Read public access-control information (offset X ' 0116 ' ) with the LSTPROFS , LSTROLES , GET-PROF , GET-ROLE , and Q-NUM-RP keywords Delete a User Profile (offset X &apo[...]
-
Page 68
Cryptographic_Facility_Control CCA Release 2.54 Cryptographic_Facility_Control (CSUACFC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X Use the Cryptographic_Facility_Control verb to perform the following services: Reinitialize the CCA application in the Coprocessor. Set the date and time in the Coprocessor clock. [...]
-
Page 69
CCA Release 2.54 Cryptographic_Facility_Control Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array [...]
-
Page 70
Cryptographic_Facility_Control CCA Release 2.54 verb_data_length The verb_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the verb_data variable. On input, specify the size of the variable. The verb updates the variable with the size of the returned data. verb_data The verb_data parameter is a poi[...]
-
Page 71
CCA Release 2.54 Cryptographic_Facility_Control For SET-MOFN , verb_data is an input variable. The variable contents establish the minimum and maximum number of “cloning information” shares that are required and that can be used to pass sensitive information from one Coprocessor to another Coprocessor. The verb_data variable contains a two-[...]
-
Page 72
Cryptographic_Facility_Query CCA Release 2.54 Cryptographic_Facility_Query (CSUACFQ) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Cryptographic_Facility_Query verb is used to retrieve information about the Cryptographic Coprocessor and the CCA application program in that Coprocessor. This information includes the followi[...]
-
Page 73
CCA Release 2.54 Cryptographic_Facility_Query On output, the verb sets the variable to the number of rule-array elements it returns to the application program. Note: With this verb, the number of returned rule-array elements can exceed the rule-array count that you specified on input. Be sure that you allocate adequate memory to receive all of the [...]
-
Page 74
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 1 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description Output rule-array for option STATCCA 1 NMK Status State of the New Master-Key register: One means the register is clear Two means the register contains a partially comple[...]
-
Page 75
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 2 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description Output rule-array for option STATCCAE 1 Symmetric NMK Status State of the Symmetric New Master-Key register: One means the register is clear Two means the register contai[...]
-
Page 76
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 3 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description Output rule-array for option STATCARD 1 Number of Installed Adapters The number of active Cryptographic Coprocessors installed in the machine. Note that this only includes Coproc[...]
-
Page 77
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 4 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description 12 Flash Memory Size A numeric character string containing the size of the flash EPROM memory on the Coprocessor, in 64-kilobyte increments. 13 DRAM Memory Size A numeric charact[...]
-
Page 78
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 5 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description 5 Low Voltage Detected A numeric character string containing a value to indicate whether a power supply voltage was below the minimum acceptable level. This may indicate an attem[...]
-
Page 79
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 6 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description Output rule-array for option STATEID (Environment Identifier) 1,2 EID The two elements when concatenated provide the 16-byte EID value. Output rule-array for option STATEXPT 1 Ba[...]
-
Page 80
Cryptographic_Facility_Query CCA Release 2.54 verb_data_length The verb_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the verb_data variable. verb_data The verb_data parameter is a pointer to a string variable containing data sent to the Coprocessor for this verb, or received from the Coprocesso[...]
-
Page 81
CCA Release 2.54 Cryptographic_Facility_Query of this verb. Its use depends on the options specified by the host application program. The verb_data parameter is not currently used by this verb. Required Commands Cryptographic_Facility_Query is a universally authorized verb. There are no access-control restrictions on its use. Chapter 2. CCA Node-Ma[...]
-
Page 82
Cryptographic_Resource_Allocate CCA Release 2.54 Cryptographic_Resource_Allocate (CSUACRA) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Cryptographic_Resource_Allocate verb is used to allocate a specific CCA Coprocessor for use by the thread or process, depending on the scope of the verb. For the OS/400, this verb is sco[...]
-
Page 83
CCA Release 2.54 Cryptographic_Resource_Allocate resource_name_length The resource_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the resource_name variable. The length must be within the range of 1 to 64. resource_name The resource_name parameter is a pointer to a string variable containing the [...]
-
Page 84
Cryptographic_Resource_Deallocate CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Cryptographic_Resource_Deallocate verb is used to deallocate a specific CCA Coprocessor that is currently allocated by the thread or process, depending on the scope of the verb. For [...]
-
Page 85
CCA Release 2.54 Cryptographic_Resource_Deallocate resource_name_length The resource_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the resource_name variable. The length must be within the range of 1 to 64. resource_name The resource_name parameter is a pointer to a string variable containing th[...]
-
Page 86
Key_Storage_Designate CCA Release 2.54 Key_Storage_Designate (CSUAKSD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X The Key_Storage_Designate verb specifies the key-storage file used by the process. You select the type of key storage, for DES keys or for public keys, using a rule-array keyword. Restrictions None Format CSUAKSD ret[...]
-
Page 87
CCA Release 2.54 Key_Storage_Designate key_storage_file_name_length The key_storage_file_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_storage_file_name variable. The length must be within the range of 1 to 64. key_storage_file_name The key_storage_file_name parameter is a pointer to a s[...]
-
Page 88
Key_Storage_Initialization CCA Release 2.54 Key_Storage_Initialization (CSNBKSI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Storage_Initialization verb initializes a key-storage file using the current symmetric or asymmetric master-key. The initialized key storage will not contain any pre-existing key records. The [...]
-
Page 89
CCA Release 2.54 Key_Storage_Initialization key_storage_file_name_length The key_storage_file_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_storage_file_name variable. The length must be within the range of 1 to 64. key_storage_file_name The key_storage_file_name parameter is a pointer t[...]
-
Page 90
Logon_Control CCA Release 2.54 Logon_Control (CSUALCT) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X Use the Logon_Control verb to perform the following services: Log on to the Coprocessor, using your access-control profile Log off of the Coprocessor Save or restore logon content information. Select the service to[...]
-
Page 91
CCA Release 2.54 Logon_Control user_id The user_id parameter is a pointer to a string variable containing the ID string which identifies the user to the system. The user ID must be exactly eight characters in length. Shorter user IDs should be padded on the right with space characters. The user_id parameter is always used when logging on. It is als[...]
-
Page 92
Logon_Control CCA Release 2.54 On input, this field contains the length (in bytes) of the auth_data variable. When no usage is defined for the auth_data parameter, set the length variable to zero. On output, this field contains the number of bytes of data returned in the auth_data variable. auth_data The auth_data parameter is a pointer to a string[...]
-
Page 93
CCA Release 2.54 Master_Key_Distribution Master_Key_Distribution (CSUAMKD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Master_Key_Distribution verb is used to perform these operations related to the distribution of shares of the master key: Generate and distribute a share of the current master-key Receive a mast[...]
-
Page 94
Master_Key_Distribution CCA Release 2.54 – The private_key_name of the Coprocessor-retained key used to decrypt the clone_info_encrypting_key. This key must have the CLONE attribute set at the time of key generation. – The certifying_key_name of the public key already registered in the Coprocessor used to validate the following certificate – [...]
-
Page 95
CCA Release 2.54 Master_Key_Distribution Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variabl[...]
-
Page 96
Master_Key_Distribution CCA Release 2.54 clone_info_encrypting_key The clone_info_encrypting_key parameter is a pointer to a string variable containing the encrypted key used to recover the cloning information. clone_info_length The clone_info_length parameter is a pointer to an integer variable containing the number of bytes of data in the clone_i[...]
-
Page 97
CCA Release 2.54 Master_Key_Process Master_Key_Process (CSNBMKP) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Master_Key_Process verb operates on the three master-key registers: new, current, and old. Use the verb to: Clear the new and clear the old master-key registers Generate a random master-key value in the n[...]
-
Page 98
Master_Key_Process CCA Release 2.54 The master-key verification pattern (MKVP) of the new master-key is compared against the MKVP of the current and the old master-keys. If they are the same, the service fails with return code 8, reason code 704. If any of the eight-byte parts of the new master-key compares equal to one of the weak DES-keys[...]
-
Page 99
CCA Release 2.54 Master_Key_Process key_part The key_part parameter is a pointer to a string variable containing a 168-bit (3x56-bit, 24-byte) clear key-part that is used when you specify one of the keywords FIRST , MIDDLE , or LAST If you use the CLEAR , RANDOM , or SET keywords, the information in the variable is ignored, but you must declare the[...]
-
Page 100
Master_Key_Process CCA Release 2.54 – Clear Old PKA Master Key Register command (offset X ' 0061 ' ) with the CLR-OLD keyword – Load First PKA Master Key Part command (offset X ' 0053 ' ) with the FIRST keyword – Combine PKA Master Key Parts command (offset X ' 0054 ' ) with the MIDDLE or LAST keywords – Genera[...]
-
Page 101
CCA Release 2.54 Master_Key_Process FE 1 1 FE FE 1 1 FE / possibly semi-weak / E 1F 1 FE F1 E 1 FE / possibly semi-weak / E 1 1F FE F1 1 E FE / possibly semi-weak / FE 1F 1F FE FE E E FE / possibly semi-weak / 1F FE 1 E E FE 1 F1 / possibly semi-weak / 1 FE 1F E?[...]
-
Page 102
Random_Number_Tests CCA Release 2.54 Random_Number_Tests (CSUARNT) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X The Random_Number_Tests verb invokes the USA NIST FIPS PUB 140-1 specified cryptographic operational tests. These tests, selected by a rule-array keyword, consist of: For random numbers: monobit test, poker test,[...]
-
Page 103
CCA Release 2.54 Random_Number_Tests Required Commands None. Chapter 2. CCA Node-Management and Access-Control 2-65[...]
-
Page 104
CCA Release 2.54 2-66 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 105
CCA Release 2.54 Chapter 3. RSA Key-Management This chapter describes the management of RSA public and private keys and how you can: Generate keys with various characteristics Import keys from other systems Protect and move a private key from one node to another. The verbs listed in Figure 3-1 are used to perform cryptographic functions[...]
-
Page 106
CCA Release 2.54 ────────────┬───────────────── ┌──────────────────┐ │PKA_Key_Token_Build├┐ └┬──────────────────┘│ ┌─────────┐ └──────┬───────┬[...]
-
Page 107
CCA Release 2.54 The PKA_Key_Generate verb either retains the generated private key within the Coprocessor, or the verb outputs the generated private key in one of three forms so you can control where the private key is deployed. You can request that the generated private key be retained within the secure cryptographic-engine through the use of the[...]
-
Page 108
CCA Release 2.54 restricted key usage. These systems can determine if a requesting process has the right to use the particular key name that is cryptographicly bound to the private key. You specify such a key name when you build the skeleton_key_token in the PKA_Key_Token_Build verb. For RSA keys, you decide if the key should be returned in modular[...]
-
Page 109
CCA Release 2.54 You provide or identify the operational transport key (key-encrypting key) and the encrypted private key with its associated public key to the import service. The service will return the private key encrypted under the current asymmetric master-key along with the public key. The Coprocessor is designed to generate and employ RSA CR[...]
-
Page 110
CCA Release 2.54 Using the Private Key at Multiple Nodes You can arrange to use a private key at multiple nodes if the nodes have the same asymmetric master-key, or if you arrange to have the same transport key installed at each of the target nodes. In the latter case, you need to arrange to have the transport key under which the private key is enc[...]
-
Page 111
CCA Release 2.54 PKA_Key_Generate PKA_Key_Generate (CSNDPKG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Generate verb is used to generate a public-private key-pair for use with the RSA algorithm. The skeleton_key_token specified to the verb determines the following characteristics of the generated key-pair: [...]
-
Page 112
PKA_Key_Generate CCA Release 2.54 Note: When using the RETAINED key option, the key label supplied in the skeleton key-token references the key storage within the Coprocessor, and in this case must not reference a record in the host-system key-storage. The rule-array keyword CLONE flags a generated and retained RSA private key as usable in an engin[...]
-
Page 113
CCA Release 2.54 PKA_Key_Generate Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. The [...]
-
Page 114
PKA_Key_Generate CCA Release 2.54 skeleton_key_token The skeleton_key_token parameter is a pointer to a string variable containing a skeleton key-token. This information provides the characteristics for the PKA key-pair to be generated. A skeleton key-token can be created using the PKA_Key_Token_Build verb. transport_key_identifier The transport_ke[...]
-
Page 115
CCA Release 2.54 PKA_Key_Import PKA_Key_Import (CSNDPKI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Import verb is used to import a public-private key-pair. A private key must be accompanied by the associated public key. A source private-key may be in the clear or it may be enciphered. Generally you obtain the [...]
-
Page 116
PKA_Key_Import CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. The va[...]
-
Page 117
CCA Release 2.54 PKA_Key_Import Required Commands The PKA_Key_Import verb requires the PKA Key Import command (offset X ' 0104 ' ) to be enabled in the hardware. Chapter 3. RSA Key-Management 3-13[...]
-
Page 118
PKA_Key_Token_Build CCA Release 2.54 PKA_Key_Token_Build (CSNDPKB) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Token_Build verb constructs a public-key architecture (PKA) key-token from the supplied information. This verb is used to create the following: A skeleton_key_token for use with the PKA_Key_Generate[...]
-
Page 119
CCA Release 2.54 PKA_Key_Token_Build Restrictions The RSA-OPT rule-array keyword is not supported with Version 2. Instead, use keyword RSA-CRT to obtain a X ' 08 ' private-key section type. The RSA key length is limited to the range of 512 to 2048 bits with specific formats restricted to 1024 bits maximum. When generating a ke[...]
-
Page 120
PKA_Key_Token_Build CCA Release 2.54 key_values_structure_length The key_values_structure_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_values_structure variable. The maximum length is 2500 bytes. key_values_structure The key_values_structure parameter is a pointer to a string variable contai[...]
-
Page 121
CCA Release 2.54 PKA_Key_Token_Build Figure 3-3 (Page 1 of 2). PKA_Key_Token_Build Key-Values-Structure Contents Offset (Bytes) Length (Bytes) Description RSA key-values structure, modulus-exponent form ( RSA-PRIV or RSA-PUBL ) 000 002 Length of the modulus in bits (512 to 1024 for RSA-PRIV, 512 to 2048 for RSA-PUBL) 002 002 Length of the modulus f[...]
-
Page 122
PKA_Key_Token_Build CCA Release 2.54 key_name_length The key_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the optional key_name variable. If this variable contains zero, the key-name section is not included in the target token. If a key name is to be included, the value must be 64 for this verb[...]
-
Page 123
CCA Release 2.54 PKA_Key_Token_Build reserved_x(s) The reserved_x parameters are each a pointer to a string variable that is reserved for future use. Each of the reserved_x parameters should contain a null pointer. token_length The token_length parameter is a pointer to an integer variable containing the number of bytes of data in the token variabl[...]
-
Page 124
PKA_Key_Token_Build CCA Release 2.54 Token Type Modulus Length in Bits Public Exponent Key-Values Structure (Hexadecimal) Structure Length (Bytes) RSA-CRT 512 Random (0) 0200 0000 0000 0000 0000 0000 0000 0000 0000 18 RSA-CRT 512 3 0200 0000 0001 0000 0000 0000 0000 0000 0000 03 19 RSA-CRT 512 65537 0200 0000 0003 0000 0000 0000 0000 0000 0000 0100[...]
-
Page 125
CCA Release 2.54 PKA_Key_Token_Build Required Commands None Chapter 3. RSA Key-Management 3-21[...]
-
Page 126
PKA_Key_Token_Change CCA Release 2.54 PKA_Key_Token_Change (CSNDKTC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Token_Change verb changes RSA private keys from encipherment with the old asymmetric master-key to encipherment with the current asymmetric master-key. You identify the task with the rule-array keywor[...]
-
Page 127
CCA Release 2.54 PKA_Key_Token_Change key_identifier_length The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_identifier variable. On output, the variable contains the length of the key token returned by the verb if a key token (not a key label) was specified. The maximum lengt[...]
-
Page 128
PKA_Public_Key_Extract CCA Release 2.54 PKA_Public_Key_Extract (CSNDPKX) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Public_Key_Extract verb is used to extract a public key from a public-private key-pair. The public key is returned in a PKA public-key token. Both the public key and the related private key must be pr[...]
-
Page 129
CCA Release 2.54 PKA_Public_Key_Extract target_key_token_length The target_key_token_length parameter is a pointer to an integer variable containing the number of bytes of data in the target_key_token variable. On output, the variable contains the length of the key token returned by the verb. The maximum length is 2500 bytes. target_key_token The t[...]
-
Page 130
PKA_Public_Key_Hash_Register CCA Release 2.54 PKA_Public_Key_Hash_Register (CSNDPKH) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Public_Key_Hash_Register verb is used to register a hash value for a public key in anticipation of verifying the public key offered in a subsequent use of the PKA_Public_Key_Register verb.[...]
-
Page 131
CCA Release 2.54 PKA_Public_Key_Hash_Register hash_data_length The hash_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the hash_data variable. hash_data The hash_data parameter is a pointer to a string variable containing the SHA-1 hash of a public-key certificate that will be offered with the us[...]
-
Page 132
PKA_Public_Key_Register CCA Release 2.54 PKA_Public_Key_Register (CSNDPKR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Public_Key_Register verb is used to register a public key in the cryptographic engine. Keywords in the rule array designate the subsequent permissible uses of the registered public key. The public k[...]
-
Page 133
CCA Release 2.54 PKA_Public_Key_Register public_key_name The public_key_name parameter is a pointer to a string variable containing the name under which the registered public-key will be accessed. public_key_certificate_length The public_key_certificate_length parameter is a pointer to an integer variable containing the number of bytes of data in t[...]
-
Page 134
CCA Release 2.54 3-30 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 135
CCA Release 2.54 Chapter 4. Hashing and Digital Signatures This chapter discusses the data hashing and the digital signature techniques you can use to determine data integrity. A digital signature may also be used to establish the non-repudiation security property. (Another approach to data integrity based on DES message authentication codes is dis[...]
-
Page 136
CCA Release 2.54 The CCA products support the following hash functions: Secure Hash Algorithm-1 (SHA-1) The SHA-1 is defined in FIPS 180-1 and produces a 20-byte, 160-bit hash value. The algorithm performs best on big-endian, general purpose computers. This algorithm is usually preferred over MD5 if the application designers have a choice of algori[...]
-
Page 137
CCA Release 2.54 Anyone with access to your public key can verify your information as follows: 1. Hash the data using the same hashing algorithm that you used to create the digital signature. 2. Decrypt the digital signature using your public key. 3. Compare the decrypted results to the hash value obtained from hashing the data. An equal comparison[...]
-
Page 138
Digital_Signature_Generate CCA Release 2.54 Digital_Signature_Generate (CSNDDSG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Digital_Signature_Generate verb is used to generate a digital signature. You specify: The RSA private key For X9.31, the hash formatting method The hash value The address where the[...]
-
Page 139
CCA Release 2.54 Digital_Signature_Generate rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-justified and padded on the right with space characters. The rule_array keywords are shown below: Notes: 1. The hash for PKCS-1.1 and PKCS-1.0 sho[...]
-
Page 140
Digital_Signature_Generate CCA Release 2.54 hash_length The hash_length parameter is a pointer to an integer variable containing the number of bytes of data in the hash variable. hash The hash parameter is a pointer to a string variable containing the information to be signed. Notes: 1. For ISO-9796 , the information identified by the hash paramete[...]
-
Page 141
CCA Release 2.54 Digital_Signature_Verify Digital_Signature_Verify (CSNDDSV) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Digital_Signature_Verify verb is used to verify a digital signature. Provide the digital signature, the public key, the hash formatting method, and the hash of the data to be validated. The hash quant[...]
-
Page 142
Digital_Signature_Verify CCA Release 2.54 Notes: 1. The hash for PKCS-1.1 and PKCS-1.0 should have been created using MD5 or SHA-1 algorithms. 2. The hash for ISO-9796 and ZERO-PAD can be obtained by any hashing method. PKA_public_key_identifier_length The PKA_public_key_identifier_length parameter is a pointer to an integer variable containing the[...]
-
Page 143
CCA Release 2.54 Digital_Signature_Verify Notes: 1. For ISO-9796 , the information identified by the hash parameter must be less than or equal to one-half of the number of bytes required to contain the modulus of the RSA key. Although ISO 9796-1 allows messages of arbitrary bit length up to one-half of the modulus length, this verb requires the inp[...]
-
Page 144
MDC_Generate CCA Release 2.54 MDC_Generate (CSNBMDG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X Use the MDC_Generate verb to create a 128-bit (16-byte) hash value on a data string whose integrity you intend to confirm. After using this verb to generate an MDC, you can compare the MDC to a known value or communicate the val[...]
-
Page 145
CCA Release 2.54 MDC_Generate Format CSNBMDG return_code Input Integer reason_code Input Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes text_length Input Integer text Input String text_length bytes rule_array_count Input Integer rule_array Input String array rule_array_count * 8 bytes chaining_vector In[...]
-
Page 146
MDC_Generate CCA Release 2.54 Chaining_Vector The chaining_vector parameter is a pointer to an 18-byte string variable the security server uses as a work area to hold segmented data between verb invocations. Note: When segmenting text, the application program must not change the data in this string between verb calls to the MDC_Generate verb. MDC T[...]
-
Page 147
CCA Release 2.54 One_Way_Hash One_Way_Hash (CSNBOWH) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The One_Way_Hash verb obtains a hash value from a text string using the MD5, SHA-1, or RIPEMD-160 hashing methods, as you specify in the rule_array. You can provide all of the data to be hashed in a single call to the verb, or y[...]
-
Page 148
One_Way_Hash CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. The valu[...]
-
Page 149
CCA Release 2.54 One_Way_Hash hash_length The hash_length parameter is a pointer to an integer variable containing the number of bytes of data in the hash variable. This value must be at least 16 bytes for MD5, and at least 20 bytes for SHA-1. The maximum length is 128 bytes. hash The hash parameter is a pointer to a string variable containing the [...]
-
Page 150
CCA Release 2.54 4-16 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 151
CCA Release 2.54 Chapter 5. DES Key-Management This chapter describes verbs to perform basic CCA DES key-management functions. Figure 5-1 lists the verbs covered in this chapter. Introductory material is presented under these topics: Understanding CCA DES Key-Management Control vectors, key types, and key-usage restrictions Key tokens, [...]
-
Page 152
CCA Release 2.54 Figure 5-1 (Page 2 of 2). Basic CCA DES Key-Management Verbs Verb Page Service Entry Point Svc Lcn PKA_Decrypt 5-73 Uses an RSA private-key to decrypt a symmetric key formatted in an RSA DSI PKCS #1 block type 2 structure and return the symmetric key in the clear. CSNDPKD E PKA_Encrypt 5-75 Uses an RSA public-key to encrypt a clear[...]
-
Page 153
CCA Release 2.54 functions in which it can be used. The cryptographic subsystem uses a system of control vectors 1 to separate the cryptographic keys into a set of key types and restrict the use of a key. The subsystem enforces the use of a particular key type in each part of a cryptographic command. To control the use of a key, the control vector [...]
-
Page 154
CCA Release 2.54 A key that is multiply-enciphered under the master key is an operational key (OP). The key is operational because a cryptographic facility can use the master key to multiply-decipher it to obtain the original key-value. A key that is multiply-enciphered under a key-encrypting key (other than the master key) is called an external ke[...]
-
Page 155
CCA Release 2.54 Checking a Control Vector Before Processing a Cryptographic Command Before a CCA cryptographic facility processes a command that uses a multiply-enciphered key, the facility’s logic checks the control vector associated with the key. The control vector must indicate a valid key type for the requested command, and any control-vecto[...]
-
Page 156
CCA Release 2.54 Asymmetric DES keys. An asymmetric DES key is a key in a key pair in which the keys are used as opposites. – ENCIPHER and DECIPHER. Used to only encrypt data versus only to decrypt data. – MAC and MACVER. Used in generating (and verifying) a MAC versus only verifying a MAC. – PINGEN and PINVER. Used in generating (and ver[...]
-
Page 157
CCA Release 2.54 Figure 5-4 on page 5-9 shows the key-type, key subtype, and key-usage keywords that can be combined in the Control_Vector_Generate verb and the Key_Token_Build verb to build a control vector. The left column lists the key types, the middle column lists the subtype keywords, and the right column lists the key-usage keywords that fur[...]
-
Page 158
CCA Release 2.54 Figure 5-3 (Page 2 of 2). Key Types and Verb Usage Key Type Usable with Verbs IKEYXLAT, OKEYXLAT Key_Translate PIN Class These keys are used in the various financial-PIN processing commands. They are double-length keys. In operational form and in external form, these keys are associated with a control vector. PINGEN Clear_PIN_Gener[...]
-
Page 159
CCA Release 2.54 ├─Key_Type─┤├─Key_Subtype─┤├─Key_Usage──────────────────────────────────────────────────────────────────────┤ ┬─MAC ─────┐ Note: ANY is default ├?[...]
-
Page 160
CCA Release 2.54 Figure 5-5 (Page 1 of 3). Control Vector Key-Subtype and Key-Usage Keywords Keyword Meaning Key-Encrypting Keys OPIM IMPORTER keys that have a control vector with this attribute can be used in the Key_Generate verb when the key form is OPIM. IMEX IMPORTER and EXPORTER keys that have a control vector with this attribute can be used [...]
-
Page 161
CCA Release 2.54 Figure 5-5 (Page 2 of 3). Control Vector Key-Subtype and Key-Usage Keywords Keyword Meaning VISA-PVV Select the VISA-PVV PIN-calculation method. INBK-PIN Select the Interbank PIN-calculation method. NOOFFSET Indicates that a PINGEN or PINVER key cannot participate in the generation or verification of a PIN when an offset or the VIS[...]
-
Page 162
CCA Release 2.54 Figure 5-5 (Page 3 of 3). Control Vector Key-Subtype and Key-Usage Keywords Keyword Meaning DKYL5 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL4. DKYL6 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL5. DKYL7 A DKYGENKY key with this subt[...]
-
Page 163
CCA Release 2.54 8 16 32 6 63 ┌─────────┬─────────┬──────────────┬──────────────┬──────────────┬───────────┬─────┐ │Key- │Flags │Control Infor-│ Internal Key │Contro[...]
-
Page 164
CCA Release 2.54 External Key-Token: An external key-token contains an external key that is multiply-enciphered under a key formed by the exclusive-OR of a key-encrypting key and the control vector that was assigned when the key token was created or updated. An external key-token is specified in a verb call using a key_token parameter. An external [...]
-
Page 165
CCA Release 2.54 Using the Key-Processing and Key-Storage Verbs Figure 5-8 on page 5-16 shows key-processing and key-storage verbs and how they relate to key parts, internal and external key-tokens, and key storage. You can create keys in your application programs by using the Multiple_Clear_Key_Import, Diversified_Key_Generate, Key_Generate, Key_P[...]
-
Page 166
CCA Release 2.54 Random_Number_Generate Diversified_Key_Generate ┬┬ ┌────┴────┐ │ │ │ Clear_Key_ │ Key_Part_ Import │ Import ┬ ┌───────────────────┘ ┌─────────────────┐ ┬ │ │ ┴ │ │ │ │ ┌────┐ Symme[...]
-
Page 167
CCA Release 2.54 master key or a key-encrypting key. If you are generating a DES asymmetric key-type, the verb will multiply-encipher the random number a second time with the “opposite” key-type control-vector. The verb restricts the combination of control vectors used for the two encipherments and also places restrictions on the use of master-[...]
-
Page 168
CCA Release 2.54 Since the two halves are random numbers, it is unlikely that the result of the DOUBLE keyword will produce two halves with the same 64-bit values. Exporting and Importing Keys, Symmetric Techniques To operate on data with the same key at two different nodes, you must transport the key securely between the nodes. To do this, a trans[...]
-
Page 169
CCA Release 2.54 ┌──────────────┐ ┌──────────────┐ Operational │ Key to Be │ │ Imported │ Operational Form of Key │ Exported │ │ Key │ Form of Key at Node A └──────┬───────┘ └─────────────┘ at Node B │?[...]
-
Page 170
CCA Release 2.54 therefore it is very important to handle the key-generating key with a high degree of security lest the interactions with the whole population of cards be placed in jeopardy. In the current implementation, several methods of diversifying a key are supported: CLR8-ENC , TDES-ENC , TDES-DEC , SESS-XOR , TDES-XOR , and TDESEMV2 and TD[...]
-
Page 171
CCA Release 2.54 Security Precautions Be sure to see the “Observations on Secure Operations” chapter in the CCA Support Program Installation Manual . In order to maintain a secure cryptographic environment, each cryptographic node must be audited on a regular basis. This audit should be aimed at preventing inadvertent and malicious breaches of [...]
-
Page 172
Clear_Key_Import CCA Release 2.54 Clear_Key_Import (CSNBCKI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Clear_Key_Import verb enciphers a clear, single-length DES key under a symmetric master-key. The resulting key is a DATA key because the service requires that the resulting internal key-token have a DATA control-vect[...]
-
Page 173
CCA Release 2.54 Clear_Key_Import Required Commands The Clear_Key_Import verb requires the Encipher Under Master Key command (command offset X ' 00C3 ' ) to be enabled in the active role. Chapter 5. DES Key-Management 5-23[...]
-
Page 174
Control_Vector_Generate CCA Release 2.54 Control_Vector_Generate (CSNBCVG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Control_Vector_Generate verb builds a control vector from keywords specified by the key_type and rule_array parameters. For descriptions of the keywords and for valid combinations of these keywords, see[...]
-
Page 175
CCA Release 2.54 Control_Vector_Generate rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-jus[...]
-
Page 176
Control_Vector_Translate CCA Release 2.54 Control_Vector_Translate (CSNBCVT) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Control_Vector_Translate verb changes the control vector used to encipher an external key. See “Changing Control Vectors with the Control_Vector_Translate Verb” on page C-20 for additional informa[...]
-
Page 177
CCA Release 2.54 Control_Vector_Translate mask_array_left The mask_array_left parameter is a pointer to a string variable containing the mask array enciphered under the left-array key. array_key_right The array_key_right parameter is a pointer to a string variable containing an internal key-token or the key label of an internal key-token record tha[...]
-
Page 178
Control_Vector_Translate CCA Release 2.54 target_key_token The target_key_token parameter is a pointer to a string variable containing an external key-token with the new control-vector. This key token contains the key halves with the new control-vector. Required Commands The Control_Vector_Translate verb requires the Translate Control Vector comman[...]
-
Page 179
CCA Release 2.54 Cryptographic_Variable_Encipher Cryptographic_Variable_Encipher (CSNBCVE) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Cryptographic_Variable_Encipher verb uses a CVARENC key to encrypt plaintext to produce ciphertext using the Cipher Block Chaining (CBC) method. The plaintext must be a multiple of eight[...]
-
Page 180
Cryptographic_Variable_Encipher CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. c-variable_encrypting_key_identifier The c-variable_encrypting_key_identifier parameter is a pointer to a string variable containing an[...]
-
Page 181
CCA Release 2.54 Data_Key_Export Data_Key_Export (CSNBDKX) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Data_Key_Export verb exports a single-length or double-length internal DATA-key. The verb can export the key from an internal key-token in key storage or application storage. This verb, which is authorized with a diffe[...]
-
Page 182
Data_Key_Export CCA Release 2.54 target_key_token The target_key_token parameter is a pointer to a string variable containing the reencrypted source-key token. Any existing information in this variable will be overwritten. Required Commands The Data_Key_Export verb requires the Data Key Export command (command offset X ' 010A ' ) to be en[...]
-
Page 183
CCA Release 2.54 Data_Key_Import Data_Key_Import (CSNBDKM) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Data_Key_Import verb imports an encrypted, source DES single-length or double-length DATA key and creates or updates a target internal key-token with the master-key-enciphered source key. The verb can import the key in[...]
-
Page 184
Data_Key_Import CCA Release 2.54 Restrictions Starting with Release 2.41, unless you enable the Unrestrict Data Key Import command (offset X ' 027C ' ), an IMPORTER transport key having replicated key-halves is not permitted to import a key having unequal key-halves. (Note that key parity bits are ignored.) Format CSNBDKM return_code Outp[...]
-
Page 185
CCA Release 2.54 Diversified_Key_Generate Diversified_Key_Generate (CSNBDKG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Diversified_Key_Generate verb generates a key based on a function of a key-generating key, the process rule, and data that you supply. The key-generating-key key-type enables you to restrict such keys[...]
-
Page 186
Diversified_Key_Generate CCA Release 2.54 Returns the diversified key, multiply-enciphered by the master key modified by the control vector. Restrictions The TDES-XOR rule-array keyword is available starting with Release 2.50. The TDESEMV2 and TDESEMV4 rule-array keywords are available starting with Release 2.51. Format CSNBDKG return_code Outp[...]
-
Page 187
CCA Release 2.54 Diversified_Key_Generate Keyword Meaning TDES-ENC Specifies that 8 or 16 bytes of clear (not encrypted) data shall be triple-DES en crypted with the generating key to create the generated key. If the generated_key_identifier variable specifies a single-length key, then 8 bytes of clear data is triple-DES encrypted. If the generated[...]
-
Page 188
Diversified_Key_Generate CCA Release 2.54 Keyword Meaning TDESEMV2, TDESEMV4 Note: These options are available starting with Release 2.51. Specifies that 10, 18, 26, or 34 bytes of clear data shall be processed to form an EMV card-unique key and then a session key as specified in the EMV 2000 Integrated Circuit Card Specification for Payment System[...]
-
Page 189
CCA Release 2.54 Diversified_Key_Generate Keyword Meaning TDES-XOR Note: This option is available starting with Release 2.50. Specifies that 10 or 18 bytes of clear (not encrypted) data shall be processed as described at “VISA and EMV-Related Smart Card Formats and Processes” on page E-17 to create the generated key. The data variable contains [...]
-
Page 190
Diversified_Key_Generate CCA Release 2.54 generating_key_identifier The generating_key_identifier parameter is a pointer to a string variable containing the key-generating-key key-token or key label of a key-token record. data_length The data_length parameter is a pointer to an integer variable containing the number of bytes of data in the data var[...]
-
Page 191
CCA Release 2.54 Diversified_Key_Generate effective single-length key) by enabling the Enable DKG Single Length Keys and Equal Halves for TDES-ENC, TDES-DEC command (offset X ' 0044 ' ). Chapter 5. DES Key-Management 5-41[...]
-
Page 192
Key_Export CCA Release 2.54 Key_Export (CSNBKEX) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Export verb exports a source DES internal-key into a target external key-token. Existing information in the target key-token is overwritten. The target key is enciphered by the EXPORTER-key exclusive-ORed with the control ve[...]
-
Page 193
CCA Release 2.54 Key_Export Format CSNBKEX return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes key_type Input String 8 bytes source_key_identifier Input String 64 bytes exporter_key_identifier Input String 64 bytes target_key_token Output String 64 bytes Paramete[...]
-
Page 194
Key_Generate CCA Release 2.54 Key_Generate (CSNBKGN) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Generate verb generates a random DES key and returns one or two enciphered copies of the key, ready to use or distribute. A control vector associated with each copy of the key defines the type of key and any specific res[...]
-
Page 195
CCA Release 2.54 Key_Generate Format CSNBKGN return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes key_form Input String 4 bytes key_length Input String 8 bytes key_type_1 Input String 8 bytes key_type_2 Input String 8 bytes KEK_key_identifier_1 Input String 64 byt[...]
-
Page 196
Key_Generate CCA Release 2.54 key_length The key_length parameter is a pointer to an eight-byte string variable, left-justified and padded on the right with space characters, containing the length of the new key or keys. Depending on key type, you can specify a single-length key or a double-length key. A double-length key consists of two eight-byte[...]
-
Page 197
CCA Release 2.54 Key_Generate unless you are using the TOKEN keyword, you must identify a null key-token on input. Required Commands Depending on your specification of key form, key type, and use of the SINGLE-R key length control, different commands are required to enable operation of the Key_Generate verb. If you specify the key-form and key-[...]
-
Page 198
Key_Generate CCA Release 2.54 can use to generate a single key copy with default control-vectors. Figure 5-12 on page 5-49 shows the key types you can use to generate two copies of a key. An ‘X’ indicates a permissible key type for a given key-form. An E indicates that a special (Extended) command is required as those keys require special handl[...]
-
Page 199
CCA Release 2.54 Key_Generate Figure 5-12. Key_Type and Key_Form Keywords for a Key Pair Key_Type_1 Key_Type_2 Key_ Form OPOP, OPIM, IMIM Key_ Form OPEX Key_ Form EXEX Key_ Form IMEX DATA MAC MAC MACVER DATAC * DATAM * DATAM * CIPHER CIPHER CIPHER DECIPHER DECIPHER ENCIPHER ENCIPHER KEYGENKY * DKYGENKY * DATA MAC MACVER MAC DATAC * DATAM * DATAMV *[...]
-
Page 200
Key_Generate CCA Release 2.54 key-length the verb uses when you supply eight space characters with the key_length parameter. Figure 5-13. Key Lengths by Key Type Key Type SINGLE KEYLN8 SINGLE-R DOUBLE KEYLN16 MAC MACVER X, D X, D X X DATA X, D X DATAC * DATAM * DATAMV * X X X X X X EXPORTER IMPORTER X X X, D X, D IKEYXLAT OKEYXLAT X X X, D X, D CIP[...]
-
Page 201
CCA Release 2.54 Key_Import Key_Import (CSNBKIM) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Import verb imports a source DES key enciphered by the IMPORTER key-encrypting-key into a target internal key-token. The imported target-key is returned enciphered using the symmetric master-key. Specify the following: Key_t[...]
-
Page 202
Key_Import CCA Release 2.54 Restrictions Starting with Release 2.41, unless you enable the Unrestrict Reencipher to Master Key command (offset X ' 027B ' ), an IMPORTER key-encrypting-key having equal key-halves is not permitted to import a key having unequal key-halves. Note that key parity bits are ignored. Format CSNBKIM return_code Ou[...]
-
Page 203
CCA Release 2.54 Key_Import key-halves IMPORTER key-encrypting-key to import a key having unequal key-halves (key parity bits are ignored). Chapter 5. DES Key-Management 5-53[...]
-
Page 204
Key_Part_Import CCA Release 2.54 Key_Part_Import (CSNBKPI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Part_Import verb is used to accumulate “parts” of a key and store the result as an encrypted partial key or as the final key. Individual key-parts are exclusive-ORed together to form the accumulated key. On eac[...]
-
Page 205
CCA Release 2.54 Key_Part_Import of one bits, and there are no other problems, the verb will return reason code 2. Use of the ADD-PART keyword requires that the Add Key Part command be enabled in the access-control system. The key-part bit remains on in the control vector of the updated key token returned from the verb. With the COMPLETE keywor[...]
-
Page 206
Key_Part_Import CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. The v[...]
-
Page 207
CCA Release 2.54 Key_Part_Import Required Commands The Key_Part_Import verb requires the following commands to be enabled in the active role: The Load First Key Part command (offset X ' 001B ' ) with the FIRST keyword. The Combine Key Parts command (offset X ' 001C ' ) with the MIDDLE and LAST keywords. The Add Key P[...]
-
Page 208
Key_Test CCA Release 2.54 Key_Test (CSNBKYT) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X You use the Key_Test verb to verify the value of a key or key-part. Several verification algorithms are supported. The verb supports testing of clear keys, enciphered keys, master keys, and key-parts. The verification pattern and the ve[...]
-
Page 209
CCA Release 2.54 Key_Test Restrictions None Format CSNBKYT return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes rule_array_count Input Integer two, three, or four rule_array Input String array rule_array_count * 8 bytes key_identifier Input String 64 bytes random_[...]
-
Page 210
Key_Test CCA Release 2.54 key_identifier The key_identifier parameter is a pointer to a string variable containing an internal key-token, a key label that identifies an internal key-token record in key storage, or a clear key. The key token contains the key or the key part used to generate or verify the verification pattern. When you specify the KE[...]
-
Page 211
CCA Release 2.54 Key_Token_Build Key_Token_Build (CSNBKTB) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Token_Build verb assembles an external or internal key-token in application storage from information you supply. The verb can include a control vector you supply or can build a control vector based on the key type [...]
-
Page 212
Key_Token_Build CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. key_token The key_token parameter is a pointer to a string variable containing the assembled key-token. Note: This variable cannot contain a key label.[...]
-
Page 213
CCA Release 2.54 Key_Token_Build key_value The key_value parameter is a pointer to a string variable containing the encrypted key-value incorporated into the encrypted-key portion of the key token if you use the KEY rule_array keyword. Single-length keys must be left-justified in the variable and padded on the right (low-order) with eight bytes of [...]
-
Page 214
Key_Token_Change CCA Release 2.54 Key_Token_Change (CSNBKTC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X Use the Key_Token_Change verb to reencipher a DES key from encryption under the old master-key to encryption under the current master-key and to update the keys in internal DES key-tokens. Note: An application system is [...]
-
Page 215
CCA Release 2.54 Key_Token_Change Key_Identifier The key_identifier parameter is a pointer to a string variable containing the DES internal key-token or the key label of an internal key-token record in key storage. Figure 5-16. Key_Token_Change Rule_Array Keywords Keyword Meaning RTCMK Reenciphers a DES key to the current master-key in an internal [...]
-
Page 216
Key_Token_Parse CCA Release 2.54 Key_Token_Parse (CSNBKTP) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Token_Parse verb disassembles a key token into separate pieces of information. The verb can disassemble an external key-token or an internal key-token in application storage. Use the key_token parameter to specify [...]
-
Page 217
CCA Release 2.54 Key_Token_Parse Note: You cannot use a key label for a key-token record in key storage. The key token must be in application storage. key_type The key_type parameter is a pointer to a string variable containing a keyword defining the key type. The keyword is eight bytes in length, and must be left-justified and padded on the right [...]
-
Page 218
Key_Token_Parse CCA Release 2.54 key_value The key_value parameter is a pointer to a string variable. If the verb returns the KEY keyword in the rule array, the key-value variable contains the 16-byte enciphered key. MKVP The MKVP parameter is a pointer to an integer variable. The verb writes zero into the variable except when parsing a version X &[...]
-
Page 219
CCA Release 2.54 Key_Translate Key_Translate (CSNBKTR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Translate verb uses one key-encrypting key to decipher an input key and then enciphers this key using another key-encrypting key within the secure environment. Specify the following key tokens to use this verb: The[...]
-
Page 220
Key_Translate CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. input_key_token The input_key_token parameter is a pointer to a string variable containing an external key-token. The external key-token contains the key[...]
-
Page 221
CCA Release 2.54 Multiple_Clear_Key_Import Multiple_Clear_Key_Import (CSNBCKM) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Multiple_Clear_Key_Import verb multiply-enciphers a clear, single-length or double-length DES DATA key under a symmetric master-key. You can use this verb to create an internal key-token from a null[...]
-
Page 222
Multiple_Clear_Key_Import CCA Release 2.54 clear_key_length The clear_key_length parameter is a pointer to an integer variable containing the number of bytes of data in the clear_key variable. clear_key The clear_key parameter is a pointer to a string variable containing the single-length (8-byte) or double-length (16-byte) plaintext DES-key to be [...]
-
Page 223
CCA Release 2.54 PKA_Decrypt PKA_Decrypt (CSNDPKD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Decrypt verb decrypts (unwraps) input data using an RSA private-key. The decrypted data is examined to ensure it meets RSA DSI PKCS #1 block type 2 format specifications. See “PKCS #1 Formats” on page D-19. Restriction[...]
-
Page 224
PKA_Decrypt CCA Release 2.54 source_encrypted_key_length The source_encrypted_key_length parameter is a pointer to an integer variable containing the number of bytes of data in the source_encrypted_key variable. The maximum size allowed is 256 bytes. source_encrypted_key The source_encrypted_key parameter is a pointer to a string variable containin[...]
-
Page 225
CCA Release 2.54 PKA_Encrypt PKA_Encrypt (CSNDPKE) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Encrypt verb encrypts (wraps) input data using an RSA public key. The data that you encrypt may include: For keys, the encrypted data can be formatted according to RSA DSI PKCS #1 block type 2 format specifications. Se[...]
-
Page 226
PKA_Encrypt CCA Release 2.54 rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-justified and padded on the right with space characters. The rule_array keywords are shown below: clear_source_data_length The clear_source_data_length parameter[...]
-
Page 227
CCA Release 2.54 PKA_Encrypt target_data The target_data parameter is a pointer to a string variable containing the encrypted data returned by the verb. The returned encrypted target-data is the same length as the public-key modulus. Required Commands The PKA_Encrypt verb requires the RSA Public-Key Encipher Clear Key-Data command (offset X ' [...]
-
Page 228
PKA_Symmetric_Key_Export CCA Release 2.54 PKA_Symmetric_Key_Export (CSNDSYX) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Symmetric_Key_Export verb enciphers a symmetric DES or CDMF default DATA-key using an RSA public key. Specify the symmetric key to be exported, the exporting RSA public-key, and a rule-array keywo[...]
-
Page 229
CCA Release 2.54 PKA_Symmetric_Key_Export Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variab[...]
-
Page 230
PKA_Symmetric_Key_Export CCA Release 2.54 RSA_enciphered_key The RSA_enciphered_key parameter is a pointer to a string variable containing the exported RSA-enciphered key returned by the verb. Required Commands The PKA_Symmetric_Key_Export verb requires these commands to be enabled in the hardware for exporting various key types: Symmetric Key [...]
-
Page 231
CCA Release 2.54 PKA_Symmetric_Key_Generate PKA_Symmetric_Key_Generate (CSNDSYG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Symmetric_Key_Generate verb generates a random DES-key and enciphers the key value. The key value is enciphered under an RSA public-key for distribution to a remote node (that has the associat[...]
-
Page 232
PKA_Symmetric_Key_Generate CCA Release 2.54 Key-encrypting keys, either effective single-length or true double-length, are generated with the details dependent on the keyword you use to control the key formatting technique. PKA92 With this keyword, the verb generates a key-encrypting key and returns two copies of the key. You must specify a pai[...]
-
Page 233
CCA Release 2.54 PKA_Symmetric_Key_Generate Format CSNDSYG return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes rule_array_count Input Integer one, two, or three rule_array Input String array rule_array_count * 8 bytes key_encrypting_key_identifier Input String 64[...]
-
Page 234
PKA_Symmetric_Key_Generate CCA Release 2.54 key_encrypting_key_identifier The key_encrypting_key_identifier parameter is a pointer to a string variable containing the key token or the key label of a key token in key storage with the key-encrypting key used to encipher one generated-key copy for DES-based key distribution. RSA_public_key_identifier_[...]
-
Page 235
CCA Release 2.54 PKA_Symmetric_Key_Generate RSA_enciphered_key_token_length The RSA_enciphered_key_token_length parameter is a pointer to an integer variable containing the number of bytes of data in the RSA_enciphered_key_token variable. On output, the variable is updated with the actual length of the RSA_enciphered_key_token variable. The maximum[...]
-
Page 236
PKA_Symmetric_Key_Import CCA Release 2.54 PKA_Symmetric_Key_Import (CSNDSYI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Symmetric_Key_Import verb recovers a symmetric DES (or CDMF) key that is enciphered by an RSA public key. The verb deciphers the RSA-enciphered symmetric-key to be imported by using an RSA private[...]
-
Page 237
CCA Release 2.54 PKA_Symmetric_Key_Import Restrictions 1. Private key key-usage controls can prevent use of specific private keys in this verb. See page 3-7. A key-usage flag bit (see offset 050 in the private-key section) must be on to permit use of the private key in the decryption of a symmetric key. 2. The RSA private-key modulus size (key size[...]
-
Page 238
PKA_Symmetric_Key_Import CCA Release 2.54 RSA_enciphered_key_length The RSA_enciphered_key_length parameter is a pointer to an integer containing the number of bytes of data in the RSA_enciphered_key variable. The maximum size allowed is 2500 bytes. RSA_enciphered_key The RSA_enciphered_key parameter is a pointer to a string variable containing the[...]
-
Page 239
CCA Release 2.54 PKA_Symmetric_Key_Import Symmetric Key Import ZERO-PAD command (command offset X ' 023D ' ) for DATA keys using the ZERO-PAD methods PKA92 Symmetric Key Import command (command offset X ' 0235 ' ) when importing key-generating keys using the PKA92 method PKA92 Symmetric Key Import command (command of[...]
-
Page 240
Prohibit_Export CCA Release 2.54 Prohibit_Export (CSNBPEX) Platform/ Product OS/2 AIX NT OS/400 IBM 4758-2/23 X X X X The Prohibit_Export verb modifies an operational key than can be exported so that it can no longer be exported. The verb does the following: Multiply-deciphers the key under a key formed by the exclusive-OR of the master key and[...]
-
Page 241
CCA Release 2.54 Random_Number_Generate Random_Number_Generate (CSNBRNG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Random_Number_Generate verb generates a random number for use as an initialization vector, clear key, or clear key-part. You specify whether the random number is 64 bits, or 56 bits with the low-order bit[...]
-
Page 242
Random_Number_Generate CCA Release 2.54 random_number The random_number parameter is a pointer to a string variable containing the random number returned by the verb. Required Commands The Random_Number_Generate verb requires the Generate Key command (offset X ' 008E ' ) to be enabled in the hardware. 5-92 IBM 4758 CCA Basic Services, Rel[...]
-
Page 243
CCA Release 2.54 Chapter 6. Data Confidentiality and Data Integrity This chapter describes the verbs that use the Data Encryption Standard (DES) algorithm to encrypt and decrypt data and to generate and verify a message authentication code (MAC). Figure 6-1. Data Confidentiality and Data Integrity Verbs Verb Page Service Entry Point Svc Lcn Deciphe[...]
-
Page 244
CCA Release 2.54 verbs also support the ANSI X9.23 mode of encryption. In X9.23 encryption, at least one byte of data and up to eight bytes of data are always added to the end of your plaintext. The last of the added bytes is a binary value equal to the number of added bytes. The ANSI X9.23 process ensures that the enciphered data is always a multi[...]
-
Page 245
CCA Release 2.54 Ensuring Data Integrity CCA offers three classes of services for ensuring data integrity: Message authentication code (MAC) techniques based on the DES algorithm Hashing techniques Digital signature techniques. This chapter includes the MAC verbs. For information on using hashing or digital signatures to ensure the inte[...]
-
Page 246
CCA Release 2.54 In each procedure call, a segmenting-control keyword indicates whether the call contains the first, middle, or last unit of segmented data; the chaining_vector parameter specifies the work area that the verb uses. (The default segmenting-control keyword ONLY specifies that segmenting is not used.) 6-4 IBM 4758 CCA Basic Services, R[...]
-
Page 247
CCA Release 2.54 Decipher Decipher (CSNBDEC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Decipher verb uses the Data Encryption Standard (DES) or the Commercial Data Masking Facility (CDMF) algorithm and a cipher key to decipher data (ciphertext). This verb results in data called plaintext. Performance can be enhanced i[...]
-
Page 248
Decipher CCA Release 2.54 ciphertext The ciphertext parameter is a pointer to a string variable containing the text to be deciphered. initialization_vector The initialization_vector parameter is a pointer to a string variable containing the initialization_vector the verb uses with the input data. rule_array_count The rule_array_count parameter is a[...]
-
Page 249
CCA Release 2.54 Decipher length of the plaintext when it returns. The length will be different when padding is removed. Required Commands The Decipher verb requires the Decipher command (offset X ' 000F ' ) to be enabled in the hardware. Chapter 6. Data Confidentiality and Data Integrity 6-7[...]
-
Page 250
Encipher CCA Release 2.54 Encipher (CSNBENC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Encipher verb uses the DES algorithm and a secret key to encipher data. This verb returns data called ciphertext. The returned ciphertext can be as many as eight bytes longer than the plaintext due to padding. Ensure the ciphertext [...]
-
Page 251
CCA Release 2.54 Encipher text_length The text_length parameter is a pointer to an integer variable. On input, the text_length variable contains the number of bytes of data in the cleartext variable. On output, the text_length variable contains the number of bytes of data in the ciphertext variable. plaintext The plaintext parameter is a pointer to[...]
-
Page 252
Encipher CCA Release 2.54 chaining_vector The chaining_vector parameter is a pointer to a string variable containing a work area that the security server uses to carry segmented data between procedure-calls. Note: The application program must not change the data in this variable. ciphertext The ciphertext parameter is a pointer to a string variable[...]
-
Page 253
CCA Release 2.54 MAC_Generate MAC_Generate (CSNBMGN) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The MAC_Generate verb generates a message authentication code (MAC) for a text string that you supply. For additional information about using the MAC generation and verification verbs, see “Ensuring Data Integrity” on page 6[...]
-
Page 254
MAC_Generate CCA Release 2.54 Format CSNBMGN return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes key_identifier Input String 64 bytes text_length Input Integer text Input String text_length bytes rule_array_count Input Integer zero, one, two, or three rule_array [...]
-
Page 255
CCA Release 2.54 MAC_Generate chaining_vector The chaining_vector parameter is a pointer to a string variable containing a work area the security server uses to carry segmented data between procedure calls. Note: The application program must not change the data in this variable. MAC The MAC parameter is a pointer to a string variable containing the[...]
-
Page 256
MAC_Verify CCA Release 2.54 MAC_Verify (CSNBMVR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The MAC_Verify verb verifies a message authentication code (MAC) for a text string that you supply. For additional information about using the MAC generation and verification verbs, see “Ensuring Data Integrity” on page 6-3. Per[...]
-
Page 257
CCA Release 2.54 MAC_Verify Format CSNBMVR return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes key_identifier Input String 64 bytes text_length Input Integer text Input String text_length bytes rule_array_count Input Integer zero, one, two, or three rule_array In[...]
-
Page 258
MAC_Verify CCA Release 2.54 chaining_vector The chaining_vector parameter is a pointer to a string variable containing a work area the security server uses to carry segmented data between procedure-calls. Note: The application program must not change the data in this variable. MAC The MAC parameter is a pointer to a string variable containing the t[...]
-
Page 259
CCA Release 2.54 Chapter 7. Key-Storage Verbs This chapter describes how you can use key-storage mechanisms and the associated verbs for creating, writing, reading, listing, and deleting records in key storage. Figure 7-1. Key-Storage-Record Services Verb Page Service Entry Point Svc Lcn DES_Key_Record_Create 7-4 Creates a key record in DES key-sto[...]
-
Page 260
CCA Release 2.54 Use the Key_Record_Delete verb to delete a key token from a key record, or to entirely delete the key record from key storage. Use the Key_Record_List verb to determine the existence of key records in key storage. The Key_Record_List verb creates a key-record-list data set with information about select key-records. The wild-card ch[...]
-
Page 261
CCA Release 2.54 Some verbs accept a key label containing a “wild card” represented by an asterisk (*). (X ' 2A ' in ASCII; X ' 5C ' in EBCDIC). When a verb permits the use of a wild card, the wild card can appear as the first character, as the last character, or as the only character in a name token. Any of the name tokens [...]
-
Page 262
DES_Key_Record_Create CCA Release 2.54 DES_Key_Record_Create (CSNBKRC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_Create verb adds a key record with a null key-token to DES key-storage. It is identified by the key label specified using the key_label parameter. After creating a DES key-record, you can use[...]
-
Page 263
CCA Release 2.54 DES_Key_Record_Delete DES_Key_Record_Delete (CSNBKRD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_Delete verb does either of the following tasks: Replaces the token in a key record with a null key-token Deletes an entire key record, including the key label, from key storage. Ident[...]
-
Page 264
DES_Key_Record_Delete CCA Release 2.54 key_label The key_label parameter is a pointer to a string variable containing the key label of a key-token record in key storage. In a key label, use a wild card (*) to identify multiple records in key storage. Required Commands The DES_Key_Record_Delete verb requires the Compute Verification Pattern command [...]
-
Page 265
CCA Release 2.54 DES_Key_Record_List DES_Key_Record_List (CSNBKRL) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_List verb creates a key-record-list data set containing information about specified key records in key storage. Information listed includes whether record validation is correct, the type of key, [...]
-
Page 266
DES_Key_Record_List CCA Release 2.54 data_set_name_length The data_set_name_length parameter is a pointer to an integer variable containing the number of bytes of data returned by the verb in the data_set_name variable. The maximum returned value is 64 bytes. data_set_name The data_set_name parameter is a pointer to a 64-byte string variable contai[...]
-
Page 267
CCA Release 2.54 DES_Key_Record_Read DES_Key_Record_Read (CSNBKRR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_Read verb copies a key token from DES key-storage to application storage. The returned key-token can be null. Restrictions None Format CSNBKRR return_code Output Integer reason_code Output Intege[...]
-
Page 268
DES_Key_Record_Write CCA Release 2.54 DES_Key_Record_Write (CSNBKRW) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_Write verb copies an internal DES key-token from application storage into DES key-storage. Before you use the DES_Key_Record_Write verb, use DES_Key_Record_Create to create a key record. Restri[...]
-
Page 269
CCA Release 2.54 PKA_Key_Record_Create PKA_Key_Record_Create (CSNDKRC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_Create service adds a key record with a null key-token to PKA key-storage. The new key-record may be a null key-token or a valid PKA internal or external key-token. It is identified by the ke[...]
-
Page 270
PKA_Key_Record_Create CCA Release 2.54 key_token_length The key_token_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_token variable. If the value of the key_token_length variable is zero, a record with a null PKA key-token is created. key_token The key_token parameter is a pointer to a string [...]
-
Page 271
CCA Release 2.54 PKA_Key_Record_Delete PKA_Key_Record_Delete (CSNDKRD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_Delete verb does either of the following tasks: Replaces the token in a key record with a null key-token Deletes an entire key-record, including the key label, from key storage. Ident[...]
-
Page 272
PKA_Key_Record_Delete CCA Release 2.54 key_label The key_label parameter is a pointer to a string variable containing the key label of a key-token record in PKA key-storage. Use a wild card (*) in the key_label variable to identify multiple records in key storage. Required Commands The PKA_Key_Record_Delete verb requires the Compute Verification Pa[...]
-
Page 273
CCA Release 2.54 PKA_Key_Record_List PKA_Key_Record_List (CSNDKRL) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_List verb creates a key-record-list data set containing information about specified key records in PKA key-storage. Information includes whether record validation is correct, the type of key, and[...]
-
Page 274
PKA_Key_Record_List CCA Release 2.54 rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. The value must be zero for this verb. rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight byt[...]
-
Page 275
CCA Release 2.54 PKA_Key_Record_Read PKA_Key_Record_Read (CSNDKRR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_Read verb copies a key token from PKA key-storage to application storage. The returned key-token may be null. In this event, the key_length variable contains a value of eight and the key-token va[...]
-
Page 276
PKA_Key_Record_Read CCA Release 2.54 key_token The key_token parameter is a pointer to a string variable containing the key token read from PKA key-storage. This variable must be large enough to hold the PKA key-token being read. On successful completion, the key_token_length variable contains the actual length of the token being returned. Required[...]
-
Page 277
CCA Release 2.54 PKA_Key_Record_Write PKA_Key_Record_Write (CSNDKRW) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_Write verb copies an internal or external PKA key-token from application storage into PKA key-storage. The verb performs either of these two processing options: Writes the new key-token onl[...]
-
Page 278
PKA_Key_Record_Write CCA Release 2.54 key_label The key_label parameter is a pointer to a string variable containing the key label that identifies the key record in PKA key-storage where the key token is to be written. key_token_length The key_token_length parameter is a pointer to an integer variable containing the number of bytes of data in the k[...]
-
Page 279
CCA Release 2.54 Retained_Key_Delete Retained_Key_Delete (CSNDRKD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Retained_Key_Delete verb deletes a PKA key that has been retained within the Coprocessor. You can retain both public and private keys within the Coprocessor through the use of verbs such as PKA_Key_Generate and[...]
-
Page 280
Retained_Key_List CCA Release 2.54 Retained_Key_List (CSNDRKL) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Retained_Key_List verb lists the key labels of those PKA keys that have been retained within the Coprocessor. You filter the set of key labels returned to your application through the use of the key label mask inpu[...]
-
Page 281
CCA Release 2.54 Retained_Key_List key_label_mask The key_label_mask parameter points to a string variable containing a key label mask that is used to filter the list of key names returned by the verb. You can use a wild card (*) to identify multiple keys retained within the Coprocessor. retained_keys_count The retained_keys_count parameter points [...]
-
Page 282
CCA Release 2.54 7-24 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 283
CCA Release 2.54 Chapter 8. Financial Services Support Verbs There are several classes of verbs described in this chapter: Finance industry PIN processing verbs. Information common to these verbs is described in the next section. Support for changing the acceptable PIN on a smart card based on VISA and EMV design concepts. SET-related v[...]
-
Page 284
CCA Release 2.54 Figure 8-1 (Page 2 of 2). Financial Services Support Verbs Verb Page Service Entry Point Svc Lcn PIN_Change/Unblock 8-52 Calculates a PIN for a smart card based on keys and data you supply according to VISA and EMV specifications. CSNBPCU E Secure_Messaging_for_Keys 8-59 Securely incorporates a key into a text block which is then e[...]
-
Page 285
CCA Release 2.54 – Create encrypted PIN blocks for transmission – Generate institution-assigned PINs – Generate an offset or a VISA PIN-validation value (PVV) – Create encrypted PIN blocks for a PIN-verification database – Change the PIN-block encrypting key or the PIN-block format – Verify PINs. Normally, a customer inserts a magnetic-[...]
-
Page 286
CCA Release 2.54 Account Customer─Entered PIN Customer─Selected PIN Number ──────────┬───────── ──────────┬────────── │ T─PIN │ │ Clear ┌───────────────────────┐ │ C─PIN PINGEN──Clear_PIN_[...]
-
Page 287
CCA Release 2.54 PIN-Verb Summary The following terms are used for the various “PIN” values: A-PIN The quantity derived from a function of the account number, and PIN-generating key, and other inputs such as a decimalization table . C-PIN The quantity that a customer should use to identify himself. In general, this can be a customer-selected or[...]
-
Page 288
CCA Release 2.54 PIN-Calculation Method and PIN-Block Format Summary As described in the following sections, you can use a variety of PIN calculation methods and a variety of PIN-block formats with the various PIN-processing verbs. Figure 8-3 provides a summary of the supported combinations. Figure 8-3. PIN Verb, PIN-Calculation Method, and PIN-Blo[...]
-
Page 289
CCA Release 2.54 Using Specific Key Types and Key-Usage Bits to Help Ensure PIN Security The control vectors (see Appendix C, “CCA Control-Vector Definitions and Key Encryption” on page C-1) associated with obtaining and verifying PINs enable you to minimize certain security exposures. The class of keys designated PINGEN operates in the verbs t[...]
-
Page 290
CCA Release 2.54 OPINENC (output PIN-block encrypting) key type The PIN verbs that encrypt a PIN block require the encrypting key to have a control vector that specifies an OPINENC key type. KEYGENKY (unique-key-per-transaction base key-generating key) key type The Encrypted_PIN_Translate and Encrypted_PIN_Verify verbs can derive a unique key from [...]
-
Page 291
CCA Release 2.54 Note: To avoid errors when using the IBM 3624 PIN-block format, you should not include in the decimalization table a decimal digit that is also used as a pad digit. For information about a pad digit, see “PIN Profile” on page 8-10. validation_data The second element in the data array for a PIN-calculation method supplies 1 [...]
-
Page 292
CCA Release 2.54 – Eleven (rightmost) digits of PAN data, excluding the check digit. For information about a PAN, see “Personal Account Number (PAN)” on page 8-13. – A constant, six. – A one-digit key index selector from one to six. – Three numeric characters of validation data. reserved The second and third elements in the data arr[...]
-
Page 293
CCA Release 2.54 Format Control Enforcement: The format-control level is the second element in a PIN profile. For the IBM 4758 implementation, this element must be set to NONE followed by four space characters. Pad Digit: The pad digit is the third element in a PIN profile. Certain PIN-block formats require a pad digit when a PIN is formatted or ex[...]
-
Page 294
CCA Release 2.54 The CKSN is the concatenation of a terminal identifier and a sequence number which together define a unique terminal (within the set of terminals associated with a given base key) and the sequence number of the transaction originated by that terminal. Each time the terminal completes a transaction, it increments the sequence number[...]
-
Page 295
CCA Release 2.54 Personal Account Number (PAN) A personal account number (PAN) identifies an individual and relates that individual to an account at the financial institution. The PAN consists of the following: Issuer identification number Customer account number One check digit. For the ISO-0 PIN-block format, the PIN verbs use a PAN t[...]
-
Page 296
CCA Release 2.54 The MAC_Generate and MAC_Verify verbs incorporate post-padding a X ' 80 ' ...X ' 00 ' string to a message as required for authenticating messages exchanged with EMV smart cards. 8-14 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 297
CCA Release 2.54 Clear_PIN_Encrypt Clear_PIN_Encrypt (CSNBCPE) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Clear_PIN_Encrypt verb formats a PIN into one of the following PIN-block formats and encrypts the results (see “PIN-Block Formats” on page E-9): IBM 3624 format ISO-0 format (same as the ANSI X9.8, VISA[...]
-
Page 298
Clear_PIN_Encrypt CCA Release 2.54 Format CSNBCPE return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes PIN_encrypting_key_identifier Input String 64 bytes rule_array_count Input Integer zero or one rule_array Input String array rule_array_count * 8 bytes clear_PIN[...]
-
Page 299
CCA Release 2.54 Clear_PIN_Encrypt PIN_profile The PIN_profile parameter points to a string variable containing three 8-byte elements with: a PIN-block format keyword, a format control keyword ( NONE ), and a pad digit as required by certain formats. See “PIN Profile” on page 8-10. PAN_data The PAN_data parameter points to a personal account nu[...]
-
Page 300
Clear_PIN_Generate CCA Release 2.54 Clear_PIN_Generate (CSNBPGN) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Clear_PIN_Generate verb generates an A-PIN or an O-PIN by using one of the following calculation methods that you specify with a rule-array keyword (see “PIN-Calculation Methods” on page E-2): IBM 3624 PI[...]
-
Page 301
CCA Release 2.54 Clear_PIN_Generate Restrictions None Format CSNBPGN return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes PIN_generating_key_identifier Input String 64 bytes rule_array_count Input Integer one rule_array Input String array rule_array_count * 8 byte[...]
-
Page 302
Clear_PIN_Generate CCA Release 2.54 PIN_check_length The PIN_check_length parameter points to an integer variable in the range from 4 to 16 containing the length of the PIN offset. The verb uses the PIN check length if you specify the IBM-PINO keyword for the calculation method. Otherwise, ensure that this parameter points to a four-byte variable i[...]
-
Page 303
CCA Release 2.54 Clear_PIN_Generate_Alternate Clear_PIN_Generate_Alternate (CSNBCPA) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Clear_PIN_Generate_Alternate verb is used to obtain a value, the “O-PIN” (offset or VISA-PVV), that will relate the institution-assigned PIN to the customer-known PIN. The verb supports th[...]
-
Page 304
Clear_PIN_Generate_Alternate CCA Release 2.54 Calculates the A-PIN. The verb uses the specified calculation method, the data_array variable, and the PIN_check_length variable to calculate the PIN. Calculates the O-PIN Returns the clear O-PIN in the variable identified by the returned_result parameter. Restrictions None Format CSNBCPA re[...]
-
Page 305
CCA Release 2.54 Clear_PIN_Generate_Alternate Note: When using the ISO-0 format, use the 12 rightmost PAN digits, excluding the check digit. encrypted_PIN_block The encrypted_PIN_block parameter points to a string variable containing the encrypted PIN-block of the (customer-selected) C-PIN value. rule_array_count The rule_array_count parameter is a[...]
-
Page 306
Clear_PIN_Generate_Alternate CCA Release 2.54 PIN_check_length The PIN_check_length parameter points to an integer variable in the range from 4 to 16 containing the number of digits of PIN information that the verb should check. The verb uses the PIN_check_length parameter if you specify the IBM-PINO keyword for the calculation method. Otherwise, e[...]
-
Page 307
CCA Release 2.54 Clear_PIN_Generate_Alternate When using the NL-PIN-1 keyword, identify the following elements in the data array: When using the VISA-PVV keyword, identify the following elements in the data array. For more information about transaction security data for the VISA-PVV calculation method, see “VISA PIN Validation Value (PVV) Calcula[...]
-
Page 308
Clear_PIN_Generate_Alternate CCA Release 2.54 returned_result The returned_result parameter points to a string variable containing the clear O-PIN returned by the verb. The 16-byte result will be left-justified and padded on the right with space characters. The length of the PIN offset in the returned result will be determined by the value that the[...]
-
Page 309
CCA Release 2.54 CVV_Generate CVV_Generate (CSNBCSG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The CVV_Generate verb supports the VISA card-verification value (CVV) and the MasterCard card-verification code (CVC) process as defined for track 2 by generating a CVV. For details about the CVV process, see “CVV and CVC Meth[...]
-
Page 310
CVV_Generate CCA Release 2.54 rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-justified and padded on the right with space characters. The rule_array keywords are shown below: PAN_data The PAN_data parameter points to a string variable co[...]
-
Page 311
CCA Release 2.54 CVV_Generate CVV_key-B_identifier The CVV_key-B_identifier parameter points a string variable containing an internal key-token or a key label of an internal key-token record in key storage. The internal key-token contains the key-B key that decrypts information in the CVV process. CVV_value The CVV_value parameter points to a strin[...]
-
Page 312
CVV_Verify CCA Release 2.54 CVV_Verify (CSNBCSV) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The CVV_Verify verb supports the VISA card-verification value (CVV) and the MasterCard card-verification code (CVC) process as defined for track 2 by verifying a CVV. For details about the CVV process, see “CVV and CVC Method” o[...]
-
Page 313
CCA Release 2.54 CVV_Verify Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. The value [...]
-
Page 314
CVV_Verify CCA Release 2.54 expiration_date The expiration_date parameter points to a string variable containing the card expiration date. The date is in numeric character format. The application programmer must determine whether the CVV will be calculated as YYMM or MMYY. service_code The service_code parameter points to a string variable containi[...]
-
Page 315
CCA Release 2.54 Encrypted_PIN_Generate Encrypted_PIN_Generate (CSNBEPG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Encrypted_PIN_Generate verb generates and formats a PIN and encrypts the PIN block. To generate the PIN, the verb uses one of the following PIN calculation methods: IBM 3624 PIN IBM German Bank Po[...]
-
Page 316
Encrypted_PIN_Generate CCA Release 2.54 – When using the ISO-0 PIN-block format, specify a PAN. For information about a personal account number (PAN), see “Personal Account Number (PAN)” on page 8-13. – When using another PIN-block format, specify a 12-byte variable in application storage. The information in the variable will not be used, b[...]
-
Page 317
CCA Release 2.54 Encrypted_PIN_Generate Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. PIN_generating_key_identifier The PIN_generating_key_identifier parameter points to a string variable containing an internal key-token or a key [...]
-
Page 318
Encrypted_PIN_Generate CCA Release 2.54 PIN_profile The PIN_profile parameter is a pointer to a string variable containing the PIN profile including the PIN-block format. See “PIN Profile” on page 8-10. PAN_data The PAN_data parameter is a pointer to a string variable containing 12 digits of Personal Account Number (PAN) data. The verb uses thi[...]
-
Page 319
CCA Release 2.54 Encrypted_PIN_Translate Encrypted_PIN_Translate (CSNBPTR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Encrypted_PIN_Translate verb can change PIN block encryption, and optionally format a PIN into a different PIN-block format. You can use this verb in an interchange-network application, or to change the[...]
-
Page 320
Encrypted_PIN_Translate CCA Release 2.54 key serial number, and then uses ANSI X9.24-specified “special decryption.” Checks the control vector to ensure that for an IPINENC key that the TRANSLAT bit is valued to one for translate mode and/or the REFORMAT bit is valued to one for reformat mode, or for a KEYGENKY key that the UKPT bit is valued t[...]
-
Page 321
CCA Release 2.54 Encrypted_PIN_Translate Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. input_PIN_encrypting_key_identifier The input_PIN_encrypting_key_identifier parameter is a pointer to a string variable containing an internal [...]
-
Page 322
Encrypted_PIN_Translate CCA Release 2.54 rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-justified and padded on the right with space characters. output_PIN_profile The output_PIN_profile parameter is a pointer to a string variable contai[...]
-
Page 323
CCA Release 2.54 Encrypted_PIN_Translate and optionally an additional 24 bytes containing the output current key serial number (CKSN). The strings are equivalent to 24-byte or 48-byte strings. For more information about a PIN profile, see “PIN Profile” on page 8-10. output_PAN_data The output_PAN_data parameter is a pointer to a string variable[...]
-
Page 324
Encrypted_PIN_Verify CCA Release 2.54 Encrypted_PIN_Verify (CSNBPVR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Encrypted_PIN_Verify verb extracts a trial PIN (T-PIN) from an encrypted PIN-block and verifies this value by comparing it to an account PIN (A-PIN) calculated by using the specified PIN-calculation method. C[...]
-
Page 325
CCA Release 2.54 Encrypted_PIN_Verify The verb does the following: Decrypts the input PIN-block by using the supplied IPINENC key in ECB mode, or derives the decryption key using the specified KEYGENKY key and CKSN and uses ANSI X9.24-specified “special decryption.” The EPINVER bit must be valued to one in the IPINENC control vector, or the[...]
-
Page 326
Encrypted_PIN_Verify CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. PIN_encrypting_key_identifier The PIN_encrypting_key_identifier parameter is a pointer to a string variable containing an internal key-token or a [...]
-
Page 327
CCA Release 2.54 Encrypted_PIN_Verify PIN_check_length The PIN_check_length parameter is a pointer to an integer variable containing the number of digits of PIN information that the verb should verify. The verb uses the value in the variable if you specify the IBM-PIN or IBM-PINO keyword for the calculation method. The specified number of digits is[...]
-
Page 328
Encrypted_PIN_Verify CCA Release 2.54 data_array The data_array parameter is a pointer to a string variable containing three 16-byte character strings, which are equivalent to a single 48-byte string. The values you specify in the data array depend on the PIN-calculation method. Each element is not always used, but you must always declare a complet[...]
-
Page 329
CCA Release 2.54 Encrypted_PIN_Verify When using the VISA-PVV or VISAPVV4 keywords, identify the following elements in the data array. For more information about these elements, and transaction security data for the VISA-PVV calculation method, see “VISA PIN Validation Value (PVV) Calculation Method” on page E-7. When using the INBK-PIN keyword[...]
-
Page 330
Encrypted_PIN_Verify CCA Release 2.54 Required Commands The Encrypted_PIN_Verify verb requires the following commands to be enabled in the hardware, based on the keyword specified for the PIN-calculation methods. The Encrypted_PIN_Translate verb also requires the Unique Key Per Transaction, ANSI X9.24 command (offset X ' 00E1 ' ) to be en[...]
-
Page 331
CCA Release 2.54 Key_Encryption_Translate | Key_Encryption_Translate (CSNBKET) | Platform/ | Product | OS/2 | AIX | Win NT/ | 2000 | OS/400 | IBM 4758-2/23 | X | The Key_Encryption_Translate verb is used to change the method of key | encryption. An input key can be a double-length external CCA DATA key or a | double-length CBC-encrypted key. The re[...]
-
Page 332
Key_Encryption_Translate CCA Release 2.54 | Format | CSNBKET | return_code | Output | Integer | reason_code | Output | Integer | exit_data_length | In/Output | Integer | exit_data | In/Output | String | exit_data_length bytes | rule_array_count | Input | Integer | one | rule_array | Input | String | array | rule_array_count * 8 bytes | kek_key_iden[...]
-
Page 333
CCA Release 2.54 Key_Encryption_Translate | key_out_length | The key_out_length parameter points to an integer variable. On input, you | should set the variable to at least 64 for the CBCTOECB translation or to at | least 16 for the ECBTOCBC translation. On successful completion, the verb | will set the variable to the length of the returned key_ou[...]
-
Page 334
PIN_Change/Unblock CCA Release 2.54 PIN_Change/Unblock (CSNBPCU) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-23 X Use the PIN_Change/Unblock verb to prepare an encrypted message-portion for communicating an original or replacement PIN for an EMV smart-card. The verb embeds the PIN(s) in an encrypted PIN-block from information that you s[...]
-
Page 335
CCA Release 2.54 PIN_Change/Unblock See “VISA and EMV-Related Smart Card Formats and Processes” on page E-17 which explains the derivation processes and PIN-block formation. The diversification_data_length to indicate the sum of the lengths of: – Data, 8 or 16 bytes, encrypted by the verb using the MDK keys – The 2-byte Application Tran[...]
-
Page 336
PIN_Change/Unblock CCA Release 2.54 Restrictions This verb is supported beginning with Release 2.50. Support for the TDESEMV2 and TDESEMV4 keywords begins with Release 2.51. Format CSNBPCU return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes rule_array_count Input[...]
-
Page 337
CCA Release 2.54 PIN_Change/Unblock authentication_key_identifier_length The authentication_key_identifier_length parameter points to an integer variable set to 64. This is the string length of the related key identifier. authentication_key_identifier The authentication_key_identifier parameter points to a string variable containing an internal key[...]
-
Page 338
PIN_Change/Unblock CCA Release 2.54 The first 8 or 16 bytes of data should contain the value used to form the smart-card-specific authentication value and the PIN-block encryption key. The next two bytes of data contain the 16-bit ATC counter used to further diversify the ENC-MDK key to form the session key used to encrypt the output PIN bl[...]
-
Page 339
CCA Release 2.54 PIN_Change/Unblock current_reference_PIN_profile The current_reference_PIN_profile parameter points to an array of three, 8-byte string variables. The contents of the variables are inspected when the VISAPCU2 rule-array keyword is present. The variables define which PIN block format is processed. For more information about a PIN pr[...]
-
Page 340
PIN_Change/Unblock CCA Release 2.54 When an MAC-MDK and/or ENC-MDK of key type DKYGENKY is specified with control vector bits (19-22) of B'1111', the Generate Diversified Key (DALL with DKYGENKY key type) command (offset X ' 0290 ' ) must also be enabled in the active role. PIN-block encrypting key-type Command Offset Command Co[...]
-
Page 341
CCA Release 2.54 Secure_Messaging_for_Keys Secure_Messaging_for_Keys (CSNBSKY) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-23 X Use the Secure_Messaging_for_Keys verb to decrypt a key you supply for incorporation into a text block you also supply. The text block is then encrypted within the verb to preserve the security of the key value[...]
-
Page 342
Secure_Messaging_for_Keys CCA Release 2.54 Returns the enciphered text. Restrictions This verb is supported beginning with Release 2.50. Format CSNBSKY return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes rule_array_count Input Integer zero or one rule_array I[...]
-
Page 343
CCA Release 2.54 Secure_Messaging_for_Keys input_key. You may also specify a key label of a key storage record for such a key. For an internal-form input_key, you may specify a null key-token. secmsg_key_identifier The secmsg_key_identifier parameter is a pointer to a string variable containing an internal key-token or the key label of an internal [...]
-
Page 344
Secure_Messaging_for_PINs CCA Release 2.54 Secure_Messaging_for_PINs (CSNBSPN) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-23 X Use the Secure_Messaging_for_PINs verb to decrypt an input PIN-block, optionally reformat the PIN-block, and incorporate the PIN-block into a text block you also supply. The text block is then encrypted within [...]
-
Page 345
CCA Release 2.54 Secure_Messaging_for_PINs The Secure_Messaging_for_PINs verb: Deciphers the input PIN block Reformats the PIN block when the input and output PIN-block formats differ Self-encrypts the output PIN block as specified Places the PIN block within the supplied text at the specified offset Encrypts the updated text. I[...]
-
Page 346
Secure_Messaging_for_PINs CCA Release 2.54 input_PIN_block The input_PIN_block parameter is a pointer to an eight-byte string variable containing the input, encrypted PIN-block. PIN_encrypting_key_identifier The PIN_encrypting_key_identifier parameter is a pointer to a string variable containing an internal key-token or the key label of an internal[...]
-
Page 347
CCA Release 2.54 Secure_Messaging_for_PINs clear_text_length The clear_text_length parameter is a pointer to an integer containing the length of text to be encrypted. This must be a multiple of eight, and less than or equal to 4096. clear_text The clear_text parameter is a pointer to the text string to be updated with a PIN block and encrypted. ini[...]
-
Page 348
SET_Block_Compose CCA Release 2.54 SET_Block_Compose (CSNDSBC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The SET_Block_Compose verb creates a SET-protocol RSA-OAEP block and DES encrypts the data block in support of the SET protocols. Optionally the verb will compute the SHA-1 hash of the supplied data block and include t[...]
-
Page 349
CCA Release 2.54 SET_Block_Compose Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. The[...]
-
Page 350
SET_Block_Compose CCA Release 2.54 The hash is an optional part of the OAEP block. No hash is computed or inserted into the OAEP block if the data_to_hash_length variable is zero. data_to_hash The data_to_hash parameter is a pointer to a string variable containing the data that is to be hashed and included in the OAEP block. If the data_to_hash_len[...]
-
Page 351
CCA Release 2.54 SET_Block_Compose with the data_to_encrypt variable). The starting address must not fall inside the data_to_encrypt area. Required Commands The SET_Block_Compose verb requires the SET Block Compose command (command offset X ' 010B ' ) to be enabled in the hardware. Chapter 8. Financial Services Support Verbs 8-69[...]
-
Page 352
SET_Block_Decompose CCA Release 2.54 SET_Block_Decompose (CSNDSBD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The SET_Block_Decompose verb decomposes the RSA-OAEP block and DES decrypts the data block in support of the SET protocols. Restrictions The maximum data block that can be supplied for DES decryption is the limit a[...]
-
Page 353
CCA Release 2.54 SET_Block_Decompose Format CSNDSBD return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes rule_array_count Input Integer one or two rule_array Input String array rule_array_count * 8 bytes RSA-OAEP_block_length Input Integer RSA-OAEP_block Input Str[...]
-
Page 354
SET_Block_Decompose CCA Release 2.54 RSA-OAEP_block_length The RSA-OAEP_block_length parameter is a pointer to an integer variable containing the number of bytes of data in the RSA-OAEP_block variable. This value must be 128 bytes. RSA-OAEP_block The RSA-OAEP_block parameter is a pointer to a string variable containing the RSA-OAEP block. DES_encry[...]
-
Page 355
CCA Release 2.54 SET_Block_Decompose of a 128-byte buffer. The first 64 bytes of the buffer are reserved for future use, and should be set to X ' 00 ' . The PIN encrypting-key token will be returned to the caller in the same buffer on completion of the verb. block_contents_identifier The block_contents_identifier parameter is a pointer to[...]
-
Page 356
SET_Block_Decompose CCA Release 2.54 Required Commands The SET_Block_Decompose verb requires the SET Block Decompose command (command offset X ' 010C ' ) to be enabled in the hardware. Two additional commands are used when encrypting PIN data with this verb. When using an IPINENC type key, the verb requires the SET_PIN_encrypt_IPINENC[...]
-
Page 357
CCA Release 2.54 Transaction_Validation Transaction_Validation (CSNBTRV) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2 X X X X The Transaction_Validation verb supports the generation and validation of American Express card security codes (CSC). The Transaction_Validation verb generates and verifies transaction values based on informatio[...]
-
Page 358
Transaction_Validation CCA Release 2.54 rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, left-justified, and padded on the right with space characters, as shown below. transaction_key_identifier_length The transaction_key_identifier_length parameter is a p[...]
-
Page 359
CCA Release 2.54 Transaction_Validation Operation Element Description Validation-Values Length GENERATE and CSC-345 555554444333 where: 55555 = CSC 5 value 4444 = CSC 4 value 333 = CSC 3 value 12 VERIFY and CSC-3 333 = CSC 3 value 3 VERIFY and CSC-4 4444 = CSC 4 value 4 VERIFY and CSC-5 55555 = CSC 5 value 5 Required Commands The Transaction_Valida[...]
-
Page 360
CCA Release 2.54 8-78 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 361
CCA Release 2.54 Appendix A. Return Codes and Reason Codes This appendix describes the return codes and the reason codes that a verb uses to report the results of processing. Each return code is associated with a reason code that supplies details about the result of verb processing. A successful result can include return code 0 and reason code 0 or[...]
-
Page 362
CCA Release 2.54 Figure A-2 on page A-2 shows the reason codes, listed in numeric sequence and grouped by their corresponding return code. The return codes appear in decimal form, and the reason codes appear in decimal and hexadecimal (hex) form. Return Code 0 Figure A-2. Reason Codes for Return Code 0 Return Code Dec Reason Code Dec (Hex) Meaning [...]
-
Page 363
CCA Release 2.54 Return Code 4 Figure A-3. Reason Codes for Return Code 4 Return Code Dec Reason Code Dec (Hex) Meaning 4 001 (001) The verification test failed. 4 013 (00D) The key token has an initialization vector, and the initialization_vector parameter value is nonzero. The verb uses the value in the key token. 4 016 (010) The rule array and t[...]
-
Page 364
CCA Release 2.54 Return Code 8 Figure A-4 (Page 1 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 012 (00C) The token-validation value in an external key token is not valid. 8 022 (016) The ID number in the request field is not valid. 8 023 (017) An access to the data area was outside the data-area boundary. 8 [...]
-
Page 365
CCA Release 2.54 Figure A-4 (Page 2 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 063 (03F) A key token had an invalid token header (for example, not an internal token). 8 064 (040) The RSA key is not permitted to perform the requested operation. Likely causes are key distribution usage is not enabled for the[...]
-
Page 366
CCA Release 2.54 Figure A-4 (Page 3 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 155 (09B) The value that the generated_key_identifier parameter specifies is not valid, or it is not consistent with the value that the key_form parameter specifies. 8 156 (09C) A keyword is not valid with the specified paramete[...]
-
Page 367
CCA Release 2.54 Figure A-4 (Page 4 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 343 (157) Either the data block or the buffer for the block is too small, or a variable has caused an attempt to create an internal data structure that is too large. 8 374 (176) Less data was supplied than expected or less data [...]
-
Page 368
CCA Release 2.54 Figure A-4 (Page 5 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 770 (302) The PKA key token has an invalid field. 8 771 (303) The user is not logged on. 8 772 (304) The requested role was not found. 8 773 (305) The requested profile was not found. 8 774 (306) The profile already exists. 8 77[...]
-
Page 369
CCA Release 2.54 Figure A-4 (Page 6 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 1102 (44E) Hardware device driver invalid buffer length. 8 1103 (44F) Hardware device driver too many opens. Cannot open device now. 8 1104 (450) Hardware device driver access denied. Cannot access device. 8 1105 (451) Hardware [...]
-
Page 370
CCA Release 2.54 Return Code 12 Figure A-5. Reason Codes for Return Code 12 Return Code Dec Reason Code Dec (Hex) Meaning 12 097 (061) File space in key storage is insufficient to complete the operation. 12 196 (0C4) The device driver, the security server, or the directory server is not installed, or is not active, or in AIX, file permissions are n[...]
-
Page 371
CCA Release 2.54 Return Code 16 Figure A-6. Reason Codes for Return Code 16 Return Code Dec Reason Code Dec (Hex) Meaning 16 099 (063) An unrecoverable error occurred in the security server; contact your IBM service representative. 16 336 (150) An error occurred in a cryptographic hardware or software component. 16 337 (151) A device software error[...]
-
Page 372
CCA Release 2.54 A-12 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 373
CCA Release 2.54 Appendix B. Data Structures This appendix describes the following data structures: Key tokens Chaining vector records Key-storage records Key record list data set Access-control data structures Master key shares Distributed function control vector. Key Tokens This section describes the DES and RSA key-to[...]
-
Page 374
CCA Release 2.54 An IBM 4758 does not permit the introduction of a new master key value that has the same verification value as either the current master-key or as the old master-key. Token-Validation Value and Record-Validation Value The Token-Validation Value (TVV) is a checksum that helps ensure that an application program-provided key token is [...]
-
Page 375
CCA Release 2.54 DES Key-Tokens DES key-token data structures are 64 bytes in length, contain an enciphered key, a control vector, various flag bits, version number, and token validation value. An internal key-token contains a key multiply-enciphered by a master key while an external key-token contains a key multiply-enciphered by some key-encrypti[...]
-
Page 376
CCA Release 2.54 Figure B-3 (Page 2 of 2). Internal DES Key-Token, Version 3 Format Offset Length Meaning 48-59 12 Reserved, binary zero 60-63 4 The token-validation value B-4 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 377
CCA Release 2.54 External DES Key-Token CCA implementations generally use a version X ' 00 ' external key-token. See Figure B-4. The IBM 4758 Version 2 CCA Support Program also uses a version X ' 01 ' external key-token to hold a double-length DATA key that is associated with a null (all-zero bits) control vector. See Figure B-5[...]
-
Page 378
CCA Release 2.54 DES Key-Token Flag Byte 1: DES Key-Token Flag Byte 2: Figure B-6. Key-Token Flag Byte 1 Bits (MSB...LSB) 1 Meaning 1xxx xxxx The encrypted key value and the Master Key Verification Pattern are present 0xxx xxxx An encrypted key is not present x0xx xxxx The control-vector value is not present x1xx xxxx The control-vector value is pr[...]
-
Page 379
CCA Release 2.54 Coprocessor but your application will encounter a performance penalty with each use of the key. Protection of the private key is provided by encrypting a confounder (a random number) and the private key information exclusive of the modulus. An encrypted private key in an external key-token is protected by a double-length transport [...]
-
Page 380
CCA Release 2.54 – Section identifier X ' 05 ' for a CRT-format key up to 1024 bits is accepted as input. A public-key section (RSA section identifier X ' 04 ' , see Figure B-13 on page B-16) see Figure B-13 on page B-16) An optional key-name section (section identifier X ' 10 ' , see Figure B-14 on page B-16[...]
-
Page 381
CCA Release 2.54 Figure B-8. RSA Key-Token Header Offset (Bytes) Length (Bytes) Description 000 001 Token identifier (a flag that indicates token type) X ' 1E ' External token; the optional private-key is either in cleartext or enciphered by a transport key-encrypting-key. X ' 1F ' Internal token; the private key is enciphered b[...]
-
Page 382
CCA Release 2.54 Figure B-9. RSA Private Key, 1024-Bit Modulus-Exponent Format Offset (Bytes) Length (Bytes) Description 000 001 X ' 02 ' Section identifier, RSA private key, modulus-exponent format (RSA-PRIV). This section type is created by selected IBM 4755 Cryptographic Adapters and the IBM 4758 Version 1 CCA Support Program. Version [...]
-
Page 383
CCA Release 2.54 Figure B-10 (Page 1 of 2). Private Key, 2048-Bit Chinese-Remainder Format Offset (Bytes) Length (Bytes) Description 000 001 X ' 05 ' Section identifier, RSA private key, CRT (RSA-OPT) format. This section type is created by the IBM 4758 Version 1 CCA Support Program. 001 001 The version number (X ' 00 ' ) 002 00[...]
-
Page 384
CCA Release 2.54 Figure B-10 (Page 2 of 2). Private Key, 2048-Bit Chinese-Remainder Format Offset (Bytes) Length (Bytes) Description 076 +ppp +qqq rrr d p = d mod(p-1) 076 +ppp +qqq +rrr sss d q = d mod(q-1) 076 +ppp +qqq +rrr +sss ttt A p = q p-1 mod(n) 076 +ppp +qqq +rrr +sss +ttt uuu A q = (n+1-A p ) 076 +ppp +qqq +rrr +sss +ttt +uuu xxx X &apos[...]
-
Page 385
CCA Release 2.54 Figure B-11. RSA Private Key, 1024-Bit Modulus-Exponent Format with OPK Offset (Bytes) Length (Bytes) Description 000 001 X ' 06 ' Section identifier, RSA private key, modulus-exponent format (RSA-PRIV). This section type is created by the IBM 4758 Version 2 CCA Support Program. This section type provides compatibility an[...]
-
Page 386
CCA Release 2.54 Figure B-12 (Page 1 of 2). RSA Private Key, Chinese-Remainder Format with OPK Offset (Bytes) Length (Bytes) Description 000 001 X ' 08 ' Section identifier, RSA private key, CRT format (RSA-CRT). This section type is created by the IBM 4758 Version 2 CCA Support Program. 001 001 The version number (X ' 00 ' ) 00[...]
-
Page 387
CCA Release 2.54 Figure B-12 (Page 2 of 2). RSA Private Key, Chinese-Remainder Format with OPK Offset (Bytes) Length (Bytes) Description 124 Start of the (optionally) encrypted subsection. External token: When offset 028 is X ' 40 ' , the subsection is not encrypted When offset 028 is X ' 42 ' , the subsection is encrypted b[...]
-
Page 388
CCA Release 2.54 Figure B-13. RSA Public Key Offset (Bytes) Length (Bytes) Description 000 001 X ' 04 ' , Section identifier, RSA public key 001 001 The version number (X ' 00 ' ) 002 002 Section length, 12+xxx+yyy 004 002 Reserved, binary zero 006 002 RSA public-key exponent field length in bytes, “xxx” 008 002 Public-key m[...]
-
Page 389
CCA Release 2.54 RSA Public-Key Certificate Section: An optional public key certificate(s) section can be included in an RSA key-token. The section consists of: The section header (identifier X ' 40 ' ) A public key subsection (identifier X ' 41 ' ) An optional certificate information subsection (identifier X ' [...]
-
Page 390
CCA Release 2.54 Figure B-17. RSA Public-Key Certificate(s) Optional Information Subsection Header Offset (Bytes) Length (Bytes) Description 000 001 X ' 42 ' , Information Subsection Header 001 001 The version number (X ' 00 ' ) 002 002 Subsection length, 4+iii 004 iii The information field that will contain any of the includabl[...]
-
Page 391
CCA Release 2.54 Figure B-21. RSA Public-Key Certificate(s) Signature Subsection Offset (Bytes) Length (Bytes) Description 000 001 X ' 45 ' , Signature Subsection Header 001 001 The version number (X ' 00 ' ) 002 002 Subsection length, 70+sss 004 001 Hashing algorithm identifier; X ' 01 ' signifies use of the SHA-1 has[...]
-
Page 392
CCA Release 2.54 RSA Private-Key Blinding Information: Figure B-22. RSA Private-Key Blinding Information Offset (Bytes) Length (Bytes) Description 000 001 X ' FF ' , Section identifier, private-key blinding information. Used with internal key-tokens created by the CCA Support Program, Version 1 (having section identifiers X ' 02 &apo[...]
-
Page 393
CCA Release 2.54 Key-Storage Records Key storage exists as an online, Direct Access Storage Device (DASD)-resident data set for the storage of key records. Key records contain a key label, space for a key token, and control information. The stored key tokens are accessed using the key label. DES and PKA key tokens are held in independent key storag[...]
-
Page 394
CCA Release 2.54 Figure B-24. Key-Storage-File Header, Record 1 (not OS/400) Offset Length Meaning 00 04 The total length of this key record. 04 04 The record validation value. 08 64 The key label without separators. $$FORTRESS$REL01$MASTER$KEY$VERIFY$PATTERN . 72 15 The date and time of when this record was created. The date string consists of an [...]
-
Page 395
CCA Release 2.54 Figure B-25. Key-Storage File Header, Record 2 (not OS/400) Offset Length Meaning 00 04 The total length of this key record. 04 04 The record validation value. 08 64 The key label without separators. For the DES key-storage file the key label is $$FORTRESS$DES$REL01$KEY$STORAGE$FILE$HEADER . For the PKA key-storage file the key lab[...]
-
Page 396
CCA Release 2.54 Figure B-27. DES Key-Record Format, OS/400 Key Storage Offset Length Meaning 00 56 The key label without separators. 56 02 Reserved 58 64 The DES key token. 122 04 The date and time of when this record was created. This field has the same format as the created date in Figure B-24 on page B-21. 126 04 The date and time of when this [...]
-
Page 397
CCA Release 2.54 Key_Record_List Data Set There are two Key_Record_List verbs, one for the DES key store and one for the PKA key store. Each creates an internal data set that contains information about specified key records in key storage. Both verbs return the list in a data set, KYRLT nnn .LST, where nnn is the numeric portion of the name and nnn[...]
-
Page 398
CCA Release 2.54 Figure B-29 (Page 2 of 2). Key-Record-List Data Set Format (Other Than OS/400) Offset Length Meaning Detail Record (Part 1) 0 1 This field contains an asterisk (*) if the key-storage record did not have a correct record validation value; this record should be considered to be a potential error. 1 2 This field contains spaces for se[...]
-
Page 399
CCA Release 2.54 Figure B-30 (Page 1 of 2). Key-Record-List Data Set Format (OS/400 only) Offset Length Meaning Header Record 0 24 This field contains the installation-configured listing header (the default value for the DES key store is DES KEY-RECORD-LIST and for the PKA key store is PKA KEY-RECORD-LIST). 24 2 This field contains spaces for separ[...]
-
Page 400
CCA Release 2.54 Figure B-30 (Page 2 of 2). Key-Record-List Data Set Format (OS/400 only) Offset Length Meaning Detail Record 0 1 This field contains an asterisk (*) if the key-storage record did not have a correct record validation value; this record should be considered to be a potential error. 1 2 This field contains spaces for separation. 3 64 [...]
-
Page 401
CCA Release 2.54 Role Structure This section describes the data structures used with roles. Basic Structure of a Role The following figure describes how the Role data is structured. This is the format used when role data is transferred to or from the Coprocessor, using verbs CSUAACI or CSUAACM. Bytes Field ┌───────┐ 2 │ │ Role[...]
-
Page 402
CCA Release 2.54 Aggregate Role Structure A set of zero one or more role definitions are sent in a single data structure. This structure consists of a header , followed by one or more role structures as defined in “Basic Structure of a Role” on page B-29. The header defines the number of roles which follow in the rest of the structure. Its layo[...]
-
Page 403
CCA Release 2.54 The entire access-control-point structure is comprised of a header, followed by one or more access-control-point segments. The header indicates how many segments are contained in the entire structure. The layout of this structure is illustrated in Figure B-33. Bytes Field ┌───────┐ ──┐ 2 │ │ Number of se[...]
-
Page 404
CCA Release 2.54 Figure B-34 (Page 2 of 2). Functions Permitted in Default Role Code Function Name X ' 0113 ' Change the expiration date in a user profile X ' 0114 ' Change the authentication data (for example, passphrase) in a user profile X ' 0115 ' Reset the logon failure count in a user profile X ' 0116 '[...]
-
Page 405
CCA Release 2.54 The checksum is defined as the exclusive-OR (XOR) of each byte in the profile structure. The high-order byte of the checksum field is set to zero (X ' 00 ' ), and the exclusive-OR result is put in the low-order byte. Note: The checksum value is not used in the current profile structure. It may be verified by the Cryptogra[...]
-
Page 406
CCA Release 2.54 The header is followed by individual sets of authentication data, each containing the data for one authentication mechanism. This layout is shown pictorially in Figure B-38 on page B-34. Figure B-38. Layout of the Authentication Data Field The content of the individual Authentication Data structures is shown in Figure B-39 below. B[...]
-
Page 407
CCA Release 2.54 Figure B-39 (Page 1 of 2). Authentication Data for Each Authentication Mechanism Field name Length (bytes) Description Length 2 The size of this set of authentication mechanism data, in bytes. The length field includes all bytes of mechanism data following the length field itself. Mechanism ID 2 An identifier which describes the au[...]
-
Page 408
CCA Release 2.54 Authentication Data for Passphrase Authentication: For passphrase authentication, the mechanism data field contains the 20-byte SHA-1 hash of the user's passphrase. The hash is computed in the host, where it is used to construct the profile that is downloaded to the Coprocessor. Figure B-39 (Page 2 of 2). Authentication Data f[...]
-
Page 409
CCA Release 2.54 1 5a 2d 2 53 61 6d 7 6c 65 2 5 72 6f ...Z- Sample Pro 66 69 6c 65 2 31 2 2d ab cd 4a 5f 53 6d file 1 -....J_Sm 69 74 68 2 41 44 4d 49 4e 31 2 2 7 cd 6 1 ith ADMIN1 .... 7 cd c 1f 24 1 2 1 1 8 7 ce ....."... ..[...]
-
Page 410
CCA Release 2.54 1 1 5a 2d 2 53 61 ...........Z- Sa 6d 7 6c 65 2 5 72 6f 66 69 6c 65 2 31 2 2d mple Profile 1 - ab cd 4a 5f 53 6d 69 74 68 2 41 44 4d 49 ....J_Smith ADMI 4e 31 2 2 7 cd 6 1 7 cd c 1f 24 1 N1 .[...]
-
Page 411
CCA Release 2.54 00 03 The number of bytes of data in the access-control points for this segment. There are 3 bytes, for the access-control points from 512 through 535. 00 00 A reserved field, which must be filled with zeros. 8F 99 FE This is the second set of access-control points, with one bit corresponding to each point. Thus, the first byte con[...]
-
Page 412
CCA Release 2.54 Aggregate Role Data Structure Figure B-45 shows the an aggregate role data structure, like you would load using the CSUAACI verb. 1 1 62 2a 4e 65 77 ............New 2 64 65 66 61 75 6c 74 2 72 6f 6c 65 2 31 2a default role 1 ab cd 44 4[...]
-
Page 413
CCA Release 2.54 Master Key Shares Data Formats Master key shares, and potentially other information to be “cloned” from one Coprocessor to another Coprocessor are packed into a data structure as described in Figure B-46. Figure B-46. Cloning Information Token Data Structure Offset (Bytes) Length (Bytes) Description 000 001 X ' 1D ' ,[...]
-
Page 414
CCA Release 2.54 Function Control Vector The export (distribution) of cryptographic implementations by USA companies is controlled under USA Government export regulations. An IBM 4758 becomes a practical cryptographic engine when it accepts and validates digitally signed software. IBM has chosen to export the IBM 4758 as a non-cryptographic product[...]
-
Page 415
CCA Release 2.54 Figure B-49 (Page 2 of 2). FCV Distribution Structure Offset Decimal (Hex) Length Decimal Meaning FCV Supplied to Coprocessor (offset 470 above) 470 (1D6) 1 Record ID, X ' 06 ' 471 (1D7) 1 Version, X ' 00 ' 472 (1D8) 2 Padding, X ' 0000 ' 474 (1DA) 4 FCV record structure length, X ' CC ' , li[...]
-
Page 416
CCA Release 2.54 B-44 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 417
CCA Release 2.54 Appendix C. CCA Control-Vector Definitions and Key Encryption This appendix describes the following: DES control-vector values 1 Specifying a control-vector-base value Changing control vectors CCA key encryption and decryption processes. In the Common Cryptographic Architecture (CCA), a control vector is a non-secre[...]
-
Page 418
CCA Release 2.54 Usually there is a default control-vector associated with each of the key types just listed; see Figure C-2 on page C-3. The bits in positions 16-22 and 33-37 generally have different meanings for every key class. Many of the remaining bits in a control vector have a common meaning. Most of the DES key-management services permit yo[...]
-
Page 419
CCA Release 2.54 You can use the default control-vector for a key type, or you can create a more restrictive control-vector. The default control-vector for a key type provides basic key-separation functions. Optional usage restrictions can further tighten the security of the system. The cryptographic subsystem creates a default control vector for a[...]
-
Page 420
CCA Release 2.54 Figure C-2 (Page 2 of 2). Key Type Default Control-Vector Values Key Type Control Vector Hexadecimal Value for Single-length Key or Left Half of Double-Length Key Control Vector Hexadecimal Value for Right Half of Double-Length Key EXPORTER 00 41 7D 00 03 41 00 00 00 41 7D 00 03 21 00 00 IKEYXLAT 00 42 42 00 03 41 00 00 00 42 42 00[...]
-
Page 421
CCA Release 2.54 Control─Vector─Base Bits │ │ 1 1 1 │1 1 2 2 │2 2 2 3 │3 3 3 3 │4 4 4 4 │4 5 5 5 │5 5 6 6 │ │ 2 4 6 │8 2 4 │6 8 2 │4 6 8 │2 4 6 8 │ 2 4 6 │8 2 4 │6 8 2 │ │ │ │ │ │ │ │ │ │ │└─Most Significant Bit │ │ │ Least Signif[...]
-
Page 422
CCA Release 2.54 Control─Vector─Base Bits │ │ 1 1 1 │1 1 2 2 │2 2 2 3 │3 3 3 3 │4 4 4 4 │4 5 5 5 │5 5 6 6 │ │ 2 4 6 │8 2 4 │6 8 2 │4 6 8 │2 4 6 8 │ 2 4 6 │8 2 4 │6 8 2 │ │ │ │ │ │ │ │ │ │ │SECMSG │ │ │ │ │ │ │ │ │uu?[...]
-
Page 423
CCA Release 2.54 Key-Form Bits, ‘fff’ and ‘FFF’ The key-form bits, 40-42...and for a double-length key, bits 104-106...are designated ‘fff’ and ‘FFF’ in the preceding diagram. These bits can have these values: 000 Single-length key (only ‘fff’, not ‘FFF’) 010 Double-length key, left half 001 Double-length key, right half And[...]
-
Page 424
CCA Release 2.54 2. For key-encrypting keys, set the following bits: The Key-Encrypting Key-limiting bits, previously described as bits “hhh, bits 35 to 37,” are not supported in any current release of the Coprocessor CCA support. The key-generating usage bits (gks, bits 18 to 20). Set the gks bits to B ' 111 ' to indicate tha[...]
-
Page 425
CCA Release 2.54 The MAC control bits (bits 20 and 21). For a MAC generation key, set bits 20 and 21 to B ' 11 ' . For a MAC verification key, set bits 20 and 21 to B ' 01 ' . The key-form bits (fff, bits 40 to 42). For a single-length key, set the bits to B ' 000 ' . For a double-length key, set the bits to B [...]
-
Page 426
CCA Release 2.54 9. For the IPINENC (inbound) and OPINENC (outbound) PIN-block ciphering keys, do the following: Set the TRANSLAT bit (t, bit 21) to 1 to permit the key to be used in the PIN_Translate verb. The Control_Vector_Generate verb can set the TRANSLAT bit to 1 when you supply the TRANSLAT keyword. Set the REFORMAT bit (r, bit 22) t[...]
-
Page 427
CCA Release 2.54 13. For all keys, set the following bits: The export bit (E, bit 17). If set to 0, the export bit prevents a key from being exported. By setting this bit to 0, you can prevent the receiver of a key from exporting or translating the key for use in another cryptographic subsystem. Once this bit is set to 0, it cannot be set to 1 [...]
-
Page 428
CCA Release 2.54 CCA Key Encryption and Decryption Processes This section describes the CCA key-encryption processes: CCA DES key encryption CCA RSA private key encryption Encipherment of DES keys under RSA in “PKA92” format Encipherment of a DES key-encrypting key under RSA in “NL-EPP-5” format. CCA DES Key Encryption and D[...]
-
Page 429
CCA Release 2.54 ┌──────────────┬──────────────┬──────────────┐ ┌──────────────┬──────────────┐ │ Master Key │ │ Control Vector │ └────│─────────┴───?[...]
-
Page 430
CCA Release 2.54 PKA92 Key Format and Encryption Process The PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, and the PKA_Symmetric_Key_Import verbs optionally support a PKA92 method of encrypting a DES or CDMF key with an RSA public key. This format is adapted from the IBM Transaction Security System (TSS) 4753 and 4755 product's impleme[...]
-
Page 431
CCA Release 2.54 Decrypting Sub-process: RSA decrypt the AS External Key Block using an RSA private key and call the result of the decryption PKR. The private key must be usable for key management purposes. Validating Sub-process: Verify that the high-order two bits of the PKR record are valued to B ' 01 ' . and that the low-order four bi[...]
-
Page 432
CCA Release 2.54 Encrypting a Key_Encrypting Key in the NL-EPP-5 Format The PKA_Symmetric_Key_Generate verb supports a NL-EPP-5 method of encrypting a DES key-encrypting key with an RSA public key. The verb returns an encrypted key block by RSA encrypting a key record formed in the following manner: 1. Format the key and other data per Figure C-6 2[...]
-
Page 433
CCA Release 2.54 you can enter another part that is set to the value of the pre-exclusive-OR quantity (which quantity is discussed later). Use the Key_Generate verb to generate an IMPORTER/EXPORTER pair of KEKs, with the KEY-PART control vector bit set on. Then use the Key_Part_Import verb to enter an additional key part that is set to the valu[...]
-
Page 434
CCA Release 2.54 Note that if you are processing a double-length key, you almost certainly will have to process the key twice, using the key-encrypting key modified by different values each appropriate to a key half. Then you concatenate the resulting two correct key-halves. ┌───────────────────────?[...]
-
Page 435
CCA Release 2.54 CVil is the control vector for the left half of the target input PIN-block encrypting key. e*Km ⊕ CViml(Kt ⊕ CVir) e*Km ⊕ CVimr(Kt ⊕ CVir) where: CVir is the control vector for the right half of the target input PIN-block encrypting key. 2. Use the Key_Token_Build verb to build source (external) and target (inte[...]
-
Page 436
CCA Release 2.54 Changing Control Vectors with the Control_Vector_Translate Verb Do the following when using the Control_Vector_Translate verb: Provide the control information for testing the control vectors of the source, target, and key-encrypting keys to ensure that only sanctioned changes can be performed Select the key-half processing [...]
-
Page 437
CCA Release 2.54 This expression tests whether the control vectors associated with the source key and the target key meet your criteria for the desired translation. Encipher two copies of the mask array, each under a different cryptographic-variable key (key type CVARENC). To encipher each copy of the mask array, use the Cryptographic_Variable_Enci[...]
-
Page 438
CCA Release 2.54 For expression 1: KEK CV ┌─┬─┬─┬─┬─────┬─┬─┬─┬─┬───────────────────────────┐ Control Vector 2: Source CV ││1││1│... ││1││1│... │ Under Test 3: Target CV └─┴─┴─┴─┴─────?[...]
-
Page 439
CCA Release 2.54 Selecting the Key-Half Processing Mode The Control_Vector_Translate verb rule-array keywords determine which key halves are processed in the verb call, as shown in Figure C-9. Keyword SINGLE Keyword RIGHT Keyword BOTH Keyword LEFT ┌─────────┬─────────┐ ┌─────────┬─?[...]
-
Page 440
CCA Release 2.54 The verb first processes the source and target tokens as with the SINGLE keyword. Then the source token is processed using the single-length enciphered key and the source token right-half control vector to obtain the actual key value. The key value is then enciphered using the KEK and the control vector in the target token for the [...]
-
Page 441
CCA Release 2.54 Appendix D. Algorithms and Processes This appendix provides processing details for the following aspects of the CCA design: Cryptographic key-verification techniques Ciphering methods Triple-DES algorithms, EDE2 and EDE3 MAC calculation methods Access-control algorithms Master-key splitting algorithm RSA[...]
-
Page 442
CCA Release 2.54 S/390 Based Master Key Verification Method When the first and third portions of the symmetric master key have the same value, the master key is effectively a double-length DES key. In this case, the master key verification pattern (MKVP) is based on this algorithm: C = X ' 4545454545454545 ' IR = MK first-part ⊕[...]
-
Page 443
CCA Release 2.54 The CCA DES key verification algorithm does the following: 1. Sets KKR ′ = KKR exclusive-OR RN 2. Sets K1 = X ' 4545454545454545 ' 3. Sets X1 = DES encoding of KKL using key K1 4. Sets K2 = X1 exclusive-OR KKL 5. Sets X2 = DES encoding of KKR ′ using key K2 6. Sets VP = X2 exclusive-OR KKR ′ . where: RN Is the rando[...]
-
Page 444
CCA Release 2.54 When the keywords PADMDC-2 and PADMDC-4 are used, the supplied text is always padded as follows: If the supplied text is less than 16 bytes in length, pad bytes are appended to make the text length equal to 16 bytes. If the supplied text is at least 16 bytes in length, pad bytes are appended to make the text length equal to[...]
-
Page 445
CCA Release 2.54 MDC-2 Calculation The MDC-2 calculation consists of the following procedure: MDC-2 (n, text, KEY1, KEY2, MDC); For i := 1,2,...,n do Call MDC-1(KEY1, KEY2, T8<i>, T8<i>, OUT1, OUT2) Set KEY1 := OUT1 Set KEY2 := OUT2 End do Set output MDC := (KEY1 || KEY2). End procedure MDC-4 Calculation The MDC-4 calculation consists o[...]
-
Page 446
CCA Release 2.54 General Data Encryption Processes Although the fundamental concepts of ciphering (enciphering and deciphering) data are simple, different methods exist to process data strings that are not a multiple of eight bytes in length. Two widely used methods for enciphering general data are defined in these ANSI standards: ANSI X3.106 ([...]
-
Page 447
CCA Release 2.54 ANSI X3.106 Cipher Block Chaining (CBC) Method ANSI standard X3.106 defines four modes of operation for ciphering. One of these modes, Cipher Block Chaining (CBC), defines the basic method for ciphering multiple eight-byte data strings. Figure D-3 and Figure D-4 on page D-8 show Cipher Block Chaining using the Encipher and the Deci[...]
-
Page 448
CCA Release 2.54 ┌──────────────┐ │Verb Parameter│ └──────┬───────┘ │ ┌─────────────┐ ────── Plaintext from Application Program ──────────── │Initialization│ ┌─────────────?[...]
-
Page 449
CCA Release 2.54 ┌──────────────┐ │Verb Parameter│ └──────┬───────┘ │ ┌─────────────┐ ── Plaintext from Application Program ─── │Initialization│ ┌────────────────┐ ┌────────[...]
-
Page 450
CCA Release 2.54 Triple-DES Ciphering Algorithms Triple-DES is used to encrypt keys, PIN blocks, and general data. Several techniques are employed: T-DES ECB DES keys, when triple encrypted under a double-length DES key, are ciphered using an e-d-e scheme without feedback. SeeFigure C-4 on page C-13. Triple-DES CBC Encryption of general data, and R[...]
-
Page 451
CCA Release 2.54 ┌─────────────┬─────────────┬─────────────┬/┬─────────────┐ │ T164 │ T264 │ T364 │ │ Tn64 │ └──────┬──────┴──────┬──────┴?[...]
-
Page 452
CCA Release 2.54 ┌─────────────┬─────────────┬─────────────┬/┬─────────────┐ EDE2 EDE3 EDE5 │ T1<64> │ T2<64> │ T3<64> │ │ Tn<64> │ └──────┬──────┴──────┬[...]
-
Page 453
CCA Release 2.54 MAC Calculation Methods With CCA Release 2.51, three variations of DES based message authentication are supported by the MAC_Generate and MAC_Verify verbs: ANSI X9.9 ANSI X9.19 optional Procedure 1 EMV post-padding of X ' 80 ' . The Financial Institution (Wholesale) Message Authentication Standard (ANSI X9.9-1[...]
-
Page 454
CCA Release 2.54 T1 T2 Tn-1 Tn │ ┌──┴──┐ ┌──┴──┐ ┌──┴──┐ ││ │ │ │ │ │ │ ┌──┤ XOR │ ┌──┤ XOR │ ┌──┤ XOR │ │ │ ││ │ ││ │ ││ │ │ └──┬──┘ │ └──┬──┘ │ └──┬──┘ │ ?[...]
-
Page 455
CCA Release 2.54 RSA Key-Pair Generation RSA key-pair generation is determined based on user input of the modulus bit length, public exponent, and key type. The output is based on creating primes p and q in conformance with ANSI X9.31 requirements as follows: prime p bit length = ((modulus_bit_length +1)/2) prime q bit length = modulus_bit_[...]
-
Page 456
CCA Release 2.54 Access-Control Algorithms The following sections describe algorithms and protocols used by the access-control system. Passphrase Verification Protocol This section describes the process used to log a user on to the Cryptographic Coprocessor. Design Criteria The passphrase verification protocol is designed to meet the following crit[...]
-
Page 457
CCA Release 2.54 3. The client workstation generates a random number, RN (64 bits). Note: Note: The random-number RN is not used inside the Cryptographic Coprocessor. It is only included in the protocol to guarantee that the cleartext of the logon request is different every time. 4. The client workstation sends a logon request to the Cryptographic [...]
-
Page 458
CCA Release 2.54 Master-Key-Splitting Algorithm This section describes the mathematical and cryptographic basis for the m-of-n key shares scheme. The key splitting is based on Shamir's secret sharing algorithm: The value to be shared is the master key, Km, which is a triple-DES key and thus 168 bits long. Let P be the first prime number larger[...]
-
Page 459
CCA Release 2.54 Formatting Hashes and Keys in Public-Key Cryptography The Digital_Signature_Generate and Digital_Signature_Verify verbs support several methods for formatting a hash, and in some cases a descriptor for the hashing method, into a bit-string to be processed by the cryptographic algorithm. This section discusses the ANSI X9.31 and PKC[...]
-
Page 460
CCA Release 2.54 – RSASSA-PKCS1-v1_5, the newer name for the block-type 1 format. In CCA, keyword PKCS-1.1 is used to invoke this formatting technique. – The PKCS #1 specification no longer discusses use of block-type 0. In CCA, keyword PKCS-1.0 is used to invoke this formatting technique. Use of block-type 0 is discouraged. Using the terminolo[...]
-
Page 461
CCA Release 2.54 Appendix E. Financial System Verbs Calculation Methods and Data Formats This appendix describes the following: PIN-calculation methods PIN-block formats Unique-key-per-transaction calculation methods MasterCard and VISA card verification techniques VISA and EMV smart card PIN-related formats and processes. The P[...]
-
Page 462
CCA Release 2.54 PIN-Calculation Methods The financial PIN verbs support some or all of these PIN-calculation methods, see Figure 8-3 on page 8-6: IBM 3624 PIN (IBM-PIN) IBM 3624 PIN Offset (IBM-PINO) Netherlands PIN-1 (NL-PIN-1). IBM German Bank Pool Institution PIN VISA PIN Validation Value (PVV) Interbank PIN In the descr[...]
-
Page 463
CCA Release 2.54 IBM 3624 PIN-Calculation Method The IBM 3624 PIN-calculation method calculates a PIN that is from 4 to 16 digits in length. The IBM 3624 PIN-calculation method consists of the following steps to create the A-PIN: 1. Encrypt the hexadecimal validation data with a key that has a control vector that specifies the PINGEN (or PINVER) ke[...]
-
Page 464
CCA Release 2.54 IBM 3624 PIN Offset Calculation Method The IBM 3624 PIN Offset calculation method is the same as the IBM 3624 PIN-calculation method except that a step is added after the A-PIN is calculated to calculate or use an offset, O-PIN: To calculate an O-PIN, the additional step subtracts (digit-by-digit, modulo 10, with no carry) the [...]
-
Page 465
CCA Release 2.54 Netherlands PIN-1 Calculation Method The Netherlands PIN-1 (NL-PIN-1) calculation method calculates a PIN that is 4 digits in length. The method consists of the following steps to create the A-PIN: 1. Encrypt the hexadecimal validation data with a key that has a control vector that specifies the PINGEN (or PINVER) key type to produ[...]
-
Page 466
CCA Release 2.54 IBM German Bank Pool Institution PIN-Calculation Method The IBM German Bank Pool Institution PIN calculation method calculates an institution PIN that is 4 digits in length. The German Bank Pool Institution PIN-calculation method consists of the following steps: 1. Encrypt the hexadecimal validation data with an institution key tha[...]
-
Page 467
CCA Release 2.54 VISA PIN Validation Value (PVV) Calculation Method The VISA-PVV calculation method calculates a VISA-PVV that is 4 digits in length. The VISA PIN Validation Value (PVV) calculation method consists of the following steps: 1. Let X denote the transaction_security_parameter element. This parameter is the result of concatenating the 12[...]
-
Page 468
CCA Release 2.54 Interbank PIN-Calculation Method The Interbank PIN-calculation method consists of the following steps: 1. Let X denote the transaction_security_parameter element converted to an array of sixteen 4-bit numeric values. This parameter consists of (in the following sequence) the 11 rightmost digits of the customer PAN (excluding the ch[...]
-
Page 469
CCA Release 2.54 PIN-Block Formats The PIN verbs support one or more of the following PIN-block formats: IBM 3624 format ISO-0 format (same as the ANSI X9.8, VISA-1, and ECI formats). ISO-1 format (same as the ECI-4 format) ISO-2 format 3624 PIN-Block Format The 3624 PIN-block format supports a PIN from 1 to 16 digits in length. A P[...]
-
Page 470
CCA Release 2.54 ISO-0 PIN-Block Format An ISO-0 PIN-block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1 PIN-block formats. The ISO-0 PIN-block format supports a PIN from 4 to 12 digits in length. A PIN that is longer than 12 digits is truncated on the right. The following are the formats of the intermediate PIN-block, the PAN block, and[...]
-
Page 471
CCA Release 2.54 ISO-1 PIN-Block Format The ISO-1 PIN-block format is equivalent to an ECI-4 PIN-block format. The ISO-1 PIN-block format supports a PIN from 4 to 12 digits in length. A PIN that is longer than 12 digits is truncated on the right. The following is the ISO-1 PIN-block format: 1 2 3 4 5 6 7 8 9 1 11 12 13 14 15 16 ┌───┬?[...]
-
Page 472
CCA Release 2.54 ISO-2 PIN-Block Format The ISO-2 PIN-block format supports a PIN from 4 to 12 digits in length. A PIN that is longer than 12 digits is truncated on the right. The following is the ISO-2 PIN-block format: 1 2 3 4 5 6 7 8 9 1 11 12 13 14 15 16 ┌───┬───┬───┬───┬───┬───┬───┬?[...]
-
Page 473
CCA Release 2.54 UKPT Calculation Methods This section describes the calculation methods for deriving the unique-key-per-transaction (UKPT) key according to ANSI X9.24 and performing the special encryption and special decryption processes. 1 Deriving an ANSI X9.24 Unique-Key-Per-Transaction Key To determine the current-transaction encrypting key us[...]
-
Page 474
CCA Release 2.54 a. Move the rightmost 8 bytes of the current key serial number to a work area ( W a ). b. Move the rightmost 3 bytes of W a to another work area ( C a ). c. Perform an AND operation with the rightmost 3 bytes of W a with X ' E00000 ' . This operation clears the encryption counter from W a . d. Perform an AND operation wit[...]
-
Page 475
CCA Release 2.54 The following is an example of calculating the current PIN encrypting key: W a = X'4567 89AB CDE ' C a = X'11' S a 1 = X'1' T a 1 = X'4567 89AB CDF ' T b 1 = X'6489 F5A3 1618 2AB' T c 1 = X'F9AC C638 1939 44BC' K a 2[...]
-
Page 476
CCA Release 2.54 CVV and CVC Method Figure E-6 2 shows the method used to generate a card-verification value (CVV) for track 2. Each (decimal) digit is represented as a 4-bit, binary value and packed two digits per byte. ┌─────────────────┬──────────┬─────────────[...]
-
Page 477
CCA Release 2.54 VISA and EMV-Related Smart Card Formats and Processes The VISA and EMV specifications for performing secure messaging with an EMV compliant smart card are covered in these documents: EMV 2000 Integrated Circuit Card Specification for Payment Systems Version 4.0 (EMV4.0) Book 2 Design VISA Integrated Circuit Card Specificati[...]
-
Page 478
CCA Release 2.54 3. Set the second digit of block-2 to the length of the new PIN (4 to 12), followed by the new PIN, and padded to the right with X ' F ' . 4. Include any current PIN by placing it into the leftmost digits of block-3. 5. Exclusive-OR blocks -1, -2, and -3 to form the 8-byte PIN block. 6. Pad the PIN block with other portio[...]
-
Page 479
CCA Release 2.54 TDESEMV2 causes processing with a branch factor of 2 and a height of 16. TDESEMV4 causes processing with a branch factor of 4 and a height of 8. PIN-Block Self-encryption In the Secure_Messaging_for_PINs (CSNBSPN) verb, you can use the SELFENC rule-array keyword to specify that the eight-byte PIN block shall be used as a DE[...]
-
Page 480
CCA Release 2.54 E-20 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 481
CCA Release 2.54 Appendix F. Verb List This appendix lists the verbs supported by the CCA Support Program feature for the IBM 4758 PCI Cryptographic Coprocessor. Figure F-1 lists each verb by the verb’s pseudonym and entry-point name and shows the operating environment under which the verb is supported. A check ( √ ) in the operating environmen[...]
-
Page 482
CCA Release 2.54 Figure F-1 (Page 2 of 3). Security API Verbs in Supported Environments Pseudonym Entry-Point OS/2 AIX NT OS/400 Page Data Confidentiality and Data Integrity Verbs Decipher CSNBDEC √ √ √ √ 6-5 Digital_Signature_Generate CSNDDSG √ √ √ √ 4-4 Digital_Signature_Verify CSNDDSV √ √ √ √ 4-7 Encipher CSNBENC √ √ [...]
-
Page 483
CCA Release 2.54 Figure F-1 (Page 3 of 3). Security API Verbs in Supported Environments Pseudonym Entry-Point OS/2 AIX NT OS/400 Page Financial Services Support Verbs Clear_PIN_Encrypt CSNBCPE √ √ √ √ 8-15 Clear_PIN_Generate CSNBPGN √ √ √ √ 8-18 Clear_PIN_Generate_Alternate CSNBCPA √ √ √ √ 8-21 CVV_Generate CSNBCSG √ √ ?[...]
-
Page 484
CCA Release 2.54 F-4 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 485
CCA Release 2.54 Appendix G. Access-Control-Point Codes The table in this appendix lists the CCA access-control commands (“control points”). The role to which a user is assigned determines the commands available to that user. Important: By default, you should disable commands. Do not enable a command unless you know why you are enabling it. The[...]
-
Page 486
CCA Release 2.54 Figure G-1 (Page 1 of 4). Supported CCA Commands Offset Command Name Verb Name Entry Usage X ' 000E ' Encipher Encipher CSNBENC O X ' 000F ' Decipher Decipher CSNBDEC O X ' 0010 ' Generate MAC MAC_Generate CSNBMGN O X ' 0011 ' Verify MAC MAC_Verify CSNBMVR O X ' 0012 ' Reencipher to[...]
-
Page 487
CCA Release 2.54 Figure G-1 (Page 2 of 4). Supported CCA Commands Offset Command Name Verb Name Entry Usage X ' 008E ' Generate Key Key_Generate ‡ Random_Number_Generate CSNBKGN CSNBRNG R X ' 0090 ' Reencipher to Current Master Key Key_Token_Change CSNBKTC R X ' 00A0 ' Generate Clear 3624 PIN Clear_PIN_Generate CSNBP[...]
-
Page 488
CCA Release 2.54 Figure G-1 (Page 3 of 4). Supported CCA Commands Offset Command Name Verb Name Entry Usage X ' 0109 ' Data Key Import Data_Key_Import CSNBDKM O X ' 010A ' Data Key Export Data_Key_Export CSNBDKX O X ' 010B ' Compose SET Block SET_Block_Compose CSNDSBC O X ' 010C ' Decompose SET Block SET_Bloc[...]
-
Page 489
CCA Release 2.54 Figure G-1 (Page 4 of 4). Supported CCA Commands Offset Command Name Verb Name Entry Usage X ' 0230 ' List Retained Key Retained_Key_List CSNDRKL O X ' 0231 ' Generate Clear NL-PIN-1 Offset Clear_PIN_Generate_Alternate † CSNBCPA O X ' 0232 ' Verify Encrypted NL-PIN-1 Encrypted_PIN_Verify † CSNBPVR [...]
-
Page 490
CCA Release 2.54 G-6 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 491
CCA Release 2.54 List of Abbreviations ANSI American National Standards Institute ACF/VTAM Advanced Communications Function for the Virtual Telecommunications Access Method AIX Advanced Interactive Executive operating system APF Authorized Program Facility API Application Programming Interface ASCII American National Standard Code for Information I[...]
-
Page 492
CCA Release 2.54 ROM Read-Only Memory RPQ Request for Price Quotation RSA Rivest, Shamir, and Adleman SAA Systems Application Architecture SAF System Authorization Facility SHA Secure Hashing Algorithm SNA Systems Network Architecture TLV Tag, Length, Value TSS Transaction Security System UKPT Unique-Key-Per-Transaction VM Virtual Machine X-2 IBM 4[...]
-
Page 493
CCA Release 2.54 Glossary This glossary includes some terms and definitions from the IBM Dictionary of Computing , New York: McGraw Hill, 1994. This glossary also includes some terms and definitions from: The American National Standard Dictionary for Information Systems , ANSI X3.172-1990, copyright 1990 by the American National Standards Insti[...]
-
Page 494
CCA Release 2.54 B bus . In a processor, a physical facility along which data is transferred. byte . (1) A binary character operated on as a unit and usually shorter than a computer word. (A) (2) A string that consists of a number of bits, treated as a unit, and representing a character. (3) A group of eight adjacent binary digits that represents o[...]
-
Page 495
CCA Release 2.54 decipher . (1) To convert enciphered data into clear data. (2) Synonym for decrypt . (3) Contrast with encipher . decode . (1) To convert data by reversing the effect of some previous encoding. (A) (I) (2) In the CCA products, decode and encode relate to the Electronic Code Book mode of the Data Encryption Standard (DES). (3) Contr[...]
-
Page 496
CCA Release 2.54 H host . (1) In this publication, same as host computer or host processor. The machine in which the Coprocessor resides. (2) In a computer network, the computer that usually performs network-control functions and provides end-users with services such as computation and database access. (T) I IMPORTER key . (1) In the CCA implementa[...]
-
Page 497
CCA Release 2.54 N National Institute of Science and Technology (NIST) . This is the current name for the US National Bureau of Standards. network . (1) A configuration of data-processing devices and software programs connected for information interchange. (2) An arrangement of nodes and connecting branches. (T) Network Security Processor (IBM 4753[...]
-
Page 498
CCA Release 2.54 reason code . (1) A value that provides a specific result as opposed to a general result. (2) Contrast with return code . replicated key-half . In the CCA implementation, a double-length DES key where the two halves of the clear-key value are equal. Resource Access Control Facility (RACF) . RACF is an IBM licensed program that enab[...]
-
Page 499
CCA Release 2.54 U Unique Key Per Transaction (UKPT) . UKPT is a cryptographic process that can be used to decipher PIN blocks in a transaction. user-exit routine . A user-written routine that receives control at predefined user-exit points. user ID . User identification. userid . A string of characters that uniquely identifies a user to the system[...]
-
Page 500
CCA Release 2.54 X-10 IBM 4758 CCA Basic Services, Release 2.54, February 2005[...]
-
Page 501
CCA Release 2.54 Index A Access Control, CCA 2-2 Access_Control_Initialization (CSUAACI) 2-21 Access_Control_Maintenance (CSUAACM) 2-24 American Express transaction validation verb 8-75 American National Standards Institute (ANSI) X3.106 (CBC) method D-7 X9.19 method D-13 X9.23 method D-7 X9.9 method D-13 ANSI X9.24 DUKPT 8-37, 8-42 ANSI X9.31 hash[...]
-
Page 502
CCA Release 2.54 CSNBCPA (Clear_PIN_Generate_Alternate) 8-21 CSNBCPE (Clear_PIN_Encrypt) 8-15 CSNBCSG (CVV_Generate) 8-27 CSNBCSV (CVV_Verify) 8-30 CSNBCVE (Cryptographic_Variable_Encipher) 5-29 CSNBCVG (Control_Vector_Generate) 5-24 CSNBCVT (Control_Vector_Translate) 5-26 CSNBDEC (Decipher) 6-5 CSNBDKG (Diversified_Key_Generate) 5-35 CSNBDKM (Data[...]
-
Page 503
CCA Release 2.54 E EMV (Europay, Mastercard, VISA) application transaction counter (ATC) E-18 MAC padding method D-13 PIN-block self-encryption E-19 PIN_Change/Unblock verb 8-52 Secure_Messaging_for_Keys verb 8-59 Secure_Messaging_for_PINs verb 8-62 session key derivation, TDES-XOR E-18 session-key tree-based key-diversification E-18 smart-card-spe[...]
-
Page 504
CCA Release 2.54 I IM (importable) keys 5-4 importable (IM) keys 5-4 importing, description 5-18, C-17 initializing key storage 2-48, 2-50 input/output (I/O) parameters 1-10 installing keys 5-15 intermediate PIN-block (IPB) E-10 internal 5-14 key tokens building 5-61 copying into application storage 7-9 copying into key storage 7-10, 7-19 format B-[...]
-
Page 505
CCA Release 2.54 keys activating 3-22 asymmetric 5-6 ciphering 5-7, 5-10 clear 5-16 control vectors 5-4 deactivating 3-22 deleting 3-22, 7-13, 7-21 double-length 5-6 exportable (EX) 5-4 exporting, asymmetric techniques 5-19 exporting, symmetric techniques 5-18 external 5-4 generating, DES 5-16 generating, RSA D-15 identifiers 5-14 importable (IM) 5[...]
-
Page 506
CCA Release 2.54 listing keys 7-22 loading a master key 2-59, 2-64 Logging on and logging off 2-7 logon context information 2-8 Logon Control (CSUALCT) 2-52 Logon_Control (CSUALCT) 2-52 M m-of-n master-key shares 2-14 MAC_Generate (CSNBMGN) 6-3 MAC_Verify (CSNBMVR) 6-3 MACVER key type, MAC_Verify verb 5-7 managing DES keys Common Cryptographic Arch[...]
-
Page 507
CCA Release 2.54 reenciphering keys 3-22 replicated key-half export restriction 5-34, 5-42, 5-52 export restriction an EXPORTER transport key 5-31 Required Commands Description B-30 List of access-control-point codes G-1 Overview 2-3 Retained_Key_Delete (CSNDRKD) 7-21 Retained_Key_List (CSNDRKL) 7-22 return_code parameter 1-11 roles, access control[...]
-
Page 508
IBM CCA Release 2.54 PDF File[...]