Required commands
The CSNDEDH required commands.
This table describes access control points that the EC Diffie-Hellman verb must have enabled in the active role under certain circumstances.
| Command | Offset | When required |
|---|---|---|
| ECC Diffie-Hellman | X'0360' | When using the EC Diffie-Hellman verb |
| ECC Diffie-Hellman - Allow Hybrid QSA Scheme | X'035D' | When using the QSA-ECDH rule array keyword |
| ECC Diffie-Hellman - Allow DRIV02 | X'035F' | When using the DERIV02 rule array keyword |
| ECC Diffie-Hellman - Allow key wrap override | X'0362' | If the output_key_identifier parameter identifies a DES key-token, and the wrapping method specified is WRAP-ECB or WRAP-ENH. |
| Prohibit weak wrapping - Transport keys (this command affects multiple verbs; see Access control points and verbs) | X'0328' | To disable the wrapping of a stronger key with a weaker transport key |
| Warn when weak wrap - Transport keys (the command Prohibit weak wrapping - Transport keys, offset X'0328', overrides this command) | X'032C' | To receive a warning against the wrapping of a stronger key with a weaker transport key |
| ECC Diffie-Hellman - Prohibit weak key generate | X'036F' | To disable a weaker key from being used to generate a stronger key |
| ECC Diffie-Hellman - Allow PASSTHRU | X'0361' | When specifying the PASSTHRU rule-array keyword. |
Depending on the curve type, each length of p in bits contained in the ECC private-key section and the ECC public-key section requires the following command to be enabled in the active role:
| Curve type | Length of prime p in bits | Offset | Command |
|---|---|---|---|
| Brainpool | 160 (X'00A0') | X'0368' | ECC Diffie-Hellman - Allow BP Curve 160 |
| Brainpool | 192 (X'00C0') | X'0369' | ECC Diffie-Hellman - Allow BP Curve 192 |
| Brainpool | 224 (X'00E0') | X'036A' | ECC Diffie-Hellman - Allow BP Curve 224 |
| Brainpool | 256 (X'0100') | X'036B' | ECC Diffie-Hellman - Allow BP Curve 256 |
| Brainpool | 320 (X'0140') | X'036C' | ECC Diffie-Hellman - Allow BP Curve 320 |
| Brainpool | 384 (X'0180') | X'036D' | ECC Diffie-Hellman - Allow BP Curve 384 |
| Brainpool | 512 (X'0200') | X'036E' | ECC Diffie-Hellman - Allow BP Curve 512 |
| Prime | 192 (X'00C0') | X'0363' | ECC Diffie-Hellman - Allow Prime Curve 192 |
| Prime | 224 (X'00E0') | X'0364' | ECC Diffie-Hellman - Allow Prime Curve 224 |
| Prime | 256 (X'0100') | X'0365' | ECC Diffie-Hellman - Allow Prime Curve 256 |
| Prime | 384 (X'0180') | X'0366' | ECC Diffie-Hellman - Allow Prime Curve 384 |
| Prime | 521 (X'0209') | X'0367' | ECC Diffie-Hellman - Allow Prime Curve 521 |
| Koblitz | 256 (X'0100') | X'035E' | ECC Diffie-Hellman - Allow Koblitz Curve 256 |
To disable the wrapping of a key with a weaker master key, the Prohibit weak wrapping - Master keys command (offset X'0333') must be enabled in the active role.
To receive a warning when wrapping a key with a weaker master key, enable the Warn when weak wrap - Master keys command (offset X'0332') in the active role. The Prohibit weak wrapping - Master keys command overrides this command.
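The tables and override notes above can be turned into a pre-flight check of a role before a CSNDEDH call is deployed. The following is an added example, not IBM code: the offsets are copied from this page, while the function names, parameter names, policy labels and the sample role are assumptions made for illustration.

```python
# Added example: offsets come from the tables on this page; all names are hypothetical.
BASE = 0x0360                      # ECC Diffie-Hellman
KEYWORD_ACP = {"QSA-ECDH": 0x035D, "DERIV02": 0x035F, "PASSTHRU": 0x0361}
WRAP_OVERRIDE = 0x0362             # Allow key wrap override
CURVE_ACP = {
    ("Brainpool", 160): 0x0368, ("Brainpool", 192): 0x0369,
    ("Brainpool", 224): 0x036A, ("Brainpool", 256): 0x036B,
    ("Brainpool", 320): 0x036C, ("Brainpool", 384): 0x036D,
    ("Brainpool", 512): 0x036E,
    ("Prime", 192): 0x0363, ("Prime", 224): 0x0364, ("Prime", 256): 0x0365,
    ("Prime", 384): 0x0366, ("Prime", 521): 0x0367,
    ("Koblitz", 256): 0x035E,
}
PROHIBIT_TRANSPORT, WARN_TRANSPORT = 0x0328, 0x032C
PROHIBIT_MASTER, WARN_MASTER = 0x0333, 0x0332
PROHIBIT_WEAK_KEYGEN = 0x036F

def required_acps(curve, p_bits, keywords=(), output_is_des=False, wrap_method=None):
    """Offsets the active role must have enabled for one planned CSNDEDH call."""
    if (curve, p_bits) not in CURVE_ACP:
        raise ValueError(f"no command listed for {curve} curve with p = {p_bits} bits")
    need = {BASE, CURVE_ACP[(curve, p_bits)]}
    need |= {KEYWORD_ACP[k] for k in keywords if k in KEYWORD_ACP}
    # X'0362' applies only to a DES output key-token with WRAP-ECB or WRAP-ENH.
    if output_is_des and wrap_method in ("WRAP-ECB", "WRAP-ENH"):
        need.add(WRAP_OVERRIDE)
    return need

def weak_wrap_policy(enabled, prohibit, warn):
    """The Prohibit command overrides the Warn command when both are enabled."""
    if prohibit in enabled:
        return "prohibit"
    # Neither enabled: these commands neither block nor warn (label is ours).
    return "warn" if warn in enabled else "unrestricted"

def audit_role(enabled, **call):
    """Report missing commands and the effective weak-wrap settings of a role."""
    missing = sorted(required_acps(**call) - set(enabled))
    return {
        "missing": [f"X'{o:04X}'" for o in missing],
        "transport_weak_wrap": weak_wrap_policy(enabled, PROHIBIT_TRANSPORT, WARN_TRANSPORT),
        "master_weak_wrap": weak_wrap_policy(enabled, PROHIBIT_MASTER, WARN_MASTER),
        "weak_keygen_prohibited": PROHIBIT_WEAK_KEYGEN in enabled,
    }

SAMPLE_ROLE = {0x0360, 0x0365, 0x032C}   # constructed role, not from a real system
```

Calling `audit_role(SAMPLE_ROLE, curve="Prime", p_bits=384, keywords=("DERIV02",), output_is_des=True, wrap_method="WRAP-ENH")` lists the commands this constructed role would still need, alongside its weak-wrap settings.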