Summary of the AES, DES, and HMAC verbs
View a table that lists the AES, DES, and HMAC verbs described in this document. The table also references the chapter that describes the verb.
Entry point | Verb name | Description | Topic/Page |
---|---|---|---|
Managing AES, DES, and HMAC cryptographic keys | |||
CSNBCKI | Clear Key Import | Imports an 8-byte clear DATA key, enciphers it under the master key, and places the result into an internal key token. This verb converts the clear key into operational form as a DATA key. | Clear Key Import (CSNBCKI) |
CSNBCKM | Multiple Clear Key Import | Imports a single-length, double-length, or triple-length clear DATA key that is used to encipher or decipher data. It accepts a clear key and enciphers the key under the host master key, returning an encrypted DATA key in operational form in an internal key token. | Multiple Clear Key Import (CSNBCKM) |
CSNBCVG | Control Vector Generate | Builds a control vector from keywords specified by the key_type and rule_array parameters. | Control Vector Generate (CSNBCVG) |
CSNBCVT | Control Vector Translate | Changes the control vector used to encipher an external DES key. | Control Vector Translate (CSNBCVT) |
CSNBCVE | Cryptographic Variable Encipher | Encrypts plaintext using a CVARENC key to produce ciphertext using the Cipher Block Chaining (CBC) method. | Cryptographic Variable Encipher (CSNBCVE) |
CSNBDKX | Data Key Export | Re-enciphers a DATA key from encryption under the master key to encryption under an exporter key-encrypting key, making it suitable for export to another system. | Data Key Export (CSNBDKX) |
CSNBDKM | Data Key Import | Imports an encrypted source DES single-length or double-length DATA key and creates or updates a target internal key token with the master key enciphered source key. | Data Key Import (CSNBDKM) |
CSNBDKG | Diversified Key Generate | Generates a key based upon the key-generating key, the processing method, and the parameter data that is supplied. The control vector of the key-generating key also determines the type of target key that can be generated. | Diversified Key Generate (CSNBDKG) |
CSNBDKG2 | Diversified Key Generate2 | Generates an AES key based on a function of a key-generating key, the process rule, and data that you supply. | Diversified Key Generate2 (CSNBDKG2) |
CSNBDDK | Diversify Directed Key | Selectively generates and derives a pair of associated keys in connection with a directed key diversification key scheme. | Diversify Directed Key (CSNBDDK) |
CSNDEDH | EC Diffie-Hellman | Creates symmetric key material from a pair of Elliptic Curve Cryptography (ECC) keys using the Elliptic Curve Diffie-Hellman (ECDH) protocol. | EC Diffie-Hellman (CSNDEDH) |
CSNBKEX | Key Export | Re-enciphers a key from encryption under a master key variant to encryption under the same variant of an exporter key-encrypting key, making it suitable for export to another system. | Key Export (CSNBKEX) |
CSNBKGN | Key Generate | Generates a 64-bit, 128-bit, 192-bit, or 256-bit odd parity key, or a pair of keys, and returns them in encrypted forms (operational, exportable, or importable). Key Generate does not produce keys in plaintext. | Key Generate (CSNBKGN) |
CSNBKGN2 | Key Generate2 | Generates either one or two AES or HMAC keys. This verb does not produce keys in clear form and all keys are returned in encrypted form. When two keys are generated, each key has the same clear value, although this clear value is not exposed outside the secure cryptographic feature. This verb returns variable-length CCA key tokens and uses the AESKW wrapping method. Operational keys will be encrypted under the AES master key. | Key Generate2 (CSNBKGN2) |
CSNBKIM | Key Import | Re-enciphers a key from encryption under an importer key-encrypting key to encryption under the master key. The re-enciphered key is in the operational form. | Key Import (CSNBKIM) |
CSNBKPI | Key Part Import | Combines the clear key parts of any key type and returns the combined key value in an internal key token or an update to the CCA key storage file. | Key Part Import (CSNBKPI) |
CSNBKPI2 | Key Part Import2 | Combines the clear key parts of any key type and returns the combined key value either in a variable-length internal key token, TR-31 key token, or as an update to the key storage file. | Key Part Import2 (CSNBKPI2) |
CSNBKYT | Key Test | Generates or verifies (depending on keywords in the rule_array) a secure verification pattern for keys. This verb requires the tested key to be in the clear or encrypted under the master key. | Key Test (CSNBKYT) |
CSNBKYT2 | Key Test2 | Generates or verifies (depending on keywords in the rule_array) a secure cryptographic verification pattern for keys contained in a variable-length symmetric key-token. The key to test can be in the clear or encrypted under a master key. | Key Test2 (CSNBKYT2) |
CSNBKYTX | Key Test Extended | This verb is essentially the same as Key Test, except for the following: | Key Test Extended (CSNBKYTX) |
CSNBKTB | Key Token Build | Builds an internal or external token from the supplied parameters. You can use this verb to build CCA key tokens for all key types that CCA supports. The resulting token can be used as input to the Key Generate and Key Part Import verbs. | Key Token Build (CSNBKTB) |
CSNBKTB2 | Key Token Build2 | Builds variable-length internal or external key tokens for all key types that the coprocessor supports. The key token is built based on parameters that you supply. The resulting token can be used as input to the Key Generate2 and Key Part Import2 verbs. A clear key token built by this verb can be used as input to the Key Test2 verb. This verb supports internal HMAC tokens, both as clear key tokens and as skeleton tokens containing no key. | Key Token Build2 (CSNBKTB2) |
CSNBKTC | Key Token Change | Re-enciphers a DES key from encryption under the old master key to encryption under the current master key, and updates the keys in internal DES key-tokens. | Key Token Change (CSNBKTC) |
CSNBKTC2 | Key Token Change2 | Re-enciphers a variable-length HMAC key from encryption under the old master key to encryption under the current master key. This verb also updates the keys in internal HMAC key-tokens. | Key Token Change2 (CSNBKTC2) |
CSNBKTP | Key Token Parse | Disassembles a key token into separate pieces of information. This verb can disassemble an external key-token or an internal key-token in application storage. | Key Token Parse (CSNBKTP) |
CSNBKTP2 | Key Token Parse2 | Disassembles a variable-length symmetric key-token into separate pieces of information. The verb can disassemble an external or internal variable-length symmetric key-token in application storage. The verb returns some of the key-token information in a set of variables identified by individual parameters, and returns the remaining information as keywords in the rule array. | Key Token Parse2 (CSNBKTP2) |
CSNBKTR | Key Translate | Uses one key-encrypting key to decipher an input key and then enciphers this key using another key-encrypting key within the secure environment. | Key Translate (CSNBKTR) |
CSNBKTR2 | Key Translate2 | Uses one key-encrypting key to decipher an input key and then enciphers this key using another key-encrypting key within the secure environment. This verb differs from the Key Translate verb in that Key Translate2 can process both fixed-length and variable-length symmetric key tokens. | Key Translate2 (CSNBKTR2) |
CSNDPKD | PKA Decrypt | Uses an RSA private key to decrypt the RSA-encrypted key value and return the clear key value to the application. | PKA Decrypt (CSNDPKD) |
CSNDPKE | PKA Encrypt | Encrypts a supplied clear key value under an RSA public key. The supplied key can be formatted using the PKCS 1.2 or ZERO-PAD methods prior to encryption. | PKA Encrypt (CSNDPKE) |
CSNBPEX | Prohibit Export | Modifies the control vector of a CCA key token so that the key cannot be exported. This verb operates only on internal key tokens. | Prohibit Export (CSNBPEX) |
CSNBPEXX | Prohibit Export Extended | Modifies an external DES key-token so that the key can no longer be exported after it has been imported. This verb operates only on internal key tokens. | Prohibit Export Extended (CSNBPEXX) |
CSNBRKA | Restrict Key Attribute | Modifies an operational variable-length key so that it cannot be exported. | Restrict Key Attribute (CSNBRKA) |
CSNBRNG | Random Number Generate | Generates an 8-byte cryptographic-quality random number suitable for use as an encryption key or for other purposes. The output can be specified in three forms of parity: RANDOM, ODD, and EVEN. | Random Number Generate (CSNBRNG) |
CSNBRNGL | Random Number Generate Long | Generates a cryptographic-quality random number suitable for use as an encryption key or for other purposes, ranging from 1 - 8192 bytes in length. The output can be specified in three forms of parity: RANDOM, ODD, and EVEN. | Random Number Generate Long (CSNBRNGL) |
CSNDSYX | Symmetric Key Export | Transfers an application-supplied symmetric key (a DATA key) from encryption under the AES, DES or HMAC master key to encryption under an application-supplied RSA public key. The application-supplied DATA key must be an AES, DES or HMAC internal key token, or the label of an AES or DES key token in the CCA key storage file. The Symmetric Key Import and Symmetric Key Import2 verbs can import the PKA-encrypted key form at the receiving node. Support for HMAC keys was added beginning with CCA 4.1.0. | Symmetric Key Export (CSNDSYX) |
CSNDSXD | Symmetric Key Export with Data | Exports a symmetric key, along with some application-supplied data, encrypted using an RSA key. | Symmetric Key Export with Data (CSNDSXD) |
CSNDSYG | Symmetric Key Generate | Generates a symmetric key (a DATA key) and returns the key in two forms: DES-encrypted and encrypted under an RSA public key. The DES-encrypted key can be an internal token encrypted under a host DES master key, or an external form encrypted under a KEK. (You can use the Symmetric Key Import verb to import the PKA-encrypted form.) | Symmetric Key Generate (CSNDSYG) |
CSNDSYI | Symmetric Key Import | Imports a symmetric AES or DES DATA key enciphered under an RSA public key into operational form enciphered under a DES master key. | Symmetric Key Import (CSNDSYI) |
CSNDSYI2 | Symmetric Key Import2 | Use this verb to import an HMAC key that has been previously formatted and enciphered under an RSA public key by the Symmetric Key Export verb. The formatted and RSA-enciphered key is contained in an external variable-length symmetric key-token. The key is deciphered using the associated RSA private-key. The recovered HMAC key is re-enciphered under the AES master-key. The re-enciphered key is then returned in an internal variable-length symmetric key-token. The key algorithm for this verb is HMAC. | Symmetric Key Import2 (CSNDSYI2) |
CSNBUKD | Unique Key Derive | Performs the key derivation process as defined in ANSI X9.24 Part 1. The process derives keys from two values: the base derivation key (BDK) and the derivation data. Rule array keywords determine the types and number of keys derived on a particular call. | |
Protecting data | |||
CSNBDEC | Decipher | Deciphers data using cipher block chaining mode of DES. The result is called plaintext. | Decipher (CSNBDEC) |
CSNBENC | Encipher | Enciphers data using the cipher block chaining mode of DES. The result is called ciphertext. | Encipher (CSNBENC) |
CSNBSAD | Symmetric Algorithm Decipher | Deciphers data using the AES cipher block chaining mode. | Symmetric Algorithm Decipher (CSNBSAD) |
CSNBSAE | Symmetric Algorithm Encipher | Enciphers data using the AES cipher block chaining mode. | Symmetric Algorithm Encipher (CSNBSAE) |
CSNBCTT2 | Cipher Text Translate2 | Deciphers encrypted data (ciphertext) under one ciphertext translation key and re-enciphers it under another ciphertext translation key without having the data appear in the clear outside the cryptographic coprocessor. | Cipher Text Translate2 (CSNBCTT2) |
Verifying data integrity and authenticating messages | |||
CSNBHMG | HMAC Generate | Generates a keyed hash message authentication code (HMAC) for the text string provided as input. See Verifying data integrity and authenticating messages. | HMAC Generate (CSNBHMG) |
CSNBHMV | HMAC Verify | Verifies a keyed hash message authentication code (HMAC) for the text string provided as input. See Verifying data integrity and authenticating messages. | HMAC Verify (CSNBHMV) |
CSNBMGN | MAC Generate | Generates a 4, 6, or 8-byte Message Authentication Code (MAC) for a text string that the application program supplies. The MAC is computed using either the ANSI X9.9-1 algorithm or the ANSI X9.19 optional double key algorithm, and padding could be applied according to the EMV specification. | MAC Generate (CSNBMGN) |
CSNBMGN2 | MAC Generate2 | Generates a keyed hash message authentication code (HMAC) or a ciphered message authentication code (CMAC) for the message string provided as input. A MAC key with key usage that can be used for generate is required to calculate the MAC. | MAC Generate2 (CSNBMGN2) |
CSNBMVR | MAC Verify | Verifies a 4, 6, or 8-byte Message Authentication Code (MAC) for a text string that the application program supplies. The MAC is computed using either the ANSI X9.9-1 algorithm or the ANSI X9.19 optional double key algorithm, and padding could be applied according to the EMV specification. The computed MAC is compared with a user-supplied MAC. | MAC Verify (CSNBMVR) |
CSNBMVR2 | MAC Verify2 | Verifies a keyed hash message authentication code (HMAC) or a ciphered message authentication code (CMAC) for the message text provided as input. A MAC key with key usage that can be used for verify is required to verify the MAC. | MAC Verify2 (CSNBMVR2) |
CSNBMDG | MDC Generate | Creates a 128-bit hash value (Modification Detection Code) on a data string whose integrity you intend to confirm. | MDC Generate (CSNBMDG) |
CSNBOWH | One-Way Hash | Generates a one-way hash on specified text. | One-Way Hash (CSNBOWH) |
Financial services | |||
CSNBAPG | Authentication Parameter Generate | Generates an authentication parameter (AP) and returns it encrypted using the key supplied in an input parameter. | Authentication Parameter Generate (CSNBAPG) |
CSNBCPE | Clear PIN Encrypt | Formats a PIN into a PIN block format and encrypts the results. You can also use this verb to create an encrypted PIN block for transmission. With the RANDOM keyword, you can have the verb generate random PIN numbers. | Clear PIN Encrypt (CSNBCPE) |
CSNBPGN | Clear PIN Generate | Generates a clear personal identification number (PIN), a PIN verification value (PVV), or an offset using one of the following algorithms: | Clear PIN Generate (CSNBPGN) |
CSNBCPA | Clear PIN Generate Alternate | Generates a clear VISA PIN validation value (PVV) from an input encrypted PIN block. The PIN block might have been encrypted under either an input or output PIN encrypting key. The IBM-PINO algorithm is supported to produce a 3624 offset from a customer selected encrypted PIN. The PIN block must be encrypted under either an input PIN-encrypting key (IPINENC) or output PIN-encrypting key (OPINENC). | Clear PIN Generate Alternate (CSNBCPA) |
CSNBCSG | CVV Generate | Generates a VISA Card Verification Value (CVV) or a MasterCard Card Verification Code (CVC) as defined for track 2. | CVV Generate (CSNBCSG) |
CSNBCKC | CVV Key Combine | Combines two single-length operational DES keys that are suitable for use with the CVV (card-verification value) algorithm into one operational TDES key. | CVV Key Combine (CSNBCKC) |
CSNBCSV | CVV Verify | Verifies a VISA Card Verification Value (CVV) or a MasterCard Card Verification Code (CVC) as defined for track 2. | CVV Verify (CSNBCSV) |
CSNBEPG | Encrypted PIN Generate | Generates and formats a PIN and encrypts the PIN block. | Encrypted PIN Generate (CSNBEPG) |
CSNBPTR | Encrypted PIN Translate | Re-enciphers a PIN block from one PIN-encrypting key to another and, optionally, changes the PIN block format. UKPT keywords are supported. You must identify the input PIN-encrypting key that originally enciphers the PIN. You also need to specify the output PIN-encrypting key that you want the verb to use to encipher the PIN. If you want to change the PIN block format, specify a different output PIN block format from the input PIN block format. | Encrypted PIN Translate (CSNBPTR) |
CSNBPTR2 | Encrypted PIN Translate2 | This verb is a superset of the Encrypted PIN Translate (CSNBPTR) verb. It provides all the functions of CSNBPTR and, in addition, supports the AES encrypted ISO-4 PIN-block (as defined in ISO 9564-1) and authenticated PAN change support (which only applies to ISO-4 to ISO-4 PIN-block format translations). | Encrypted PIN Translate2 (CSNBPTR2) |
CSNBPTRE | Encrypted PIN Translate Enhanced | Reformats a PIN into a different PIN-block format using an enciphered PAN field. You can use this verb in an interchange-network application, or to change the PIN block to conform to the format and encryption key used in a PIN-verification database. | Encrypted PIN Translate Enhanced (CSNBPTRE) |
CSNBPVR | Encrypted PIN Verify | Verifies a supplied PIN using one of the following algorithms: UKPT keywords are supported. | Encrypted PIN Verify (CSNBPVR) |
CSNBFPED | FPE Decipher | Decrypts payment card data for the Visa Data Secure Platform (VDSP) processing. | FPE Decipher (CSNBFPED) |
CSNBFPEE | FPE Encipher | Encrypts payment card data for the Visa Data Secure Platform (VDSP) processing. | FPE Encipher (CSNBFPEE) |
CSNBFPET | FPE Translate | Translates payment data from encryption under one key to encryption under another key with a possibly different format. | FPE Translate (CSNBFPET) |
CSNBPCU | PIN Change/Unblock | Supports the PIN change algorithms specified in the VISA Integrated Circuit Card Specification; available only on an IBM z890 or IBM z990 with May 2004 or later version of Licensed Internal Code (LIC). | PIN Change/Unblock (CSNBPCU) |
CSNBPFO | Recover PIN from Offset | Calculates the encrypted customer-entered PIN from a PIN generating key, account information, and an IBM-PINO Offset. | Recover PIN from Offset (CSNBPFO) |
CSNBSKY | Secure Messaging for Keys | Encrypts a text block, including a clear key value decrypted from an internal or external DES token. | Secure Messaging for Keys (CSNBSKY) |
CSNBSPN | Secure Messaging for PINs | Encrypts a text block, including a clear PIN block recovered from an encrypted PIN block. | Secure Messaging for PINs (CSNBSPN) |
CSNBTRV | Transaction Validation | Supports the generation and validation of American Express® card security codes; available only on an IBM z890 or IBM z990 with May 2004 or later version of Licensed Internal Code (LIC). | Transaction Validation (CSNBTRV) |