Key-generating keys

Key-generating keys are used to derive unique-key-per transaction keys.

Table 1. DES key-generating keys
DES keys Callable services
Key-generate key class:
  • These keys are used to derive keys.
  • The keys are double-length keys.
  • The key usage flags in the control vector determine which services the KEYGENKY key may be used with.
KEYGENKY Diversified Key Generate, Encrypted PIN Translate, Encrypted PIN Translate2, Encrypted PIN Translate Enhanced, Encrypted PIN Verify, Encrypted PIN Verify2, FPE Decipher, FPE Encipher, FPE Translate, Unique Key Derive
DKYGENKY Derive ICC MK, Derive Session Key, Diversified Key Generate, EMV Scripting Service, EMV Transaction (ARQC/ARPC) Service, EMV Verification Functions, Generate Issuer MK, PIN Change/Unblock
Table 2. AES key-generating keys
AES keys Callable services
Key-generate key class:
  • These keys are used to derive keys.
  • The keys can be 128, 192, or 256 bits in length.
DKYGENKY Diversified Key Generate2, Encrypted PIN Translate2, Encrypted PIN Translate Enhanced, Encrypted PIN Verify, Encrypted PIN Verify2, FPE Decipher, FPE Encipher, FPE Translate, PIN Change/Unblock, Unique Key Derive
KDKGENKY Diversify Directed Key
Availability notes: AES DKYGENKY keys require IBM z114 or IBM z196 systems with a CEX3C coprocessor with the November 2013 or later licensed internal code (LIC) , or zEC12, zBC12, and later systems with a CEX3C, CEX4C, or later coprocessor with September 2013 or later licensed internal code (LIC). AES KDKGENKY keys require IBM z13, IBM z13s, or later servers with the July 2019 or later licensed internal code (LIC) or IBM z14 or later servers with the December 2018 or later licensed internal code (LIC).