DES keys

Key separation for DES keys is controlled by the control vector. The control vector has fields for the key type, key usage, and key management. See Appendix B, Control Vectors and Changing Control Vectors with the CVT Callable Service, in the z/OS Cryptographic Services ICSF Application Programmer's Guide for details on control vectors. The control vector is cryptographically bound to the encrypted key value when the key is encrypted under the master key or a transport key.

The cryptographic coprocessor encrypts each operational key under a unique variation of the DES master key. Each variation encrypts a different type of key. Although you define only one master key, in effect you have a unique master key to encrypt each type of key that is used in DES services.

DES keys can be single-length or double-length keys, depending on their key type. A single-length key is 64 bits and a double-length key is 128 bits. For double-length keys, one control vector exists for the left half of the key and another control vector for the right half of the key. Therefore, ICSF creates a master key variant or transport key variant for each half of the key that the master key or transport key protects. Triple-length DATA keys do not have a control vector.

A key that is protected under the master key is in operational form, which means that ICSF can use it in cryptographic functions on the system. As is shown in Figure 1, all secure keys that you want ICSF to use in cryptographic functions are enciphered under the master key.

Whenever the master key is used to encipher a key, the cryptographic coprocessor produces a variation of the master key according to the type of key that is being enciphered. These variations are called master key variants. The cryptographic coprocessor creates a master key variant by exclusive ORing a fixed pattern, called a control vector, with the master key. Each type of key that is used in DES services has a unique control vector associated with it. For example, the cryptographic coprocessor uses one control vector when the master key enciphers a PIN generation key and a different control vector when the master key enciphers a PIN verification key.

Figure 1. Keys protected in a system

When systems need to share keys, transport keys are used to protect keys that are sent outside a system. A key that is enciphered under a transport key cannot be used in a cryptographic function. The key must first be brought into a system, deciphered from under the transport key, and enciphered under the system's master key.

ICSF creates variations of a transport key to encrypt a key according to its type. Whenever a transport key is used to encipher a key, the cryptographic feature produces the variation of the transport key according to the type of key that is being enciphered. This allows for key separation when a key is transported off the system.

A transport key variant, also called a key-encrypting key variant, is created in the same way as a master key variant. The transport key is exclusive ORed with the control vector that is associated with the key type of the key it protects. See the Control Vector Table for a listing of the control vector that is used for each key type.
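The variant mechanism described for master keys above and for transport keys here, as an added example that is not ICSF or CCA code: a 16-byte double-length key is enciphered half by half under a transport key that has been exclusive ORed with the control vector for that half, and deciphering the token under any other control vector pair does not recover the key. The CV byte patterns, the transport key, and the assumption that the 8-byte CV is XORed into both halves of the key-encrypting key are constructed for this example and are not values from the Control Vector Table.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
)

// CVPair holds the control vectors of one double-length key type: one for the
// left half of the protected key and one for the right half.
type CVPair struct{ Left, Right []byte }

// Constructed CV patterns for two hypothetical key types. They are not values
// from the ICSF Control Vector Table; only the mechanism is being shown.
var cvTypeA = CVPair{Left: []byte{0, 0x22, 0x7e, 0, 3, 0x41, 0, 0}, Right: []byte{0, 0x22, 0x7e, 0, 3, 0x21, 0, 0}}
var cvTypeB = CVPair{Left: []byte{0, 0x22, 0x42, 0, 3, 0x41, 0, 0}, Right: []byte{0, 0x22, 0x42, 0, 3, 0x21, 0, 0}}

// variant returns TDES keyed with a master-key or transport-key variant: the
// 8-byte control vector XORed into both halves of the 16-byte key-encrypting
// key (assumed layout), expanded to K1||K2||K1 because crypto/des wants 24 bytes.
func variant(kek, cv []byte) cipher.Block {
	v := make([]byte, 24)
	for i := 0; i < 8; i++ {
		v[i], v[8+i] = kek[i]^cv[i], kek[8+i]^cv[i]
		v[16+i] = v[i]
	}
	c, err := des.NewTripleDESCipher(v)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	return c
}

// Wrap enciphers a 16-byte double-length key half by half (one ECB block each):
// the left half under the left-CV variant, the right half under the right-CV variant.
func Wrap(kek []byte, cv CVPair, key []byte) []byte {
	out := make([]byte, 16)
	variant(kek, cv.Left).Encrypt(out[:8], key[:8])
	variant(kek, cv.Right).Encrypt(out[8:], key[8:])
	return out
}

// Unwrap reverses Wrap. Presenting any CV pair other than the one the key was
// wrapped with yields an unrelated value, not the original key: key separation.
func Unwrap(kek []byte, cv CVPair, wrapped []byte) []byte {
	out := make([]byte, 16)
	variant(kek, cv.Left).Decrypt(out[:8], wrapped[:8])
	variant(kek, cv.Right).Decrypt(out[8:], wrapped[8:])
	return out
}
```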