Functions of symmetric cryptographic keys

ICSF provides functions to create, import, and export AES, DES, and HMAC keys. This topic gives an overview of these cryptographic keys. Detailed information about how ICSF organizes and protects keys is in z/OS Cryptographic Services ICSF Administrator's Guide.

ICSF supports two formats of symmetric key tokens: fixed-length and variable-length. In fixed-length format key tokens, key type and usage are defined by the control vector. In variable-length format key tokens, the key type and usage are defined in the associated data section. The control vector and associated data section are cryptographically bound to the encrypted key value in the token.

ICSF supports X9.143 (TR-31) key blocks. The key usage, algorithm, and mode of use are defined in the block header. The block header is cryptographically bound to the key block. Support for external key blocks with a key context field of '0' is available on all servers and releases of ICSF. Support for external key blocks with a key context field of '2' and operational (internal) key blocks is available on z16 and later servers with a CEX8 or later coprocessor and CCA release 8.1 or later licensed internal code.
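
The following is an added example, not ICSF code or an ICSF API: a parser that reads the key usage, algorithm, mode of use, and key context out of a TR-31 key block header and applies the support statement above to an external key block. The 16-character field layout is an assumption taken from the published TR-31 header format rather than from this topic, the function and class names are hypothetical, and the sample blocks are constructed with placeholder characters in place of key data.

```python
from dataclasses import dataclass

HEADER_LEN = 16  # assumed fixed ASCII header size (TR-31 layout, not from the page)

@dataclass(frozen=True)
class KeyBlockHeader:
    version: str          # byte 0
    length: int           # bytes 1-4: total block length in characters
    key_usage: str        # bytes 5-6
    algorithm: str        # byte 7
    mode_of_use: str      # byte 8
    key_version: str      # bytes 9-10
    exportability: str    # byte 11
    optional_blocks: int  # bytes 12-13
    key_context: str      # byte 14

def parse_header(block: str) -> KeyBlockHeader:
    """Split the header into fields; reject structurally invalid blocks."""
    if len(block) < HEADER_LEN or not block.isascii():
        raise ValueError("block is shorter than the header or not ASCII")
    h = block[:HEADER_LEN]
    if not (h[1:5].isdigit() and h[12:14].isdigit()):
        raise ValueError("length and optional-block count must be decimal")
    hdr = KeyBlockHeader(h[0], int(h[1:5]), h[5:7], h[7], h[8],
                         h[9:11], h[11], int(h[12:14]), h[14])
    if hdr.length != len(block):
        raise ValueError(f"header says {hdr.length} chars, got {len(block)}")
    return hdr

def needs_z16_cca81(hdr: KeyBlockHeader) -> bool:
    """Apply the support statement in the text to an external key block."""
    if hdr.key_context == "0":
        return False   # supported on all servers and ICSF releases
    if hdr.key_context == "2":
        return True    # z16 or later, CEX8 or later, CCA 8.1 or later
    raise ValueError(f"key context {hdr.key_context!r} is not covered by the text")

# Constructed samples: header plus placeholder characters, not real key material.
SAMPLE_CTX0 = "D0112P0AE00E0000" + "0" * 96
SAMPLE_CTX2 = "D0112P0AE00E0020" + "0" * 96

if __name__ == "__main__":
    for blk in (SAMPLE_CTX0, SAMPLE_CTX2):
        hdr = parse_header(blk)
        print(hdr.key_usage, hdr.algorithm, hdr.mode_of_use, needs_z16_cca81(hdr))
```

Parsing the header only reads the declared attributes; it does not verify the cryptographic binding between the header and the key block.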