Callable services

ICSF provides access to cryptographic functions through callable services. A callable service is a routine that receives control from a CALL statement in an application language. Each callable service performs one or more cryptographic functions or a utility function. Many of these callable services comply with IBM's Common Cryptographic Architecture (CCA), while others are extensions to the CCA.

The callable services available to your applications depend on your processor or server. For a list of the callable services available with each configuration, see Summary of callable service support by hardware configuration.

The ICSF Query Facility (CSFIQF) and ICSF Query Facility 2 (CSFIQF2) will return general information about ICSF. ICSF Query Facility (CSFIQF) also returns coprocessor information. The ICSF Query Algorithm (CSFIQA) returns the cryptographic and hash algorithms available.

The application programs can be written in high-level languages such as C, COBOL, FORTRAN, and PL/I, and in Assembler. ICSF callable services allow applications to perform these tasks:

Enciphering and deciphering data by using the DES, TDES, AES algorithms. Many encryption modes are supported including cipher block chaining (CBC), Galois/Counter Mode (GCM), cipher feedback (CFB) and counter mode (CTR).
Translating ciphertext from encryption under one key to encryption under another key by use of the Ciphertext translate callable service.
This service securely deciphers the text that was enciphered under one key and then enciphers it under another key. The service supports many encryption modes and AES and DES algorithms.
Generating DES cryptographic keys of all types for use by application programs.
Generating AES cryptographic keys for use by application programs.
Importing and exporting keys.
Exchanging symmetric keys and their attributes with non-CCA systems using the TR-31 key block.
Generating PKA keys.
Application programs can use the PKA key generate callable service to generate ECC and RSA private keys.
Listing and deleting retained RSA private keys.
Application programs can list and delete RSA private keys retained within the secure boundaries of a cryptographic feature coprocessors.
Generating random numbers.
Application programs can use a callable service to generate a random number for use in cryptography or for other general use. The callable service uses the cryptographic feature to generate a random number for use in encryption. The foundation for the random number generator is a time-variant input with a low probability of recycling.
Generating and verifying PINs and translating PIN blocks.
An application program can use the callable services in generating and verifying PINs. In addition, use the Encrypted PIN translate callable service to reencrypt a PIN block from one PIN-encrypting key to another, or to reformat a PIN block.
Generating and verifying DES MACs.
An application can use single-length or double-length MAC or MACVER keys, or single-length DATA keys to generate and verify message authentication codes.
Generating and verifying AES MACs.
An application can use an AES DATA key to generate and verify message authentication codes.
Generating and verifying HMAC MACs.
An application can use an HMAC key to generate and verify message authentication codes.
Generating MDCs, SHA-1, SHA-2 and other hashes.
Generating and verifying Visa CVVs, MasterCard CVCs, Diner's Club CVVs, American Express CSCs.
Developing EMV ICC applications.
Enabling exploitation of clear key AES and DES encryption on CPACF supporting many modes of encryption.
Writing Diffie-Hellman applications.
Updating the CKDS and PKDS dynamically.
ICSF provides callable services that application programs can use to create, read, write, and delete records in the CKDS and PKDS.
Distributing DATA keys enciphered under an RSA key.
Generating and verifying digital signatures.
Composing and decomposing SET blocks.
PKA-encrypting and PKA-decrypting any PKCS 1.2-formatted symmetric key data.