Access control points

In order to comply with cryptographic standards, including ANSI X9.24 Part 1 and PCI-HSM, ICSF will provide a way to ensure that a key is not wrapped with a key weaker than itself. ICSF will provide a set of access control points in the ICSF role to control the wrapping of keys. ICSF administrators can use these access control points to meet the customer's individual requirements.

There are new and existing access control points that control the wrapping of keys by master and key-encrypting keys. These ACPs will either prohibit the wrapping of a key by a key of weaker strength or return a warning (return code 0, reason code non-zero) when a key is wrapped by a weaker key. All of these access control points are disabled by default in the ICSF role.

The processing of callable services will be affected by these access control points. Here is a description of the access control points, the wrapping each one controls, and the effect on services. These access control points apply to symmetric and asymmetric keys.

When the Prohibit weak wrapping - Transport keys access control point is enabled, any service that attempts to wrap a key with a weaker transport key will fail.

When the Prohibit weak wrapping - Master keys access control point is enabled, any service that wraps a key under a master key will fail if the master key is weaker than the key being wrapped.

When the Warn when weak wrap - Transport keys access control point is enabled, any service that attempts to wrap a key with a weaker transport key will succeed with a warning reason code.

When the Warn when weak wrap - Master keys access control point is enabled, any service that attempts to wrap a key with a weaker master key will succeed with a warning reason code.

24-byte DATA keys with a zero control vector can be wrapped with a 16-byte key, the DES master key or a key-encrypting key, which violates the wrapping requirements. The Prohibit weak wrapping – Transport keys and Prohibit weak wrapping – Master keys ACPs do not cause services to fail for this case. The Disallow 24-byte DATA wrapped with 16-byte Key ACP does control this wrapping. When enabled, services will fail. The Warn when weak wrap – Transport keys and Warn when weak wrap – Master keys ACPs will cause the warning to be returned when the ACPs are enabled.

When the TBC – Disallow triple-length MAC key ACP is enabled, CSNDRKX will fail to import a triple-length MAC key under a double-length key-encrypting key. CSNBTBC will not wrap a triple-length MAC key under a double-length key-encrypting key. The Prohibit weak wrapping – Transport keys and Prohibit weak wrapping – Master keys ACPs do not cause services to fail for this case. The Warn when weak wrap – Transport keys and Warn when weak wrap – Master keys ACPs will cause the warning to be returned when the ACPs are enabled.

If the Prohibit Weak Wrap ACP is enabled, RSA private keys may not be wrapped using a weaker DES key-encrypting key. Enabling the Allow weak DES wrap of RSA private key ACP will override this restriction.
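
The following is an added example, not IBM code: a small Python model of the outcomes described above for the general prohibit/warn ACPs, the 24-byte DATA exception, and the RSA private key override, which an administrator could use to reason about a role's ACP settings. The strength values are constructed sample numbers supplied by the caller, and three behaviours are assumptions the page does not state: that a prohibit ACP takes precedence when the matching warn ACP is also enabled, that "Prohibit Weak Wrap ACP" in the RSA case means the Transport keys ACP, and that the warn ACP still applies once the RSA override is enabled.

```python
from dataclasses import dataclass

# ACP names as written on this page.
PROHIBIT_T = "Prohibit weak wrapping - Transport keys"
PROHIBIT_M = "Prohibit weak wrapping - Master keys"
WARN_T = "Warn when weak wrap - Transport keys"
WARN_M = "Warn when weak wrap - Master keys"
DISALLOW_24 = "Disallow 24-byte DATA wrapped with 16-byte Key"
ALLOW_RSA = "Allow weak DES wrap of RSA private key"


@dataclass
class Wrap:
    key_bits: int      # strength of the key being wrapped (caller-supplied)
    wrapper_bits: int  # strength of the wrapping key (caller-supplied)
    wrapper: str       # "transport" or "master"
    special: str = ""  # "", "data24_zero_cv" or "rsa_private_des_kek"


def evaluate(w, enabled):
    """Return 'OK', 'WARN' (return code 0, non-zero reason code) or 'FAIL'."""
    if w.wrapper_bits >= w.key_bits:
        return "OK"  # not a weak wrap, no ACP is involved
    if w.wrapper == "transport":
        prohibit, warn = PROHIBIT_T, WARN_T
    else:
        prohibit, warn = PROHIBIT_M, WARN_M
    if w.special == "data24_zero_cv":
        # The prohibit ACPs do not fail this case; only the dedicated ACP does.
        blocked = DISALLOW_24 in enabled
    elif w.special == "rsa_private_des_kek":
        # Assumption: the prohibit ACP meant here is the Transport keys one.
        blocked = PROHIBIT_T in enabled and ALLOW_RSA not in enabled
    else:
        blocked = prohibit in enabled
    if blocked:
        return "FAIL"  # assumption: prohibit wins over warn when both are on
    return "WARN" if warn in enabled else "OK"


if __name__ == "__main__":
    # Constructed sample: 24-byte DATA key (zero CV) under a 16-byte master key.
    data24 = Wrap(112, 80, "master", "data24_zero_cv")
    for role in (set(), {PROHIBIT_M}, {PROHIBIT_M, WARN_M}, {DISALLOW_24}):
        print(sorted(role), "->", evaluate(data24, role))
```

With all ACPs disabled, which is the default in the ICSF role, every weak wrap in this model returns "OK", so the defaults on their own do not enforce the wrapping requirement.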