Cryptographic Key Data Set (CKDS) formats

There are three formats of the CKDS: a fixed length record format (supported by all releases of ICSF), a variable length record format (supported by HCR7780 and later releases), and the KDSR record format, which is common to all KDS types (supported by HCR77A1 and later releases). The variable length record format is required only if AES or HMAC variable-length key tokens are to be stored in the CKDS; it can also hold all existing symmetric key types. KDSR is itself a variable length record format: it supports all the functions of the original variable length record format and additionally allows ICSF to track key usage when so configured.

Format of the CKDS header record

Table 1. Cryptographic Key Data Set Header Record Format
Offset (Dec) Number of Bytes Field Name Description
0 72 Constant

The field is set to binary zeros and is not used for the header record.

72 8 Creation date

The date the CKDS was initialized in the format yyyymmdd.

80 8 Creation time

The initial time the CKDS was created in the format hhmmssth.

88 8 Last update date

The most recent date the CKDS was updated, in the format yyyymmdd.

96 8 Last update time

The most recent time the CKDS was updated, in the format hhmmssth.

104 2 Sequence number

Initially zero in binary. Incremented each time the data set is processed, unless HDRDATE(NO) is specified in the ICSF options data set.

106 2 CKDS header flag bytes

Flag bytes. Meaning of each bit when set on:
Bit 0: The DES master key verification pattern is valid.
Bit 1: Reserved.
Bit 2: The AES master key verification pattern is valid.
Bits 3–8: Reserved.
Bit 9: The record format is variable. Set on for either the variable length record format or the KDSR record format.
Bit 10: CKDS not completely written; records are missing.
Bits 11–15: Reserved.
Note: After the bits are set on, the given values remain constant in ICSF.
108 8 DES master key verification pattern

The system DES master key verification pattern.

116 8 Reserved

124 8 AES master key verification pattern

The system AES master key verification pattern.

132 4 Record length

Length of the record in bytes. X'00000000' for the fixed length record format. X'000000FC' for either the variable length record format or the KDSR record format.

136 1 Record version

Version number of the CKDS in binary. Set to X'00' for the fixed length record format or the variable length record format. Set to X'02' or greater for the KDSR record format.

137 59 Reserved

196 52 Installation data

Installation data associated with the CKDS record, as supplied by an installation exit.

248 4 Authentication code

The code generated by the authentication process that ensures that the CKDS header record has not been modified since the last update. The authentication code is placed in the CKDS header record when the CKDS is initialized. ICSF verifies the CKDS header record authentication code whenever a CKDS is reenciphered, refreshed, or converted from PCF to ICSF format. This field is not used when the record level authentication flag is set in the CKDS header flag bytes field of the CKDS header record.

Format of the fixed-length CKDS record

Table 2. Cryptographic Key Data Set Record Format
Offset (Dec) Number of Bytes Field Name Description
0 64 Key label

The key label specified by the KGUP control statement or Clear Key Input panel when the record was created. When using KGUP and the callable services, you can specify the label to identify the record. The key label is the first field of the key index.

64 8 Key type

The type of key the record contains. The master key variant for the key type enciphers the key. A KGUP control statement or Clear Key Input panel specifies the key type when the record is created. The key type is the second field of the key index.

72 8 Creation date

The initial date the CKDS record was created in the format yyyymmdd.

80 8 Creation time

The initial time the CKDS record was created in the format hhmmssth.

88 8 Last update date

The most recent date the CKDS record was updated in the format yyyymmdd.

96 8 Last update time

The most recent time the CKDS record was updated in the format hhmmssth.

104 64 Key token

The internal key token. A key token contains the key value. Refer to DES internal key token for the format of the internal key token.

168 2 CKDS flag bytes

Flag bytes. Meaning of each bit when set on:
Bit 0: The key within the key token field (offset 104) is a partial key. You can enter key parts through the key entry hardware. A partial key is a key whose final key part has not been entered yet.
Bit 1: Reserved.
Bit 2: CKDS label must be unique.
Bits 3–7: Reserved.
Note: When bit 0 is off, the key within the key token field (offset 104) is an entire key.

170 26 Reserved
196 52 Installation data

Installation data associated with the CKDS record as supplied by an installation exit.

248 4 Authentication code

The code generated by the authentication process that ensures the CKDS record has not been modified since the last update. The authentication code is placed in the CKDS record when the record is created. When you refresh, reencipher, or convert a CKDS, ICSF verifies each CKDS record as ICSF performs the action. This field is not used when the record level authentication flag is set in the CKDS header flag bytes field of the CKDS header record.

Format of the variable-length CKDS record

The following table presents the format of each variable-length data set record.

Table 3. Variable-Length Cryptographic Key Data Set Record Format
Offset (Dec) Number of Bytes Field Name Description
0 64 Key label

The label or name of this CKDS record. The key label is the first field of the key index.

64 8 Key type

The type of key the record contains. The key type is the second field of the key index.

72 8 Creation date

The initial date the CKDS record was created in the format yyyymmdd.

80 8 Creation time

The initial time the CKDS record was created in the format hhmmssth.

88 8 Last update date

The most recent date the CKDS record was updated in the format yyyymmdd.

96 8 Last update time

The most recent time the CKDS record was updated in the format hhmmssth.

104 4 Record length

Length of the entire record including the key token.

108 60 Reserved

168 2 CKDS flag bytes

Flag bytes. Meaning of each bit when set on:
Bit 0: The key within the key token field (offset 268) is a partial key.
Bit 1: Reserved.
Bit 2: CKDS label must be unique.
Bit 3: The record format is variable. Always set on in this record format.
Bits 4–7: Reserved.
Note: When bit 0 is off, the key within the key token field (offset 268) is an entire key.

170 26 Reserved

196 52 Installation data

Installation data associated with the CKDS record, as supplied by an installation exit.

248 20 Authentication code

The record authentication code.

268 variable Key token

The key token. Its length is the record length (offset 104) minus 268.
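As an added worked example, not part of this IBM reference page nor of ICSF itself, the following Python parser reads a CKDS image laid out as the header record followed by key records end to end, selects the fixed or variable record layout from header flag bit 9, cross-checks that choice against the header's record length and record version fields, and exposes the partial-key flag and the "not completely written" header flag. It assumes text fields are EBCDIC (cp037) and that records follow the header contiguously, as in an unloaded copy; the real CKDS is a keyed VSAM data set, so that layout is an assumption. The sample labels, key types, dates and tokens it builds are made up. KDSR headers are recognised but KDSR records are not parsed, since their layout is documented elsewhere.

```python
import struct
from dataclasses import dataclass

EBCDIC = "cp037"       # assumption: text fields are EBCDIC, as z/OS data sets normally are
FIXED_LEN = 252        # fixed-length record: 248-byte body + 4-byte authentication code
VAR_FIXED_PART = 268   # variable-length record: 248 + 20-byte authentication code, then token

def bit(flags: int, n: int) -> bool:
    """IBM bit numbering: bit 0 is the most significant bit of the 16-bit field."""
    return bool(flags & (0x8000 >> n))

def _text(buf: bytes, start: int, length: int) -> str:
    return buf[start:start + length].decode(EBCDIC).rstrip()

@dataclass
class Header:
    creation_date: str
    last_update_date: str
    flags: int
    des_mkvp: bytes
    aes_mkvp: bytes
    record_length: int
    record_version: int
    @property
    def incomplete(self) -> bool:      # bit 10: CKDS not completely written, records missing
        return bit(self.flags, 10)
    @property
    def format(self) -> str:           # bit 9 off: fixed; on: variable, or KDSR if version >= 2
        if not bit(self.flags, 9):
            return "fixed"
        return "KDSR" if self.record_version >= 2 else "variable"

@dataclass
class Record:
    label: str
    key_type: str
    flags: int
    auth_code: bytes
    key_token: bytes
    size: int                          # bytes the record occupies in the stream
    @property
    def partial_key(self) -> bool:     # bit 0: final key part has not been entered yet
        return bit(self.flags, 0)

def parse_header(buf: bytes) -> Header:
    if len(buf) < FIXED_LEN or buf[:72] != bytes(72):
        raise ValueError("missing header record or constant field is not binary zeros")
    flags = struct.unpack(">H", buf[106:108])[0]
    rec_len = struct.unpack(">I", buf[132:136])[0]
    version = buf[136]
    if bit(flags, 9):                  # bit 9, record length and record version must agree
        if rec_len != 0xFC or version == 1:
            raise ValueError("variable-format header with inconsistent length/version")
    elif rec_len != 0 or version != 0:
        raise ValueError("fixed-format header must carry record length 0 and version 0")
    return Header(_text(buf, 72, 8), _text(buf, 88, 8), flags,
                  buf[108:116], buf[124:132], rec_len, version)

def parse_record(buf: bytes, off: int, variable: bool) -> Record:
    if len(buf) - off < (VAR_FIXED_PART if variable else FIXED_LEN):
        raise ValueError(f"truncated record at offset {off}")
    label, key_type = _text(buf, off, 64), _text(buf, off + 64, 8)
    flags = struct.unpack(">H", buf[off + 168:off + 170])[0]
    if not variable:                   # 64-byte token at 104, 4-byte auth code at 248
        return Record(label, key_type, flags, buf[off + 248:off + 252],
                      buf[off + 104:off + 168], FIXED_LEN)
    rec_len = struct.unpack(">I", buf[off + 104:off + 108])[0]
    if rec_len < VAR_FIXED_PART or off + rec_len > len(buf):
        raise ValueError(f"bad variable-length record length {rec_len} at offset {off}")
    if not bit(flags, 3):              # bit 3 is always on in a variable-length record
        raise ValueError(f"record at offset {off} lacks the variable-format flag")
    return Record(label, key_type, flags, buf[off + 248:off + 268],
                  buf[off + 268:off + rec_len], rec_len)

def parse_ckds(buf: bytes):            # header, then records end to end (assumed unload layout)
    hdr = parse_header(buf)
    if hdr.format == "KDSR":
        raise ValueError("KDSR record layout is documented separately; not parsed here")
    records, off = [], FIXED_LEN
    while off < len(buf):
        records.append(parse_record(buf, off, hdr.format == "variable"))
        off += records[-1].size
    return hdr, records

def _ebcdic(s: str, width: int) -> bytes:   # builders for constructed sample data, not real ICSF output
    return s.ljust(width).encode(EBCDIC)
STAMPS = (_ebcdic("20240102", 8) + _ebcdic("10203040", 8)) * 2   # made-up creation + last update

def build_header(variable: bool, version: int = 0, extra_flags: int = 0) -> bytes:
    flags = extra_flags | (0x0040 if variable else 0)              # bit 9 == X'0040'
    return (bytes(72) + STAMPS + struct.pack(">HH", 0, flags) + bytes(24)
            + struct.pack(">I", 0xFC if variable else 0) + bytes([version]) + bytes(115))

def build_record(label: str, key_type: str, token: bytes, variable: bool, flags: int = 0) -> bytes:
    head = _ebcdic(label, 64) + _ebcdic(key_type, 8) + STAMPS
    if not variable:                   # token must be exactly 64 bytes
        return head + token + struct.pack(">H", flags) + bytes(82)
    return (head + struct.pack(">I", VAR_FIXED_PART + len(token)) + bytes(60)
            + struct.pack(">H", flags | 0x1000) + bytes(98) + token)
```

The consistency checks in parse_header are the point of the example: a header whose bit 9, record length and record version disagree has been tampered with or mis-copied, and a set bit 10 means the data set is missing records, so a practitioner inspecting a CKDS copy should test both before trusting any record it contains.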

Format of KDSR CKDS record

See KDSR record format for more information on this CKDS record.