To enter a master key or operational key manually, you enter key
parts. When you enter a key part, ICSF displays a verification pattern
for that key part on a panel. To verify that you entered the key part
correctly, you can use the value of the key part you enter to calculate
the verification pattern. Check that the verification pattern you
calculate matches the verification ICSF calculates.
To calculate this verification pattern
for DES
operational keys and the 16-byte DES master key, use this algorithm:
- If the key part is an operational key part, exclusive OR the key
part with the control vector for the key part's key type. See Control Vector Table, for a listing of control vectors by
key type. If the key part is a master key part, do not exclusive OR
it with a control vector.
- Use the DES algorithm to encrypt the left half of the
key part (either master key part or modified operational key part)
under the key 4545 4545 4545 4545.
- Exclusive OR the result of step 2 with
the left half of the key part.
- Use the result of step 3 as the
DES key in the DES algorithm to encrypt the right half of the key
part.
- Exclusive OR the result of step 4 with the
right half of the key part.
The resulting 64-bit value is the verification pattern.
To calculate this verification pattern for the 24-byte
DES master key, use this algorithm:
- Appending X'01' to the clear key value of 24-byte master key (01
|| key value)
- Generating the SHA-1 hash of the 25-byte string
The first eight bytes of the hash is the verification
pattern.
The verification pattern for the master key appears on the Coprocessor
Selection and Hardware Status panels. If a master key register is
full, the panels display the master key verification pattern. The
verification patterns for two identical master keys are the same.
You can use the verification patterns to verify that master keys in
two different key storage units are the same.
ICSF records a master key verification pattern in the SMF record
when you enter a master key part or activate a master key. The ICSF SMF
record also records a verification pattern when you enter an operational
key part.