Types of keys

ICSF groups cryptographic keys into the following classes according to the functions they perform.

If you intend to use a key for an extended period, you can store it in the CKDS so that it is reenciphered automatically when the master key is changed.

Master keys - DES and AES
Master keys are used to encipher operational keys. The ICSF administrator installs and changes the master keys (see z/OS Cryptographic Services ICSF Administrator's Guide for details). The administrator does this by using the Master Key Entry panels or the optional Trusted Key Entry (TKE) workstation.

The master key always remains in a secure area in the cryptographic coprocessors.

Master keys are used only to encipher and decipher other keys; they are never used on data. Key-encrypting keys also encipher and decipher keys, and are mostly used to protect keys that you transmit over external links. While they are on the system, those key-encrypting keys are themselves encrypted under a master key.

Data-encrypting keys
Data-encrypting keys are used to protect data privacy. There are two classes of data-encrypting keys:
  • DATA keys can be either encrypted under the master key or in the clear (see Clear keys for details on using clear keys). DATA keys can be used both to encrypt data and to generate MACs.
  • CIPHER keys are always encrypted under the master key. CIPHER keys can be used only to encipher and decipher data, not to generate MACs.

Cipher text translation keys
Cipher text translation keys protect data that is transmitted through intermediate systems when the originator and receiver do not share a common key. Data that is enciphered under one cipher text translation key is reenciphered under another cipher text translation key on the intermediate node. During this process, the data never appears in the clear.

MAC keys
Message authentication is the process of verifying the integrity of transmitted messages. Message authentication code (MAC) processing enables you to verify that a message has not been altered. You can use a MAC to check that a message you receive is the same one the message originator sent. The message itself may be in clear or encrypted form.

MAC keys can be used to generate and verify MACs or can be restricted to just verify MACs.

DES MAC keys support the ANSI X9.9-1 procedure, the ANSI X9.19 optional double-key MAC procedure, and the EMV specification and ISO 16609 procedures, for encrypted keys.

DES MAC keys can also be used to generate card verification values (CVVs) and card security codes (CSCs) for PIN transactions.

AES MAC keys support the cipher-based message authentication code (CMAC) for encrypted keys, and CBC-MAC and XCBC-MAC for clear keys.

HMAC keys support the FIPS 198 keyed-hash message authentication code (HMAC) for encrypted keys.

PIN keys
Personal authentication is the process of validating personal identities in a financial transaction system. The personal identification number (PIN) is the basis for verifying the identity of a customer across the financial industry networks. A PIN is a number that the bank customer enters into an automatic teller machine (ATM) to identify and validate a request for an ATM service.

You can use ICSF to generate PINs and PIN offsets. A PIN offset is a value that is the difference between two PINs. For example, a PIN offset may be the difference between a PIN that is chosen by the customer and one that is assigned by an institution. You can use ICSF to verify the PIN that was generated by ICSF. You can also use ICSF to protect PIN blocks that are sent between systems and to translate PIN blocks from one format to another. A PIN block contains a PIN and non-PIN data. You use PIN keys to generate and verify PINs and PIN offsets and to protect and translate PIN blocks.
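The following is an added example, not code from ICSF or this document, showing the two ideas in the paragraph above in working form: a PIN offset computed as the digit-wise modulo-10 difference between a customer-chosen PIN and an institution-derived "natural" PIN (the IBM 3624 offset style), and a PIN block that combines the PIN with non-PIN data (ISO 9564 format 0, where the PIN field is XORed with digits taken from the account number). Assumptions: the DES encipherment of the validation data under the PIN generation key is replaced by HMAC-SHA256 because the standard library has no DES, and the decimalization table, key, account number and PINs are constructed for the example.

```python
"""Added illustration of PIN offsets and PIN blocks (not ICSF code).
Offset: IBM 3624 style, digit-wise (customer PIN - natural PIN) mod 10.
PIN block: ISO 9564 format 0.
Assumption: HMAC-SHA256 stands in for DES under the PIN generation key;
the decimalization table, key, PAN and PINs below are constructed."""
import hashlib
import hmac

# Constructed decimalization table: hex digit 0-F -> decimal digit.
DECIMALIZATION = "0123456789012345"


def natural_pin(pin_gen_key: bytes, validation_data: str, pin_length: int = 4) -> str:
    """Institution-assigned ("natural") PIN derived from validation data such as
    the account number under the PIN generation key. Stand-in PRF: HMAC-SHA256."""
    digest = hmac.new(pin_gen_key, validation_data.encode(), hashlib.sha256).hexdigest()
    decimal = "".join(DECIMALIZATION[int(ch, 16)] for ch in digest)
    return decimal[:pin_length]


def pin_offset(customer_pin: str, natural: str) -> str:
    """Digit-wise (customer - natural) mod 10. The offset can be stored with the
    account record because it reveals nothing without the PIN generation key."""
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, natural))


def verify_pin(pin_gen_key: bytes, validation_data: str, offset: str, entered: str) -> bool:
    """Recompute the natural PIN, add the stored offset, compare in constant time.
    A wrong-length or non-numeric entry is rejected before any arithmetic."""
    if len(entered) != len(offset) or not entered.isdigit():
        return False
    natural = natural_pin(pin_gen_key, validation_data, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))
    return hmac.compare_digest(expected, entered)


def iso0_pin_block(pin: str, pan: str) -> str:
    """ISO 9564 format 0: PIN field XOR PAN field, 16 hex digits. The PIN field is
    0, the PIN length, the PIN, F padding; the PAN field is 0000 plus the 12
    rightmost PAN digits excluding the check digit (assumes PAN >= 13 digits)."""
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[:-1][-12:]
    return f"{int(pin_field, 16) ^ int(pan_field, 16):016X}"


def iso0_extract_pin(block: str, pan: str) -> str:
    """Inverse of iso0_pin_block; the PIN length is the second nibble. Using the
    wrong PAN yields a different PIN, which is why the block is bound to the account."""
    pan_field = "0000" + pan[:-1][-12:]
    pin_field = f"{int(block, 16) ^ int(pan_field, 16):016X}"
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


if __name__ == "__main__":
    key = b"constructed-pin-generation-key"   # constructed, not a real PINGEN key
    pan = "4000001234567899"                  # constructed account number
    natural = natural_pin(key, pan)
    offset = pin_offset("7391", natural)
    print("natural PIN", natural, "offset", offset)
    print("verify 7391:", verify_pin(key, pan, offset, "7391"))
    print("verify 7392:", verify_pin(key, pan, offset, "7392"))
    block = iso0_pin_block("7391", pan)
    print("ISO-0 PIN block", block, "->", iso0_extract_pin(block, pan))
```

The offset is the only PIN-related value the institution needs to keep per account, and it is useless without the PIN generation key, which in ICSF never leaves the coprocessor; here the derivation is exposed in software only so the arithmetic can be followed. The PIN block shows why translation between formats needs a PIN key rather than a plain re-encryption: the PAN digits are mixed into the block itself.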

Managing personal authentication gives an overview of the PIN algorithms you need to know to write your own application programs.

Key-encrypting keys
Key-encrypting keys protect a key that is sent to another system, received from another system, or stored with data in a file. A variation of these transport keys is also used to rewrap a key from one key-encrypting key to another.

Key-encrypting keys are always generated in pairs. Both keys of a pair have the same clear key value, but different encrypted key values, because each is enciphered under the master key together with its own control vector (DES) or its own key-usage attributes in the token's associated data (AES). That control vector or associated data is what restricts one copy of the pair to exporting and the other to importing.

Exporter key-encrypting key
An exporter key-encrypting key protects keys that are sent from your system to another system. The exporter key at the originator has the same clear value as the importer key at the receiver. An exporter key is paired with an importer key-encrypting key.

When a key is rewrapped from one DES key-encrypting key to another, a DES OKEYXLAT key must be used on the exporting side. An AES EXPORTER used for rewrapping must have the TRANSLAT key-usage attribute enabled.

Importer key-encrypting key
An importer key-encrypting key protects keys that are sent from another system to your system. It also protects keys that you store externally in a file that you can import to your system later. The importer key at the receiver has the same clear value as the exporter key at the originator. An importer key is paired with an exporter key-encrypting key.

When a key is rewrapped from one DES key-encrypting key to another, a DES IKEYXLAT key must be used on the importing side. An AES IMPORTER used for rewrapping must have the TRANSLAT key-usage attribute enabled.
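The following is an added example, not ICSF code and not CCA's real token format or wrapping algorithm, that shows in running code the three points made above about key-encrypting keys: a pair shares one clear value but has two different encrypted forms, an exporter on the originating system and an importer on the receiving system move a DATA key between two different master keys, and a token presented under the wrong control vector recovers a wrong key rather than a usable one. Assumptions: the block cipher is replaced by a SHA-256 keystream (the standard library has no DES or AES), the control vector values are constructed here, and the clear-key recovery that a coprocessor performs internally is written as an ordinary function so the steps are visible. What the example keeps from CCA is the rule that a key is enciphered under (key-encrypting key XOR control vector).

```python
"""Added illustration of control-vector bound key-encrypting keys (not ICSF code).
Assumptions: SHA-256 keystream stands in for the block cipher; control vector
values are constructed; recover() models what the coprocessor does internally."""
import hashlib
import secrets

# Constructed control vectors. Real CCA control vectors are bit layouts
# defined by the CCA specification; only the XOR-into-the-key rule is kept.
CV = {
    "EXPORTER": bytes([0] * 15 + [0x01]),
    "IMPORTER": bytes([0] * 15 + [0x02]),
    "DATA":     bytes([0] * 15 + [0x03]),
}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the block cipher: XOR data with a SHA-256 keystream derived
    from key. Symmetric, so one call both enciphers and deciphers."""
    out = bytearray()
    for i in range(0, len(data), 32):
        chunk = data[i:i + 32]
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += xor(chunk, block[:len(chunk)])
    return bytes(out)


def make_token(master_key: bytes, cv: bytes, clear_key: bytes) -> bytes:
    """Operational form of a key: enciphered under master key XOR its own CV."""
    return cipher(xor(master_key, cv), clear_key)


def recover(master_key: bytes, cv: bytes, token: bytes) -> bytes:
    """Clear-key recovery; inside a coprocessor this value never leaves the device."""
    return cipher(xor(master_key, cv), token)


def export_key(master_key, exporter_token, key_token, key_cv):
    """Originator: recover the KEK through the EXPORTER CV and the key through
    its own CV, then encipher the key under KEK XOR the key's CV."""
    kek = recover(master_key, CV["EXPORTER"], exporter_token)
    key = recover(master_key, key_cv, key_token)
    return cipher(xor(kek, key_cv), key)


def import_key(master_key, importer_token, external, key_cv):
    """Receiver: recover the KEK through the IMPORTER CV, decipher the external
    key, and return it as a token under the receiver's own master key."""
    kek = recover(master_key, CV["IMPORTER"], importer_token)
    key = cipher(xor(kek, key_cv), external)
    return make_token(master_key, key_cv, key)


def run_exchange() -> dict:
    mk_a = secrets.token_bytes(16)          # originator's master key
    mk_b = secrets.token_bytes(16)          # receiver's master key
    kek_clear = secrets.token_bytes(16)     # one clear KEK value, shared out of band
    data_clear = secrets.token_bytes(16)    # the DATA key to be transported

    exporter_a = make_token(mk_a, CV["EXPORTER"], kek_clear)
    importer_a = make_token(mk_a, CV["IMPORTER"], kek_clear)   # same MK, same clear value
    importer_b = make_token(mk_b, CV["IMPORTER"], kek_clear)
    data_a = make_token(mk_a, CV["DATA"], data_clear)

    external = export_key(mk_a, exporter_a, data_a, CV["DATA"])
    data_b = import_key(mk_b, importer_b, external, CV["DATA"])

    # Misuse: present the EXPORTER token where an IMPORTER is expected. The
    # wrong CV yields a wrong KEK, so the "imported" key is garbage.
    misused = import_key(mk_a, exporter_a, external, CV["DATA"])

    return {
        "tokens_differ_by_cv": exporter_a != importer_a,
        "receiver_got_same_key": recover(mk_b, CV["DATA"], data_b) == data_clear,
        "misuse_yields_wrong_key": recover(mk_a, CV["DATA"], misused) != data_clear,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The keystream stand-in has no integrity protection, so it models only the usage binding, not the tamper resistance of a real CCA wrapper. Two practical consequences follow even from this simplified model: a key-encrypting key pair must be exchanged with both parties agreeing on which copy is the exporter and which the importer, and, as the note below says, the key-encrypting key should be at least as strong as the keys it transports, because anyone who recovers the KEK recovers every key ever wrapped under it.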

Note:
  • Key-encrypting keys replace the local, remote, and cross keys used by PCF.
  • A key-encrypting key should be at least as strong as the key it wraps.

DES NOCV key-encrypting keys
DES NOCV importers and exporters are key-encrypting keys used to transport keys to and from systems that do not recognize CCA control vectors. The transported key is enciphered under the key-encrypting key with no control vector XORed in, so the wrapping itself carries no key-usage restriction. There are some requirements and restrictions on the use of NOCV key-encrypting keys:
  • Use of NOCV IMPORTERs and EXPORTERs is controlled by access control points.
  • Only programs in system or supervisor state can use NOCV key-encrypting keys in the form of key tokens in callable services. Any problem program may use a NOCV key-encrypting key by its label name from the CKDS.
  • NOCV key-encrypting keys in the CKDS should be protected by RACF.
  • A NOCV key-encrypting key can be used to encrypt single-, double-, or triple-length keys of any key type.

Key-generating keys
Key-generating keys are used to derive unique-key-per-transaction (UKPT) keys.

Cryptographic-variable keys
These DES keys are used to encrypt special control values in DES key management.

Secure messaging keys
Secure messaging keys are used to encrypt keys and PINs for incorporation into a text block. The text block is then encrypted to preserve the security of the key value. The encrypted text block, normally the value field in a TLV item, can be incorporated into a message sent to an EMV smart card.