Control Vector Table

Note: The Control Vectors used in ICSF are exactly the same as in CCA and the TSS publication.

The master key enciphers all keys operational on your system. A transport key enciphers keys that are distributed off your system. Prior to a master key or transport key enciphering a key, ICSF exclusive ORs both halves of the master key or transport key with a control vector. The same control vector is exclusive ORed with the left half and the right half of the master key or transport key.

Also, if you are entering a key part, ICSF exclusive ORs each half of the key part with a control vector prior to placing the key part into the CKDS.

Each type of key on ICSF (except the master key) has either one or two unique control vectors associated with it. The control vector that ICSF exclusive ORs the master key or transport key with depends on the type of key the master key or transport key is enciphering. For double-length keys, a unique control vector exists for each half of a specific key type. For example, there is a control vector for the left half of an input PIN-encrypting key, and a control vector for the right half of an input PIN-encrypting key.

If you are entering a key part into the CKDS, ICSF exclusive ORs the key part with the unique control vector or vectors associated with the key type. ICSF also enciphers the key part with two master key variants for a key part. One master key variant enciphers the left half of the key part, and another master key variant enciphers the right half of the key part. ICSF creates the master key variants for a key part by exclusive ORing the master key with the control vectors for key parts. These procedures protect key separation.

Table 1 displays the default value of the control vector that is associated with each type of key. For double-length keys, ICSF uses a unique control vector for each half.

Table 1. Default Control Vector Values
| Key Type | Control Vector Value (Hex) for Single-length Key or Left Half of Double-length Key | Control Vector Value (Hex) for Right Half of Double-length Key |
|---|---|---|
| CIPHER | 00 03 71 00 03 00 00 00 | |
| CIPHER (double length) | 00 03 71 00 03 41 00 00 | 00 03 71 00 03 21 00 00 |
| CIPHERXI | 00 0C 50 00 03 C0 00 00 | 00 0C 50 00 03 A0 00 00 |
| CIPHERXO | 00 0C 60 00 03 C0 00 00 | 00 0C 60 00 03 A0 00 00 |
| CIPHERXL | 00 0C 71 00 03 C0 00 00 | 00 0C 71 00 03 A0 00 00 |
| CVARDEC | 00 3F 42 00 03 00 00 00 | |
| CVARENC | 00 3F 48 00 03 00 00 00 | |
| CVARPINE | 00 3F 41 00 03 00 00 00 | |
| CVARXCVL | 00 3F 44 00 03 00 00 00 | |
| CVARXCVR | 00 3F 47 00 03 00 00 00 | |
| DATA | 00 00 00 00 00 00 00 00 | |
| DATA (internal) | 00 00 7D 00 03 41 00 00 | 00 00 7D 00 03 21 00 00 |
| DATA (external) | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 |
| DATAC | 00 00 71 00 03 41 00 00 | 00 00 71 00 03 21 00 00 |
| DATAM generation key (external) | 00 00 4D 00 03 41 00 00 | 00 00 4D 00 03 21 00 00 |
| DATAM key (internal) | 00 05 4D 00 03 00 00 00 | 00 05 4D 00 03 00 00 00 |
| DATAMV MAC verification key (external) | 00 00 44 00 03 41 00 00 | 00 00 44 00 03 21 00 00 |
| DATAMV MAC verification key (internal) | 00 05 44 00 03 00 00 00 | 00 05 44 00 03 00 00 00 |
| DECIPHER | 00 03 50 00 03 00 00 00 | |
| DECIPHER (double-length) | 00 03 50 00 03 41 00 00 | 00 03 50 00 03 21 00 00 |
| DKYGENKY | 00 71 44 00 03 41 00 00 | 00 71 44 00 03 21 00 00 |
| ENCIPHER | 00 03 60 00 03 00 00 00 | |
| ENCIPHER (double-length) | 00 03 60 00 03 41 00 00 | 00 03 60 00 03 21 00 00 |
| EXPORTER | 00 41 7D 00 03 41 00 00 | 00 41 7D 00 03 21 00 00 |
| IKEYXLAT | 00 42 42 00 03 41 00 00 | 00 42 42 00 03 21 00 00 |
| IMP-PKA | 00 42 05 00 03 41 00 00 | 00 42 05 00 03 21 00 00 |
| IMPORTER | 00 42 7D 00 03 41 00 00 | 00 42 7D 00 03 21 00 00 |
| IPINENC | 00 21 5F 00 03 41 00 00 | 00 21 5F 00 03 21 00 00 |
| MAC | 00 05 4D 00 03 00 00 00 | |
| MAC (double-length) | 00 05 4D 00 03 41 00 00 | 00 05 4D 00 03 21 00 00 |
| MACVER | 00 05 44 00 03 00 00 00 | |
| MACVER (double-length) | 00 05 44 00 03 41 00 00 | 00 05 44 00 03 21 00 00 |
| OKEYXLAT | 00 41 42 00 03 41 00 00 | 00 41 42 00 03 21 00 00 |
| OPINENC | 00 24 77 00 03 41 00 00 | 00 24 77 00 03 21 00 00 |
| PINGEN | 00 22 7E 00 03 41 00 00 | 00 22 7E 00 03 21 00 00 |
| PINVER | 00 22 42 00 03 41 00 00 | 00 22 42 00 03 21 00 00 |
Note:
  1. The external control vectors for DATAC, double-length MAC generation and MAC verification keys are also referred to as data compatibility control vectors.
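
The variant derivation described above can be worked through with values from Table 1. The following is an added example, not ICSF or CCA code: it builds the two variants of a transport key for a double-length key type and checks that no two key types in the sample share a variant. The names `key_variants`, `shared_variants` and `SAMPLE_KEK` are hypothetical, the key value is constructed, and a double-length (16-byte) transport key is assumed.

```python
# Added example. Control vectors are copied from Table 1 (double-length rows);
# SAMPLE_KEK is a constructed value, and a 16-byte transport key is assumed.
CONTROL_VECTORS = {  # key type -> (CV for left half, CV for right half)
    "EXPORTER": ("00417D0003410000", "00417D0003210000"),
    "IMPORTER": ("00427D0003410000", "00427D0003210000"),
    "IPINENC": ("00215F0003410000", "00215F0003210000"),
    "OPINENC": ("0024770003410000", "0024770003210000"),
    "PINGEN": ("00227E0003410000", "00227E0003210000"),
    "PINVER": ("0022420003410000", "0022420003210000"),
    "DATA (external)": ("0000000000000000", "0000000000000000"),
}
SAMPLE_KEK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def key_variants(kek: bytes, key_type: str) -> tuple[bytes, bytes]:
    """Return the KEK variants that encipher the left and right half of a
    double-length key of key_type."""
    if len(kek) != 16:
        raise ValueError("expected a double-length (16-byte) key")
    variants = []
    for cv_hex in CONTROL_VECTORS[key_type]:
        cv = bytes.fromhex(cv_hex)
        # The same control vector is XORed with both halves of the KEK.
        variants.append(xor(kek[:8], cv) + xor(kek[8:], cv))
    return variants[0], variants[1]


def shared_variants(kek: bytes) -> dict[bytes, list[str]]:
    """Map each variant produced by more than one key type to those types.
    An empty result means every key type in the table is separated."""
    groups: dict[bytes, list[str]] = {}
    for key_type in CONTROL_VECTORS:
        for variant in set(key_variants(kek, key_type)):
            groups.setdefault(variant, []).append(key_type)
    return {v: types for v, types in groups.items() if len(types) > 1}


if __name__ == "__main__":
    for name in CONTROL_VECTORS:
        left, right = key_variants(SAMPLE_KEK, name)
        print(f"{name:16} L={left.hex()} R={right.hex()}")
    print("types sharing a variant:", shared_variants(SAMPLE_KEK))
```

With the all-zero control vector of DATA (external), both variants equal the unmodified transport key, which the output makes visible next to the other key types.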