A triple-DES (TDES) algorithm is used to encrypt keys, PIN blocks, and general data. Several techniques are employed:
TDES ECB
DES keys, when triple encrypted under a double-length DES key, are ciphered using an e-d-e scheme without feedback.
TDES CBC
Encryption of general data, and of RSA section type X'08' CRT-format private keys and OPK keys, employs the scheme depicted in Figure 1 and Figure 2. This is often referred to as outer CBC mode. This CCA technique supports double-length DES keys for triple-DES data encryption using the Encipher and Decipher verbs. The triple-length asymmetric master key is used to CBC encrypt CRT-format OPK keys.
EDEx / DEDx
CCA employs EDEx processes for encrypting several of the RSA private key formats (section types X'02', X'05', and X'06') and the OPK key in section type X'06'. The EDEx processes make successive use of single-key DES CBC processes. EDE2, EDE3, and EDE5 processes have been defined, based on the number of keys and initialization vectors used in the process. K1, K2, and K3 are true keys while K4 and K5 are initialization vectors. See Figure 3 and Figure 4.
Figure 1. Triple-DES CBC encryption process
Figure 2. Triple-DES CBC decryption process
Figure 3. EDE algorithm
Figure 4. DED process
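As an added illustration that is not part of the CCA documentation, the following Go program contrasts the outer-CBC triple-DES of Figure 1 (one E(K1)-D(K2)-E(K3) unit per block, chaining on the unit's output) with the EDE and DED processes of Figures 3 and 4 built from successive single-key DES CBC passes, using Go's standard crypto/des. The sample keys, initialization vectors and message are constructed, and giving each pass its own IV is an assumption for illustration, not the exact EDE2/EDE3/EDE5 parameter layouts.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
)

// must unwraps a cipher constructor result; the only failure mode here is a wrong key length.
func must(blk cipher.Block, err error) cipher.Block {
	if err != nil {
		panic(err)
	}
	return blk
}

// cbc runs one CBC pass (encrypt or decrypt) of blk over data. Assumption: 8-byte IVs and
// data that is a multiple of 8 bytes, as CCA key and PIN-block formats are.
func cbc(blk cipher.Block, iv, data []byte, encrypt bool) []byte {
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, data)
	}
	return out
}

// OuterCBC is the Figure 1 scheme: E(K1)-D(K2)-E(K3) is applied to each block as one unit and
// the chaining XOR uses that unit's output. (The same cipher with no chaining is the ECB e-d-e.)
func OuterCBC(k1, k2, k3, iv, pt []byte) []byte {
	return cbc(must(des.NewTripleDESCipher(bytes.Join([][]byte{k1, k2, k3}, nil))), iv, pt, true)
}

// EDE is the Figure 3 process: three successive single-key DES CBC passes over the whole
// message, each chaining on its own with its own initialization vector iv1..iv3 (assumed layout).
func EDE(k1, k2, k3, iv1, iv2, iv3, pt []byte) []byte {
	c := cbc(must(des.NewCipher(k1)), iv1, pt, true)
	c = cbc(must(des.NewCipher(k2)), iv2, c, false)
	return cbc(must(des.NewCipher(k3)), iv3, c, true)
}

// DED is the Figure 4 inverse: the same passes in reverse order and direction.
func DED(k1, k2, k3, iv1, iv2, iv3, ct []byte) []byte {
	c := cbc(must(des.NewCipher(k3)), iv3, ct, false)
	c = cbc(must(des.NewCipher(k2)), iv2, c, true)
	return cbc(must(des.NewCipher(k1)), iv1, c, false)
}
```

For a single block with zero IVs the two schemes produce the same ciphertext; from the second block on they diverge, because outer CBC chains across the whole triple operation while EDE chains inside each single-DES pass.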