ANSI X9.143 (TR-31) key block support
An X9.143 (TR-31) key block is a format defined by the American National Standards Institute (ANSI) to support the interchange of keys in a secure manner with key attributes included in the exchanged data. The TR-31 key block format has a set of defined key attributes that are securely bound to the key so that they can be transported together between any two systems that both understand the TR-31 format. ICSF enables applications to convert a CCA token to a TR-31 key block for export to another party, and to convert an imported TR-31 key block to a CCA token. This enables you to securely exchange keys and their attributes with non-CCA systems.
ICSF enables applications to generate and use operational (internal) TR-31 key blocks. The TR-31 Create callable service allows keys and key pairs to be generated for use with ICSF callable services. See Table 1 for the list of services that support operational key blocks.
Although there is often a one-to-one correspondence between TR-31 key attributes and the attributes defined by CCA, there are also cases where the correspondence is many-to-one or one-to-many. Because the mapping is not always one-to-one, the TR-31 Translate callable service and the TR-31 Import callable service provide rule array keywords that enable an application to specify the attributes to attach to the exported or imported key.
The TR-31 key block format defines a header section. The header contains metadata about the key, including its usage attributes. The header can also be extended with optional blocks, which can either have standardized content or proprietary information. Callable services are also provided for retrieving standard header or optional block information from a TR-31 key block without importing the key and for building an optional block.
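As an added illustration (not IBM's code and not an ICSF API), this Python sketch reads the header fields and optional blocks from a key block without touching the wrapped key. It assumes the standard 16-character header layout and two-hex-digit optional block lengths; the names and the sample key block are constructed for the example.

```python
from dataclasses import dataclass

FIXED = 16                      # fixed part of the header, ASCII characters
HEX = set("0123456789ABCDEF")

@dataclass
class Header:
    version: str        # key block version ID
    length: int         # total key block length in characters
    usage: str          # key usage
    algorithm: str
    mode: str           # mode of use
    key_version: str
    exportability: str
    optional: list      # (block ID, data) pairs
    header_len: int     # fixed part plus all optional blocks

def parse_header(kb: str) -> Header:
    """Read TR-31 header metadata only; the wrapped key is never touched."""
    if len(kb) < FIXED or not kb.isascii():
        raise ValueError("too short or not ASCII")
    if not (kb[1:5].isdigit() and kb[12:14].isdigit()):
        raise ValueError("length or optional block count is not numeric")
    length, count = int(kb[1:5]), int(kb[12:14])
    if length != len(kb):
        raise ValueError("length field disagrees with the data received")
    pos, optional = FIXED, []
    for _ in range(count):
        blk_id, size = kb[pos:pos + 2], kb[pos + 2:pos + 4]
        if len(size) != 2 or not set(size) <= HEX:
            raise ValueError("bad optional block length")
        n = int(size, 16)       # counts the ID and length characters too
        if n < 4 or pos + n > length:   # n == 0 (extended length) is rejected
            raise ValueError("optional block overruns the key block")
        optional.append((blk_id, kb[pos + 4:pos + n]))
        pos += n
    return Header(kb[0], length, kb[5:7], kb[7], kb[8], kb[9:11], kb[11],
                  optional, pos)

# Constructed sample: version D, AES key-encrypting key, two optional blocks
# (time stamp and padding). The wrapped key and MAC are placeholder characters.
SAMPLE = ("D0144K0AB00E0200" "TS1320240101120000Z" "PB0D000000000"
          + "0" * 64 + "F" * 32)

if __name__ == "__main__":
    print(parse_header(SAMPLE))
```

Values read this way are unauthenticated until the key block's MAC is verified during import, so treat them as informational only.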
Support for HMAC keys is introduced by APAR OA58880 for ICSF FMID HCR77D1 and later releases and licensed internal code for IBM z13, IBM z13s, and later servers. Standard ISO:20038 defines a key wrapping method for AES key-encrypting keys, and the TR-31 Translate and TR-31 Import services have been updated to support the transport of HMAC keys using this method.