Key wrapping

ICSF supports two methods of wrapping the key value in a fixed-length token: ECB wrapping and an enhanced CBC wrapping method which is ANSI X9.24 compliant.

The key value in AES tokens is always encrypted using AES encryption and cipher block chaining (CBC) mode.

The key value in DES tokens may be wrapped in two ways:

The original (ECB) method which has been used by ICSF since it was first released. For this method, the key value is encrypted using triple DES encryption and key parts are encrypted separately.
The enhanced (CBC) method which was added later. For this method, the key value is bundled with other token data and encrypted using triple DES encryption and cipher block chaining mode. This enhanced method requires a IBM zEnterprise 196, zEnterprise 114, or later with a CCA cryptographic coprocessor that is a CEX3C or later.

Your installation's system programmer can, while customizing installation options data set as described in the z/OS Cryptographic Services ICSF System Programmer's Guide z/OS Cryptographic Services ICSF System Programmer's Guide z/OS Cryptographic Services ICSF System Programmer's Guide, use the DEFAULTWRAP parameter to specify the default key wrapping for symmetric keys. Application programs can override this default method using the WRAP-ENH (use enhanced method) and WRAP-ECB (use original ECB key-wrapping method) rule array keywords.

Note: All variable-length tokens are wrapped using the AESKW wrapping method defined in ANSI X9.102 and are not affected by the DEFAULTWRAP setting.