z/OS Cryptographic Services ICSF Application Programmer's Guide


Glossary

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

This glossary defines terms and abbreviations used in Integrated Cryptographic Service Facility (ICSF). If you do not find the term you are looking for, refer to the index of the appropriate Integrated Cryptographic Service Facility document or view IBM Glossary of Computing Terms located at:

http://www.ibm.com/ibm/terminology

This glossary includes terms and definitions from:

  • IBM Glossary of Computing Terms. Definitions are identified by the symbol (D) after the definition.
  • The American National Standard Dictionary for Information Systems, ANSI X3.172-1990, copyright 1990 by the American National Standards Institute (ANSI). Copies can be purchased from the American National Standards Institute, 11 West 42nd Street, New York, New York 10036. Definitions are identified by the symbol (A) after the definition.
  • The Information Technology Vocabulary, developed by Subcommittee 1, Joint Technical Committee 1, of the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC JTC1/SC1). Definitions of published parts of this vocabulary are identified by the symbol (I) after the definition; definitions taken from draft international standards, committee drafts, and working papers being developed by ISO/IEC JTC1/SC1 are identified by the symbol (T) after the definition, indicating that final agreement has not yet been reached among the participating National Bodies of SC1.

Definitions specific to the Integrated Cryptographic Service Facility are labeled “In ICSF.”

A

access method services (AMS)
The facility used to define and reproduce VSAM key-sequenced data sets (KSDS). (D)
Advanced Encryption Standard (AES)
In computer security, the National Institute of Standards and Technology (NIST) Advanced Encryption Standard (AES) algorithm, a 128-bit block cipher with 128-, 192- or 256-bit keys. The AES algorithm is documented in Federal Information Processing Standard (FIPS) Publication 197.
AES
Advanced Encryption Standard.
American National Standard Code for Information Interchange (ASCII)
The standard code using a coded character set consisting of 7-bit characters (8 bits including parity check) that is used for information exchange among data processing systems, data communication systems, and associated equipment. The ASCII set consists of control characters and graphic characters.
ANSI key-encrypting key (AKEK)
A 64- or 128-bit key used exclusively in ANSI X9.17 key management applications to protect data keys exchanged between systems.
ANSI X9.17
An ANSI standard that specifies algorithms and messages for DES key distribution.
ANSI X9.19
An ANSI standard that specifies an optional double-MAC procedure which requires a double-length MAC key.
application program
(1) A program written for or by a user that applies to the user's work, such as a program that does inventory control or payroll.
(2) A program used to connect and communicate with stations in a network, enabling users to perform application-oriented activities. (D)
application program interface (API)
(1) A functional interface supplied by the operating system or by a separately orderable licensed program that allows an application program written in a high-level language to use specific data or functions of the operating system or the licensed program. (D)
(2) In ICSF, a callable service.
asymmetric cryptography
Synonym for public key cryptography. (D)
authentication pattern
An 8-byte pattern that ICSF calculates from the master key when initializing the cryptographic key data set. ICSF places the value of the authentication pattern in the header record of the cryptographic key data set.
authorized program facility (APF)
A facility that permits identification of programs authorized to use restricted functions. (D)

C

callable service
A predefined sequence of instructions invoked from an application program, using a CALL instruction. In ICSF, callable services perform cryptographic functions and utilities.
CBC
Cipher block chaining.
CCA
Common Cryptographic Architecture.
CCF
Cryptographic Coprocessor Feature.
CDMF
Commercial Data Masking Facility.
CEDA
A CICS transaction that defines resources online. Using CEDA, you can update both the CICS system definition data set (CSD) and the running CICS system.
CEX2A
Crypto Express2 Accelerator.
CEX2C
Crypto Express2 Coprocessor.
CEX3A
Crypto Express3 Accelerator.
CEX3C
Crypto Express3 Coprocessor.
checksum
(1) The sum of a group of data associated with the group and used for checking purposes. (T)
(2) In ICSF, the data used is a key part. The resulting checksum is a two-digit value you enter when you use the key-entry unit to enter a master key part or a clear key part into the key-storage unit.
Chinese Remainder Theorem (CRT)
A mathematical theorem that defines a format for the RSA private key that improves performance.
CICS
Customer Information Control System.
cipher block chaining (CBC)
A mode of encryption that uses the data encryption algorithm and requires an initial chaining vector (ICV). For encipher, it exclusive ORs the first block of data with the ICV and then enciphers the result. The resulting ciphertext block is exclusive ORed with the next input block before that block is enciphered, and so on as the process repeats, so each ciphertext block depends on every preceding plaintext block. A comparable chaining process, in which each deciphered block is exclusive ORed with the previous ciphertext block, works for decipher.
ciphertext
(1) In computer security, text produced by encryption.
(2) Synonym for enciphered data. (D)
CKDS
Cryptographic Key Data Set.
clear key
Any type of encryption key not protected by encryption under another key.
CMOS
Complementary metal oxide semiconductor.
coexistence mode
An ICSF method of operation during which CUSP or PCF can run independently and simultaneously on the same ICSF system. A CUSP or PCF application program can run on ICSF in this mode if the application program has been reassembled.
Commercial Data Masking Facility (CDMF)
A data-masking algorithm using a DES-based kernel and a key that is shortened to an effective key length of 40 DES key-bits. Because CDMF is not as strong as DES, it is called a masking algorithm rather than an encryption algorithm. Implementations of CDMF, when used for data confidentiality, are generally exportable from the USA and Canada.
Common Cryptographic Architecture: Cryptographic Application Programming Interface
Defines a set of cryptographic functions, external interfaces, and a set of key management rules that provide a consistent, end-to-end cryptographic architecture across different IBM platforms.
compatibility mode
An ICSF method of operation during which a CUSP or PCF application program can run on ICSF without recompiling it. In this mode, ICSF cannot run simultaneously with CUSP or PCF.
complementary keys
A pair of keys that have the same clear key value, are different but complementary types, and usually exist on different systems.
console
A part of a computer used for communication between the operator or maintenance engineer and the computer. (A)
control-area split
In systems with VSAM, the movement of the contents of some of the control intervals in a control area to a newly created control area in order to facilitate insertion or lengthening of a data record when there are no remaining free control intervals in the original control area. (D)
control block
(1) A storage area used by a computer program to hold control information. (I) Synonymous with control area.
(2) The circuitry that performs the control functions such as decoding microinstructions and generating the internal control signals that perform the operations requested. (A)
control interval
A fixed-length area of direct-access storage in which VSAM stores records and creates distributed free space. Also, in a key-sequenced data set or file, the set of records pointed to by an entry in the sequence-set index record. The control interval is the unit of information that VSAM transmits to or from direct access storage. A control interval always comprises an integral number of physical records. (D)
control interval split
In systems with VSAM, the movement of some of the stored records in a control interval to a free control interval to facilitate insertion or lengthening of a record that does not fit in the original control interval. (D)
control statement input data set
A key generator utility program data set containing control statements that a particular key generator utility program job will process.
control statement output data set
A key generator utility program data set containing control statements to create the complements of keys created by the key generator utility program.
control vector
In ICSF, a mask that is exclusive ORed with a master key or a transport key before ICSF uses that key to encrypt another key. Control vectors ensure that keys used on the system and keys distributed to other systems are used for only the cryptographic functions for which they were intended.
CPACF
CP Assist for Cryptographic Functions
CP Assist for Cryptographic Functions
A set of processor instructions implemented on the z890, z990, z9 EC, z9 BC, z10 EC and z10 BC processors that provides high-speed symmetric encryption (DES and Triple DES; AES on z9 and later processors) and SHA-1 secure hashing (the SHA-2 hashes on z9 and later processors).
cross memory mode
Synchronous communication between programs in different address spaces that permits a program residing in one address space to access the same or other address spaces. This synchronous transfer of control is accomplished by a calling linkage and a return linkage.
CRT
Chinese Remainder Theorem.
Crypto Express2 Coprocessor
An asynchronous cryptographic coprocessor available on the z890, z990, z9 EC, z9 BC, z10 EC and z10 BC.
Crypto Express3 Coprocessor
An asynchronous cryptographic coprocessor available on z10 EC and z10 BC.
cryptographic adapter (4755 or 4758)
An expansion board that provides a comprehensive set of cryptographic functions for the network security processor and the workstation in the TSS family of products.
cryptographic coprocessor
A microprocessor that adds cryptographic processing functions to specific z890, z990, z9 EC, z9 BC, z10 EC and z10 BC processors. The Cryptographic Coprocessor Feature is a tamper-resistant chip built into the processor board.
cryptographic key data set (CKDS)
(1) A data set that contains the encrypting keys used by an installation. (D)
(2) In ICSF, a VSAM data set that contains all the cryptographic keys. Besides the encrypted key value, an entry in the cryptographic key data set contains information about the key.
cryptography
(1) The transformation of data to conceal its meaning.
(2) In computer security, the principles, means, and methods for encrypting plaintext and decrypting ciphertext. (D)
(3) In ICSF, the use of cryptography is extended to include the generation and verification of MACs, the generation of MDCs and other one-way hashes, the generation and verification of PINs, and the generation and verification of digital signatures.
CUSP (Cryptographic Unit Support Program)
The IBM cryptographic offering, program product 5740-XY6, using the channel-attached 3848. CUSP is no longer in service.
CUSP/PCF conversion program
A program, for use during migration from CUSP or PCF to ICSF, that converts a CUSP or PCF cryptographic key data set into an ICSF cryptographic key data set.
Customer Information Control System (CICS)
An IBM licensed program that enables transactions entered at remote terminals to be processed concurrently by user written application programs. It includes facilities for building, using, and maintaining databases.
CVC
Card verification code used by MasterCard.
CVV
Card verification value used by VISA.

D

data encryption algorithm (DEA)
In computer security, a 64-bit block cipher that uses a 64-bit key, of which 56 bits are used to control the cryptographic process and 8 bits are used for parity checking to ensure that the key is transmitted properly. (D)
data encryption standard (DES)
In computer security, the National Institute of Standards and Technology (NIST) Data Encryption Standard, adopted by the U.S. government as Federal Information Processing Standard (FIPS) Publication 46, which allows only hardware implementations of the data encryption algorithm. (D) FIPS 46-3 was withdrawn in 2005; a single-length (56-bit) DES key is no longer considered adequate, and Triple DES (TDEA) or AES should be used for new work.
data key or data-encrypting key
(1) A key used to encipher, decipher, or authenticate data. (D)
(2) In ICSF, a 64-bit encryption key used to protect data privacy using the DES algorithm or the CDMF algorithm. AES data keys are now supported by ICSF.
data set
The major unit of data storage and retrieval, consisting of a collection of data in one of several prescribed arrangements and described by control information to which the system has access. (D)
data-translation key
A 64-bit key that protects data transmitted through intermediate systems when the originator and receiver do not share the same key.
DEA
Data encryption algorithm.
decipher
(1) To convert enciphered data in order to restore the original data. (T)
(2) In computer security, to convert ciphertext into plaintext by means of a cipher system.
(3) To convert enciphered data into clear data. Contrast with encipher. Synonymous with decrypt. (D)
decode
(1) To convert data by reversing the effect of some previous encoding. (I) (A)
(2) In ICSF, to decipher data by use of a clear key.
decrypt
See decipher.
DES
Data Encryption Standard.
diagnostics data set
A key generator utility program data set containing a copy of each input control statement followed by a diagnostic message generated for each control statement.
digital signature
In public key cryptography, information created by using a private key and verified by using a public key. A digital signature provides data integrity and source nonrepudiation.
Digital Signature Algorithm (DSA)
A public key algorithm for digital signature generation and verification used with the Digital Signature Standard.
Digital Signature Standard (DSS)
A standard describing the use of algorithms for digital signature purposes. One of the algorithms specified is DSA (Digital Signature Algorithm).
domain
(1) That part of a network in which the data processing resources are under common control. (T)
(2) In ICSF, an index into a set of master key registers.
double-length key
A key that is 128 bits long. A key can be either double- or single-length. A single-length key is 64 bits long.
DSA
Digital Signature Algorithm.
DSS
Digital Signature Standard.

E

ECB
Electronic codebook.
ECI
Eurochèque International S.C., a financial institution consortium that has defined three PIN block formats.
EID
Environment Identification.
electronic codebook (ECB) operation
(1) A mode of operation used with block cipher cryptographic algorithms in which plaintext or ciphertext is placed in the input to the algorithm and the result is contained in the output of the algorithm. (D)
(2) A mode of encryption using the data encryption algorithm, in which each block of data is enciphered or deciphered without an initial chaining vector. It is used for key management functions and the encode and decode callable services.
electronic funds transfer system (EFTS)
A computerized payment and withdrawal system used to transfer funds from one account to another and to obtain related financial data. (D)
encipher
(1) To scramble data or to convert data to a secret code that masks the meaning of the data to any unauthorized recipient. Synonymous with encrypt.
(2) Contrast with decipher. (D)
enciphered data
Data whose meaning is concealed from unauthorized users or observers. (D)
encode
(1) To convert data by the use of a code in such a manner that reconversion to the original form is possible. (T)
(2) In computer security, to convert plaintext into an unintelligible form by means of a code system. (D)
(3) In ICSF, to encipher data by use of a clear key.
encrypt
See encipher.
exit
(1) To execute an instruction within a portion of a computer program in order to terminate the execution of that portion. Such portions of computer programs include loops, subroutines, modules, and so on. (T)
(2) In ICSF, a user-written routine that receives control from the system during a certain point in processing—for example, after an operator issues the START command.
exportable form
A condition a key is in when enciphered under an exporter key-encrypting key. In this form, a key can be sent outside the system to another system. A key in exportable form cannot be used in a cryptographic function.
exporter key-encrypting key
A 128-bit key used to protect keys sent to another system. A type of transport key.

F

file
A named set of records stored or processed as a unit. (T)

G

GBP
German Bank Pool.
German Bank Pool (GBP)
A German financial institution consortium that defines specific methods of PIN calculation.

H

hashing
An operation that uses a one-way (irreversible) function on data, usually to reduce the data to a fixed-length value (a digest) that can be used to detect changes to the hashed data. A hash value by itself does not authenticate its source; for that it must be combined with a key (a MAC) or with a private key (a digital signature).
header record
A record containing common, constant, or identifying information for a group of records that follows. (D)

I

ICSF
Integrated Cryptographic Service Facility.
importable form
A condition a key is in when it is enciphered under an importer key-encrypting key. A key is received from another system in this form. A key in importable form cannot be used in a cryptographic function.
importer key-encrypting key
A 128-bit key used to protect keys received from another system. A type of transport key.
initial chaining vector (ICV)
A 64-bit random or pseudo-random value used in the cipher block chaining mode of encryption with the data encryption algorithm.
initial program load (IPL)
(1) The initialization procedure that causes an operating system to commence operation.
(2) The process by which a configuration image is loaded into storage at the beginning of a work day or after a system malfunction.
(3) The process of loading system programs and preparing a system to run jobs. (D)
input PIN-encrypting key
A 128-bit key used to protect a PIN block that this system receives from another system, for example a PIN block that is to be verified or translated from one format to another. Contrast with output PIN-encrypting key.
installation exit
See exit.
Integrated Cryptographic Service Facility (ICSF)
A licensed program that runs under MVS/System Product 3.1.3, or higher, or OS/390 Release 1, or higher, or z/OS, and provides access to the hardware cryptographic feature for programming applications. The combination of the hardware cryptographic feature and ICSF provides secure high-speed cryptographic services.
International Organization for Standardization
An organization of national standards bodies from many countries, established to promote the development of standards to facilitate the international exchange of goods and services and to develop cooperation in intellectual, scientific, technological, and economic activity. ISO has defined certain standards relating to cryptography and has defined two PIN block formats.
ISO
International Organization for Standardization.

J

job control language (JCL)
A control language used to identify a job to an operating system and to describe the job's requirements. (D)

K

key-encrypting key (KEK)
(1) In computer security, a key used for encryption and decryption of other keys. (D)
(2) In ICSF, a master key or transport key.
key generator utility program (KGUP)
A program that processes control statements for generating and maintaining keys in the cryptographic key data set.
key output data set
A key generator utility program data set containing information about each key that the key generator utility program generates except an importer key for file encryption.
key part
A 32-digit hexadecimal value that you enter for ICSF to combine with other values to create a master key or clear key.
key part register
A register in the key storage unit that stores a key part while you enter the key part.
key store policy
Ensures that only authorized users and jobs can access secure key tokens that are stored in one of the ICSF key stores - the CKDS or the PKDS.
key store policy controls
Resources that are defined in the XFACILIT class. A control can verify the caller has authority to use a secure token and identify the action to take when the secure token is not stored in the CKDS or PKDS.

L

linkage
The coding that passes control and parameters between two routines.
load module
All or part of a computer program in a form suitable for loading into main storage for execution. A load module is usually the output of a linkage editor. (T)
LPAR mode
The central processor mode that enables the operator to allocate the hardware resources among several logical partitions.

M

MAC generation key
A 64-bit or 128-bit key used by a message originator to generate a message authentication code sent with the message to the message receiver.
MAC verification key
A 64-bit or 128-bit key used by a message receiver to verify a message authentication code received with a message.
magnetic tape
A tape with a magnetizable layer on which data can be stored. (T)
master key
(1) In computer security, the top-level key in a hierarchy of key-encrypting keys.
(2) ICSF uses master keys to encrypt operational keys. Master keys are known only to the cryptographic coprocessors and are maintained in tamper-resistant cryptographic coprocessors. Examples of cryptographic coprocessors are CCF, PCICC, PCIXCC, CEX2C, and CEX3C. Some of the master keys that ICSF supports are a 128-bit DES master key, a 192-bit signature master key, a 192-bit key management master key, a 192-bit symmetric master key (that is, DES), a 192-bit asymmetric master key, and a 256-bit AES master key.
master key concept
The idea of using a single cryptographic key, the master key, to encrypt all other keys on the system.
master key register
A register in the cryptographic coprocessors that stores the master key that is active on the system.
master key variant
A key derived from the master key by use of a control vector. It is used to force separation by type of keys on the system.
MD4
Message Digest 4. A 128-bit hash algorithm. Collisions can be found in MD4 with negligible effort; it is retained for compatibility only.
MD5
Message Digest 5. A 128-bit hash algorithm. Collision attacks against MD5 are practical; do not use it where collision resistance matters, such as digital signatures.
message authentication code (MAC)
(1) The cryptographic result of block cipher operations on text or data using the cipher block chain (CBC) mode of operation. (D)
(2) In ICSF, a MAC is used to authenticate the source of the message, and verify that the message was not altered during transmission or storage.
modification detection code (MDC)
(1) A 128-bit value that interrelates all bits of a data stream so that the modification of any bit in the data stream results in a new MDC.
(2) In ICSF, an MDC is used to verify that a message or stored data has not been altered.
multiple encipherment
The method of encrypting a key under a double-length key-encrypting key.

N

new master key register
A register in the key storage unit that stores a master key before you make it active on the system.
NIST
U.S. National Institute of Standards and Technology.
NOCV processing
The process by which the key generator utility program or an application program encrypts a key under a transport key itself rather than under a transport key variant (the transport key exclusive ORed with a control vector). Because no control vector is applied, the key type is not enforced cryptographically when the key is recovered.
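The control vector, master key variant and NOCV processing entries describe one mechanism: a key-encrypting key is exclusive ORed with a control vector before it is used to encrypt another key, so a key wrapped as one type cannot be recovered as another. The following is an added example, not ICSF or CCA code. The control vector values, the token layout, and the "encipher under variant" primitive (an XOR with a SHA-256 derived keystream standing in for the coprocessor's DES-based wrapping) are all assumptions made for illustration; only the variant derivation, the type check and the DES odd-parity check follow the glossary's description.

```python
import hashlib

KEY_LEN = 8  # single-length 64-bit DES-style key: 56 key bits plus one parity bit per byte

# Stand-in control vectors, one per key type (assumption: real CCA control
# vectors are defined bit fields; these constructed values only need to differ).
CV = {
    "DATA": bytes.fromhex("0000000000000000"),  # all-zero CV: NOCV form, wrapped under the KEK itself
    "MAC": bytes.fromhex("0000000000000001"),
    "PINGEN": bytes.fromhex("0000000000000002"),
}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _encipher_under(variant: bytes, key: bytes) -> bytes:
    """Stand-in for 'encipher key under the KEK variant'. It XORs the key with a
    keystream derived from the variant, so the same call also deciphers. This is
    NOT the coprocessor's DES-based wrapping; it is an assumption for the example."""
    return _xor(key, hashlib.sha256(b"kek-variant:" + variant).digest()[:KEY_LEN])


def has_odd_parity(key: bytes) -> bool:
    """DES keys carry odd parity in every byte. A key recovered under the wrong
    control vector is effectively random and almost always fails this check."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def wrap_key(kek: bytes, clear_key: bytes, key_type: str) -> dict:
    """Build an external key token: the key enciphered under (KEK XOR CV),
    with the control vector carried alongside it in the clear."""
    cv = CV[key_type]
    return {"cv": cv, "wrapped": _encipher_under(_xor(kek, cv), clear_key)}


def unwrap_key(kek: bytes, token: dict, required_type: str):
    """Recover the clear key, enforcing key separation two ways:
    1. the CV in the token must be the one the requesting service needs;
    2. the KEK variant is rebuilt from the token's own CV, so editing that field
       changes the recovered key, which the parity check then rejects.
    Returns the clear key, or None when the token is not usable as required_type."""
    if token["cv"] != CV[required_type]:
        return None
    clear = _encipher_under(_xor(kek, token["cv"]), token["wrapped"])
    return clear if has_odd_parity(clear) else None


def is_nocv_form(kek: bytes, token: dict) -> bool:
    """NOCV processing: a token whose key is enciphered under the transport key
    itself (no variant) is indistinguishable from one wrapped with an all-zero CV."""
    return token["cv"] == bytes(KEY_LEN) and token["wrapped"] == _encipher_under(kek, unwrap_key(kek, token, "DATA"))


if __name__ == "__main__":
    # Constructed sample values, not real keys. The data key has odd parity in every byte.
    transport_kek = bytes.fromhex("0123456789ABCDEF")
    mac_key = bytes.fromhex("0E329232EA6D0D73")
    token = wrap_key(transport_kek, mac_key, "MAC")
    print("as MAC key     :", unwrap_key(transport_kek, token, "MAC") == mac_key)        # True
    print("as DATA key    :", unwrap_key(transport_kek, token, "DATA"))                  # None: wrong type
    forged = {"cv": CV["PINGEN"], "wrapped": token["wrapped"]}                           # CV field edited
    print("forged as PINGEN:", unwrap_key(transport_kek, forged, "PINGEN") == mac_key)   # False
    # Complementary keys: the exporter KEK on one system and the importer KEK on the
    # other have the same clear value, so the receiving system rebuilds the same variant.
    print("imported elsewhere:", unwrap_key(transport_kek, token, "MAC") == mac_key)     # True
```

The token carries its control vector in the clear; what stops an attacker from simply editing it is that the variant used to recover the key is rebuilt from that field, so the edited token deciphers to a different key value. In the example the DES parity check is what detects that; the example cannot guarantee a garbage key always fails parity (one chance in 256 per byte), which is why the real design relies on the coprocessor refusing the operation rather than on parity alone.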
noncompatibility mode
An ICSF method of operation during which CUSP or PCF can run independently and simultaneously on the same z/OS, OS/390 or MVS system. You cannot run a CUSP or PCF application program on ICSF in this mode.
nonrepudiation
The property that the originator of a message cannot later deny having sent it. In public key cryptography it is provided by a digital signature generated with a private key that only the originator holds and verified with the related public key.
notarization
The ANSI X9.17 process involving the coupling of an ANSI key-encrypting key (AKEK) with ASCII character strings containing origin and destination identifiers and then exclusive ORing (or offsetting) the result with a binary counter.

O

OAEP
Optimal asymmetric encryption padding.
offset
The process of exclusively ORing a counter to a key.
old master key register
A register in the key storage unit that stores a master key that you replaced with a new master key.
operational form
The condition of a key when it is encrypted under the master key so that it is active on the system.
output PIN-encrypting key
A 128-bit key used to protect a PIN block that this system sends to another system, for example the output of a PIN translation from one format to another. Contrast with input PIN-encrypting key.

P

PAN
Personal Account Number.
parameter
Data passed between programs or procedures. (D)
parmlib
A system parameter library, either SYS1.PARMLIB or an installation-supplied library.
partial notarization
The ANSI X9.17 standard does not use the term partial notarization. IBM has divided the notarization process into two steps and defined the term partial notarization as a process during which only the first step of the two-step ANSI X9.17 notarization process is performed. This step involves the coupling of an ANSI key-encrypting key (AKEK) with ASCII character strings containing origin and destination identifiers.
partitioned data set (PDS)
A data set in direct access storage that is divided into partitions, called members, each of which can contain a program, part of a program, or data. (D)
PCI Cryptographic Coprocessor
The 4758 model 2 standard PCI-bus card supported on the field upgraded IBM S/390 Parallel Enterprise Server - Generation 5, the IBM S/390 Parallel Enterprise Server - Generation 6 and the IBM eServer zSeries.
PCICA
PCI Cryptographic Accelerator.
PCICC
PCI Cryptographic Coprocessor.
PCI X Cryptographic Coprocessor
An asynchronous cryptographic coprocessor available on the IBM eServer zSeries 990 and IBM eServer zSeries 800.
PCIXCC
PCI X Cryptographic Coprocessor.
Personal Account Number (PAN)
A Personal Account Number identifies an individual and relates that individual to an account at a financial institution. It consists of an issuer identification number, customer account number, and one check digit.
personal identification number (PIN)
The 4- to 12-digit number entered at an automatic teller machine to identify and validate the requester of an automatic teller machine service. Personal identification numbers are always enciphered at the device where they are entered, and are manipulated in a secure fashion.
Personal Security card
An ISO-standard “smart card” with a microprocessor that enables it to perform a variety of functions such as identifying and verifying users, and determining which functions each user can perform.
PIN block
A 64-bit block of data in a certain PIN block format. A PIN block contains both a PIN and other data.
PIN generation key
A 128-bit key used to generate PINs or PIN offsets algorithmically.
PIN key
A 128-bit key used in cryptographic functions to generate, transform, and verify the personal identification numbers.
PIN offset
For 3624, the difference between a customer-selected PIN and an institution-assigned PIN. For German Bank Pool, the difference between an institution PIN (generated with an institution PIN key) and a pool PIN (generated with a pool PIN key).
PIN verification key
A 128-bit key used to verify PINs algorithmically.
PKA
Public Key Algorithm.
PKCS
Public Key Cryptographic Standards (RSA Data Security, Inc.)
PKDS
Public key data set (PKA cryptographic key data set).
plaintext
Data in normal, readable form.
primary space allocation
An area of direct access storage space initially allocated to a particular data set or file when the data set or file is defined. See also secondary space allocation. (D)
private key
In computer security, a key that is known only to the owner and used with a public key algorithm to decrypt data or generate digital signatures. The data is encrypted and the digital signature is verified using the related public key.
processor complex
A configuration that consists of all the machines required for operation.
Processor Resource/Systems Manager
Enables logical partitioning of the processor complex, may provide additional byte-multiplexer channel capability, and supports the VM/XA System Product enhancement for Multiple Preferred Guests.
Programmed Cryptographic Facility (PCF)
(1) An IBM licensed program that provides facilities for enciphering and deciphering data and for creating, maintaining, and managing cryptographic keys. (D)
(2) The IBM cryptographic offering, program product 5740-XY5, using software only for encryption and decryption. This product is no longer in service; ICSF is the replacement product.
PR/SM
Processor Resource/Systems Manager.
public key
In computer security, a key made available to anyone who wants to encrypt information using the public key algorithm or verify a digital signature generated with the related private key. The encrypted data can be decrypted only by use of the related private key.
public key algorithm (PKA)
In computer security, an asymmetric cryptographic process in which a public key is used for encryption and digital signature verification and a private key is used for decryption and digital signature generation.
public key cryptography
In computer security, cryptography in which a public key is used for encryption and a private key is used for decryption. Synonymous with asymmetric cryptography.

R

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
A hash algorithm.
RDO
Resource definition online.
record chaining
The use, across multiple cipher requests, of the output chaining vector (OCV) from the previous encipher request as the input chaining vector (ICV) for the next encipher request, so that data enciphered in several requests produces the same ciphertext as the same data enciphered in a single request.
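The cipher block chaining, electronic codebook, initial chaining vector, message authentication code and record chaining entries all describe operations on 64-bit blocks. The following is an added example, not ICSF code, that implements those modes around a stand-in block cipher: an 8-round Feistel network with a SHA-256 round function is used in place of DES so the example runs without a cryptographic library, and the key, ICV and message are constructed values. The function names are this example's own. It shows why ECB leaks repeated plaintext blocks while CBC does not, that a CBC-MAC is the final CBC ciphertext block, and that record chaining (feeding the OCV of one request in as the ICV of the next) gives the same ciphertext as one uninterrupted request.

```python
import hashlib

BLOCK_SIZE = 8  # 64-bit blocks, the block size of the data encryption algorithm (DEA)
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, half: bytes, round_no: int) -> bytes:
    """Keyed round function for the stand-in Feistel cipher (assumption: SHA-256 based)."""
    return hashlib.sha256(key + bytes([round_no]) + half).digest()[:4]


def block_encipher(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher: an 8-round Feistel network. NOT DES; it only
    plays the role of 'the block cipher' so the modes of operation can be shown."""
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, right, i))
    return left + right


def block_decipher(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encipher: the same rounds applied in reverse order."""
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, left, i)), left
    return left + right


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK_SIZE:
        raise ValueError("data must be a whole number of 8-byte blocks (pad first)")
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def ecb_encipher(key: bytes, data: bytes) -> bytes:
    """Electronic codebook: each block enciphered on its own, with no chaining
    vector, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encipher(key, blk) for blk in _blocks(data))


def cbc_encipher(key: bytes, icv: bytes, data: bytes) -> tuple:
    """Cipher block chaining: the first plaintext block is XORed with the initial
    chaining vector (ICV) and enciphered; each later block is XORed with the
    previous ciphertext block. Returns (ciphertext, OCV); the OCV is the last
    ciphertext block."""
    out, chain = [], icv
    for blk in _blocks(data):
        chain = block_encipher(key, _xor(blk, chain))
        out.append(chain)
    return b"".join(out), chain


def cbc_decipher(key: bytes, icv: bytes, data: bytes) -> tuple:
    """Inverse of cbc_encipher: decipher each block, then XOR with the previous
    ciphertext block (the ICV for the first block). Returns (plaintext, OCV)."""
    out, chain = [], icv
    for blk in _blocks(data):
        out.append(_xor(block_decipher(key, blk), chain))
        chain = blk
    return b"".join(out), chain


def cbc_mac(key: bytes, data: bytes) -> bytes:
    """Message authentication code as the glossary describes it: the result of
    CBC-mode block cipher operations. Only the final ciphertext block is kept."""
    _, ocv = cbc_encipher(key, bytes(BLOCK_SIZE), data)
    return ocv


def record_chaining_matches(key: bytes, icv: bytes, data: bytes, split_at: int) -> bool:
    """Record chaining: enciphering in one request must equal enciphering in two
    requests where the second request's ICV is the first request's OCV."""
    whole, _ = cbc_encipher(key, icv, data)
    first, ocv = cbc_encipher(key, icv, data[:split_at])
    second, _ = cbc_encipher(key, ocv, data[split_at:])
    return whole == first + second


if __name__ == "__main__":
    # Constructed sample values; not real keys.
    key = bytes.fromhex("0123456789ABCDEF")
    icv = bytes(range(BLOCK_SIZE))
    message = b"ACCT0001" + b"ACCT0001" + b"AMT=0100"   # two identical plaintext blocks
    ecb = ecb_encipher(key, message)
    cbc, ocv = cbc_encipher(key, icv, message)
    print("ECB repeats block:", ecb[:8] == ecb[8:16])   # True: structure leaks
    print("CBC repeats block:", cbc[:8] == cbc[8:16])   # False: chaining hides it
    print("record chaining consistent:", record_chaining_matches(key, icv, message, 8))
    print("MAC:", cbc_mac(key, message).hex())
```

Note that a MAC generation key and a MAC verification key are the same cryptographic operation applied at each end; the receiver recomputes the CBC-MAC over the received message and compares it with the MAC that arrived with it.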
Resource Access Control Facility (RACF)
An IBM licensed program that provides for access control by identifying and verifying the users to the system, authorizing access to protected resources, logging the detected unauthorized attempts to enter the system, and logging the detected accesses to protected resources. (D)
retained key
A private key that is generated and retained within the secure boundary of the PCI Cryptographic Coprocessor.
return code
(1) A code used to influence the execution of succeeding instructions. (A)
(2) A value returned to a program to indicate the results of an operation requested by that program. (D)
Rivest-Shamir-Adleman (RSA) algorithm
A process for public key cryptography that was developed by R. Rivest, A. Shamir, and L. Adleman.
RMF
Resource Measurement Facility.
RMI
Resource Manager Interface.
RSA
Rivest-Shamir-Adleman.

S

SAF
System Authorization Facility.
save area
Area of main storage in which contents of registers are saved. (A)
secondary space allocation
In systems with VSAM, area of direct access storage space allocated after primary space originally allocated is exhausted. See also primary space allocation. (D)
Secure Electronic Transaction
A standard created by Visa International and MasterCard for safe-guarding payment card purchases made over open networks.
secure key
A key that is encrypted under a master key. When ICSF uses a secure key, it is passed to a cryptographic coprocessor where the coprocessor decrypts the key and performs the function. The secure key never appears in the clear outside of the cryptographic coprocessor.
Secure Sockets Layer
A security protocol that provides communications privacy over the Internet by allowing client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. SSL has been superseded by Transport Layer Security (TLS); the SSL protocol versions themselves are deprecated.
sequential data set
A data set whose records are organized on the basis of their successive physical positions, such as on magnetic tape. (D)
SET
Secure Electronic Transaction.
SHA (Secure Hash Algorithm, FIPS 180)
The SHA (Secure Hash Algorithm) family is a set of related cryptographic hash functions designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) as FIPS 180. The first member of the family, published in 1993, is officially called SHA; today it is often unofficially called SHA-0 to avoid confusion with its successors. SHA-1, the first successor to SHA, was published two years later. Four more variants have since been published with larger output sizes and a slightly different design: SHA-224, SHA-256, SHA-384, and SHA-512 (collectively referred to as SHA-2).
SHA-1 (Secure Hash Algorithm 1, FIPS 180)
A hash algorithm required for use with the Digital Signature Standard.
SHA-2 (Secure Hash Algorithm 2, FIPS 180)
Four additional variants to the SHA family, with increased output ranges and a slightly different design: SHA-224, SHA-256, SHA-384, and SHA-512 (all are sometimes referred to as SHA-2).
SHA-224
One of the SHA-2 algorithms.
SHA-256
One of the SHA-2 algorithms.
SHA-384
One of the SHA-2 algorithms.
SHA-512
One of the SHA-2 algorithms.
single-length key
A key that is 64 bits long. A key can be single- or double-length. A double-length key is 128 bits long.
smart card
A plastic card that has a microchip capable of storing data or processing information.
special secure mode
An alternative form of security that allows you to enter clear keys with the key generator utility program or generate clear PINs.
SSL
Secure Sockets Layer.
supervisor state
A state during which a processing unit can execute input/output and other privileged instructions. (D)
System Authorization Facility (SAF)
An interface to a system security system like the Resource Access Control Facility (RACF).
system key
A key that ICSF creates and uses for internal processing.
System Management Facility (SMF)
A base component of z/OS that provides the means for gathering and recording information that can be used to evaluate system usage. (D)

T

TDEA
Triple Data Encryption Algorithm.
TKE
Trusted key entry.
Transaction Security System
An IBM product offering including both hardware and supporting software that provides access control and basic cryptographic key-management functions in a network environment. In the workstation environment, this includes the 4755 Cryptographic Adapter, the Personal Security Card, the 4754 Security Interface Unit, the Signature Verification feature, the Workstation Security Services Program, and the AIX Security Services Program/6000. In the host environment, this includes the 4753 Network Security Processor and the 4753 Network Security Processor MVS Support Program.
transport key
A 128-bit key used to protect keys distributed from one system to another. A transport key can either be an exporter key-encrypting key, an importer key-encrypting key, or an ANSI key-encrypting key.
transport key variant
A key derived from a transport key by use of a control vector. It is used to force separation by type for keys sent between systems.
TRUE
Task-related User Exit (CICS). The CICS-ICSF Attachment Facility provides a CSFATRUE and CSFATREN routine.

U

UAT
UDX Authority Table.
UDF
User-defined function.
UDK
User-derived key.
UDP
User Developed Program.
UDX
User Defined Extension.

V

verification pattern
An 8-byte pattern that ICSF calculates from the key parts you enter when you enter a master key or clear key. You can use the verification pattern to verify that you have entered the key parts correctly and specified a certain type of key.
Virtual Storage Access Method (VSAM)
An access method for indexed or sequential processing of fixed and variable-length records on direct-access devices. The records in a VSAM data set or file can be organized in logical sequence by means of a key field (key sequence), in the physical sequence in which they are written on the data set or file (entry-sequence), or by means of relative-record number.
Virtual Telecommunications Access Method (VTAM)
An IBM licensed program that controls communication and the flow of data in an SNA network. It provides single-domain, multiple-domain, and interconnected network capability. (D)
VISA
A financial institution consortium that has defined four PIN block formats and a method for PIN verification.
VISA PIN Verification Value (VISA PVV)
An input to the VISA PIN verification process that, in practice, works similarly to a PIN offset.

Numerics

3621
A model of an IBM Automatic Teller Machine that has a defined PIN block format.
3624
A model of an IBM Automatic Teller Machine that has a defined PIN block format and methods of PIN calculation.
4753
The Network Security Processor (NSP). The IBM 4753 is a processor that uses the Data Encryption Algorithm and the RSA algorithm to provide cryptographic support for systems requiring secure transaction processing (and other cryptographic services) at the host computer. The NSP includes a 4755 cryptographic adapter in a workstation that is channel-attached to a S/390 host computer.
4758
The IBM PCI Cryptographic processor provides a secure programming and hardware environment where DES and RSA processes are performed.


Copyright IBM Corporation 1990, 2014