z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF

Diversifying keys

z/OS Cryptographic Services ICSF Application Programmer's Guide

CCA supports several methods for diversifying a key using the diversified key generate callable service. Key-diversification is a technique often used in working with smart cards. In order to secure interactions with a population of cards, a "key-generating key" is used with some data unique to a card to derive ("diversify") keys for use with that card. The data is often the card serial number or other quantity stored on the card. The data is often public, and therefore it is very important to handle the key-generating key with a high degree of security lest the interactions with the whole population of cards be placed in jeopardy.

In the current implementation, several methods of diversifying a key are supported: CLR8-ENC, TDES-ENC, TDES-DEC, SESS-XOR, TDES-XOR, TDESEMV2 and TDESEMV4. The first two methods triple-encrypt data using the generating_key to form the diversified key. The diversified key is then multiply-enciphered by the master key modified by the control vector for the output key. The TDES-DEC method is similar except that the data is triple-decrypted.

The SESS-XOR method provides a means for modifying an existing DATA, DATAC, MAC, DATAM, or MACVER, DATAMV single- or double-length key. The provided data is exclusive-ORed into the clear value of the key. This form of key diversification is specified by several of the credit card associations.

The TDES-ENC and TDES-DEC methods permit the production of either another key-generating key, or a final key. Control-vector bits 19 - 22 associated with the key-generating key specify the permissible type of final key. (See DKYGENKY in Figure 11.) Control-vector bits 12 - 14 associated with the key-generating key specify if the diversified key is a final key or another in a series of key-generating keys. Bits 12 - 14 specify a counter that is decreased by one each time the diversified key generate service is used to produce another key-generating key. For example, if the key-generating key that you specify has this counter set to B'010', then you must specify the control vector for the generated_key with a DKYGENKY key type having the counter bits set to B'001' and specifying the same final key type in bits 19 - 22. Use of a generating_key with bits 12 - 14 set to B'000' results in the creation of the final key. Thus you can control both the number of diversifications required to reach a final key, and you can closely control the type of the final key.

The TDESEMV2, TDESEMV4, and TDES-XOR methods also derive a key by encrypting supplied data including a transaction counter value received from an EMV smart card. The processes are described in detail at Visa and EMV-related smart card formats and processes. Refer to Working with Europay-MasterCard-Visa smart cards to understand the various verbs you can use to operate with EMV smart cards.

Go to the previous page Go to the next page

Copyright IBM Corporation 1990, 2014