Specifying a control-vector-base value

You can determine the value of a control vector by working through a series of questions.

Procedure

Work through this series of questions:
  1. Begin with a field of 64 bits (eight bytes) set to B'0'. The most significant bit is referred to as bit 0. Define the key type and subtype (bits 8 - 14) as follows:
    • The main key type bits (bits 8 - 11). Set bits 8 - 11 to one of the following values:
      Table 1. Main key type bits

      Bits 8 - 11   Main Key Type
      0000          Data operation keys
      0010          PIN keys
      0011          Cryptographic variable-encrypting keys
      0100          Key-encrypting keys
      0101          Key-generating keys
      0111          Diversified key-generating keys
    • The key subtype bits (bits 12 - 14). Set bits 12 - 14 to one of the following values:
      Note: For Diversified Key Generating Keys, the subtype field specifies the hierarchical level of the DKYGENKY. If the subtype is nonzero, the DKYGENKY can generate only another DKYGENKY key with the hierarchy level decremented by one. If the subtype is zero, the DKYGENKY can generate only the final diversified key (a non-DKYGENKY key) with the key type specified by the usage bits.
      Table 2. Key subtype bits

      Bits 12 - 14  Key Subtype
      Data Operation Keys
      000           Compatibility key (DATA)
      001           Confidentiality key (CIPHER, DECIPHER, or ENCIPHER)
      010           MAC key (MAC or MACVER)
      101           Secure messaging keys
      Key-Encrypting Keys
      000           Transport-sending keys (EXPORTER and OKEYXLAT)
      001           Transport-receiving keys (IMPORTER and IKEYXLAT)
      PIN Keys
      001           PIN-generating key (PINGEN, PINVER)
      000           Inbound PIN-block decrypting key (IPINENC)
      010           Outbound PIN-block encrypting key (OPINENC)
      Cryptographic Variable-Encrypting Keys
      111           Cryptographic variable-encrypting key (CVAR....)
      Diversified Key Generating Keys
      000           DKY Subtype 0
      001           DKY Subtype 1
      010           DKY Subtype 2
      011           DKY Subtype 3
      100           DKY Subtype 4
      101           DKY Subtype 5
      110           DKY Subtype 6
      111           DKY Subtype 7
  2. For key-encrypting keys, set the following bits:
    • The key-generating usage bits (gks, bits 18 - 20). Set the gks bits to B'111' to indicate the Key Generate verb can use the associated key-encrypting key to encipher generated keys when the Key Generate verb is generating various key-pair key-form combinations (see the Key-Encrypting Keys section of Figure 2). Without any of the gks bits set to B'1', the Key Generate verb cannot use the associated key-encrypting key. The Key Token Build verb can set the gks bits to B'1' when you supply the OPIM, IMEX, IMIM, OPEX, and EXEX keywords.
    • The IMPORT and EXPORT bit and the XLATE bit (ix, bits 21 and 22). If the ‘i’ bit is set to B'1', the associated key-encrypting key can be used in the Data Key Import, Key Import, Data Key Export, and Key Export verbs. If the ‘x’ bit is set to B'1', the associated key-encrypting key can be used in the Key Translate and Key Translate2 verbs.
    • The key-form bits (fff, bits 40 - 42). The key-form bits indicate how the key was generated and how the control vector participates in multiple-enciphering. To indicate the parts can be the same value, set these bits to B'010'. For information about the value of the key-form bits in the right half of a control vector, see Step 8.
  3. For MAC and MACVER keys, set the following bits:
    • The MAC control bits (bits 20 and 21). For a MAC-generate key, set bits 20 and 21 to B'11'. For a MAC-verify key, set bits 20 and 21 to B'01'.
    • The key-form bits (fff, bits 40 - 42). For a single-length key, set the bits to B'000'. For a double-length key, set the bits to B'010'.
  4. For PINGEN and PINVER keys, set the following bits:
    • The PIN calculation method bits (aaaa, bits 0 - 3). Set these bits to one of the following values:
      Table 3. Calculation method keyword bits

      Bits 0 - 3  Calculation Method Keyword  Description
      0000        NO-SPEC                     A key with this control vector can be used with any PIN calculation method.
      0001        IBM-PIN or IBM-PINO         A key with this control vector can be used only with the IBM® PIN or PIN Offset calculation method.
      0010        VISA-PVV                    A key with this control vector can be used only with the VISA-PVV calculation method.
      0100        GBP-PIN or GBP-PINO         A key with this control vector can be used only with the German Banking Pool PIN or PIN Offset calculation method.
      0011        INBK-PIN                    A key with this control vector can be used only with the Interbank PIN calculation method.
    • The prohibit-offset bit (o, bit 37) to restrict operations to the PIN value. If set to B'1', this bit prevents operation with the IBM 3624 PIN Offset calculation method and the IBM German Bank Pool PIN Offset calculation method.
  5. For PINGEN, IPINENC, and OPINENC keys, set bits 18 - 22 to indicate whether the key can be used with the following verbs:
    Table 4. PINGEN, IPINENC, and OPINENC key bits

    Service Allowed                   Bit Name    Bit
    Clear PIN Generate                CPINGEN     18
    Encrypted PIN Generate Alternate  EPINGENA**  19
    Encrypted PIN Generate            EPINGEN     20 for PINGEN; 19 for OPINENC
    Clear PIN Generate Alternate      CPINGENA    21 for PINGEN; 20 for IPINENC
    Encrypted PIN Verify              EPINVER     19
    Clear PIN Encrypt                 CPINENC     18

    ** EPINGENA is no longer supported, although the bit retains this definition for compatibility. There is no Encrypted PIN Generate Alternate verb.
  6. For the IPINENC (inbound) and OPINENC (outbound) PIN-block ciphering keys, do the following:
    • Set the TRANSLAT bit (t, bit 21) to B'1' to permit the key to be used in the PIN Translate verb. The Control Vector Generate verb can set the TRANSLAT bit to B'1' when you supply the TRANSLAT keyword.
    • Set the REFORMAT bit (r, bit 22) to B'1' to permit the key to be used in the PIN Translate verb. The Control Vector Generate verb can set the REFORMAT bit and the TRANSLAT bit to B'1' when you supply the REFORMAT keyword.
  7. For cryptographic variable-encrypting keys, set the variable-type bits (bits 18 - 22) to one of the following values:
    Table 5. Generic key type bits

    Bits 18 - 22  Generic Key Type  Description
    00000         CVARPINE          Used in the Encrypted PIN Generate Alternate verb to encrypt a clear PIN.
    00010         CVARXCVL          Used in the Control Vector Translate verb to decrypt the left mask array.
    00011         CVARXCVR          Used in the Control Vector Translate verb to decrypt the right mask array.
  8. For key-generating keys, set the following bits:
    • For KEYGENKY, set bit 18 for UKPT usage and bit 19 for CLR8-ENC usage.
    • For DKYGENKY, bits 12 - 14 specify the hierarchical level of the DKYGENKY key. If the subtype CV bits are nonzero, the DKYGENKY can generate only another DKYGENKY key with the hierarchical level decremented by one. If the subtype CV bits are zero, the DKYGENKY can generate only the final diversified key (a non-DKYGENKY key) with the key type specified by the usage bits.

      The subtype value of a DKYGENKY is specified with one of the keywords DKYL0, DKYL1, DKYL2, DKYL3, DKYL4, DKYL5, DKYL6, and DKYL7.

    • For DKYGENKY, bit 18 is reserved and must be zero.
    • Usage bits 18 - 22 for the DKYGENKY key type are defined as follows; they encode the final key type that the DKYGENKY key generates.
      Table 6. DKYGENKY key type bits

      Bits 19 - 22  Keyword  Usage
      0001          DDATA    DATA, DATAC, single or double length
      0010          DMAC     MAC, DATAM
      0011          DMV      MACVER, DATAMV
      0100          DIMP     IMPORTER, IKEYXLAT
      0101          DEXP     EXPORTER, OKEYXLAT
      0110          DPVR     PINVER
      1000          DMKEY    Secure message key for encrypting keys
      1001          DMPIN    Secure message key for encrypting PINs
      1111          DALL     All key types can be generated except DKYGENKY and KEYGENKY keys. Usage of the DALL keyword is controlled by a separate access control point.
  9. For secure messaging keys, set the following bits:
    • Set bit 18 to B'1' if the key will be used in the secure messaging for PINs service. Set bit 19 to B'1' if the key will be used in the secure messaging for keys service.
  10. For CIPHER keys, set the CPACF exportable bit (XPRTCPAC, F, bit 59) to 1 to allow the key token to be exported to the CPACF protected key format.
  11. For all keys, set the following bits:
    • The export bit (E, bit 17). If set to B'0', the export bit prevents a key from being exported. By setting this bit to B'0', you can prevent the receiver of a key from exporting or translating the key for use in another cryptographic subsystem. After this bit is set to B'0', it cannot be set to B'1' by any service other than Control Vector Translate. The Prohibit Export verb can reset the export bit.
    • The key-part bit (K, bit 44). Set the key-part bit to B'1' in a control vector associated with a key part. When the final key part is combined with previously accumulated key parts, the key-part bit in the control vector for the final key part is set to B'0'. The Control Vector Generate verb can set the key-part bit to B'1' when you supply the KEY-PART keyword.
    • The anti-variant bits (bit 30 and bit 38). Set bit 30 to B'0' and bit 38 to B'1'. Many cryptographic systems have implemented a system of variants where a 7-bit value is XORed with each 7-bit group of a key-encrypting key before enciphering the target key. By setting bits 30 and 38 to opposite values, control vectors do not produce patterns that can occur in variant-based systems.
    • Control vector bits 64 - 127. If bits 40 - 42 are B'000' (single-length key), set bits 64 - 127 to B'0'. Otherwise, copy bits 0 - 63 into bits 64 - 127 and set bits 105 and 106 to B'01'.
    • Set the parity bits (low-order bit of each byte, bits 7, 15, …, 127). These bits contain the parity bits (P) of the control vector. Set the parity bit of each byte so the number of zero-value bits in the byte is an even number.
    • For secure messaging keys, usage bit 18 on will enable the encryption of keys in a secure message and usage bit 19 on will enable the encryption of PINs in a secure message.
    • The ENH-ONLY bit (H, bit 56). Set the ENH-ONLY bit to 1 in a control vector to require that the key value be encrypted with the enhanced wrapping method. The Control Vector Generate callable service can set the ENH-ONLY bit to 1 when you supply the ENH-ONLY keyword.
    • The NOT31XPT bit (T, bit 57). Set this bit to 1 to prevent the key from being exported by the TR-31 Export service. Once this bit is set to 1, it cannot be set to 0 by any service. The Restrict Key Attribute service can set the bit to 1.
    • The compliance-tagged bit (COMP-TAG, C, bit 58). Set the COMP-TAG bit to 1 to prevent the token from being used in a non-compliant manner. Once this bit has been set to 1, it cannot be reset to 0. Key tokens may be created with the COMP-TAG bit set, or the Key Translate2 (CSNBKTR2) service can be used to set the bit in an existing key token.
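As an added worked example (not IBM's code), the following Python applies steps 1, 2, 3 and 11 of this procedure to build complete 16-byte control vectors for an EXPORTER key and for MAC and MACVER keys: key type and subtype, the listed usage bits, the export bit, the anti-variant bits, the key-form bits, the right-half copy with bits 105 - 106 set to B'01', and the parity bits. Usage bits the page does not list for a key type are assumed to be B'0'.

```python
# Added worked example (not IBM's code): build a CCA control vector from the
# bit rules in this procedure. Bit 0 is the most significant bit of byte 0,
# as on the page; usage bits not listed for a key type are left at B'0'.

def set_bits(cv: bytearray, start: int, value: str) -> None:
    """Write the binary string `value` into cv beginning at bit `start`."""
    for i, ch in enumerate(value):
        byte, off = divmod(start + i, 8)
        mask = 0x80 >> off
        cv[byte] = (cv[byte] | mask) if ch == "1" else (cv[byte] & ~mask & 0xFF)

def fix_parity(cv: bytearray) -> None:
    """Step 11: low-order bit of each byte makes the count of zero bits even."""
    for i, b in enumerate(cv):
        high = b & 0xFE
        cv[i] = high | (bin(high).count("1") & 1)   # odd ones -> parity bit 1

def parity_ok(cv: bytes) -> bool:
    """Check that every byte has an even number of zero bits (hence of one bits)."""
    return all(bin(b).count("1") % 2 == 0 for b in cv)

def build_cv(key_type: str, subtype: str, usage: dict, double_length: bool) -> bytes:
    """key_type = bits 8-11, subtype = bits 12-14, usage = {first bit: bit string}."""
    left = bytearray(8)
    set_bits(left, 8, key_type)                  # step 1: main key type
    set_bits(left, 12, subtype)                  # step 1: key subtype
    for start, bits in usage.items():
        set_bits(left, start, bits)              # steps 2/3: usage bits
    set_bits(left, 17, "1")                      # E: export allowed
    set_bits(left, 30, "0")                      # anti-variant bits
    set_bits(left, 38, "1")
    set_bits(left, 40, "010" if double_length else "000")  # fff key form
    fix_parity(left)
    if not double_length:
        return bytes(left) + bytes(8)            # bits 64-127 are B'0'
    right = bytearray(left)                      # copy bits 0-63 to 64-127
    set_bits(right, 41, "01")                    # bits 105-106 := B'01'
    fix_parity(right)
    return bytes(left + right)

# Key-encrypting key, transport-sending subtype (EXPORTER): gks=111, i=1, x=0.
EXPORTER_CV = build_cv("0100", "000", {18: "111", 21: "1"}, double_length=True)
# Data-operation key, MAC subtype: MAC-generate sets bits 20-21 to B'11',
# MAC-verify sets them to B'01'; single-length, so fff = B'000'.
MAC_CV = build_cv("0000", "010", {20: "11"}, double_length=False)
MACVER_CV = build_cv("0000", "010", {20: "01"}, double_length=False)

if __name__ == "__main__":
    for name, cv in [("EXPORTER", EXPORTER_CV), ("MAC", MAC_CV), ("MACVER", MACVER_CV)]:
        print(f"{name:9} {cv[:8].hex().upper()} {cv[8:].hex().upper()}  parity_ok={parity_ok(cv)}")
```

The printed values can be compared against the default control vectors listed in the CCA reference for these key types.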