DES key types
The DES keys are 64-bit, 128-bit, and 192-bit keys that use the DES algorithm to perform the cryptographic function. A 64-bit key is referred to as a single-length key. A 128-bit key is referred to as a double-length key. Triple-length keys are 192-bits in length.
Additional triple-length DES key support is introduced by APAR OA55184 for ICSF FMID HCR77C1 and later releases and licensed internal code for the z13, z13s, z14, and later servers. In general, any service where a double-length key can be used, a triple-length key can be used as well. The service description should be checked for any restrictions.
For installations that do not support double-length key-encrypting keys, effective single-length keys are provided. For an effective single-length key, the clear key value of the left key half equals the clear key value of the right key half.
| DES key type | Usable with services |
|---|---|
DATA class (data operation keys)
These key are used to encrypt and decrypt data. Single-length keys can be used to generate and verify MACs and CVVs. DATA keys can be single-length, double-length, or triple-length. DATAM and DATAMV keys are double-length. CLRDES keys are DATA keys. |
|
| DATA | Authentication Parameter Generate, Cipher Text Translate2, CVV Key Combine, Decipher, Encipher, EMV Verification Functions, Field Level Decipher, Field Level Encipher, MAC Generate, MAC Verify, Symmetric Key Encipher, Symmetric Key Decipher, VISA CVV Generate, VISA CVV Verify |
| DATAM | MAC Generate, MAC Verify |
| DATAMV | MAC Verify |
Cipher class (data operation keys)
These key are used to encrypt and decrypt data. The keys can be single-length, double-length, or triple-length. |
|
| CIPHER | Cipher Text Translate2, Decipher, Encipher, Encrypted PIN Translate Enhanced, FPE Decipher, FPE Encipher, FPE Translate |
| DECIPHER | Cipher Text Translate2, Decipher, Encrypted PIN Translate Enhanced, FPE Decipher, FPE Translate |
| ENCIPHER | Cipher Text Translate2, Encipher, FPE Encipher, FPE Translate |
CIPHERXL class (cipher text translate keys)
These key are used to translate cipher text. The keys are double-length. |
|
| CIPHERXI | Cipher Text Translate2 (translate inbound key only) |
| CIPHERXL | Cipher Text Translate2 (translate inbound and outbound key) |
| CIPHERXO | Cipher Text Translate2 (translate outbound key only) |
MAC class (data operation keys)
These keys are used to generate and verify MACs, CVVs, and CSCs. The keys can be single-length, double-length, or triple-length. |
|
| MAC | CVV Key Combine, MAC Generate, MAC Verify, Transaction Validation, VISA CVV Generate, VISA CVV Verify |
| MACVER | CVV Key Combine, MAC Verify, Transaction Validation, VISA CVV Verify |
PIN class
These keys are used generate and verify PINs and PIN offsets. The keys can be double-length or triple-length. |
|
| PINGEN | Clear PIN Generate, Clear PIN Generate Alternate, Encrypted PIN Generate, Recover PIN from Offset |
| PINVER | Encrypted PIN Verify |
|
These keys are used wrap and unwrap PIN blocks:
The keys can be double-length or triple-length. |
|
| IPINENC | Authentication Parameter Generate, Clear PIN Generate Alternate, EMV Scripting Service, Encrypted PIN Translate, Encrypted PIN Translate2, Encrypted PIN Translate Enhanced, Encrypted PIN Verify, PIN Change/Unblock, Secure Messaging for PINs |
| OPINENC | Clear PIN Encrypt, Clear PIN Generate Alternate, EMV Scripting Service, Encrypted PIN Generate, Encrypted PIN Translate, Encrypted PIN Translate2, Encrypted PIN Translate Enhanced, PIN Change/Unblock, Recover PIN from Offset |
|
Key-encrypting key class
These keys are used to wrap other keys. EXPORTER, IMPORTER, and IMP-PKA keys can be double-length or triple-length. The other key types are double-length keys. |
|
| EXPORTER | Control Vector Translate, Data Key Export, Derive ICC MK, ECC Diffie-Hellman, Generate Issuer MK, Key Encryption Translate, Key Export, Key Generate, Key Test2, Key Test Extended, Key Translate, Key Translate2, PKA Key Generate, PKA Key Translate, Prohibit Export Extended, Remote Key Export, Secure Messaging for Keys, Symmetric Key Generate, TR-31 Export, TR-31 Import, TR-34 Key Distribution, Unique Key Derive |
| IMPORTER | Control Vector Translate, Data Key Import, ECC Diffie-Hellman, Generate Issuer MK, Key Encryption Translate, Key Generate, Key Import, Key Test2, Key Test Extended, Key Translate, Key Translate2, Multiple Secure Key Import, PKA Key Generate, PKA Key Import, PKA Key Translate, Prohibit Export Extended, Remote Key Export, Restrict Key Attribute, Secure Key Import, Secure Messaging for Keys, Symmetric Key Generate, TR-31 Export, TR-31 Import |
| IMP-PKA | PKA Key Import, Remote Key Export, Trusted Block Create |
| IKEYXLAT, OKEYXLAT | Control Vector Translate, Key Translate, Key Translate2, TR-31 Export,TR-31 Import |
Key-generate key class
These keys are used to derive keys. The keys are double-length keys. The key usage flags in the control vector determine which services the KEYGENKY key may be used with. |
|
| KEYGENKY | Diversified Key Generate, Encrypted PIN Translate, Encrypted PIN Translate2, Encrypted PIN Translate Enhanced, Encrypted PIN Verify, FPE Decipher, FPE Encipher, FPE Translate, Unique Key Derive |
| DKYGENKY | Derive ICC MK, Derive Session Key, Diversified Key Generate, EMV Scripting Service, EMV Transaction (ARQC/ARPC) Service, EMV Verification Functions, Generate Issuer MK, PIN Change/Unblock |
Cryptographic-variable class
These keys are used in the special verbs that operate with cryptographic variables The keys are single-length keys. |
|
| CVARENC | Cryptographic Variable Encipher |
| CVARXCVL | Control Vector Translate |
| CVARXCVR | Control Vector Translate |
Secure-messaging class (data operation keys)
These keys are used to encrypt keys or PINs. The keys are double-length keys. The key usage flags in the control vector determine which services the key may be used with. |
|
| SECMSG | Diversified Key Generate, Secure Messaging for Keys, Secure Messaging for PINs |