ICSF summary of interface changes

The following tables describe new and changed services for Cryptographic Support for z/OS®

Table 1. Summary of new and changed ICSF callable services for z/OS V2R2
Callable service FMID, Release Description
Authentication Parameter Generate z/OS V2R2 (FMID HCR77A1) New: Generate an authentication parameter (AP) and return it encrypted under a supplied encrypting key.
Field level decipher z/OS V2R2 (FMID HCR77B0) New: Decrypts payment related data base fields that have been previously encrypted using the field level encipher callable service.
Field level encipher z/OS V2R2 (FMID HCR77B0) New: Encrypts payment related data base fields, preserving the format of the fields.
FPE decipher z/OS V2R2 (FMID HCR77B0) New: Decrypts payment card data for the Visa Data Secure Platform (Visa DSP) processing.
FPE encipher z/OS V2R2 (FMID HCR77B0) New: Encrypts payment card data for the Visa Data Secure Platform (Visa DSP) processing.
FPE translate z/OS V2R2 (FMID HCR77B0) New: Translates payment data from encryption under one key to encryption under another key with a possibly different format.
ICSF Multi-Purpose Service z/OS V2R2 (FMID HCR77B0) New: Validates the keys in the active CKDS or PKDS.
ICSF Query Algorithm z/OS V2R2 (FMID HCR77B0) Changed: Usage notes have been updated.
ICSF Query Facility z/OS V2R2 (FMID HCR77B0) Changed: The returned_data parameter has been updated.
ICSF Query Facility 2 z/OS V2R2 (FMID HCR77A1) New: Provides information on the cryptographic environment as currently known by ICSF.
Key Data Set List z/OS V2R2 (FMID HCR77B0) New: Generates a list or count of CKDS and PKDS labels or TKDS object handles.
Key Data Set Metadata Read z/OS V2R2 (FMID HCR77B0) New: Use to obtain metadata of a CKDS, PKDS, or TKDS record.
Key Data Set Metadata Write z/OS V2R2 (FMID HCR77B0) New: Adds, deletes, or modifies metadata of a set of records in the active CKDS, PKDS, or TKDS.
PCI Interface callable service z/OS V2R2 (FMID HCR77B0) Changed: The rule_array parameter has been updated.
PKA Key Token Change z/OS V2R2 (FMID HCR77B0) Changed: Usage notes have been updated.
PKCS #11 One-way hash generate z/OS V2R2 (FMID HCR77B0) Changed: Legacy hash rules added.
PKCS11 One-way hash, sign, or verify z/OS V2R2 (FMID HCR77B0) Changed: Legacy hash rules added.
Recover PIN From Offset z/OS V2R2 (FMID HCR77A1) New: Calculate an encrypted customer-entered PIN from a PIN generating key, account information, and an offset, returning the PIN properly formatted and encrypted under a PIN encryption key.
Symmetric Key Export with Data z/OS V2R2 (FMID HCR77A1) New: Export a symmetric key encrypted using an RSA key, inserted in a PKCS#1 block type 2, with some extra data supplied by the application.
Table 2. Summary of new and changed ICSF callable services for z/OS V2R1
Callable service FMID, Release Description
Cipher Text Translate2 and Cipher Text Translate2 with alet z/OS V2R1 (FMID HCR77A0) New: Translates the user-supplied ciphertext from one key to another key.
Clear PIN Generate z/OS V2R1 (FMID HCR7790) Changed: Increased X9.8 PIN block security, stored PIN decimalization tables support.
Clear PIN Generate Alternate z/OS V2R1 (FMID HCR7790) Changed: Increased X9.8 PIN block security, stored PIN decimalization tables support.
Control Vector Generate z/OS V2R1 (FMID HCR77A0) Changed:
  • Support CIPHERXI, CIPHERXL and CIPHERXO key types.
  • Support DOUBLE-O rule_array keyword.
z/OS V2R1 (FMID HCR7790) Changed: ANSI TR-31 key block support.
Coordinated KDS Administration z/OS V2R1 (FMID HCR7790) New: Support for a coordinated CKDS refresh or a coordinated CKDS reencipher and master key change.
CVV Key Combine z/OS V2R1 (FMID HCR7790) New: Double-length CVV key support.
Digital Signature Verify z/OS V2R1 (FMID HCR7790) Changed: 4096-bit RSA clear key hardware support.
ECC Diffie-Hellman z/OS V2R1 (FMID HCR77A0) Changed:
  • Support CIPHERXI, CIPHERXL and CIPHERXO key types.
  • Support creation of DES keys with guaranteed unique key halves.
z/OS V2R1 (FMID HCR7790) New: Creation of:
  • Symmetric key material from a pair of ECC keys using the Elliptic Curve Diffie-Hellman protocol using the Static Unified Model.
  • “Z” - The “secret” material output from D-H process.
Encrypted PIN Generate z/OS V2R1 (FMID HCR7790) Changed: Increased X9.8 PIN block security, stored PIN decimalization tables support.
Encrypted PIN Verify z/OS V2R1 (FMID HCR7790) Changed: Increased X9.8 PIN block security, stored PIN decimalization tables support.
ICSF Query Algorithm z/OS V2R1 (FMID HCR7790) Changed: 4096-bit RSA clear key hardware support.
ICSF Query Facility z/OS V2R1 (FMID HCR7790) Changed:
  • Increased X9.8 PIN block security, stored PIN decimalization tables support.
  • ECC Diffie-Hellman (ECCDH) and ECC key wrapping support.
  • 4096-bit RSA clear key hardware support.
Key Export z/OS V2R1 (FMID HCR77A0) Changed: Support CIPHERXI, CIPHERXL and CIPHERXO key types.
Key Generate z/OS V2R1 (FMID HCR77A0) Changed:
  • Support CIPHERXI, CIPHERXL and CIPHERXO key types.
  • Support DOUBLE-O key_length.
Key Generate2 z/OS V2R1 (FMID HCR77A0) Changed: Support generating AES CIPHER keys for use in Cipher Text Translate2 callable service.
z/OS V2R1 (FMID HCR7790) Changed: AES key type support.
Key Import z/OS V2R1 (FMID HCR77A0) Changed: Support CIPHERXI, CIPHERXL and CIPHERXO key types.
Key Part Import2 z/OS V2R1 (FMID HCR7790) Changed: AES key type support.
Key Test2 z/OS V2R1 (FMID HCR7790) Changed:
  • AES key type support.
  • ANSI TR-31 key block support.
Key Token Build z/OS V2R1 (FMID HCR77A0) Changed:
  • Support CIPHERXI, CIPHERXL and CIPHERXO key types.
  • Support DOUBLE-O rule_array keyword.
z/OS V2R1 (FMID HCR7790) Changed: ANSI TR-31 key block support.
Key Token Build2 z/OS V2R1 (FMID HCR77A0) Changed: Support C-XLATE keyword for AES CIPHER key type.
z/OS V2R1 (FMID HCR7790) Changed: AES key type support.
Key Translate2 z/OS V2R1 (FMID HCR7790) Changed: AES key type support.
Multiple Secure Key Import z/OS V2R1 (FMID HCR77A0) Changed: Support CIPHERXI, CIPHERXL and CIPHERXO key types.
PKA Decrypt z/OS V2R1 (FMID HCR7790) Changed: 4096-bit RSA clear key hardware support.
PKA Encrypt z/OS V2R1 (FMID HCR7790) Changed: 4096-bit RSA clear key hardware support.
PKA Key Generate z/OS V2R1 (FMID HCR77A0) Changed: Support generating RSA keys that can be wrapped by AES keys.
z/OS V2R1 (FMID HCR7790) Changed: Support for External ECC Keys (ECC Keys encrypted by an AES KEK).
PKA Key Import z/OS V2R1 (FMID HCR77A0) Changed: Support importing RSA keys that are wrapped by an AES key-encrypting key.
z/OS V2R1 (FMID HCR7790) Changed: Support for External ECC Keys (ECC Keys encrypted by an AES KEK).
PKA Key Token Build z/OS V2R1 (FMID HCR77A0) Changed: Support building RSA-AESC and RSA-AESM skeleton tokens.
PKA Key Token Change z/OS V2R1 (FMID HCR77A0) Changed: Support reenciphering RSA keys wrapped by an ECC master key.
PKA Key Translate z/OS V2R1 (FMID HCR77A0) Changed: Support translating the object protection key (OPK) in a RSA private key token from a DES key to an AES key.
PKCS #11 Derive key z/OS V2R1 (FMID HCR7790) Changed: Support for hardware generated “z” value.
PKCS #11 Derive multiple keys z/OS V2R1 (FMID HCR7790) Changed: Support for hardware generated “z” value.
PKCS #11 Private key sign z/OS V2R1 (FMID HCR7790) Changed: 4096-bit RSA clear key hardware support.
PKCS #11 Public key verify z/OS V2R1 (FMID HCR7790) Changed: 4096-bit RSA clear key hardware support.
PKCS #11 Unwrap key z/OS V2R1 (FMID HCR7790) Changed: 4096-bit RSA clear key hardware support.
Restrict Key Attribute z/OS V2R1 (FMID HCR77A0) Changed:
  • Support C-XLATE rule_array keyword for AES CIPHER keys.
  • Support DOUBLE-O rule_array keyword for DES keys.
z/OS V2R1 (FMID HCR7790) Changed:
  • AES key type support.
  • ANSI TR-31 key block support.
Secure Key Import z/OS V2R1 (FMID HCR77A0) Changed: Support CIPHERXI, CIPHERXL and CIPHERXO key types.
Secure Key Import2 z/OS V2R1 (FMID HCR7790) Changed: AES key type support.
Symmetric Algorithm Decipher z/OS V2R1 (FMID HCR7790) Changed: AES key type support.
Symmetric Algorithm Encipher z/OS V2R1 (FMID HCR7790) Changed: AES key type support.
Symmetric Key Export z/OS V2R1 (FMID HCR7790) Changed:
  • AES key type support.
  • Support for PKCS#1 OAEP data block formatting with the SHA-256 hash method.
Symmetric Key Generate z/OS V2R1 (FMID HCR7790) Changed: Support for PKCS#1 OAEP data block formatting with the SHA-256 hash method.
Symmetric Key Import z/OS V2R1 (FMID HCR7790) Changed: Support for PKCS#1 OAEP data block formatting with the SHA-256 hash method.
Symmetric Key Import2 z/OS V2R1 (FMID HCR7790) Changed: AES key type support.
TR-31 Export z/OS V2R1 (FMID HCR7790) New: ANSI TR-31 key block support.
TR-31 Import z/OS V2R1 (FMID HCR7790) New: ANSI TR-31 key block support.
TR-31 Optional Data Build z/OS V2R1 (FMID HCR7790) New: ANSI TR-31 key block support.
TR-31 Optional Data Read z/OS V2R1 (FMID HCR7790) New: ANSI TR-31 key block support.
TR-31 Parse z/OS V2R1 (FMID HCR7790) New: ANSI TR-31 key block support.
Unique Key Derive z/OS V2R1 (FMID HCR77A0) New: Use the Unique Key Derive callable service to derive a key using the Base Derivation Key and the Derivation Data. The following key types can be derived:
  • CIPHER
  • ENCIPHER
  • DECIPHER
  • MAC
  • MACVER
  • IPINENC
  • OPINENC
  • DATA token containing a PIN Key
VISA CVV Service Verify z/OS V2R1 (FMID HCR7790) Changed: Double-length CVV key support.
VISA CVV Service Generate z/OS V2R1 (FMID HCR7790) Changed: Double-length CVV key support.
Table 3. Summary of new and changed ICSF callable services for z/OS V1R13
Callable service FMID, Release Description
ANSI X9.17 EDC Generate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
ANSI X9.17 Key Export z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
ANSI X9.17 Key Import z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
ANSI X9.17 Key Translate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
ANSI X9.17 Transport Key Partial Notarize z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Ciphertext Translate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Clear PIN Encrypt z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Clear PIN Generate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Clear PIN Generate Alternate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Control Vector Generate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Control Vector Translate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Cryptographic Variable Encipher z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Data Key Export z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Data Key Import z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Decipher z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Decode z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Digital Signature Generate z/OS V1R13 (FMID HCR7780) Changed: Elliptic Curve Cryptography (ECC) support.
Digital Signature Verify z/OS V1R13 (FMID HCR7780) Changed: Elliptic Curve Cryptography (ECC) support.
Diversified Key Generate z/OS V1R13 (FMID HCR7780) Changed:
  • Support for invocation in AMODE(64).
  • New rule array keywords to support enhanced key wrapping method.
Encipher z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Encode z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Encrypted PIN Generate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Encrypted PIN Translate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Encrypted PIN Verify z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
HMAC Generate z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
HMAC Verify z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Key Export z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Generate2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Key Import z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Part Import z/OS V1R13 (FMID HCR7780) Changed:
  • Support for invocation in AMODE(64).
  • New rule array keywords to support enhanced key wrapping method.
Key Part Import2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Key Record Create z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Record Create2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Key Record Delete z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Record Read z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Record Read2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Key Record Write z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Record Write2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Key Test z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Test Extended z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Test2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Key Token Build z/OS V1R13 (FMID HCR7780) Changed:
  • Support for invocation in AMODE(64).
  • New rule array keywords to support enhanced key wrapping method.
Key Token Build2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Key Translate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Key Translate2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
MAC Generate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
MAC Verify z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
MDC Generate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Multiple Clear Key Import z/OS V1R13 (FMID HCR7780) Changed: New rule array keywords to support enhanced key wrapping method.
Multiple Secure Key Import z/OS V1R13 (FMID HCR7780) Changed:
  • Support for invocation in AMODE(64).
  • New rule array keywords to support enhanced key wrapping method.
One-Way Hash Generate z/OS V1R13 (FMID HCR7780) New: Support for invocation in AMODE(64).
PIN Change/Unblock z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
PKA Key Generate z/OS V1R13 (FMID HCR7780) Changed: Elliptic Curve Cryptography (ECC) support.
PKA Key Import z/OS V1R13 (FMID HCR7780) Changed: Elliptic Curve Cryptography (ECC) support.
PKA Key Token Build z/OS V1R13 (FMID HCR7780) Changed: Elliptic Curve Cryptography (ECC) support.
PKA Key Token Change z/OS V1R13 (FMID HCR7780) Changed:
  • Elliptic Curve Cryptography (ECC) support.
  • Support for invocation in AMODE(64).
PKA Public Key Extract z/OS V1R13 (FMID HCR7780) Changed: Elliptic Curve Cryptography (ECC) support.
PKDS Record Create z/OS V1R13 (FMID HCR7780) Changed: Elliptic Curve Cryptography (ECC) support.
PKDS Record Delete z/OS V1R13 (FMID HCR7780) Changed: Elliptic Curve Cryptography (ECC) support.
PKDS Record Read z/OS V1R13 (FMID HCR7780) Changed:
  • Elliptic Curve Cryptography (ECC) support.
  • Support for invocation in AMODE(64).
PKDS Record Write z/OS V1R13 (FMID HCR7780) Changed:
  • Elliptic Curve Cryptography (ECC) support.
  • Support for invocation in AMODE(64).
Prohibit Export z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Prohibit Export Extended z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Remote Key Export z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Restrict Key Attribute z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Secure Key Import z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Secure Key Import2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Secure Messaging for Keys z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Secure Messaging for PINS z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
SET Block Compose z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
SET Block Decompose z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Symmetric Key Decipher z/OS V1R13 (FMID HCR7780) Changed: Additional modes of operation for protecting data.
Symmetric Key Encipher z/OS V1R13 (FMID HCR7780) Changed: Additional modes of operation for protecting data.
Symmetric Key Export z/OS V1R13 (FMID HCR7780) Changed: Support for CCA key management of HMAC keys.
Symmetric Key Generate z/OS V1R13 (FMID HCR7780) Changed:
  • Support for invocation in AMODE(64).
  • New rule array keywords to support enhanced key wrapping method.
Symmetric Key Import z/OS V1R13 (FMID HCR7780) Changed: New rule array keywords to support enhanced key wrapping method.
Symmetric Key Import2 z/OS V1R13 (FMID HCR7780) New: Support for CCA key management of HMAC keys.
Transaction Validation z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Transform CDMF Key z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Trusted Block Create z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
User Derived Key z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
VISA CVV Service Generate z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
VISA CVV Service Verify z/OS V1R13 (FMID HCR7780) Changed: Support for invocation in AMODE(64).
Parent topic: Cryptographic Services summary of interface changes