DES key usage restrictions
- Cipher (data operation)
- PIN processing
- Cryptographic variable encrypting key
- Key encrypting key
- Key generating key

| Key class | DES key type | Keyword combinations flowchart |
|---|---|---|
| Cipher (data operation) | CIPHER | Figure 1 |
| | DECIPHER, ENCIPHER | Figure 2 |
| | CIPHERXI, CIPHERXL, CIPHERXO | Figure 3 |
| | DATA | Figure 4 |
| | DATAC, DATAM, DATAMV | Figure 5 |
| | MAC, MACVER | Figure 6 |
| | SECMSG | Figure 7 |
| PIN processing | IPINENC | Figure 8 |
| | OPINENC | Figure 9 |
| | PINGEN | Figure 10 |
| | PINVER | Figure 11 |
| Cryptographic variable encrypting key | CVARDEC, CVARENC, CVARPINE, CVARXCVL, CVARXCVR | Figure 17 |
| Key encrypting key | EXPORTER | Figure 12 |
| | IMPORTER | Figure 13 |
| | IKEYXLAT, OKEYXLAT | Figure 14 |
| Key generating key | DKYGENKY | Figure 15 |
| | KEYGENKY | Figure 16 |

Figure 1 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types CIPHER, DECIPHER, and ENCIPHER. Beginning with Release 5.4 and Release 6.2, these key types support three-key Triple-DES (keywords TRIPLE and TRIPLE-O).

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. SINGLE and KEYLN8 are not valid when COMP-TAG is specified. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default when COMP-TAG is specified. Otherwise, the default is SINGLE.

Figure 2 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types DECIPHER and ENCIPHER.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. SINGLE and KEYLN8 are not valid when COMP-TAG is specified. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default when COMP-TAG is specified. Otherwise, the default is SINGLE.

Figure 3 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types CIPHERXI, CIPHERXL, and CIPHERXO.

Figure 4 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type DATA.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. SINGLE is the default.

Figure 5 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types DATAC, DATAM, and DATAMV.

Figure 6 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types MAC and MACVER.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. SINGLE is the default.

Figure 7 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type SECMSG.

Figure 8 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type IPINENC.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- All keywords in this group are defaults unless one or more of these keywords are specified.
- KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 9 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type OPINENC.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- All keywords in this group are defaults unless one or more of these keywords are specified.
- KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 10 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type PINGEN.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- All keywords in this group are defaults unless one or more of these keywords are specified.
- NOOFFSET has no effect with NO-SPEC, but is supported for backward compatibility. There is no default.
- KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 11 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type PINVER.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- NOOFFSET has no effect with NO-SPEC, but is supported for backward compatibility. There is no default.
- KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 12 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type EXPORTER.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- All keywords in this group are defaults unless one or more of these keywords are specified.
- Keyword ANY has been deprecated. Using ANY has no effect, but is allowed for backward compatibility.
- KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 13 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type IMPORTER.

- WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
- ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
- All keywords in this group are defaults unless one or more of these keywords are specified.
- Keyword ANY has been deprecated. Using ANY has no effect, but is allowed for backward compatibility.
- KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 14 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types IKEYXLAT and OKEYXLAT.

- Keyword ANY has been deprecated. Using ANY has no effect, but is allowed for backward compatibility.
- KEYLN16 and MIXED are synonymous with DOUBLE. DOUBLE is the default.

Figure 15 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type DKYGENKY.

Figure 16 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type KEYGENKY.

Figure 17 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types CVARDEC, CVARENC, CVARPINE, CVARXCVL, and CVARXCVR.
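
The notes under the figures repeat the same wrapping-method, ENH-ONLY, and key-length rules. As an added example (not IBM code, and not a CCA API), this Python function resolves the defaults and rejects the combinations those notes call invalid. The names `resolve_keywords` and `pick_one`, and the check that at most one keyword is chosen per group, are assumptions of the example.

```python
SYNONYMS = {"KEYLN8": "SINGLE", "KEYLN16": "DOUBLE", "MIXED": "DOUBLE"}
LENGTHS = {"SINGLE", "DOUBLE", "TRIPLE", "TRIPLE-O"}
WRAPS = {"WRAP-ECB", "WRAP-ENH", "WRAPENH2", "WRAPENH3"}
TRIPLES = {"TRIPLE", "TRIPLE-O"}


def pick_one(keywords, group, what):
    """Return the single keyword chosen from a group, or None if absent."""
    chosen = sorted(keywords & group)
    if len(chosen) > 1:  # assumption: one keyword per flowchart group
        raise ValueError(f"conflicting {what} keywords: {chosen}")
    return chosen[0] if chosen else None


def resolve_keywords(rule_array, default_length="SINGLE"):
    """Apply the figure notes; return (length, wrap, enh_only) or raise ValueError.

    default_length is SINGLE for the DATA and MAC notes and DOUBLE for the
    PIN and key-encrypting-key notes.
    """
    kw = {SYNONYMS.get(k, k) for k in rule_array}
    comp_tag = "COMP-TAG" in kw  # appears only in the Figure 1 and 2 notes
    length = pick_one(kw, LENGTHS, "key-length")
    if length is None:
        length = "DOUBLE" if comp_tag else default_length
    if comp_tag and length == "SINGLE":
        raise ValueError("SINGLE/KEYLN8 is not valid with COMP-TAG")
    triple = length in TRIPLES
    wrap = pick_one(kw, WRAPS, "wrapping") or ("WRAPENH2" if triple else "WRAP-ECB")
    if wrap == "WRAPENH2" and not triple:
        raise ValueError("WRAPENH2 is only valid for TRIPLE or TRIPLE-O")
    if triple and wrap in {"WRAP-ECB", "WRAP-ENH"}:
        raise ValueError(f"{length} is not valid with {wrap}")
    if "ENH-ONLY" in kw and wrap == "WRAP-ECB":
        raise ValueError("ENH-ONLY requires WRAP-ENH, WRAPENH2, or WRAPENH3")
    # ENH-ONLY is the default for WRAPENH3 and for TRIPLE/TRIPLE-O.
    enh_only = "ENH-ONLY" in kw or wrap == "WRAPENH3" or triple
    return length, wrap, enh_only


if __name__ == "__main__":
    # Constructed rule arrays, not taken from the page.
    for rules in (["DATA"], ["TRIPLE"], ["KEYLN16", "WRAP-ENH", "ENH-ONLY"]):
        print(rules, "->", resolve_keywords(rules))
```

A key type whose notes give DOUBLE as the default, such as EXPORTER, is checked with `resolve_keywords(rules, default_length="DOUBLE")`.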

| Keyword | Meaning |
|---|---|
| Key-encrypting keys | |
| OPIM | IMPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is OPIM. |
| IMEX | IMPORTER and EXPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is IMEX. |
| IMIM | IMPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is IMIM. |
| IMPORT | IMPORTER keys that have a control vector with this attribute can be used to import a key in the Key Import verb. |
| OPEX | EXPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is OPEX. |
| EXEX | EXPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is EXEX. |
| EXPORT | EXPORTER keys that have a control vector with this attribute can be used to export a key in the Key Export verb. |
| XLATE | IMPORTER and EXPORTER keys that have a control vector with this attribute can be used in the Key Translate or Key Translate2 verbs. |
| ANY | Key-encrypting keys that have a control vector with this attribute can be used to transport any type of key. The meaning of this keyword has been discontinued, and its usage is allowed for backward compatibility reasons only. |
| NOT-KEK | Key-encrypting keys that have a control vector with this attribute formerly could not be used to transport key-encrypting keys. The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only. |
| DATA | Key-encrypting keys that have a control vector with this attribute formerly could only be used to transport keys with a key type of DATA, CIPHER, ENCIPHER, DECIPHER, MAC, and MACVER. The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only. |
| PIN | Key-encrypting keys that have a control vector with this attribute formerly could only be used to transport keys with a key type of PINVER, IPINENC, and OPINENC. The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only. |
| LMTD-KEK | Key-encrypting keys that have a control vector with this attribute formerly could only be used to exchange keys with key-encrypting keys that carry NOT-KEK, PIN, or DATA key-type ciphering restrictions. The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only. |
| MAC keys | |
| ANY-MAC | Any MAC verb can use this key. |
| ANSIX9.9 | The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only. |
| CVVKEY-A | Restricts the usage to single-length key-A key or double-length key-A and key-B keys for the CVV Generate and CVV Verify verbs. |
| CVVKEY-B | Restricts the usage to single-length key-B key for the CVV Generate and CVV Verify verbs. |
| Data operation keys | |
| SMKEY | Enable the encryption of keys in an EMV secure message. |
| SMPIN | Enable the encryption of PINs in an EMV secure message. |
| PIN keys | |
| NO-SPEC | The control vector does not require a specific PIN-calculation method. |
| IBM-PIN | Select the IBM 3624 PIN-calculation method. |
| IBM-PINO | Select the IBM 3624 PIN-calculation method with offset processing. |
| GBP-PIN | Select the IBM German Bank Pool PIN-calculation method. |
| GBP-PINO | Select the IBM German Bank Pool PIN-calculation method with institution-PIN input or output. |
| VISA-PVV | Select the Visa PVV PIN-calculation method. |
| INBK-PIN | Select the InterBank PIN-calculation method. |
| NOOFFSET | Indicates that a PINGEN or PINVER key cannot participate in the generation or verification of a PIN when an offset process is requested. |
| CPINGEN | The key can participate in the Clear PIN Generate verb. |
| CPINGENA | The key can participate in the Clear PIN Generate Alternate verb. |
| EPINGEN | The key can participate in the Encrypted PIN Generate verb. |
| EPINVER | The key can participate in the Encrypted PIN Verify verb. |
| CPINENC | The key can participate in the Clear PIN Encrypt verb. |
| REFORMAT | The key can participate in the Encrypted PIN Translate verb in the Reformat mode. |
| TRANSLAT | The key can participate in the Encrypted PIN Translate verb in the Translate mode. |
| Key-generating keys | |
| CLR8-ENC | The key can be used to multiply encrypt eight bytes of clear data with a generating key. |
| DALL | The key can be used to generate keys with the following key types: DATA, DATAC, DATAM, DATAMV, DMKEY, DMPIN, EXPORTER, IKEYXLAT, IMPORTER, MAC, MACVER, OKEYXLAT, and PINVER. |
| DDATA | The key can be used to generate a single-length or double-length DATA or DATAC key. |
| DEXP | The key can be used to generate an EXPORTER or an OKEYXLAT key. |
| DIMP | The key can be used to generate an IMPORTER or an IKEYXLAT key. |
| DMAC | The key can be used to generate a MAC or DATAM key. |
| DMKEY | The key can be used to generate a SECMSG with SMKEY secure messaging key for encrypting keys. |
| DMPIN | The key can be used to generate a SECMSG with SMPIN secure messaging key for encrypting PINs. |
| DMV | The key can be used to generate a MACVER or DATAMV key. |
| DPVR | The key can be used to generate a PINVER key. |
| DKYL0 | A DKYGENKY key with this subtype can be used to generate a key based on the key-usage bits. |
| DKYL1 | A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL0. |
| DKYL2 | A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL1. |
| DKYL3 | A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL2. |
| DKYL4 | A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL3. |
| DKYL5 | A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL4. |
| DKYL6 | A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL5. |
| DKYL7 | A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL6. |
| Key lengths | |
| MIXED | Indicates that the key can be either a replicated single-length key or a double-length key with two different, random 8-byte values. |
| SINGLE, KEYLN8 | Specifies the key as a single-length key. |
| DOUBLE, KEYLN16 | Specifies the key as a double-length key. |
| TRIPLE | Specifies the key as a triple-length key. |
| Miscellaneous attributes | |
| XPORT-OK | Permits the key to be exported by Key Export or Data Key Export. Also permits the key to be exported by the TR31 Translate verb, unless keyword NOT31XPT is set (CV bit 27 = B'1'). |
| NO-XPORT | Prohibits the key from being exported by Key Export or Data Key Export. |
| KEY-PART | Specifies the control vector is for a key part. |
| ENH-ONLY | Prohibits the key from being wrapped with the legacy method once it has been wrapped with the enhanced method. |
| T31XPTOK | Permits the key to be exported by the TR31 Translate verb. |
| NOT31XPT | Prohibits the key from being exported by the TR31 Translate verb. |