MAC keys

Message authentication is the process of verifying the integrity of transmitted messages. Message authentication code (MAC) processing enables you to verify that a message has not been altered. You can use a MAC to check that a message you receive is the same one the message originator sent. The message itself may be in clear or encrypted form.

MAC keys can be used to generate and verify MACs, or can be restricted to just verify MACs.

DES supports the ANSI X9.9-1 procedure, the ANSI X9.19 optional double-key MAC procedure, and EMV Specification and ISO 16609 for encrypted keys.

DES MAC keys can be used to generate CVVs and CSCs for PIN transactions.

AES supports ciphered message authentication code (CMAC) for encrypted keys and CBC-MAC and XCBC-MAC for clear keys.

HMAC supports FIPS-198 hashed message authentication code (HMAC) for encrypted keys.

Table 1. DES MAC keys

DES keys | Callable services
MAC class (data operation keys):
  • These keys are used to generate and verify MACs, CVVs, and CSCs.
  • The keys can be single-length or double-length keys.
MAC | CVV Key Combine, MAC Generate, MAC Verify, Transaction Validation, VISA CVV Generate, VISA CVV Verify
MACVER | CVV Key Combine, MAC Verify, Transaction Validation, VISA CVV Verify

Table 2. AES MAC keys

AES keys | Callable services
MAC class (data operation keys):
  • These keys are used to generate and verify MACs.
  • The keys can be 128, 192, or 256 bits in length.
  • The key usage flags in the associated data can be used to restrict usage to only generate MACs or to only verify MACs.
MAC | DK Deterministic PIN Generate, DK PIN Change, DK PAN Modify in Transaction, DK PAN Translate, DK PRW Card Number Update, DK PRW CMAC Generate, DK Random PIN Generate, DK Regenerate PRW, MAC Generate2, MAC Verify2

Availability notes: AES MAC class keys require z114 or z196 systems with a CEX3C coprocessor with the March 2014 or later licensed internal code or zEC12, zBC12, and later systems with a CEX3C, CEX4C, or later coprocessor with March 2014 or later licensed internal code.

Table 3. HMAC MAC keys

HMAC keys | Callable services
MAC class (data operation keys):
  • These keys are used to generate and verify a keyed hash message authentication code (HMAC).
  • The keys are variable-length keys (80-2024 bits) and are encrypted under the AES master key.
  • The key usage flags in the associated data can be used to restrict usage to verify only.
MAC | HMAC Generate, HMAC Verify, MAC Generate2, MAC Verify2

Availability notes: HMAC keys require z114, z196, or later systems with a CEX3C or later coprocessor with the November 2010 or later licensed internal code.
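
The generate-and-verify versus verify-only split described for HMAC keys, as an added conceptual model in Python. It is not ICSF code and does not call the ICSF callable services. The `MacKey` class, its flag names, the choice of SHA-256, and the sample key and message are assumptions made for illustration; the 80-2024 bit key-length range is taken from Table 3.

```python
import hashlib
import hmac

# Key-length bounds for HMAC keys as stated in Table 3 (bits).
MIN_KEY_BITS, MAX_KEY_BITS = 80, 2024

class MacKey:
    """Hypothetical model of an HMAC key with usage flags (not an ICSF API)."""

    def __init__(self, key: bytes, can_generate: bool = True, can_verify: bool = True):
        bits = len(key) * 8
        if not MIN_KEY_BITS <= bits <= MAX_KEY_BITS:
            raise ValueError(f"HMAC key must be {MIN_KEY_BITS}-{MAX_KEY_BITS} bits, got {bits}")
        self._key = key
        self._can_generate = can_generate
        self._can_verify = can_verify

    def verify_only(self) -> "MacKey":
        """Return a copy of this key restricted to MAC verification."""
        return MacKey(self._key, can_generate=False, can_verify=True)

    def generate(self, message: bytes) -> bytes:
        if not self._can_generate:
            raise PermissionError("key usage does not allow MAC generation")
        # SHA-256 is an assumption here; the page does not name a hash method.
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, mac: bytes) -> bool:
        if not self._can_verify:
            raise PermissionError("key usage does not allow MAC verification")
        expected = hmac.new(self._key, message, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, mac)

def demo() -> dict:
    # Constructed sample key and message, for illustration only.
    originator = MacKey(bytes(range(32)))
    receiver = originator.verify_only()
    msg = b"PAY 100.00 TO ACCT 12345"
    tag = originator.generate(msg)
    result = {"intact": receiver.verify(msg, tag),
              "altered": receiver.verify(b"PAY 900.00 TO ACCT 12345", tag)}
    try:
        receiver.generate(msg)
        result["receiver_can_generate"] = True
    except PermissionError:
        result["receiver_can_generate"] = False
    return result
```

The receiver can confirm that a message is unaltered but cannot produce a valid MAC for a different message, which is the reason for handing a party a verify-only key.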