Control vector table

The control vector values that CCA uses to XOR key halves depend on the type of key.

The master key enciphers all keys operational on your system. A transport key enciphers keys distributed off your system. Before a master key or transport key enciphers a key, CCA XORs both halves of the master key or transport key with a control vector. The same control vector is XORed to the left and right half of a master key or transport key.

Also, if you are entering a key part, CCA XORs each half of the key part with a control vector before placing the key part into the key storage file.

Each type of CCA key (except the master key) has either one or two unique control vectors associated with it. The master key or transport key CCA XORs with the control vector depending on the type of key the master key or transport key is enciphering. For double-length keys, a unique control vector exists for each half of a specific key type. For example, there is a control vector for the left half of an input PIN-encrypting key, and a control vector for the right half of an input PIN-encrypting key.

If you are entering a cleartext key part, CCA XORs the key part with the unique control vector(s) associated with the key type. CCA also enciphers the key part with two master key variants for a key part. One master key variant enciphers the left half of the key part and another master key variant enciphers the right half of the key part. CCA creates the master key variants for a key part by XORing the master key with the control vectors for key parts. These procedures protect key separation.

Table 1 displays the default value of the control vector associated with each type of key. Some key types do not have a default control vector. For keys that are double-length, CCA enciphers using a unique control vector on each half.

Table 1. Default control vector values
Default control vector values
Key Type	Control Vector Value (Hex) Value for Single-length Key or Left Half of Double-length Key	Control Vector Value (Hex) Value for Right Half of Double-length Key
AES	00 00 00 00 00 00 00 00	00 00 00 00 00 00 00 00
AESTOKEN	00 00 00 00 00 00 00 00	00 00 00 00 00 00 00 00
CIPHERXI	00 0C 50 00 03 C0 00 00	00 0C 50 00 03 A0 00 00
CIPHERXO	00 0C 60 00 03 C0 00 00	00 0C 60 00 03 A0 00 00
CIPHERXL	00 0C 71 00 03 C0 00 00	00 0C 71 00 03 A0 00 00
CIPHER	00 03 71 00 03 00 00 00
CIPHER (double length)	00 03 71 00 03 41 00 00	00 03 71 00 03 21 00 00
CVARDEC	00 3F 42 00 03 00 00 00
CVARENC	00 3F 48 00 03 00 00 00
CVARPINE	00 3F 41 00 03 00 00 00
CVARXCVL	00 3F 44 00 03 00 00 00
CVARXCVR	00 3F 47 00 03 00 00 00
DATA (external)	00 00 00 00 00 00 00 00	00 00 00 00 00 00 00 00
DATA (internal)	00 00 7D 00 03 41 00 00	00 00 7D 00 03 21 00 00
DATA	00 00 00 00 00 00 00 00
DATAC	00 00 71 00 03 41 00 00	00 00 71 00 03 21 00 00
DATAM generation key (external and internal)	00 00 4D 00 03 41 00 00	00 00 4D 00 03 21 00 00
DATAM key (internal, deprecated)	00 00 4D 00 03 00 00 00	00 00 4D 00 03 00 00 00
DATAMV MAC verification key (external and internal)	00 00 44 00 03 41 00 00	00 00 44 00 03 21 00 00
DATAMV MAC verification key (internal, deprecated)	00 00 44 00 03 00 00 00	00 00 44 00 03 00 00 00
DATAXLAT	00 06 71 00 03 00 00 00
DECIPHER	00 03 50 00 03 00 00 00
DECIPHER (double-length)	00 03 50 00 03 41 00 00	00 03 50 00 03 21 00 00
DKYGENKY	00 71 44 00 00 03 41 00	00 71 44 00 03 21 00 00
DKYL0	This control vector has the DKYL0 set by default.
DKYL1	00 72 44 00 00 03 41 00	00 71 44 00 03 21 00 00
DKYL2	00 74 44 00 00 03 41 00	00 71 44 00 03 21 00 00
DKYL3	00 77 44 00 00 03 41 00	00 71 44 00 03 21 00 00
DKYL4	00 78 44 00 00 03 41 00	00 71 44 00 03 21 00 00
DKYL5	00 7B 44 00 00 03 41 00	00 71 44 00 03 21 00 00
DKYL6	00 7D 44 00 00 03 41 00	00 71 44 00 03 21 00 00
DKYL7	00 7E 44 00 00 03 41 00	00 71 44 00 03 21 00 00
ENCIPHER	00 03 60 00 03 00 00 00
ENCIPHER (double-length)	00 03 60 00 03 41 00 00	00 03 60 00 03 21 00 00
EXPORTER	00 41 7D 00 03 41 00 00	00 41 7D 00 03 21 00 00
IKEYXLAT	00 42 42 00 03 41 00 00	00 42 42 00 03 21 00 00
IMP-PKA	00 42 05 00 03 41 00 00	00 42 05 00 03 21 00 00
IMPORTER	00 42 7D 00 03 41 00 00	00 42 7D 00 03 21 00 00
IPINENC	00 21 5F 00 03 41 00 00	00 21 5F 00 03 21 00 00
MAC	00 05 4D 00 03 00 00 00
MAC (double-length)	00 05 4D 00 03 41 00 00	00 05 4D 00 03 21 00 00
MACVER	00 05 44 00 03 00 00 00
MACVER (double-length)	00 05 44 00 03 41 00 00	00 05 44 00 03 21 00 00
OKEYXLAT	00 41 42 00 03 41 00 00	00 41 42 00 03 21 00 00
OPINENC	00 24 77 00 03 41 00 00	00 24 77 00 03 21 00 00
PINGEN	00 22 7E 00 03 41 00 00	00 22 7E 00 03 21 00 00
PINVER	00 22 42 00 03 41 00 00	00 22 42 00 03 21 00 00
SECMSG with SMPIN set	00 0A 50 00 03 41 00 00	00 0A 50 00 03 21 00 00
SECMSG with SMKEY set	00 0A 60 00 03 41 00 00	00 0A 60 00 03 21 00 00

Note: The external control vectors for DATAC, DATAM MAC generation, and DATAMV MAC verification keys are also referred to as data compatibility control vectors.

For the default control vector values for triple-length DES keys, see Table 2. For key generation, use key length keyword TRIPLE-O to indicate the key parts ARE guaranteed to be unique (ignoring parity bits). Use TRIPLE to indicate that the key parts are NOT guaranteed to be unique.

Table 2. Default control vectors for triple-length DES keys
Default control vectors for triple-length DES keys. A table with four columns: Key type, ey length, CV base of left part of triple-length key, and CV extension of middle part of triple-length key
Key type (see Note 1)	Key length	Default control vector in hexadecimal (see Note 2)
Key type (see Note 1)	Key length	CV base of left part of triple-length key	CV extension of middle part of triple-length key
Key encrypting keys
EXPORTER	TRIPLE	`00 41 7D 00 03 60 00 81`	Same as CV base.
EXPORTER	TRIPLE-O	`00 41 7D 00 03 E1 00 81`	Same as CV base.
IMPORTER	TRIPLE	`00 42 7D 00 03 60 00 81`	Same as CV base.
IMPORTER	TRIPLE-O	`00 42 7D 00 03 E1 00 81`	Same as CV base.
Data operation keys
DATA	TRIPLE	`00 00 7D 00 03 60 00 81`	Same as CV base.
	TRIPLE-O	`00 00 7D 00 03 E1 00 81`
	ZEROCV24 External Version X'01' key token, token marks = B'0010 0000'	`00 00 00 00 00 00 00 00`
	ZEROCV24 Internal Version X'00' key token. Only applies to internal key of an external/internal key pair (CSNBKGN OPEX or OPIM).	Same as TRIPLE.
CIPHER	TRIPLE	`00 03 71 00 03 60 00 81`	Same as CV base.
CIPHER	TRIPLE-O	`00 03 71 00 03 E1 00 81`	Same as CV base.
DECIPHER	TRIPLE	`00 03 50 00 03 60 00 81`	Same as CV base.
DECIPHER	TRIPLE-O	`00 03 50 00 03 E1 00 81`	Same as CV base.
ENCIPHER	TRIPLE	`00 03 60 00 03 60 00 81`	Same as CV base.
ENCIPHER	TRIPLE-O	`00 03 60 00 03 E1 00 81`	Same as CV base.
MAC	TRIPLE	`00 05 4D 00 03 60 00 81`	Same as CV base.
MAC	TRIPLE-O	`00 05 4D 00 03 E1 00 81`	Same as CV base.
MACVER	TRIPLE	`00 05 44 00 03 60 00 81`	Same as CV base.
MACVER	TRIPLE-O	`00 05 44 00 03 E1 00 81`	Same as CV base.
PIN processing keys
IPINENC	TRIPLE	`00 21 5F 00 03 60 00 81`	Same as CV base.
IPINENC	TRIPLE-O	`00 21 5F 00 03 E1 00 81`	Same as CV base.
OPINENC	TRIPLE	`00 24 77 00 03 60 00 81`	Same as CV base.
OPINENC	TRIPLE-O	`00 24 77 00 03 E1 00 81`	Same as CV base.
PINGEN	TRIPLE	`00 22 7E 00 03 60 00 81`	Same as CV base.
PINGEN	TRIPLE-O	`00 22 7E 00 03 E1 00 81`	Same as CV base.
PINVER	TRIPLE	`00 22 42 00 03 60 00 81`	Same as CV base.
PINVER	TRIPLE-O	`00 22 42 00 03 E1 00 81`	Same as CV base.
Note: Only the key types shown in this table are allowed to be triple length in Release 5.4. and Release 6.2 A triple-length key in a Version X'00' fixed-length DES key-token is required to have CV bit 56 = B'1' (ENH-ONLY).