Types of keys
The cryptographic keys are grouped into these classes based on the functions they perform.
- Master keys - DES and AES
- Master keys are used to encipher operational keys. The ICSF administrator installs and changes the master keys (see z/OS Cryptographic Services ICSF Administrator's Guide for details). The administrator does this by using the Master Key Entry panels or the optional Trusted Key Entry (TKE) workstation.
The master key always remains in a secure area in the cryptographic coprocessors.
The master keys are used only to encipher and decipher keys. Other keys also encipher and decipher keys and are mostly used to protect cryptographic keys you transmit on external links. These keys, while on the system, are also encrypted under the master keys.
- Data-encrypting keys
- Data-encrypting keys are used to protect data privacy. There are two classes of data-encrypting keys:
- DATA keys can be either encrypted under the master key or in the clear (see Clear keys for details on using clear keys). DATA keys can be used to encrypt data and to generate MACs.
- CIPHER keys are encrypted under the master key. CIPHER keys can only be used to encrypt data.
- Cipher text translation keys
- Cipher text translation keys protect data that is transmitted through intermediate systems when the originator and receiver do not share a common key. Data that is enciphered under one cipher text translation key is reenciphered under another cipher text translation key on the intermediate node. During this process, the data never appears in the clear.
- MAC keys
- Message authentication is the process of verifying the integrity of transmitted messages. Message authentication code (MAC) processing enables you to verify that a message has not been altered. You can use a MAC to check that a message you receive is the same one the message originator sent. The message itself may be in clear or encrypted form.
MAC keys can be used to generate and verify MACs or can be restricted to just verify MACs.
DES supports the ANSI X9.9-1 procedure, ANSI X9.19 optional double key MAC procedure, and EMV Specification and ISO 16609 for encrypted keys.
DES MAC keys can be used to generate CVVs and CSCs for PIN transactions.
AES supports the cipher-based message authentication code (CMAC) for encrypted keys and CBC-MAC and XCBC-MAC for clear keys.
HMAC keys support the FIPS 198 keyed-hash message authentication code (HMAC) for encrypted keys.
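To make the generate/verify distinction concrete, here is an added Go example (not ICSF code and not from this page) using the standard library's HMAC-SHA-256, which is the FIPS 198 construction named above. The MACKey type, its canGenerate flag, and the sample secret and message are assumptions made for the illustration; a key built with canGenerate=false models a MAC key whose usage is restricted to verification only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// MACKey models a MAC key together with its permitted usage. A key built
// with canGenerate=false can only verify MACs, mirroring a MAC key that is
// restricted to just verifying. This is a teaching model, not an ICSF token.
type MACKey struct {
	secret      []byte
	canGenerate bool
}

// ErrKeyUsage is returned when a verify-only key is asked to generate a MAC.
var ErrKeyUsage = errors.New("key usage does not permit MAC generation")

// NewMACKey returns a key for the given secret; canGenerate=false yields a
// verify-only key.
func NewMACKey(secret []byte, canGenerate bool) MACKey {
	return MACKey{secret: append([]byte(nil), secret...), canGenerate: canGenerate}
}

// Generate computes an HMAC-SHA-256 (FIPS 198 construction) over msg.
func (k MACKey) Generate(msg []byte) ([]byte, error) {
	if !k.canGenerate {
		return nil, ErrKeyUsage
	}
	m := hmac.New(sha256.New, k.secret)
	m.Write(msg)
	return m.Sum(nil), nil
}

// Verify recomputes the MAC over msg and compares it with the received MAC
// in constant time, so timing does not reveal how many bytes matched.
func (k MACKey) Verify(msg, mac []byte) bool {
	m := hmac.New(sha256.New, k.secret)
	m.Write(msg)
	return hmac.Equal(m.Sum(nil), mac)
}

func main() {
	// Constructed sample values; in practice the secret comes from the key store.
	secret := []byte("constructed-sample-secret")
	msg := []byte("TRANSFER 100.00 FROM 1234 TO 5678")

	originator := NewMACKey(secret, true) // may generate and verify
	receiver := NewMACKey(secret, false)  // verify only

	mac, err := originator.Generate(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("MAC:", hex.EncodeToString(mac))
	fmt.Println("message intact:", receiver.Verify(msg, mac))

	tampered := []byte("TRANSFER 900.00 FROM 1234 TO 5678")
	fmt.Println("tampered message intact:", receiver.Verify(tampered, mac))

	_, err = receiver.Generate(msg)
	fmt.Println("verify-only key asked to generate:", err)
}
```

The receiver holds the same secret but cannot mint MACs, so a compromise of the receiving side cannot be used to forge messages that the originator appears to have sent; that is the operational reason for issuing verify-only MAC keys.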
- PIN keys
- Personal authentication is the process of validating personal identities in a financial transaction system. The personal identification number (PIN) is the basis for verifying the identity of a customer across the financial industry networks. A PIN is a number that the bank customer enters into an automatic teller machine (ATM) to identify and validate a request for an ATM service.
You can use ICSF to generate PINs and PIN offsets. A PIN offset is a value that is the difference between two PINs. For example, a PIN offset may be the difference between a PIN that is chosen by the customer and one that is assigned by an institution. You can use ICSF to verify the PIN that was generated by ICSF. You can also use ICSF to protect PIN blocks that are sent between systems and to translate PIN blocks from one format to another. A PIN block contains a PIN and non-PIN data. You use PIN keys to generate and verify PINs and PIN offsets and to protect and translate PIN blocks.
Managing personal authentication gives an overview of the PIN algorithms you need to know to write your own application programs.
- Key-encrypting keys
- Key-encrypting keys protect a key that is sent to another system, received from another system, or stored with data in a file. A variation of transport keys is also used to rewrap a key from one key-encrypting key to another key-encrypting key.
Key-encrypting keys are always generated in pairs. Both keys have the same clear key value, but have a different encrypted key value due to the control vector or the associated data.
- Exporter key-encrypting key
- An exporter key-encrypting key protects keys that are sent from your system to another system. The exporter key at the originator has the same clear value as the importer key at the receiver. An exporter key is paired with an importer key-encrypting key.
DES OKEYXLAT keys must be used when rewrapping a key under a key-encrypting key. The AES EXPORTER must have the TRANSLAT key usage enabled when rewrapping a key.
- Importer key-encrypting key
- An importer key-encrypting key protects keys that are sent from another system to your system. It also protects keys that you store externally in a file that you can import to your system later. The importer key at the receiver has the same clear value as the exporter key at the originator. An importer key is paired with an exporter key-encrypting key.
DES IKEYXLAT keys must be used when rewrapping a key under a key-encrypting key. The AES IMPORTER must have the TRANSLAT key usage enabled when rewrapping a key.
Note:
- Key-encrypting keys replace local, remote, and cross keys used by PCF.
- A key-encrypting key should be as strong as or stronger than the key it is wrapping.
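The following added Go example (illustrative; not ICSF's token format and not the real CCA control vector values) shows why the two keys of a pair have the same clear value but different encrypted values: the control vector is XORed into the wrapping key before the key is enciphered, so the permitted usage is bound into the token, and a token wrapped as an exporter does not unwrap as an importer. It then carries a DATA key from originator to receiver through the pair. The CV constants, the master key and KEK values, and the block-wise AES wrapping are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed, illustrative control vectors (not the real CCA encodings).
// Each is exactly one AES block so it can be XORed into a 128-bit key.
var (
	CVExporter = []byte("CV:EXPORTER-KEK-")
	CVImporter = []byte("CV:IMPORTER-KEK-")
	CVData     = []byte("CV:DATA-KEY-----")
)

// variant binds a key's permitted usage into the wrapping key by XORing the
// KEK with the control vector (the CCA "variant" idea in simplified form).
func variant(kek, cv []byte) ([]byte, error) {
	if len(kek) != len(cv) {
		return nil, errors.New("kek and control vector must be the same length")
	}
	out := make([]byte, len(kek))
	for i := range kek {
		out[i] = kek[i] ^ cv[i]
	}
	return out, nil
}

// cryptBlocks enciphers or deciphers each 16-byte block of in under kek XOR cv.
func cryptBlocks(kek, cv, in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("key length must be a non-zero multiple of 16 bytes")
	}
	wk, err := variant(kek, cv)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(wk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// WrapKey enciphers clearKey under kek XOR cv. Block-wise AES is used here
// for clarity; real ICSF tokens use the coprocessor's own wrapping method.
func WrapKey(kek, cv, clearKey []byte) ([]byte, error) {
	return cryptBlocks(kek, cv, clearKey, false)
}

// UnwrapKey reverses WrapKey. Supplying a cv other than the one the key was
// wrapped with yields garbage rather than the key, so a token wrapped as an
// exporter cannot be presented as an importer.
func UnwrapKey(kek, cv, wrapped []byte) ([]byte, error) {
	return cryptBlocks(kek, cv, wrapped, true)
}

func main() {
	master := []byte("constructed-MK--")   // constructed 128-bit master key
	kekClear := []byte("shared-kek-value") // constructed 128-bit KEK clear value
	dataKey := []byte("operational-key!")  // constructed 128-bit DATA key

	// The pair: same clear value, different encrypted values under the master key.
	exporterTok, _ := WrapKey(master, CVExporter, kekClear)
	importerTok, _ := WrapKey(master, CVImporter, kekClear)
	fmt.Println("exporter token:", hex.EncodeToString(exporterTok))
	fmt.Println("importer token:", hex.EncodeToString(importerTok))

	// Originator recovers its exporter KEK and wraps the DATA key for transport.
	exporterKEK, _ := UnwrapKey(master, CVExporter, exporterTok)
	transport, _ := WrapKey(exporterKEK, CVData, dataKey)

	// Receiver recovers its importer KEK (same clear value) and unwraps the DATA key.
	importerKEK, _ := UnwrapKey(master, CVImporter, importerTok)
	received, _ := UnwrapKey(importerKEK, CVData, transport)
	fmt.Println("DATA key recovered at receiver:", bytes.Equal(received, dataKey))

	// Presenting the exporter token under the importer CV does not yield the KEK.
	misused, _ := UnwrapKey(master, CVImporter, exporterTok)
	fmt.Println("exporter token usable as importer:", bytes.Equal(misused, kekClear))
}
```

Because the usage is mixed into the wrapping key rather than stored as a separate flag, a token cannot be re-labelled to a more permissive type without also changing the bytes that decrypt it; that is the property the control vector (or, for AES keys, the associated data) gives the key-encrypting key pair.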
- DES NOCV key-encrypting keys
- DES NOCV importers and exporters are key-encrypting keys used to transport keys with systems that do not recognize CCA control vectors. There are some requirements and restrictions for the use of NOCV key-encrypting keys:
- Use of NOCV IMPORTERs and EXPORTERs is controlled by access control points.
- Only programs in system or supervisor state can use NOCV key-encrypting keys in the form of tokens in callable services. Any problem program may use NOCV key-encrypting keys by label name from the CKDS.
- NOCV key-encrypting keys on the CKDS should be protected by RACF.
- NOCV key-encrypting keys can be used to encrypt single-, double-, or triple-length keys of any key type.
- Key-generating keys
- Key-generating keys are used to derive unique-key-per-transaction keys.
- Cryptographic-variable keys
- These DES keys are used to encrypt special control values in DES key management.
- Secure messaging keys
- Secure messaging keys are used to encrypt keys and PINs for incorporation into a text block. The text block is then encrypted to preserve the security of the key value. The encrypted text block, normally the value field in a TLV item, can be incorporated into a message sent to an EMV smart card.