Control vector translate example

As an example, consider the case of receiving a single-length PIN-block encrypting key from a non-CCA system.

Often such a key will be encrypted by an unmodified transport key (no control vector or variant is used). In a CCA system, an inbound PIN encrypting key is double-length.

First use the Key Token Build verb to insert the single-length key value into the left-half key-space in a key token. Specify USE-CV as a key type and a control vector value set to 16 bytes of X'00'. Also specify EXTERNAL, KEY, and CV keywords in the rule_array. This key token will be the source key token.

Second, the target key token can also be created using the Key Token Build verb. Specify a key type of IPINENC and the NO-EXPORT rule_array keyword.

Then call the Control Vector Translate verb and specify a rule_array keyword of LEFT. The mask arrays can be constructed as follows:
  • A1 is set to the value of the KEK's control vector, most likely the value of an IMPORTER key, perhaps with the NO-EXPORT bit set. B1 is set to eight bytes of X'FF' so all bits of the KEK's control vector will be tested.
  • A2 is set to eight bytes of X'00', the (null) value of the source key control vector. B2 is set to eight bytes of X'FF' so all bits of the source-key control vector are tested.
  • A3 is set to the value of the target key's left-half control vector. B3 is set to X'FFFF FFFF FF9F FFFF'. This causes all bits of the control vector to be tested except for the two (fff) bits used to distinguish between the left-half and right-half target-key control vector.
  • B4 is set to eight bytes of X'00' so no comparison is made between the source and target control vectors.
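
The mask tests described above, modelled in C as an added example (not IBM code and not the coprocessor's implementation). It assumes each B element selects the bits to test and each A element gives their required value, as the list states; the control-vector constants are constructed sample values, and the names cvt_masks, cvt_check and page_masks are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t cv_half;   /* one 8-byte control-vector half, big-endian */
struct cvt_masks { cv_half a1, b1, a2, b2, a3, b3, b4; };

/* Constructed sample values (assumptions), not taken from the page.
   Use the control-vector table of your CCA release for real values. */
#define SAMPLE_KEK_CV       0x00427D0003410000ULL
#define SAMPLE_TARGET_LEFT  0x00215F0003410000ULL
#define FORM_BITS           0x0000000000600000ULL  /* bits B3 leaves untested */
#define SAMPLE_TARGET_RIGHT (SAMPLE_TARGET_LEFT ^ FORM_BITS)
#define TEST_ALL            0xFFFFFFFFFFFFFFFFULL

/* Bits selected by b must equal the corresponding bits of a. */
static int masked_match(cv_half cv, cv_half a, cv_half b)
{
    return ((cv ^ a) & b) == 0;
}

/* Returns 0 when every test passes, else the number of the first failing test. */
int cvt_check(const struct cvt_masks *m, cv_half kek, cv_half src, cv_half tgt)
{
    if (!masked_match(kek, m->a1, m->b1)) return 1;  /* KEK control vector */
    if (!masked_match(src, m->a2, m->b2)) return 2;  /* source control vector */
    if (!masked_match(tgt, m->a3, m->b3)) return 3;  /* target control vector */
    if ((src ^ tgt) & m->b4) return 4;               /* source vs. target bits */
    return 0;
}

/* The mask values listed above for the LEFT translation. */
struct cvt_masks page_masks(void)
{
    struct cvt_masks m = { SAMPLE_KEK_CV, TEST_ALL,      /* A1, B1 */
                           0, TEST_ALL,                  /* A2, B2: null source CV */
                           SAMPLE_TARGET_LEFT, 0xFFFFFFFFFF9FFFFFULL, /* A3, B3 */
                           0 };                          /* B4: no comparison */
    return m;
}

int main(void)
{
    struct cvt_masks m = page_masks();
    printf("left-half target:  %d\n", cvt_check(&m, SAMPLE_KEK_CV, 0, SAMPLE_TARGET_LEFT));
    printf("right-half target: %d\n", cvt_check(&m, SAMPLE_KEK_CV, 0, SAMPLE_TARGET_RIGHT));
    printf("non-null source:   %d\n", cvt_check(&m, SAMPLE_KEK_CV, SAMPLE_TARGET_LEFT, SAMPLE_TARGET_LEFT));
    return 0;
}
```

Because B3 clears only the two bits that differ between the halves, the same A3 value accepts both the left-half and the right-half target control vector, while a source key that already carries a control vector fails the A2/B2 test.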