DES key usage restrictions

In addition to a key type and subtype, a DES control vector contains key usage values that further restrict the use of a key. Most key types define a default set of key usage restrictions in a control vector. Table 1 and Table 2 list the key types that have a default control vector, and show the default values of the control vector bits. DES key usage restrictions can be varied by using keywords when constructing control vector values using the Key Token Build verb or the Control Vector Generate verb, or by manually setting key-usage bits in the control vector.
Table 2 describes the usage keywords related to generating a control vector, building a control vector in a key token, or parsing the control vector of a key token. For information about the meaning of the bits of a DES control vector, see Table 1.
Part of the control vector of a DES key-token identifies the key type. The key type controls how a key in the key token can be used. Each DES key type falls under one of the following key classes:
  • Cipher (data operation)
  • PIN processing
  • Cryptographic variable encrypting key
  • Key encrypting key
  • Key generating key
Table 1 lists all of the DES key types, grouped by key class, along with a reference to a figure to determine the valid rule-array keyword combinations for a particular DES key type. These keywords are used when generating a control vector (Control Vector Generate, CSNBCVG), constructing a key token (Key Token Build, CSNBKTB), or parsing a key token (Key Token Parse, CSNBKTP).
Table 1. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations by DES key type

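| Key class | DES key type | Keyword combinations flowchart |
| --- | --- | --- |
| Cipher (data operation) | CIPHER | Figure 1 |
| Cipher (data operation) | DECIPHER, ENCIPHER | Figure 2 |
| Cipher (data operation) | CIPHERXI, CIPHERXL, CIPHERXO | Figure 3 |
| Cipher (data operation) | DATA | Figure 4 |
| Cipher (data operation) | DATAC, DATAM, DATAMV | Figure 5 |
| Cipher (data operation) | MAC, MACVER | Figure 6 |
| Cipher (data operation) | SECMSG | Figure 7 |
| PIN processing | IPINENC | Figure 8 |
| PIN processing | OPINENC | Figure 9 |
| PIN processing | PINGEN | Figure 10 |
| PIN processing | PINVER | Figure 11 |
| Cryptographic variable encrypting key | CVARDEC, CVARENC, CVARPINE, CVARXCVL, CVARXCVR | Figure 17 |
| Key encrypting key | EXPORTER | Figure 12 |
| Key encrypting key | IMPORTER | Figure 13 |
| Key encrypting key | IKEYXLAT, OKEYXLAT | Figure 14 |
| Key generating key | DKYGENKY | Figure 15 |
| Key generating key | KEYGENKY | Figure 16 |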

Figure 1 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types CIPHER, DECIPHER, and ENCIPHER. Beginning with Release 5.4 and Release 6.2, these key types support three-key Triple-DES (keywords TRIPLE and TRIPLE-O).

Figure 1. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES CIPHER keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. SINGLE and KEYLN8 are not valid when COMP-TAG is specified. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default when COMP-TAG is specified. Otherwise, the default is SINGLE.

Figure 2 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types DECIPHER and ENCIPHER.

Figure 2. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES DECIPHER and ENCIPHER keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. SINGLE and KEYLN8 are not valid when COMP-TAG is specified. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default when COMP-TAG is specified. Otherwise, the default is SINGLE.

Figure 3 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types CIPHERXI, CIPHERXL, and CIPHERXO.

Figure 3. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES CIPHERXI, CIPHERXL, and CIPHERXO keys

Figure 4 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type DATA.

Figure 4. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES DATA keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. SINGLE is the default.

Figure 5 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types DATAC, DATAM, and DATAMV.

Figure 5. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES DATAC, DATAM, and DATAMV keys

Note: KEYLN16 and MIXED are synonymous with DOUBLE. DOUBLE is the default.

Figure 6 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types MAC and MACVER.

Figure 6. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES MAC and MACVER keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. SINGLE is the default.

Figure 7 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type SECMSG.

Figure 7. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES SECMSG keys

Note: KEYLN16 and MIXED are synonymous with DOUBLE. DOUBLE is the default.

Figure 8 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type IPINENC.

Figure 8. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES IPINENC keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. All keywords in this group are defaults unless one or more of these keywords are specified.
  4. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 9 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type OPINENC.

Figure 9. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES OPINENC keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. All keywords in this group are defaults unless one or more of these keywords are specified.
  4. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 10 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type PINGEN.

Figure 10. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES PINGEN keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. All keywords in this group are defaults unless one or more of these keywords are specified.
  4. NOOFFSET has no effect with NO-SPEC, but is supported for backward compatibility. There is no default.
  5. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 11 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type PINVER.

Figure 11. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES PINVER keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. NOOFFSET has no effect with NO-SPEC, but is supported for backward compatibility. There is no default.
  4. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 12 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type EXPORTER.

Figure 12. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES EXPORTER keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. All keywords in this group are defaults unless one or more of these keywords are specified.
  4. Keyword ANY has been deprecated. Using ANY has no effect, but is allowed for backward compatibility.
  5. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 13 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type IMPORTER.

Figure 13. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES IMPORTER keys

Note:
  1. WRAPENH2 is only valid for TRIPLE or TRIPLE-O. If TRIPLE or TRIPLE-O is specified, WRAPENH2 is the default. Otherwise, WRAP-ECB is the default.
  2. ENH-ONLY is only valid with WRAP-ENH, WRAPENH2, or WRAPENH3. It is the default for WRAPENH3. ENH-ONLY is also the default for TRIPLE or TRIPLE-O. Otherwise there is no default.
  3. All keywords in this group are defaults unless one or more of these keywords are specified.
  4. Keyword ANY has been deprecated. Using ANY has no effect, but is allowed for backward compatibility.
  5. KEYLN16 and MIXED are synonymous with DOUBLE. TRIPLE and TRIPLE-O are not valid with WRAP-ECB or WRAP-ENH. DOUBLE is the default.

Figure 14 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types IKEYXLAT and OKEYXLAT.

Figure 14. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES IKEYXLAT and OKEYXLAT keys

Note:
  1. Keyword ANY has been deprecated. Using ANY has no effect, but is allowed for backward compatibility.
  2. KEYLN16 and MIXED are synonymous with DOUBLE. DOUBLE is the default.

Figure 15 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type DKYGENKY.

Figure 15. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES DKYGENKY keys

Note: KEYLN16 and MIXED are synonymous with DOUBLE. DOUBLE is the default.

Figure 16 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key type KEYGENKY.

Figure 16. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES KEYGENKY keys

Note: KEYLN16 and MIXED are synonymous with DOUBLE. DOUBLE is the default.

Figure 17 shows the Control Vector Generate, Key Token Build, and Key Token Parse keyword combinations for DES key types CVARDEC, CVARENC, CVARPINE, CVARXCVL, and CVARXCVR.

Figure 17. CSNBCVG, CSNBKTB, and CSNBKTP keyword combinations for DES CVARDEC, CVARENC, CVARPINE, CVARXCVL, and CVARXCVR keys

Note: KEYLN8 is synonymous with SINGLE. KEYLN16 and MIXED are synonymous with DOUBLE. SINGLE is the default. The Cryptographic Variable Encipher service only supports single length keys, so do not specify DOUBLE, DOUBLE-O, KEYLN16, or MIXED if the key is to be used by this service.
Table 2. DES control vector key-subtype and key-usage keywords

Keyword Meaning
Key-encrypting keys
OPIM IMPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is OPIM.
IMEX IMPORTER and EXPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is IMEX.
IMIM IMPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is IMIM.
IMPORT IMPORTER keys that have a control vector with this attribute can be used to import a key in the Key Import verb.
OPEX EXPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is OPEX.
EXEX EXPORTER keys that have a control vector with this attribute can be used in the Key Generate verb when the key form is EXEX.
EXPORT EXPORTER keys that have a control vector with this attribute can be used to export a key in the Key Export verb.
XLATE IMPORTER and EXPORTER keys that have a control vector with this attribute can be used in the Key Translate or Key Translate2 verbs.
ANY Key-encrypting keys that have a control vector with this attribute can be used to transport any type of key. The meaning of this keyword has been discontinued, and its usage is allowed for backward compatibility reasons only.
NOT-KEK Key-encrypting keys that have a control vector with this attribute formerly could not be used to transport key-encrypting keys. The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only.
DATA Key-encrypting keys that have a control vector with this attribute formerly could only be used to transport keys with a key type of DATA, CIPHER, ENCIPHER, DECIPHER, MAC, and MACVER. The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only.
PIN Key-encrypting keys that have a control vector with this attribute formerly could only be used to transport keys with a key type of PINVER, IPINENC, and OPINENC. The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only.
LMTD-KEK Key-encrypting keys that have a control vector with this attribute formerly could only be used to exchange keys with key-encrypting keys that carry NOT-KEK, PIN, or DATA key-type ciphering restrictions. The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only.
MAC keys
ANY-MAC Any MAC verb can use this key.
ANSIX9.9 The meaning of this keyword has been discontinued and its usage is allowed for backward compatibility reasons only.
CVVKEY-A Restricts the usage to single-length key-A key or double-length key-A and key-B keys for the CVV Generate and CVV Verify verbs.
CVVKEY-B Restricts the usage to single-length key-B key for the CVV Generate and CVV Verify verbs.
Data operation keys
SMKEY Enable the encryption of keys in an EMV secure message.
SMPIN Enable the encryption of PINs in an EMV secure message.
PIN keys
NO-SPEC The control vector does not require a specific PIN-calculation method.
IBM-PIN Select the IBM 3624 PIN-calculation method.
IBM-PINO Select the IBM 3624 PIN-calculation method with offset processing.
GBP-PIN Select the IBM German Bank Pool PIN-calculation method.
GBP-PINO Select the IBM German Bank Pool PIN-calculation method with institution-PIN input or output.
VISA-PVV Select the Visa PVV PIN-calculation method.
INBK-PIN Select the InterBank PIN-calculation method.
NOOFFSET Indicates that a PINGEN or PINVER key cannot participate in the generation or verification of a PIN when an offset process is requested.
CPINGEN The key can participate in the Clear PIN Generate verb.
CPINGENA The key can participate in the Clear PIN Generate Alternate verb.
EPINGEN The key can participate in the Encrypted PIN Generate verb.
EPINVER The key can participate in the Encrypted PIN Verify verb.
CPINENC The key can participate in the Clear PIN Encrypt verb.
REFORMAT The key can participate in the Encrypted PIN Translate verb in the Reformat mode.
TRANSLAT The key can participate in the Encrypted PIN Translate verb in the Translate mode.
Key-generating keys
CLR8-ENC The key can be used to multiply encrypt eight bytes of clear data with a generating key.
DALL The key can be used to generate keys with the following key types: DATA, DATAC, DATAM, DATAMV, DMKEY, DMPIN, EXPORTER, IKEYXLAT, IMPORTER, MAC, MACVER, OKEYXLAT, and PINVER.
DDATA The key can be used to generate a single-length or double-length DATA or DATAC key.
DEXP The key can be used to generate an EXPORTER or an OKEYXLAT key.
DIMP The key can be used to generate an IMPORTER or an IKEYXLAT key.
DMAC The key can be used to generate a MAC or DATAM key.
DMKEY The key can be used to generate a SECMSG with SMKEY secure messaging key for encrypting keys.
DMPIN The key can be used to generate a SECMSG with SMPIN secure messaging key for encrypting PINs.
DMV The key can be used to generate a MACVER or DATAMV key.
DPVR The key can be used to generate a PINVER key.
DKYL0 A DKYGENKY key with this subtype can be used to generate a key based on the key-usage bits.
DKYL1 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL0.
DKYL2 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL1.
DKYL3 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL2.
DKYL4 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL3.
DKYL5 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL4.
DKYL6 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL5.
DKYL7 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL6.
Key lengths
MIXED Indicates that the key can be either a replicated single-length key or a double-length key with two different, random 8-byte values.
SINGLE, KEYLN8 Specifies the key as a single-length key.
DOUBLE, KEYLN16 Specifies the key as a double-length key.
TRIPLE Specifies the key as a triple-length key.
Miscellaneous attributes
XPORT-OK Permits the key to be exported by Key Export or Data Key Export. Also permits the key to be exported by the TR31 Translate verb, unless keyword NOT31XPT is set (CV bit 27 = B'1').
NO-XPORT Prohibits the key from being exported by Key Export or Data Key Export.
KEY-PART Specifies the control vector is for a key part.
ENH-ONLY Prohibits the key from being wrapped with the legacy method once it has been wrapped with the enhanced method.
T31XPTOK Permits the key to be exported by the TR31 Translate verb.
NOT31XPT Prohibits the key from being exported by the TR31 Translate verb.
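
The notes under Figures 1, 2, 4, 6 and 8 through 13 state the same key-length, wrapping-method and ENH-ONLY rules. The following added example (not IBM code, and it does not call the CCA verbs) resolves those defaults for a rule array and rejects the combinations the notes rule out. The names `resolve` and `RuleArrayError` and the one-keyword-per-group check are assumptions of the example; which other keywords a key type accepts is defined by the figures and is not checked here.

```python
# Added example: applies only the constraints written in the figure notes.
SYNONYMS = {"KEYLN8": "SINGLE", "KEYLN16": "DOUBLE", "MIXED": "DOUBLE"}
LENGTHS = {"SINGLE", "DOUBLE", "DOUBLE-O", "TRIPLE", "TRIPLE-O"}
WRAPS = {"WRAP-ECB", "WRAP-ENH", "WRAPENH2", "WRAPENH3"}
ENHANCED = {"WRAP-ENH", "WRAPENH2", "WRAPENH3"}
TRIPLE = {"TRIPLE", "TRIPLE-O"}

# Default key length per key type, as stated in the notes.
DEFAULT_LENGTH = dict.fromkeys(
    ["CIPHER", "DECIPHER", "ENCIPHER", "DATA", "MAC", "MACVER"], "SINGLE")
DEFAULT_LENGTH.update(dict.fromkeys(
    ["IPINENC", "OPINENC", "PINGEN", "PINVER", "EXPORTER", "IMPORTER"],
    "DOUBLE"))
# Only the notes for these key types mention COMP-TAG.
COMP_TAG_TYPES = {"CIPHER", "DECIPHER", "ENCIPHER"}


class RuleArrayError(ValueError):
    """A keyword combination that the figure notes rule out."""


def _one(kind, found):
    # Assumption: at most one keyword per group (key length, wrapping method).
    if len(found) > 1:
        raise RuleArrayError(f"conflicting {kind} keywords: {sorted(found)}")
    return next(iter(found), None)


def resolve(key_type, keywords):
    """Return the effective key length, wrapping method and ENH-ONLY setting."""
    if key_type not in DEFAULT_LENGTH:
        raise RuleArrayError(f"no wrapping notes on this page for {key_type}")
    kws = [SYNONYMS.get(k.upper(), k.upper()) for k in keywords]
    comp_tag = "COMP-TAG" in kws and key_type in COMP_TAG_TYPES
    length = _one("key-length", {k for k in kws if k in LENGTHS})
    wrap = _one("wrapping", {k for k in kws if k in WRAPS})

    if comp_tag and length == "SINGLE":
        raise RuleArrayError("SINGLE/KEYLN8 is not valid with COMP-TAG")
    if length is None:
        length = "DOUBLE" if comp_tag else DEFAULT_LENGTH[key_type]
    triple = length in TRIPLE

    if wrap is None:
        wrap = "WRAPENH2" if triple else "WRAP-ECB"
    if wrap == "WRAPENH2" and not triple:
        raise RuleArrayError("WRAPENH2 is only valid for TRIPLE or TRIPLE-O")
    if triple and wrap in ("WRAP-ECB", "WRAP-ENH"):
        raise RuleArrayError(f"{length} is not valid with {wrap}")

    enh_only = "ENH-ONLY" in kws
    if enh_only and wrap not in ENHANCED:
        raise RuleArrayError(f"ENH-ONLY is not valid with {wrap}")
    # ENH-ONLY is the default for WRAPENH3 and for TRIPLE / TRIPLE-O.
    enh_only = enh_only or wrap == "WRAPENH3" or triple
    return {"length": length, "wrap": wrap, "enh_only": enh_only}


if __name__ == "__main__":
    # Constructed rule arrays, not taken from a real key token.
    for kt, kws in [("CIPHER", []), ("DATA", ["TRIPLE"]), ("PINGEN", ["WRAPENH3"])]:
        print(kt, kws, "->", resolve(kt, kws))
```

A rule array that names no wrapping keyword resolves to WRAP-ECB for single-length and double-length keys, which leaves ENH-ONLY unset; auditing existing key-build code with a check like this shows where the legacy wrapping method is still being selected by default.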