CVV Key Combine (CSNBCKC)

Edit online

Use the CVV Key Combine verb to combine two operational DES keys into one operational TDES key.

The verb accepts as input two single-length keys that are suitable for use with the CVV (card-verification value) algorithm. The resulting double-length key meets a more recent industry standard of using TDES to support PIN-based transactions. In addition, the double-length key is in a format that can be wrapped using the TR31 Translate verb.

The CVV Generate and CVV Verify verbs use the CVV algorithm to generate and verify card security codes required by Visa (CVV) and MasterCard (CVC). Previously, these verbs only accepted as input two single-length MAC-capable keys. These verbs will additionally accept as input a double-length MAC or MAC-capable DATA key that contains key-A as the left half of the key, and key-B as the right half of the key. The double-length key must be usable with either the CVV Generate verb, the CVV Verify verb, or both.

The CVV Key Combine verb allows combining most pairs of single-length DES keys that formerly functioned as a separate key-A and key-B into one double-length CVVKEY-A key. The CVVKEY-A attribute in the control vector is now changed to mean single-length CVV key containing key-A or double-length CVV key containing key-A and key-B.

To use this verb, specify the following:
  • Up to two optional rule-array keywords:
    1. A key wrapping method keyword that specifies whether to use the new enhanced wrapping method, the original wrapping method, or the wrapping method defined as the default according to a configuration setting.
    2. A translation control keyword that restricts the translation method to the enhanced method.
  • A single-length operational DES key for key-A

    Identify a single-length operational DES key that has a key type of MAC or DATA. The key identifier length must be 64, which is the length of a DES key-token or a key label. This parameter identifies the key-A key used with the CVV algorithm. It is placed in the left half of the double-length output key. When a MAC key is identified, it must have as its subtype extension ANY-MAC (CV bits 0 - 3 = B'0000') or CVVKEY-A (CV bits 0 - 3 = B'0010'). If a DATA key is identified, it must have its MAC generate bit on (CV bit 20), its MAC verify bit on (CV bit 21), or both bits on.

  • A single-length operational DES key for key-B

    Identify a single-length operational DES key that has a key type of MAC or DATA. The key identifier length must be 64, which is the length of a DES key-token or a key label. This parameter identifies the key-B key used with the CVV algorithm. It is placed in the right half of the double-length output key. When a MAC key is identified, it must have as its subtype extension ANY-MAC (CV bits 0 - 3 = B'0000') or CVVKEY-B (CV bits 0 - 3 = B'0011'). If a DATA key is identified, it must have its MAC generate bit on (CV bit 20), its MAC verify bit on (CV bit 21), or both bits on.

  • An output key identifier

    Identify a null key-token in a 64-byte buffer, or the key label of a DES null key-token. If the input parameter identifies a key label, the output key is placed in DES key-storage. otherwise, the output is returned in the buffer provided.

    The following table shows the various output combinations that are returned for the MAC generate and MAC verify attributes. These results are based on the three possible MAC generate and MAC verify control-vector-bit combinations (bits 20 - 21) that the pair of input keys can have.

    Combinations that are returned for the MAC generate and MAC verify attributes
    CV bits 20 - 21 of input key key-A, single length CV bits 20 - 21 of input key key-B, single length
    MAC generate andMAC verify MAC generate only,single length MAC verify only
    MAC generate andMAC verify MAC generate and MAC verifydouble-length key-A MAC generate only double-length key-A MAC verify only double-length key-A
    MAC generate only MAC generate onlydouble-length key-A MAC generate only double-length key-A Invalid combination, control vector conflict
    MAC verify only MAC verify onlydouble-length key-A Invalid combination, control vector conflict MAC verify only double-length key-A