Control Vector Table

Note: The Control Vectors used in ICSF are exactly the same as documented in CCA and the TSS documents.

The master key enciphers all keys operational on your system. A transport key enciphers keys that are distributed off your system. Before a master key or transport key enciphers a key, ICSF exclusive ORs both halves of the master key or transport key with a control vector. The same control vector is exclusive ORed to the left and right half of a master key or transport key.

Also, if you are entering a key part, ICSF exclusive ORs each half of the key part with a control vector before placing the key part into the CKDS.

Each type of key on ICSF (except the master key) has either one or two unique control vectors associated with it. The control vector that ICSF exclusive ORs the master key or transport key with depends on the type of key the master key or transport key is enciphering. For double-length keys, a unique control vector exists for each half of a specific key type. For example, there is a control vector for the left half of an input PIN-encrypting key, and a control vector for the right half of an input PIN-encrypting key.

If you are entering a key part into the CKDS, ICSF exclusive ORs the key part with the unique control vector or vectors associated with the key type. ICSF also enciphers the key part with two master key variants for a key part. One master key variant enciphers the left half of the key part, and another master key variant enciphers the right half of the key part. ICSF creates the master key variants for a key part by exclusive ORing the master key with the control vectors for key parts. These procedures protect key separation.

Table 1 displays the default value of the control vector that is associated with each type of key. Some key types do not have a default control vector. For keys that are double-length, ICSF enciphers a unique control vector on each half.

Table 1. Default Control Vector Values
Key Type Control Vector Value (Hexadecimal Value for Left Half of Double-length Key) Control Vector Value (Hexadecimal Value for Right Half of Double-length Key)
CIPHER 00 03 71 00 03 00 00 00  
CIPHER (double length) 00 03 71 00 03 41 00 00 00 03 71 00 03 21 00 00
CIPHERXI 00 0C 50 00 03 C0 00 00 00 0C 50 00 03 A0 00 00
CIPHERXO 00 0C 60 00 03 C0 00 00 00 0C 60 00 03 A0 00 00
CIPHERXL 00 0C 71 00 03 C0 00 00 00 0C 71 00 03 A0 00 00
CVARDEC 00 3F 42 00 03 00 00 00  
CVARENC 00 3F 48 00 03 00 00 00  
CVARPINE 00 3F 41 00 03 00 00 00  
CVARXCVL 00 3F 44 00 03 00 00 00  
CVARXCVR 00 3F 47 00 03 00 00 00  
DATA (external) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA (internal) 00 00 7D 00 03 41 00 00 00 00 7D 00 03 21 00 00
DATA 00 00 00 00 00 00 00 00  
DATAC 00 00 71 00 03 41 00 00 00 00 71 00 03 21 00 00
DATAM generation key (external) 00 00 4D 00 03 41 00 00 00 00 4D 00 03 21 00 00
DATAM key (internal) 00 05 4D 00 03 00 00 00 00 05 4D 00 03 00 00 00
DATAMV MAC verification key (external) 00 00 44 00 03 41 00 00 00 00 44 00 03 21 00 00
DATAMV MAC verification key (internal) 00 05 44 00 03 00 00 00 00 05 44 00 03 00 00 00
DECIPHER 00 03 50 00 03 00 00 00  
DECIPHER (double-length) 00 03 50 00 03 41 00 00 00 03 50 00 03 21 00 00
DKYGENKY 00 71 44 00 03 41 00 00 00 71 44 00 03 21 00 00
ENCIPHER 00 03 60 00 03 00 00 00  
ENCIPHER (double-length) 00 03 60 00 03 41 00 00 00 03 60 00 03 21 00 00
EXPORTER 00 41 7D 00 03 41 00 00 00 41 7D 00 03 21 00 00
IKEYXLAT 00 42 42 00 03 41 00 00 00 42 42 00 03 21 00 00
IMP-PKA 00 42 05 00 03 41 00 00 00 42 05 00 03 21 00 00
IMPORTER 00 42 7D 00 03 41 00 00 00 42 7D 00 03 21 00 00
IPINENC 00 21 5F 00 03 41 00 00 00 21 5F 00 03 21 00 00
MAC 00 05 4D 00 03 00 00 00  
MAC (double-length) 00 05 4D 00 03 41 00 00 00 05 4D 00 03 21 00 00
MACVER 00 05 44 00 03 00 00 00  
MACVER (double-length) 00 05 44 00 03 41 00 00 00 05 44 00 03 21 00 00
OKEYXLAT 00 41 42 00 03 41 00 00 00 41 42 00 03 21 00 00
OPINENC 00 24 77 00 03 41 00 00 00 24 77 00 03 21 00 00
PINGEN 00 22 7E 00 03 41 00 00 00 22 7E 00 03 21 00 00
PINVER 00 22 42 00 03 41 00 00 00 22 42 00 03 21 00 00
Note: The external control vectors for DATAC, DATAM MAC generation and DATAMV MAC verification keys are also referred to as data compatibility control vectors.
Figure 1. Control Vector Base Bit Map (Common Bits and Key-Encrypting Keys)
Figure 2. Control Vector Base Bit Map (Data Operation Keys)
Figure 3. Control Vector Base Bit Map (PIN Processing Keys and Cryptographic Variable-Encrypting Keys)
Figure 4. Control Vector Base Bit Map (Key Generating Keys)
Key Form Bits, 'fff' - The key form bits, 40-42, and for a double-length key, bits 104-106, are designated 'fff' in the preceding illustration. These bits can have these values:
000
Single length key
010
Double length key, left half
001
Double length key. right half
110
Double-length key, left half, halves guaranteed unique
101
Double-length key, right half, halves guaranteed unique
Parent topic: Control Vectors and Changing Control Vectors with the CVT Callable Service