z/OS Cryptographic Services ICSF Application Programmer's Guide


Mask Array Preparation

SA22-7522-16

A mask array consists of seven 8-byte elements: A1, B1, A2, B2, A3, B3, and B4. You choose the values of the array elements such that each of the following four expressions evaluates to a string of binary zeros. (See Figure 12.) Set the A bits to the value that you require for the corresponding control vector bits. In expressions 1 through 3, set the B bits to select the control vector bits to be evaluated. In expression 4, set the B bits to select the source and target control vector bits to be evaluated. Also, use the following control vector information:

  • C1 is the control vector associated with the left half of the KEK.
  • C2 is the control vector associated with the source key, or selected source-key half/halves.
  • C3 is the control vector associated with the target key or selected target-key half/halves.

  1. (C1 exclusive-OR A1) logical-AND B1

    This expression tests whether the KEK used to encipher the key meets your criteria for the desired translation.

  2. (C2 exclusive-OR A2) logical-AND B2

    This expression tests whether the control vector associated with the source key meets your criteria for the desired translation.

  3. (C3 exclusive-OR A3) logical-AND B3

    This expression tests whether the control vector associated with the target key meets your criteria for the desired translation.

  4. (C2 exclusive-OR C3) logical-AND B4

    This expression tests whether the control vectors associated with the source key and the target key meet your criteria for the desired translation.

Encipher two copies of the mask array, each under a different cryptographic-variable key (key type CVARENC). To encipher each copy of the mask array, use the Cryptographic Variable Encipher callable service. Use two different keys so that the enciphered-array copies are unique values. When using the Control Vector Translate callable service, the mask_array_left parameter and the mask_array_right parameter identify the enciphered mask arrays. The array_key_left parameter and the array_key_right parameter identify the internal keys for deciphering the mask arrays. The array_key_left key must have a key type of CVARXCVL and the array_key_right key must have a key type of CVARXCVR. The cryptographic process deciphers the arrays and compares the results; for the service to continue, the deciphered arrays must be equal. If the results are not equal, the service returns the return and reason code for data that is not valid (8/385).

Use the Key Generate callable service to create the key pairs CVARENC-CVARXCVL and CVARENC-CVARXCVR. Each key in the key pair must be generated for a different node. The CVARENC keys are generated for, or imported into, the node where the mask array will be enciphered. After enciphering the mask array, you should destroy the enciphering key. The CVARXCVL and CVARXCVR keys are generated for, or imported into, the node where the Control Vector Translate callable service will be performed.

If using the BOTH keyword to process both halves of a double-length key, remember that bits 41, 42, 104, and 105 are different in the left and right halves of the CCA control vector and must be ignored in your mask-array tests (that is, make the corresponding B2 and/or B3 bits equal to zero).
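The four masking expressions and the BOTH caveat can be checked offline on a plaintext mask array before it is enciphered. The following is an added example, not IBM code: the function names and all control vector values are constructed for illustration, bit 0 is assumed to be the leftmost bit of each 8-byte element, and only bits 41 and 42 of one element are modelled.

```python
MASK64 = (1 << 64) - 1

def bit(n):
    """Mask for bit n of an 8-byte element (assumption: bit 0 is leftmost)."""
    return 1 << (63 - n)

def set_bits(value):
    """Positions (0 = leftmost) of the 1 bits in a 64-bit value."""
    return [n for n in range(64) if value & bit(n)]

def mask_tests(c1, c2, c3, m):
    """Evaluate expressions 1-4; return {expression: offending bit positions}.
    An empty list means the expression is all binary zeros (test passed)."""
    results = {
        1: (c1 ^ m["A1"]) & m["B1"],   # KEK control vector
        2: (c2 ^ m["A2"]) & m["B2"],   # source-key control vector
        3: (c3 ^ m["A3"]) & m["B3"],   # target-key control vector
        4: (c2 ^ c3) & m["B4"],        # source compared with target
    }
    return {n: set_bits(v & MASK64) for n, v in results.items()}

def passes(c1, c2, c3, m):
    """True when all four expressions evaluate to binary zeros."""
    return not any(mask_tests(c1, c2, c3, m).values())

def ignore_bits(b_mask, positions):
    """Clear B bits so the listed control vector bits are not evaluated."""
    for n in positions:
        b_mask &= ~bit(n)
    return b_mask & MASK64

# Constructed sample control vectors (illustrative values, not from the page).
KEK_CV    = 0x00427D0003410000   # C1
SRC_LEFT  = 0x00007D0003410000   # C2, left half
SRC_RIGHT = 0x00007D0003210000   # C2, right half: differs in bits 41 and 42
TGT_LEFT  = 0x00007D0003410300   # C3, left half
TGT_RIGHT = 0x00007D0003210300   # C3, right half: differs in bits 41 and 42

# STRICT evaluates every bit of C1, C2 and C3; B4 compares the first two bytes.
STRICT = {"A1": KEK_CV, "B1": MASK64, "A2": SRC_LEFT, "B2": MASK64,
          "A3": TGT_LEFT, "B3": MASK64, "B4": 0xFFFF000000000000}
# RELAXED zeroes the B2 and B3 bits for positions 41 and 42, as BOTH requires.
RELAXED = dict(STRICT, B2=ignore_bits(MASK64, (41, 42)),
               B3=ignore_bits(MASK64, (41, 42)))

if __name__ == "__main__":
    for name, m in (("strict", STRICT), ("relaxed", RELAXED)):
        for half, c2, c3 in (("left", SRC_LEFT, TGT_LEFT),
                             ("right", SRC_RIGHT, TGT_RIGHT)):
            print(name, half, mask_tests(KEK_CV, c2, c3, m))
```

With the strict array the right half fails expressions 2 and 3 at bits 41 and 42; with the relaxed array both halves pass.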

When the control vectors pass the masking tests, the verb does the following:

  • Deciphers the source key. In the decipher process, the service uses a key that is formed by the exclusive-OR of the KEK and the control vector in the key token variable that the source_key_token parameter identifies.
  • Enciphers the deciphered source key. In the encipher process, the service uses a key that is formed by the exclusive-OR of the KEK and the control vector in the key token variable that the target_key_token parameter identifies.
  • Places the enciphered key in the key field in the key token variable that the target_key_token parameter identifies.





Copyright IBM Corporation 1990, 2014