Usage notes
Usage notes for CSNBCTT2.
The initialization vectors must have already been established between the communicating applications or must be passed with the data.
Table 1 outlines the restrictions for the cipher_text_in_length and cipher_text_out_length parameters. The DES blocks referred to in this table are 8 bytes. The AES blocks referred to in this table are 16 bytes.
Input cipher method | Output cipher method | Input ciphertext length restriction(s) | Output ciphertext length restriction(s) |
---|---|---|---|
DES CBC | DES CBC X9.23 | Input ciphertext must be a multiple of a DES block. | Output ciphertext length must be greater than or equal to the sum of the length of the input ciphertext and a DES block. |
DES CBC | AES CBC PKCSPAD | Input ciphertext must be a multiple of a DES block. | If the input ciphertext is not a multiple of an AES block, then the output ciphertext length must be greater than or equal to the sum of the input ciphertext length and a DES block. If the input ciphertext is a multiple of an AES block, then the output ciphertext length must be greater than or equal to the sum of the input ciphertext length and an AES block. |
DES CBC | DES CUSP or IPS | Input ciphertext must be a multiple of a DES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC | DES CBC | Input ciphertext must be a multiple of a DES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC | AES CBC | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC | AES CBC | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC CUSP or IPS | DES CBC CUSP or IPS | No restrictions | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC CUSP or IPS | DES CBC | Input ciphertext must be a multiple of a DES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC CUSP or IPS | AES CBC or ECB | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC CUSP or IPS | DES CBC X9.23 | No restrictions | Output ciphertext length must be greater than or equal to the sum of the input ciphertext length and a DES block. |
DES CBC CUSP or IPS | AES CBC PKCSPAD | No restrictions | Output ciphertext length must be greater than or equal to the sum of the input ciphertext length and an AES block. |
DES CBC X9.23 | DES CBC X9.23 | Input ciphertext must be a multiple of a DES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC X9.23 | AES CBC PKCSPAD | Input ciphertext must be a multiple of a DES block. | Output ciphertext length must be greater than or equal to the sum of the input ciphertext length and a DES block. |
DES CBC X9.23 | DES CBC CUSP or IPS | Input ciphertext must be a multiple of a DES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
DES CBC X9.23 | DES CBC | Input ciphertext must be a multiple of a DES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. Note: This operation is not possible if the padding is determined by the adapter to be from 1-7 bytes. |
DES CBC X9.23 | AES CBC | Input ciphertext must be a multiple of a DES block but must not be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. Note: This operation is not possible if the padding is determined by the adapter to be from 1-7 bytes. |
DES CBC X9.23 | AES ECB | Input ciphertext must be a multiple of a DES block but must not be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. Note: This operation is not possible if the padding is determined by the adapter to be from 1-7 bytes. |
AES CBC or ECB | DES CBC X9.23 | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the sum of the input ciphertext length and a DES block. |
AES CBC or ECB | AES CBC PKCSPAD | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the sum of the input ciphertext length and an AES block. |
AES CBC or ECB | DES CBC CUSP or IPS | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
AES CBC or ECB | DES CBC | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
AES CBC or ECB | AES CBC | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
AES CBC or ECB | AES ECB | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
AES CBC PKCSPAD | DES CBC X9.23 | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
AES CBC PKCSPAD | AES CBC PKCSPAD | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length. |
AES CBC PKCSPAD | DES CBC CUSP or IPS | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length minus 1. |
AES CBC PKCSPAD | DES CBC | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length minus the length of a DES block. Note: This operation is not possible if the padding is determined by the adapter to be from 1-7 bytes or 9-15 bytes. |
AES CBC PKCSPAD | AES CBC | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length minus the length of an AES block. Note: This operation is not possible if the padding is determined by the adapter to be from 1-15 bytes. |
AES CBC PKCSPAD | AES ECB | Input ciphertext must be a multiple of an AES block. | Output ciphertext length must be greater than or equal to the input ciphertext length minus the length of an AES block. Note: This operation is not possible if the padding is determined by the adapter to be from 1-15 bytes. |
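
Many of the bounds and notes in Table 1 follow from how padding changes the plaintext length during translation; the C sketch below is an added example (not IBM code, and it does not call the verb) that models this. It assumes X9.23 adds 1-8 bytes, PKCSPAD adds 1-16 bytes, and CUSP/IPS keep the plaintext length; all names are hypothetical, and Table 1 remains the rule for sizing cipher_text_out_length, since some rows require more than this model's worst case.

```c
#include <stdio.h>

/* Assumed padding model (an assumption of this example, not stated on the page):
   X9.23 adds 1-8 bytes, PKCSPAD adds 1-16 bytes, CUSP/IPS keep the plaintext length. */
enum method { DES_CBC, DES_X923, DES_CUSP_IPS, AES_CBC_ECB, AES_PKCSPAD };

static long block_of(enum method m) { return (m == AES_CBC_ECB || m == AES_PKCSPAD) ? 16 : 8; }
static int is_padded(enum method m) { return m == DES_X923 || m == AES_PKCSPAD; }

/* Length of the translated ciphertext, or -1 if the translation cannot be done.
   pad_len is the padding count found in the input (ignored for unpadded input). */
long translated_len(enum method in, enum method out, long in_len, long pad_len)
{
    long plain = in_len;
    if (in_len <= 0) return -1;
    if (in != DES_CUSP_IPS && in_len % block_of(in) != 0) return -1;
    if (is_padded(in)) {
        if (pad_len < 1 || pad_len > block_of(in)) return -1;
        plain = in_len - pad_len;               /* strip the input padding */
    }
    if (is_padded(out)) return (plain / block_of(out) + 1) * block_of(out);
    if (out == DES_CUSP_IPS) return plain;      /* length-preserving modes */
    return (plain % block_of(out) == 0) ? plain : -1; /* unpadded block mode */
}

/* Largest output over every possible padding count: the size a buffer must hold. */
long worst_case_len(enum method in, enum method out, long in_len)
{
    long worst = -1, p, n, max_pad = is_padded(in) ? block_of(in) : 1;
    for (p = 1; p <= max_pad; p++) {
        n = translated_len(in, out, in_len, p);
        if (n > worst) worst = n;
    }
    return worst;
}

int main(void)
{
    printf("DES CBC 24 -> AES PKCSPAD: %ld\n", worst_case_len(DES_CBC, AES_PKCSPAD, 24));
    printf("AES PKCSPAD 32 -> DES CBC: %ld\n", worst_case_len(AES_PKCSPAD, DES_CBC, 32));
    printf("AES PKCSPAD 32, pad 5 -> DES CBC: %ld\n", translated_len(AES_PKCSPAD, DES_CBC, 32, 5));
    return 0;
}
```
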
There are requirements for the keys for the key_identifier_in and key_identifier_out parameters. The key_identifier_in key must be able to decipher text. The key_identifier_out key must be able to encipher text.
Table 2 shows the valid key types that are allowed for the key_identifier_in and key_identifier_out parameters. In the table, a variable-length key token cipher key is denoted by vCIPHER. vCIPHER is the default, which has the ENCRYPT and DECRYPT bits on in the usage field. vCIPHERe has only the ENCRYPT bit on in the usage field. vCIPHERd has only the DECRYPT bit on in the usage field. Adding x to either of the preceding names means the TRANSLAT bit is on in the usage field for that key. For example, vCIPHERex means a variable-length token with the ENCRYPT and TRANSLAT bits turned on.
AESDATA is the 64-byte AES DATA key type.
key_identifier_in (DEC bit except DATA and AESDATA) | key_identifier_out (ENC bit except DATA and AESDATA) |
---|---|
DATA, CIPHER, DECIPHER, CIPHERXI, CIPHERXL | DATA, CIPHER, ENCIPHER, CIPHERXO, CIPHERXL, AESDATA, vCIPHER, vCIPHERe, vCIPHERex, vCIPHERedx |
AESDATA, vCIPHER, vCIPHERd, vCIPHERdx, vCIPHERdex | DATA (must be at least double-length key with ACP), CIPHER (requires ACP to be enabled), ENCIPHER (requires ACP to be enabled), CIPHERXO (requires ACP to be enabled), CIPHERXL (requires ACP to be enabled), AESDATA, vCIPHER, vCIPHERe, vCIPHERex, vCIPHERedx |
Note:
- Translation from stronger encryption to single-key DES is not allowed.
- Translation from a triple-length DES key to a double-length DES key requires the Cipher Text Translate2 - Allow translate to weaker DES access control point (offset X'01C3') to be enabled.
- When the Cipher Text Translate2 - Allow only cipher text translate types access control point (offset X'01C4') is enabled, only CIPHERXI, CIPHERXL, and CIPHERXO DES key types are allowed and AES key tokens with key type CIPHER must be set to allow data translate (C-XLATE).