Mask array preparation

A mask array consists of seven 8-byte elements: A1, B1, A2, B2, A3, B3, and B4.

You choose the values of the array elements such that each of the following four expressions evaluates to a string of binary zeros. (See Figure 1.) Set the A bits to the value you require for the corresponding control vector bits. In expressions 1 through 3, set the B bits to select the control vector bits to be evaluated. In expression 4, set the B bits to select the source and target control vector bits to be evaluated. Also, use the following control vector information:
  • C1 is the control vector associated with the left half of the KEK.
  • C2 is the control vector associated with the source key or selected source-key half/halves.
  • C3 is the control vector associated with the target key or selected target-key half/halves.

  1. (C1 XOR A1) logical-AND B1

    This expression tests whether the KEK used to encipher the key meets your criteria for the desired translation.

  2. (C2 XOR A2) logical-AND B2

    This expression tests whether the control vector associated with the source key meets your criteria for the desired translation.

  3. (C3 XOR A3) logical-AND B3

    This expression tests whether the control vector associated with the target key meets your criteria for the desired translation.

  4. (C2 XOR C3) logical-AND B4

    This expression tests whether the control vectors associated with the source key and the target key meet your criteria for the desired translation.
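
The four tests above, worked through as an added Python example (not IBM code and not part of the CCA API): it builds a clear mask array from a required-bit policy and reports which expressions are non-zero for a given C1, C2, and C3. The function names, the policy bits, and the control vector values are constructed for illustration, and bit 0 is assumed to be the leftmost bit of each 8-byte element.

```python
# Added example: the four mask-array tests, run on constructed values.
FIELDS = ("A1", "B1", "A2", "B2", "A3", "B3", "B4")

def bit(n):
    """8-byte value with only bit n set (assumption: bit 0 is the leftmost bit)."""
    if not 0 <= n <= 63:
        raise ValueError("bit number must be 0..63")
    return 1 << (63 - n)

def pair(required):
    """(A, B) for {bit: required value}: B selects the bit, A holds its value."""
    a = b = 0
    for n, value in required.items():
        b |= bit(n)
        a |= bit(n) if value else 0
    return a, b

def build_mask_array(kek, source, target, same_bits):
    """Clear 56-byte mask array in the order A1, B1, A2, B2, A3, B3, B4."""
    b4 = 0
    for n in same_bits:
        b4 |= bit(n)
    elements = (*pair(kek), *pair(source), *pair(target), b4)
    return b"".join(e.to_bytes(8, "big") for e in elements)

def failed_tests(mask_array, c1, c2, c3):
    """Numbers of the expressions (1 to 4) that are not all binary zeros."""
    if len(mask_array) != 56:
        raise ValueError("mask array must be seven 8-byte elements")
    m = {f: int.from_bytes(mask_array[i * 8:i * 8 + 8], "big")
         for i, f in enumerate(FIELDS)}
    tests = {1: (c1 ^ m["A1"]) & m["B1"],
             2: (c2 ^ m["A2"]) & m["B2"],
             3: (c3 ^ m["A3"]) & m["B3"],
             4: (c2 ^ c3) & m["B4"]}
    return [n for n, v in tests.items() if v]

# Constructed policy and control vectors (not real CCA control vector values).
MASK = build_mask_array(kek={9: 1}, source={11: 1, 16: 0},
                        target={16: 1}, same_bits=range(8, 16))
C1, C2, C3 = 0x0042000000000000, 0x0011000000000000, 0x0011800000000000
C3_BAD = 0x0013800000000000   # bit 14 differs from the source vector

if __name__ == "__main__":
    print(failed_tests(MASK, C1, C2, C3))      # all four tests pass
    print(failed_tests(MASK, C1, C2, C3_BAD))  # expression 4 fails
```

A B bit left at zero removes that control vector bit from the test entirely, so an all-zero B element makes its expression pass for every control vector.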

Encipher two copies of the mask array, each under a different cryptographic-variable key (key type CVARENC). Use two different keys so the enciphered-array copies are unique values. When using the Control Vector Translate verb, the mask_array_left parameter and the mask_array_right parameter identify the enciphered mask arrays. The array_key_left parameter and the array_key_right parameter identify the internal keys for deciphering the mask arrays. The array_key_left parameter must have a key type of CVARXCVL and the array_key_right parameter must have a key type of CVARXCVR. The cryptographic process deciphers the arrays and compares the results; for the service to continue, the deciphered arrays must be equal. If the results are not equal, the service returns the return and reason code for data that is not valid (8/385).

Use the Key Generate verb to create the key pairs CVARENC-CVARXCVL and CVARENC-CVARXCVR. Each key in the key pair must be generated for a different node. The CVARENC keys are generated for, or imported into, the node where the mask array will be enciphered. After enciphering the mask array, you should destroy the enciphering key. The CVARXCVL and CVARXCVR keys are generated for, or imported into, the node where the Control Vector Translate verb will be performed.

If using the BOTH keyword to process both halves of a double-length key, remember that bits 41, 42, 104, and 105 are different in the left and right halves of the CCA control vector and must be ignored in your mask-array tests (that is, make the corresponding B2 and/or B3 bits equal to zero).

When the control vectors pass the masking tests, the verb does the following:
  • Deciphers the source key. In the decipher process, the service uses a key that is formed by the XOR of the KEK and the control vector in the key token variable that the source_key_token parameter identifies.
  • Enciphers the deciphered source key. In the encipher process, the verb uses a key that is formed by the XOR of the KEK and the control vector in the key token variable that the target_key_token parameter identifies.
  • Places the enciphered key in the key field in the key token variable the target_key_token parameter identifies.
Figure 1. Control Vector Translate verb mask_array processing