Trusted Block Create (CSNDTBC)
The verb creates an external trusted block under dual control. A trusted block is an extension of CCA PKA key tokens using new section identifiers.
Trusted blocks are an integral part of a remote key-loading process. They contain various items, some of which are optional, and some of which can be present in different forms. Tokens are composed of concatenated sections. For a detailed description of a trusted block, including its format and field values, see Trusted blocks.
Creating an external trusted block: Create an active external trusted block in two steps:
- Create an inactive external trusted block using the INACTIVE rule_array keyword. This step requires the Trusted Block Create - Create Block in inactive form command (offset X'030F') to be enabled in the active role.
- Complete the creation process by activating (promoting) an inactive external trusted block using the ACTIVE rule_array keyword. This step requires the Trusted Block Create - Activate an inactive block command (offset X'0310') to be enabled in the active role. Changing an external trusted block from inactive to active effectively approves the trusted block for further use.
The creation of an external trusted block typically takes place in a highly secure environment. Use PKA Key Import (CSNDPKI) to import an active external trusted block into the desired node. The imported internal trusted block can then be used as input to Remote Key Export (CSNDRKX) in order to generate or export DES keys.
- An uninitialized trusted block. The trusted block is complete except that it does not have MAC protection.
- An inactive trusted block. The trusted block is external, and it is in inactive form. MAC protection is present due to recycling of an existing inactive trusted block.
- An active trusted block. The trusted block is internal or external, and it is in active form. MAC protection is present due to recycling of an existing active trusted block.
This verb randomly generates a confounder and triple-length MAC key, and uses a variant of the MAC key to calculate an ISO 16609 CBC mode TDES MAC of the trusted block contents. To protect the MAC key, the verb encrypts the confounder and MAC key using a variant of an IMP-PKA key. The calculated MAC and the encrypted confounder and MAC key are embedded in the output trusted block. Use the transport_key_identifier parameter to identify the key token that contains the IMP-PKA key.
On input, set the trusted_block_identifier_length variable to the length of the key label or at least the size of the output trusted block. The output trusted block is returned in the key-token identified by the trusted_block_identifier parameter, and the verb updates the trusted_block_identifier_length variable to the size of the key token if a key label is not specified.
Creating an active external trusted block: To create an active external trusted block, use a rule_array_count of 1 and a rule_array keyword of ACTIVE. Identify the input trusted block using the input_block_identifier parameter, and set the input_block_identifier_length variable to the length of the key label or the key token of the input block. The input block must be an inactive external trusted block that was created using the INACTIVE rule_array keyword.
Use the transport_key_identifier parameter to identify the key token that contains the IMP-PKA key.
On input, set the trusted_block_identifier_length variable to the length of the key label or at least the size of the output trusted block. The verb returns an error if the input trusted block is not valid. Otherwise, it changes the flag in the trusted block information section from the inactive state to the active state, recalculates the MAC, and embeds the updated MAC value in the output trusted block.
The output trusted block is returned in the key-token identified by the trusted_block_identifier parameter, and the verb updates the trusted_block_identifier_length variable to the size of the key token if a key label is not specified.
This verb does not need to document any Usage notes.