z/OS Cryptographic Services ICSF Application Programmer's Guide


Key Wrapping

SA22-7522-16

ICSF supports two methods of wrapping the key value in a fixed-length symmetric key token: the original ECB wrapping and an enhanced CBC wrapping method which is ANSI X9.24 compliant.

The key value in a symmetric key token may be wrapped in two ways. The original method has been used by ICSF since it was first released. With this method, the key value in DES key tokens is encrypted using triple DES encryption, and the key parts are encrypted separately. The key value in AES tokens is encrypted using AES encryption and cipher block chaining mode.

The enhanced method of key wrapping, introduced in HCR7780, is ANSI X9.24 compliant. The key values of all keys are bundled with other token data and encrypted using triple DES or AES encryption and cipher block chaining mode. The enhanced method requires a z196 with a CEX3C.

While customizing the installation options data set as described in the z/OS Cryptographic Services ICSF System Programmer’s Guide, your installation’s system programmer can use the DEFAULTWRAP parameter to specify the default key wrapping method for symmetric keys. Application programs can override this default using the rule array keywords WRAP-ENH (use the enhanced method) and WRAP-ECB (use the original ECB key-wrapping method).

Note:
Variable-length tokens are wrapped using the AESKW wrapping method defined in ANSI X9.102 and are not affected by the DEFAULTWRAP setting.





Copyright IBM Corporation 1990, 2014