Generating master key data for master key entry

If you intend to use the key entry panels to enter master keys, you need to generate and record these values when you begin:
Note: If you are reentering master keys when they have been cleared, use the same master key part values as when you originally entered the keys. You should have saved the key part values in a secure place when you entered the master keys previously.

The DES master key (DES-MK) is 16 or 24 bytes long. ICSF defines these master keys by exclusive ORing two or more key parts. Each of the master key parts is also 16 or 24 bytes long. To enter a DES-MK, you must enter a first key part and a final key part. If you choose to, you can also enter one or more intermediate key parts when entering the first key part and the final key part.

Note: The combined DES-MK master key is forced to have odd parity, but the parity of the individual key parts can be odd, even or mixed. We refer to even or mixed parity keys as non-odd parity keys.
Attention: The cryptographic features will not allow certain 'weak' keys as DES and RSA master keys. The list of weak keys are documented in Questionable (Weak) Keys.

The AES master key (AES-MK) is 32 bytes long. ICSF defines these master keys by exclusive ORing two or more key parts.

The RSA master key (RSA-MK) is 24 bytes long. ICSF defines these master keys by exclusive ORing two or more key parts.

The ECC master key (ECC-MK) is 32-bytes long. ICSF defines these master keys by exclusive ORing two or more key parts. ECC master key support is available on the CEX3C.

If you are using ICSF to generate random numbers, generate a random number for each key part that you need to enter to create the master key.

A 16-byte key part consists of 32 hexadecimal digits. A 24-byte key part consists of 48 hexadecimal digits. To make this process easier, each part is broken into segments of 16 digits each. A 32-byte key part consists of 64 hexadecimal digits.

When you are manually entering the master key parts, you also enter a checksum that verifies whether you entered the key part correctly. A checksum is a two-digit result of putting a key part value through a series of calculations. The coprocessors calculate the checksum with the key part you enter and compare the one they calculated with the one you entered. The checksum verifies that you did not transpose any digits when entering the key part. If the checksums are equal, you have successfully entered the key.

When you enter a key part and its checksum for a DES-MK, the coprocessor calculates an eight-byte verification pattern and sixteen byte hash pattern. When you enter a key part and its checksum for a AES-MK, the coprocessor calculates an eight-byte verification pattern. When you enter a key part and its checksum for the RSA-MK, the coprocessor calculates a sixteen-byte verification pattern. When you enter a key part and its checksum for an ECC-MK, the coprocessor calculates an eight-byte verification pattern.

Before the verification and hash patterns can be calculated, the DES-MK master key must have been set.

The ICSF Master Key Entry panel displays the verification pattern. Check that the displayed verification pattern against the option verification pattern you may have generated at the time you generated the AES, DES, ECC, or RSA master key parts. The verification pattern checks whether you entered the key part correctly, and whether you entered the correct key type.

ICSF displays a verification and/or hash pattern for each master key part. It also displays a verification and/or hash pattern for the master key when you enter all the key parts. If the verification and hash patterns are the same, you have entered the key parts correctly.

To generate the value for a key part, you can use one of these methods:
Parent topic: Entering master key parts