You can determine the value of a control vector by working through
the following series of questions:
- Begin with a field of 64 bits (eight bytes) set to B'0'.
The most significant bit is referred to as bit 0. Define the key type
and subtype (bits 8 to 14), as follows:
- The main key type bits (bits 8 to 11). Set bits 8 to 11 to one of the following values:

Bits 8 to 11 | Main Key Type
---|---
0000 | Data operation keys
0010 | PIN keys
0011 | Cryptographic variable-encrypting keys
0100 | Key-encrypting keys
0101 | Key-generating keys
- The key subtype bits (bits 12 to 14). Set bits 12 to 14 to one of the following values:

Note: For Diversified Key Generating Keys, the subtype field specifies the hierarchical level of the DKYGENKY. If the subtype is non-zero, then the DKYGENKY can only generate another DKYGENKY key with the hierarchy level decremented by one. If the subtype is zero, the DKYGENKY can only generate the final diversified key (a non-DKYGENKY key) with the key type specified by the usage bits.

Main Key Type | Bits 12 to 14 | Key Subtype
---|---|---
Data Operation Keys | 000 | Compatibility key (DATA)
Data Operation Keys | 001 | Confidentiality key (CIPHER, DECIPHER, or ENCIPHER)
Data Operation Keys | 010 | MAC key (MAC or MACVER)
Key-Encrypting Keys | 000 | Transport-sending keys (EXPORTER and OKEYXLAT)
Key-Encrypting Keys | 001 | Transport-receiving keys (IMPORTER and IKEYXLAT)
PIN Keys | 001 | PIN-generating key (PINGEN, PINVER)
PIN Keys | 000 | Inbound PIN-block decrypting key (IPINENC)
PIN Keys | 010 | Outbound PIN-block encrypting key (OPINENC)
Cryptographic Variable-Encrypting Keys | 111 | Cryptographic variable-encrypting key (CVAR....)
Diversified Key Generating Keys | 000 | DKY Subtype 0
Diversified Key Generating Keys | 001 | DKY Subtype 1
Diversified Key Generating Keys | 010 | DKY Subtype 2
Diversified Key Generating Keys | 011 | DKY Subtype 3
Diversified Key Generating Keys | 100 | DKY Subtype 4
Diversified Key Generating Keys | 101 | DKY Subtype 5
Diversified Key Generating Keys | 110 | DKY Subtype 6
Diversified Key Generating Keys | 111 | DKY Subtype 7
- For key-encrypting keys, set the following bits:
- The key-generating usage bits (gks, bits 18 to 20). Set the gks
bits to B'111' to indicate that the Key Generate callable
service can use the associated key-encrypting key to encipher generated
keys when the Key Generate callable service is generating various
key-pair key-form combinations (see the Key-Encrypting Keys section
of Figure 8). Without any of the gks bits
set to 1, the Key Generate callable service cannot use the associated
key-encrypting key. The Key Token Build callable service can set the
gks bits to 1 when you supply the OPIM, IMEX, IMIM, OPEX,
and EXEX keywords.
- The IMPORT and EXPORT bit and the XLATE bit (ix, bits 21 and 22).
If the ‘i’ bit is set to 1, the associated key-encrypting
key can be used in the Data Key Import, Key Import, Data Key Export,
and Key Export callable services. If the ‘x’ bit is set to
1, the associated key-encrypting key can be used in the Key Translate
callable service.
- The key-form bits (fff, bits 40 to 42). The key-form bits indicate
how the key was generated and how the control vector participates
in multiple-enciphering. To indicate that the parts can be the same
value, set these bits to B'010'. For information about the
value of the key-form bits in the right half of a control vector,
see Step 8.
- For MAC and MACVER keys, set the following bits:
- The MAC control bits (bits 20 and 21). For a MAC-generate key,
set bits 20 and 21 to B'11'. For a MAC-verify key, set bits
20 and 21 to B'01'.
- The key-form bits (fff, bits 40 to 42). For a single-length key,
set the bits to B'000'. For a double-length key, set the bits
to B'010'.
- For PINGEN and PINVER keys, set the following bits:
- The PIN calculation method bits (aaaa, bits 0 to 3). Set these
bits to one of the following values:
Bits 0 to 3 | Calculation Method Keyword | Description
---|---|---
0000 | NO-SPEC | A key with this control vector can be used with any PIN calculation method.
0001 | IBM-PIN or IBM-PINO | A key with this control vector can be used only with the IBM PIN or PIN Offset calculation method.
0010 | VISA-PVV | A key with this control vector can be used only with the VISA-PVV calculation method.
0100 | GBP-PIN or GBP-PINO | A key with this control vector can be used only with the German Banking Pool PIN or PIN Offset calculation method.
0011 | INBK-PIN | A key with this control vector can be used only with the Interbank PIN calculation method.
0101 | NL-PIN-1 | A key with this control vector can be used only with the NL-PIN-1, Netherlands PIN calculation method.
- The prohibit-offset bit (o, bit 37) to restrict operations to
the PIN value. If set to 1, this bit prevents operation with the IBM
3624 PIN Offset calculation method and the IBM German Bank Pool PIN
Offset calculation method.
- For PINGEN, IPINENC, and OPINENC keys, set bits 18 to 22 to indicate whether the key can be used with the following callable services:

Service Allowed | Bit Name | Bit
---|---|---
Clear PIN Generate | CPINGEN | 18
Encrypted PIN Generate Alternate | EPINGENA | 19
Encrypted PIN Generate | EPINGEN | 20 for PINGEN, 19 for OPINENC
Clear PIN Generate Alternate | CPINGENA | 21 for PINGEN, 20 for IPINENC
Encrypted PIN Verify | EPINVER | 19
Clear PIN Encrypt | CPINENC | 18
- For the IPINENC (inbound) and OPINENC (outbound) PIN-block ciphering
keys, do the following:
- Set the TRANSLAT bit (t, bit 21) to 1 to permit the key to be
used in the PIN Translate callable service. The Control Vector Generate
callable service can set the TRANSLAT bit to 1 when you supply the TRANSLAT keyword.
- Set the REFORMAT bit (r, bit 22) to 1 to permit the key to be
used in the PIN Translate callable service. The Control Vector Generate
callable service can set the REFORMAT bit and the TRANSLAT bit to
1 when you supply the REFORMAT keyword.
- For cryptographic variable-encrypting keys, set the variable-type bits (bits 18 to 22) to one of the following values:

Bits 18 to 22 | Generic Key Type | Description
---|---|---
00000 | CVARPINE | Used in the Encrypted PIN Generate Alternate service to encrypt a clear PIN.
00010 | CVARXCVL | Used in the Control Vector Translate callable service to decrypt the left mask array.
00011 | CVARXCVR | Used in the Control Vector Translate callable service to decrypt the right mask array.
00100 | CVARENC | Used in the Cryptographic Variable Encipher callable service to encrypt an unformatted PIN.
- For key-generating keys, set the following bits:
- For KEYGENKY, set bit 18 for UKPT usage and bit 19 for CLR8-ENC
usage.
- For DKYGENKY, bits 12–14 will specify the hierarchical level
of the DKYGENKY key. If the subtype CV bits are non-zero, then the
DKYGENKY can only generate another DKYGENKY key with the hierarchical
level decremented by one. If the subtype CV bits are zero, the DKYGENKY
can only generate the final diversified key (a non-DKYGENKY key)
with the key type specified by usage bits.
To specify the subtype
values of the DKYGENKY, keywords DKYL0, DKYL1, DKYL2, DKYL3, DKYL4,
DKYL5, DKYL6 and DKYL7 will be used.
- For DKYGENKY, bit 18 is reserved and must be zero.
- Usage bits 18-22 for the DKYGENKY key type are defined as follows. They will be encoded as the final key type that the DKYGENKY key generates.

Bits 19 to 22 | Keyword | Usage
---|---|---
0001 | DDATA | DATA, DATAC, single or double length
0010 | DMAC | MAC, DATAM
0011 | DMV | MACVER, DATAMV
0100 | DIMP | IMPORTER, IKEYXLAT
0101 | DEXP | EXPORTER, OKEYXLAT
0110 | DPVR | PINVER
1000 | DMKEY | Secure message key for encrypting keys
1001 | DMPIN | Secure message key for encrypting PINs
1111 | DALL | All key types may be generated except DKYGENKY and KEYGENKY keys. Usage of the DALL keyword is controlled by a separate access control point.
- For secure messaging keys, set the following bits:
- Set bit 18 to 1 if the key will be used in the secure messaging
for PINs service. Set bit 19 to 1 if the key will be used in the secure
messaging for keys service.
- For all keys, set the following bits:
- The export bit (E, bit 17). If set to 0, the export bit prevents
a key from being exported. By setting this bit to 0, you can prevent
the receiver of a key from exporting or translating the key for use
in another cryptographic subsystem. Once this bit is set to 0, it
cannot be set to 1 by any service other than Control Vector Translate.
The Prohibit Export callable service can reset the export bit.
- The key-part bit (K, bit 44). Set the key-part bit to 1 in a control
vector associated with a key part. When the final key part is combined
with previously accumulated key parts, the key-part bit in the control
vector for the final key part is set to 0. The Control Vector Generate
callable service can set the key-part bit to 1 when you supply the KEY-PART keyword.
- The anti-variant bits (bit 30 and bit 38). Set bit 30 to 0 and
bit 38 to 1. Many cryptographic systems have implemented a system
of variants where a 7-bit value is exclusive-ORed with each 7-bit
group of a key-encrypting key before enciphering the target key. By
setting bits 30 and 38 to opposite values, control vectors do not
produce patterns that can occur in variant-based systems.
- Control vector bits 64 to 127. If bits 40 to 42 are B'000'
(single-length key), set bits 64 to 127 to 0. Otherwise, copy bits
0 to 63 into bits 64 to 127 and set bits 105 and 106 to B'01'.
- Set the parity bits (low-order bit of each byte, bits 7, 15, ...,
127). These bits contain the parity bits (P) of the control vector.
Set the parity bit of each byte so the number of zero-value bits in
the byte is an even number.
- For secure messaging keys, usage bit 18 on will enable the encryption
of keys in a secure message and usage bit 19 on will enable the encryption
of PINs in a secure message.
- The ENH-ONLY bit (H, bit 56). Set the ENH-ONLY bit to 1 in a control
vector to require that the key value be encrypted with the enhanced wrapping
method. The Control Vector Generate callable service can set the ENH-ONLY
bit to 1 when you supply the ENH-ONLY keyword.
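The whole procedure above, as an added worked example (this is not IBM's code or ICSF's own implementation): a small Python builder that applies the bit assignments to the left half, copies it into the right half with bits 105 and 106 set to B'01', and sets the byte parity last, plus a checker for the parity, anti-variant and key-form consistency rules that is worth running on any control vector pulled out of a key token. The main type, subtype and usage arguments are the bit patterns from the tables above; the two constants at the end are constructed examples for a double-length EXPORTER key-encrypting key and a single-length MAC key.

```python
def set_bits(cv: bytearray, pos: int, width: int, value: int) -> None:
    """Write `value` into bits pos .. pos+width-1 (bit 0 = MSB of byte 0)."""
    for i in range(width):
        bit = (value >> (width - 1 - i)) & 1
        byte, off = divmod(pos + i, 8)
        mask = 0x80 >> off
        cv[byte] = (cv[byte] | mask) if bit else (cv[byte] & (0xFF ^ mask))

def get_bit(cv: bytes, pos: int) -> int:
    return (cv[pos // 8] >> (7 - pos % 8)) & 1

def fix_parity(cv: bytearray) -> None:
    """Low-order bit of each byte: make the number of zero-value bits even."""
    for i, b in enumerate(cv):
        b &= 0xFE                          # clear parity bit; it now counts as a zero
        cv[i] = b | ((8 - bin(b).count("1")) & 1)   # odd zeros -> parity bit = 1

def build_cv(main_type: int, subtype: int, usage: int, *, export: bool = True,
             double_length: bool = True, key_part: bool = False) -> bytes:
    """main_type = bits 8-11, subtype = bits 12-14, usage = bits 18-22."""
    cv = bytearray(16)
    set_bits(cv, 8, 4, main_type)
    set_bits(cv, 12, 3, subtype)
    set_bits(cv, 17, 1, int(export))       # E bit: 0 prohibits export
    set_bits(cv, 18, 5, usage)
    set_bits(cv, 30, 1, 0)                 # anti-variant bits: bit 30 = 0 ...
    set_bits(cv, 38, 1, 1)                 # ... and bit 38 = 1
    set_bits(cv, 40, 3, 0b010 if double_length else 0b000)   # key-form bits fff
    set_bits(cv, 44, 1, int(key_part))     # K bit
    if double_length:                      # right half: copy, then bits 105-106 = B'01'
        cv[8:16] = cv[0:8]
        set_bits(cv, 105, 2, 0b01)
    fix_parity(cv)                         # parity last, over all 16 bytes
    return bytes(cv)

def check_cv(cv: bytes) -> list[str]:
    """Consistency checks to run on a control vector taken from a key token."""
    problems = [f"byte {i}: odd number of zero bits" for i, b in enumerate(cv)
                if (8 - bin(b).count("1")) & 1]
    if get_bit(cv, 30) != 0 or get_bit(cv, 38) != 1:
        problems.append("anti-variant bits 30/38 are not B'0'/B'1'")
    single = (get_bit(cv, 40), get_bit(cv, 41), get_bit(cv, 42)) == (0, 0, 0)
    if single and any(cv[8:16]):
        problems.append("single-length key-form but right half is non-zero")
    if not single and (get_bit(cv, 105), get_bit(cv, 106)) != (0, 1):
        problems.append("double-length key but bits 105-106 are not B'01'")
    return problems

# Constructed examples: EXPORTER KEK (gks = 111, i = 1, x = 0) and a MAC key.
EXPORTER_CV = build_cv(0b0100, 0b000, 0b11110)                   # double-length
MAC_CV = build_cv(0b0000, 0b010, 0b00110, double_length=False)   # bits 20-21 = B'11'
```

Setting `export=False` clears only bit 17 and recomputes the parity of byte 2, which is the E-bit case the "For all keys" step describes.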