Table of Contents (exploded view)
Cryptographic Services ICSF: Application Programmer's Guide
Summary of changes
Changes made in Enhanced Cryptographic Support for z/OS V1R13 - z/OS V2R1 (FMID HCR77B0)
Changes made in Cryptographic Support for z/OS V1R13 - z/OS V2R1 (FMID HCR77A1) as updated June 2014
Changes made in Cryptographic Support for z/OS V1R13-V2R1 (FMID HCR77A1)
Changes made in Cryptographic Support for z/OS V1R12-R13 (FMID HCR77A0)
Changes made in Cryptographic Support for z/OS V1R11-R13 (FMID HCR7790)
IBM CCA Programming
Introducing Programming for the IBM CCA
ICSF Callable Services Naming Conventions
Callable Service Syntax
Callable Services with ALET Parameters
Rules for Defining Parameters and Attributes
Parameter Definitions
Return and Reason Codes
Exit Data Length and Exit Data
Key Identifier for Key Token
Key Label
Invocation Requirements
Security Considerations
Performance Considerations
Special Secure Mode
Using the Callable Services
When the Call Succeeds
When the Call Does Not Succeed
Linking a Program with the ICSF Callable Services
Introducing symmetric key cryptography and using symmetric key callable services
Functions of symmetric cryptographic keys
Key separation
Master key variant for fixed-length tokens
Transport key variant for fixed-length tokens
Key forms
Key flow
Key token
Key wrapping
Payload format
Types of keys
Other considerations
DES key types
AES key types
HMAC key types
Clear keys
Key strength and wrapping of key
Key strength and key wrapping access control points
DES master key
DK PIN methods support
DK Deterministic PIN Generate (CSNBDDPG and CSNEDDPG)
DK Migrate PIN (CSNBDMP and CSNEDMP)
DK PAN Modify in Transaction (CSNBDPMT and CSNEDPMT)
DK PAN Translate (CSNBDPT and CSNEDPT)
DK PIN Change (CSNBDPC and CSNEDPC)
DK PIN Verify (CSNBDPV and CSNEDPV)
DK PRW Card Number Update (CSNBDPNU and CSNEDPNU)
DK PRW CMAC Generate (CSNBDPCG and CSNEDPCG)
DK Random PIN Generate (CSNBDRPG and CSNEDRPG)
DK Regenerate PRW (CSNBDRP and CSNEDRP)
Generating and Managing Symmetric Keys
Key Generator Utility Program
Common Cryptographic Architecture DES Key Management Services
Clear Key Import Callable Service (CSNBCKI and CSNECKI)
Control Vector Generate Callable Service (CSNBCVG and CSNECVG)
Control Vector Translate Callable Service (CSNBCVT and CSNECVT)
Cryptographic Variable Encipher Callable Service (CSNBCVE and CSNECVE)
Data Key Export Callable Service (CSNBDKX and CSNEDKX)
Data Key Import Callable Service (CSNBDKM and CSNEDKM)
Diversified Key Generate Callable Service (CSNBDKG and CSNEDKG)
Key Export Callable Service (CSNBKEX and CSNEKEX)
Key Generate Callable Service (CSNBKGN and CSNEKGN)
Key Import Callable Service (CSNBKIM and CSNEKIM)
Key Part Import Callable Service (CSNBKPI and CSNEKPI)
Key Test Callable Service (CSNBKYT, CSNEKYT, CSNBKYTX, and CSNEKYTX)
Key Token Build Callable Service (CSNBKTB and CSNEKTB)
Key Translate Callable Service (CSNBKTR and CSNEKTR)
Key Translate2 Callable Service (CSNBKTR2 and CSNEKTR2)
Multiple Clear Key Import Callable Service (CSNBCKM and CSNECKM)
Multiple Secure Key Import Callable Service (CSNBSKM and CSNESKM)
Prohibit Export Callable Service (CSNBPEX and CSNEPEX)
Prohibit Export Extended Callable Service (CSNBPEXX and CSNEPEXX)
Random Number Generate Callable Service (CSNBRNG, CSNERNG, CSNBRNGL, and CSNERNGL)
Remote Key Export Callable Service (CSNDRKX and CSNFRKX)
Restrict Key Attribute Callable Service (CSNBRKA and CSNERKA)
Secure Key Import Callable Service (CSNBSKI and CSNESKI)
Symmetric Key Export Callable Service (CSNDSYX, CSNFSYX and CSNDSXD)
Symmetric Key Generate Callable Service (CSNDSYG, CSNFSYG)
Symmetric Key Import Callable Service (CSNDSYI and CSNFSYI)
Trusted Block Create Callable Service (CSNDTBC and CSNFTBC)
Unique Key Derive Callable Service (CSNBUKD and CSNEUKD)
Common Cryptographic Architecture AES Key Management Services
Diversified Key Generate2 Callable Service (CSNBDKG2 and CSNEDKG2)
Key Generate Callable Service (CSNBKGN and CSNEKGN)
Key Generate2 Callable Service (CSNBKGN2 and CSNEKGN2)
Key Part Import2 Callable Service (CSNBKPI2 and CSNEKPI2)
Key Test2 Callable Service (CSNBKYT2 and CSNEKYT2)
Key Token Build Callable Service (CSNBKTB and CSNEKTB)
Key Token Build2 Callable Service (CSNBKTB2 and CSNEKTB2)
Multiple Clear Key Import Callable Service (CSNBCKM and CSNECKM)
Multiple Secure Key Import Callable Service (CSNBSKM and CSNESKM)
Restrict Key Attribute Callable Service (CSNBRKA and CSNERKA)
Secure Key Import2 Callable Service (CSNBSKI2 and CSNESKI2)
Symmetric Key Export Callable Service (CSNDSYX, CSNFSYX, CSNDSXD, and CSNFSXD)
Symmetric Key Generate Callable Service (CSNDSYG and CSNFSYG)
Symmetric Key Import Callable Service (CSNDSYI and CSNFSYI)
Symmetric Key Import2 Callable Service (CSNDSYI2 and CSNFSYI2)
Common Cryptographic Architecture HMAC Key Management Services
Key Generate2 callable service (CSNBKGN2 and CSNEKGN2)
Key Part Import2 callable service (CSNBKPI2 and CSNEKPI2)
Key Test2 callable service (CSNBKYT2 and CSNEKYT2)
Key Token Build2 callable service (CSNBKTB2 and CSNEKTB2)
Restrict Key Attribute callable service (CSNBRKA and CSNERKA)
Secure Key Import2 callable service (CSNBSKI2 and CSNESKI2)
Symmetric Key Export Callable Service (CSNDSYX and CSNFSYX)
Symmetric Key Import2 Callable Service (CSNDSYI2 and CSNFSYI2)
ECC Diffie-Hellman Key Agreement Models
Token Agreement Scheme
Obtaining the Raw “Z” value
Improved remote key distribution
Remote Key Loading
Old remote key loading example
New remote key loading methods
Trusted block
Changes to the CCA API
The RKX key token
Using trusted blocks
Creating a trusted block
Exporting keys with Remote_Key_Export
Generating keys with Remote_Key_Export
Remote key distribution scenario
Usage example
Remote key distribution benefits
Diversifying keys
Callable services for managing the CKDS
CKDS Key Record Create callable service (CSNBKRC and CSNEKRC)
CKDS Key Record Create2 callable service (CSNBKRC2 and CSNEKRC2)
CKDS Key Record Delete callable service (CSNBKRD and CSNEKRD)
CKDS Key Record Read callable service (CSNBKRR and CSNEKRR)
CKDS Key Record Read2 callable service (CSNBKRR2 and CSNEKRR2)
CKDS Key Record Write callable service (CSNBKRW and CSNEKRW)
CKDS Key Record Write2 callable service (CSNBKRW2 and CSNEKRW2)
Coordinated KDS Administration callable service (CSFCRC and CSFCRC6)
ICSF Multi-Purpose Service callable service (CSFMPS and CSFMPS6)
Key Data Set List callable service (CSFKDSL and CSFKDSL6)
Key Data Set Metadata Read callable service (CSFKDMR and CSFKDMR6)
Key Data Set Metadata Write callable service (CSFKDMW and CSFKDMW6)
Callable Services that Support Secure Sockets Layer (SSL)
PKA Decrypt Callable Service (CSNDPKD)
PKA Encrypt Callable Service (CSNDPKE)
Enciphering and deciphering data
Encoding and Decoding Data (CSNBECO, CSNEECO, CSNBDCO, and CSNEDCO)
Translating Ciphertext (CSNBCTT2 or CSNBCTT3 and CSNECTT2 or CSNECTT3)
Managing Data Integrity and Message Authentication
Message Authentication Code Processing
HMAC Generation Callable Service (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1)
HMAC Verification Callable Service (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1)
MAC Generation Callable Service (CSNBMGN or CSNBMGN1 and CSNEMGN or CSNEMGN1)
MAC Generation2 Callable Service (CSNBMGN2 or CSNBMGN3 and CSNEMGN2 or CSNEMGN3)
MAC Verification Callable Service (CSNBMVR or CSNBMVR1 and CSNEMVR or CSNEMVR1)
MAC Verification2 Callable Service (CSNBMVR2 or CSNBMVR3 and CSNEMVR2 or CSNEMVR3)
Symmetric MAC Generate Callable Service (CSNBSMG, CSNBSMG1, CSNESMG and CSNESMG1)
Symmetric MAC Verify Callable Service (CSNBSMV, CSNBSMV1, CSNESMV and CSNESMV1)
Hashing Functions
One-Way Hash Generate Callable Service (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1)
MDC Generation Callable Service (CSNBMDG or CSNBMDG1 and CSNEMDG or CSNEMDG1)
Managing Personal Authentication
Verifying Credit Card Data
Clear PIN Encrypt Callable Service (CSNBCPE and CSNECPE)
Clear PIN Generate Alternate Callable Service (CSNBCPA and CSNECPA)
Clear PIN Generate Callable Service (CSNBPGN and CSNEPGN)
CVV Key Combine Callable Service (CSNBCKC and CSNECKC)
Encrypted PIN Generate Callable Service (CSNBEPG and CSNEEPG)
Encrypted PIN Translate Callable Service (CSNBPTR and CSNEPTR)
Encrypted PIN Verify Callable Service (CSNBPVR and CSNEPVR)
FPE decipher (CSNBFPED and CSNEFPED)
FPE encipher (CSNBFPEE and CSNEFPEE)
FPE translate (CSNBFPET and CSNEFPET)
PIN Change/Unblock Callable Service (CSNBPCU and CSNEPCU)
Transaction Validation Callable Service (CSNBTRV and CSNETRV)
Recover PIN From Offset (CSNBPFO and CSNEPFO)
Authentication Parameter Generate (CSNBAPG and CSNEAPG)
ANSI TR-31 key block support
TR-31 Export Callable Service (CSNBT31X and CSNET31X)
TR-31 Import Callable Service (CSNBT31I and CSNET31I)
TR-31 Parse Callable Service (CSNBT31P and CSNET31P)
TR-31 Optional Data Read Callable Service (CSNBT31R and CSNET31R)
TR-31 Optional Data Build Callable Service (CSNBT31O and CSNET31O)
Secure Messaging
Trusted Key Entry (TKE) Support
Utilities
Character/Nibble Conversion Callable Services (CSNBXBC and CSNBXCB)
Code Conversion Callable Services (CSNBXEA and CSNBXAE)
X9.9 Data Editing Callable Service (CSNB9ED)
ICSF Query Algorithm Callable Service (CSFIQA)
ICSF Query Facility Callable Service (CSFIQF)
ICSF Query Facility2 Callable Service (CSFIQF2)
Typical Sequences of ICSF Callable Services
Key Forms and Types Used in the Key Generate Callable Service
Generating an Operational Key
Generating an Importable Key
Generating an Exportable Key
Examples of Single-Length Keys in One Form Only
Examples of OPIM Single-Length, Double-Length, and Triple-Length Keys in Two Forms
Examples of OPEX Single-Length, Double-Length, and Triple-Length Keys in Two Forms
Examples of IMEX Single-Length and Double-Length Keys in Two Forms
Examples of EXEX Single-Length and Double-Length Keys in Two Forms
Using the Ciphertext Translate2 Callable Service
Summary of callable services
Introducing PKA Cryptography and Using PKA Callable Services
PKA Key Algorithms
PKA Master Keys
Operational private keys
Key Strength and Wrapping of Key
Key Strength and Key Wrapping Access Control Points
RSA Private Key Tokens
PKA Callable Services
Callable Services Supporting Digital Signatures
Digital Signature Generate Callable Service (CSNDDSG and CSNFDSG)
Digital Signature Verify Callable Service (CSNDDSV and CSNFDSV)
Callable Services for PKA Key Management
PKA Key Generate Callable Service (CSNDPKG and CSNFPKG)
PKA Key Import Callable Service (CSNDPKI and CSNFPKI)
PKA Key Token Build Callable Service (CSNDPKB and CSNFPKB)
PKA Key Token Change Callable Service (CSNDKTC and CSNFKTC)
PKA Key Translate (CSNDPKT and CSNFPKT)
PKA Public Key Extract Callable Service (CSNDPKX and CSNFPKX)
Callable services to manage the Public Key Data Set (PKDS)
Coordinated KDS Administration callable service (CSFCRC and CSFCRC6)
ICSF Multi-Purpose Service callable service (CSFMPS and CSFMPS6)
Key Data Set List callable service (CSFKDSL and CSFKDSL6)
Key Data Set Metadata Read callable service (CSFKDMR and CSFKDMR6)
Key Data Set Metadata Write callable service (CSFKDMW and CSFKDMW6)
PKDS Key Record Create Callable Service (CSNDKRC and CSNFKRC)
PKDS Key Record Delete Callable Service (CSNDKRD and CSNFKRD)
PKDS Key Record Read Callable Service (CSNDKRR and CSNFKRR)
PKDS Key Record Write Callable Service (CSNDKRW and CSNFKRW)
Callable Services for Working with Retained Private Keys
Retained Key Delete Callable Service (CSNDRKD and CSNFRKD)
Retained Key List Callable Service (CSNDRKL and CSNFRKL)
Clearing the retained keys on a coprocessor
Callable Services for SET Secure Electronic Transaction
SET Block Compose Callable Service (CSNDSBC and CSNFSBC)
SET Block Decompose Callable Service (CSNDSBD and CSNFSBD)
PKA Key Tokens
PKA Key Management
Security and Integrity of the Token
Key Identifier for PKA Key Token
Key Label
Key Token
Summary of the PKA callable services
Introducing PKCS #11 and using PKCS #11 callable services
PKCS #11 Services
Attribute List
Handles
CCA Callable Services
Managing Symmetric Cryptographic Keys
Clear Key Import (CSNBCKI and CSNECKI)
Control Vector Generate (CSNBCVG and CSNECVG)
Control Vector Translate (CSNBCVT and CSNECVT)
Cryptographic Variable Encipher (CSNBCVE and CSNECVE)
Data Key Export (CSNBDKX and CSNEDKX)
Data Key Import (CSNBDKM and CSNEDKM)
Diversified Key Generate (CSNBDKG and CSNEDKG)
Diversified Key Generate2 Callable Service (CSNBDKG2 and CSNEDKG2)
ECC Diffie-Hellman (CSNDEDH and CSNFEDH)
Key Export (CSNBKEX and CSNEKEX)
Key Generate (CSNBKGN and CSNEKGN)
Key Generate2 (CSNBKGN2 and CSNEKGN2)
Key Import (CSNBKIM and CSNEKIM)
Key Part Import (CSNBKPI and CSNEKPI)
Key Part Import2 (CSNBKPI2 and CSNEKPI2)
Key Test (CSNBKYT and CSNEKYT)
Key Test2 (CSNBKYT2 and CSNEKYT2)
Key Test Extended (CSNBKYTX and CSNEKYTX)
Key Token Build (CSNBKTB and CSNEKTB)
Key Token Build2 (CSNBKTB2 and CSNEKTB2)
Key Translate (CSNBKTR and CSNEKTR)
Key Translate2 (CSNBKTR2 and CSNEKTR2)
Multiple Clear Key Import (CSNBCKM and CSNECKM)
Multiple Secure Key Import (CSNBSKM and CSNESKM)
PKA Decrypt (CSNDPKD and CSNFPKD)
PKA Encrypt (CSNDPKE and CSNFPKE)
Prohibit Export (CSNBPEX and CSNEPEX)
Prohibit Export Extended (CSNBPEXX and CSNEPEXX)
Random Number Generate (CSNBRNG, CSNERNG, CSNBRNGL and CSNERNGL)
Remote Key Export (CSNDRKX and CSNFRKX)
Restrict Key Attribute (CSNBRKA and CSNERKA)
Secure Key Import (CSNBSKI and CSNESKI)
Secure Key Import2 (CSNBSKI2 and CSNESKI2)
Symmetric Key Export (CSNDSYX and CSNFSYX)
Symmetric Key Export with Data (CSNDSXD and CSNFSXD)
Symmetric Key Generate (CSNDSYG and CSNFSYG)
Symmetric Key Import (CSNDSYI and CSNFSYI)
Symmetric Key Import2 (CSNDSYI2 and CSNFSYI2)
Trusted Block Create (CSNDTBC and CSNFTBC)
TR-31 Export (CSNBT31X and CSNET31X)
TR-31 Import (CSNBT31I and CSNET31I)
TR-31 Optional Data Build (CSNBT31O and CSNET31O)
TR-31 Optional Data Read (CSNBT31R and CSNET31R)
TR-31 Parse (CSNBT31P and CSNET31P)
Unique Key Derive (CSNBUKD and CSNEUKD)
Protecting Data
Modes of Operation
Electronic Code Book (ECB) Mode
Cipher Block Chaining (CBC) Mode
Cipher Feedback (CFB) Mode
Output Feedback (OFB) Mode
Galois/Counter Mode (GCM)
Triple DES Encryption
Ciphertext Translate2 (CSNBCTT2, CSNBCTT3, CSNECTT2, CSNECTT3)
Decipher (CSNBDEC or CSNBDEC1 and CSNEDEC or CSNEDEC1)
Decode (CSNBDCO and CSNEDCO)
Encipher (CSNBENC or CSNBENC1 and CSNEENC or CSNEENC1)
Encode (CSNBECO and CSNEECO)
Symmetric Algorithm Decipher (CSNBSAD or CSNBSAD1 and CSNESAD or CSNESAD1)
Symmetric Algorithm Encipher (CSNBSAE or CSNBSAE1 and CSNESAE or CSNESAE1)
Symmetric Key Decipher (CSNBSYD or CSNBSYD1 and CSNESYD or CSNESYD1)
Symmetric Key Encipher (CSNBSYE or CSNBSYE1 and CSNESYE or CSNESYE1)
Verifying Data Integrity and Authenticating Messages
How MACs are Used
How Hashing Functions Are Used
How MDCs Are Used
HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1)
HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1)
MAC Generate (CSNBMGN or CSNBMGN1 and CSNEMGN or CSNEMGN1)
MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and CSNEMGN3)
MAC Verify (CSNBMVR or CSNBMVR1 and CSNEMVR or CSNEMVR1)
MAC Verify2 (CSNBMVR2, CSNBMVR3, CSNEMVR2, and CSNEMVR3)
MDC Generate (CSNBMDG or CSNBMDG1 and CSNEMDG or CSNEMDG1)
One-Way Hash Generate (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1)
Symmetric MAC Generate (CSNBSMG or CSNBSMG1 and CSNESMG or CSNESMG1)
Symmetric MAC Verify (CSNBSMV or CSNBSMV1 and CSNESMV or CSNESMV1)
Financial Services
How Personal Identification Numbers (PINs) are Used
How VISA Card Verification Values Are Used
Translating Data and PINs in Networks
Working with Europay–MasterCard–Visa smart cards
PIN Callable Services
Generating a PIN
Encrypting a PIN
Generating a PIN Validation Value from an Encrypted PIN Block
Verifying a PIN
Translating a PIN
Algorithms for Generating and Verifying a PIN
Using PINs on Different Systems
PIN-Encrypting Keys
Derived unique key per transaction algorithms
Encrypted PIN Translate
Encrypted PIN Verify
For more information
ANSI X9.8 PIN Restrictions
ANSI X9.8 PIN - Enforce PIN block restrictions
ANSI X9.8 PIN - Allow modification of PAN
ANSI X9.8 PIN - Allow only ANSI PIN blocks
ANSI X9.8 PIN - Use stored decimalization tables only
The PIN Profile
PIN Block Format
PIN Block Format and PIN Extraction Method Keywords
Enhanced PIN Security Mode
Format Control
Pad Digit
Recommendations for the Pad Digit
Current Key Serial Number
Decimalization Tables
Format preserving encryption
Authentication Parameter Generate (CSNBAPG and CSNEAPG)
Clear PIN Encrypt (CSNBCPE and CSNECPE)
Clear PIN Generate (CSNBPGN and CSNEPGN)
Clear PIN Generate Alternate (CSNBCPA and CSNECPA)
CVV Key Combine (CSNBCKC and CSNECKC)
Encrypted PIN Generate (CSNBEPG and CSNEEPG)
Encrypted PIN Translate (CSNBPTR and CSNEPTR)
Encrypted PIN Verify (CSNBPVR and CSNEPVR)
Field level decipher (CSNBFLD and CSNEFLD)
Field level encipher (CSNBFLE and CSNEFLE)
FPE decipher (CSNBFPED and CSNEFPED)
FPE encipher (CSNBFPEE and CSNEFPEE)
FPE translate (CSNBFPET and CSNEFPET)
PIN Change/Unblock (CSNBPCU and CSNEPCU)
Recover PIN from Offset (CSNBPFO and CSNEPFO)
Secure Messaging for Keys (CSNBSKY and CSNESKY)
Secure Messaging for PINs (CSNBSPN and CSNESPN)
SET Block Compose (CSNDSBC and CSNFSBC)
SET Block Decompose (CSNDSBD and CSNFSBD)
Transaction Validation (CSNBTRV and CSNETRV)
VISA CVV Service Generate (CSNBCSG and CSNECSG)
VISA CVV Service Verify (CSNBCSV and CSNECSV)
Financial Services for DK PIN Methods
Weak PIN table
DK PIN methods
DK Deterministic PIN Generate (CSNBDDPG and CSNEDDPG)
DK Migrate PIN (CSNBDMP and CSNEDMP)
DK PAN Modify in Transaction (CSNBDPMT and CSNEDPMT)
DK PAN Translate (CSNBDPT and CSNEDPT)
DK PIN Change (CSNBDPC and CSNEDPC)
DK PIN Verify (CSNBDPV and CSNEDPV)
DK PRW Card Number Update (CSNBDPNU and CSNEDPNU)
DK PRW CMAC Generate (CSNBDPCG and CSNEDPCG)
DK Random PIN Generate (CSNBDRPG and CSNEDRPG)
DK Regenerate PRW (CSNBDRP and CSNEDRP)
Using Digital Signatures
Digital Signature Generate (CSNDDSG and CSNFDSG)
Digital Signature Verify (CSNDDSV and CSNFDSV)
Managing PKA Cryptographic Keys
PKA Key Generate (CSNDPKG and CSNFPKG)
PKA Key Import (CSNDPKI and CSNFPKI)
PKA Key Token Build (CSNDPKB and CSNFPKB)
PKA Key Token Change (CSNDKTC and CSNFKTC)
PKA Key Translate (CSNDPKT and CSNFPKT)
PKA Public Key Extract (CSNDPKX and CSNFPKX)
Retained Key Delete (CSNDRKD and CSNFRKD)
Retained Key List (CSNDRKL and CSNFRKL)
Key data set management
Metadata for key data set records
CKDS Key Record Create (CSNBKRC and CSNEKRC)
CKDS Key Record Create2 (CSNBKRC2 and CSNEKRC2)
CKDS Key Record Delete (CSNBKRD and CSNEKRD)
CKDS Key Record Read (CSNBKRR and CSNEKRR)
CKDS Key Record Read2 (CSNBKRR2 and CSNEKRR2)
CKDS Key Record Write (CSNBKRW and CSNEKRW)
CKDS Key Record Write2 (CSNBKRW2 and CSNEKRW2)
Coordinated KDS Administration (CSFCRC and CSFCRC6)
ICSF Multi-Purpose Service (CSFMPS and CSFMPS6)
Key Data Set List (CSFKDSL and CSFKDSL6)
Key Data Set Metadata Read (CSFKDMR and CSFKDMR6)
Key Data Set Metadata Write (CSFKDMW and CSFKDMW6)
PKDS Key Record Create (CSNDKRC and CSNFKRC)
PKDS Key Record Delete (CSNDKRD and CSNFKRD)
PKDS Key Record Read (CSNDKRR and CSNFKRR)
PKDS Key Record Write (CSNDKRW and CSNFKRW)
Utilities
Character/Nibble Conversion (CSNBXBC and CSNBXCB)
Code Conversion (CSNBXEA and CSNBXAE)
ICSF Query Algorithm (CSFIQA and CSFIQA6)
ICSF Query Facility (CSFIQF and CSFIQF6)
ICSF Query Facility2 (CSFIQF2 and CSFIQF26)
SAF ACEE Selection (CSFACEE and CSFACEE6)
X9.9 Data Editing (CSNB9ED)
Trusted Key Entry Workstation Interfaces
PCI Interface Callable Service (CSFPCI and CSFPCI6)
PKCS #11 Callable Services
Using PKCS #11 tokens and objects
PKCS #11 Derive multiple keys (CSFPDMK and CSFPDMK6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Derive key (CSFPDVK and CSFPDVK6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Get attribute value (CSFPGAV and CSFPGAV6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Generate key pair (CSFPGKP and CSFPGKP6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Generate secret key (CSFPGSK and CSFPGSK6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Generate HMAC (CSFPHMG and CSFPHMG6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Verify HMAC (CSFPHMV and CSFPHMV6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 One-way hash, sign, or verify (CSFPOWH and CSFPOWH6)
PKCS #11 Private key sign (CSFPPKS and CSFPPKS6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Public key verify (CSFPPKV and CSFPPKV6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Pseudo-random function (CSFPPRF and CSFPPRF6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Set attribute value (CSFPSAV and CSFPSAV6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Secret key decrypt (CSFPSKD and CSFPSKD6)
PKCS #11 Secret key encrypt (CSFPSKE and CSFPSKE6)
PKCS #11 Token record create (CSFPTRC and CSFPTRC6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Token record delete (CSFPTRD and CSFPTRD6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Token record list (CSFPTRL and CSFPTRL6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Unwrap key (CSFPUWK and CSFPUWK6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Wrap key (CSFPWPK and CSFPWPK6)
Format
Parameters
Authorization
Usage Notes
ICSF and cryptographic coprocessor return and reason codes
Return codes and reason codes
Return codes
Reason codes for return code 0 (0)
Reason codes for return code 4 (4)
Reason codes for return code 8 (8)
Reason codes for return code C (12)
Reason codes for return code 10 (16)
Key Token Formats
AES Key Token Formats
AES internal key token
Token Validation Value
DES Key Token Formats
DES internal key token
DES external key token
External RKX DES Key Token
DES null key token
Variable-length Symmetric Key Token Formats
Variable-length symmetric key token
Variable-length symmetric null key token
PKA Key Token Formats
PKA null key token
RSA Key Token Formats
RSA public key token
RSA private external key token
RSA private internal key token
RSA Private Key Token, 1024-bit Modulus-Exponent Internal Form
RSA Private Key Token, 1024-bit Modulus-Exponent internal form with encrypted blinding
RSA private key, 4096-bit Modulus-Exponent format with AES encrypted OPK section internal form
RSA private key, 4096-bit Chinese Remainder Theorem format with AES encrypted OPK section internal form
RSA Private Key Token, 4096-bit Chinese Remainder Theorem Internal Form
ECC key token format
Associated data format for ECC token
AESKW wrapped payload format for ECC private key token
Trusted block key token
Trusted block sections
Trusted block integrity
Number representation in trusted blocks
Format of trusted block sections
Trusted block section X'11'
Trusted block section X'12'
Trusted block section X'13'
Trusted block section X'14'
Trusted block section X'15'
Control Vectors and Changing Control Vectors with the CVT Callable Service
Control Vector Table
Specifying a Control-Vector-Base Value
Changing Control Vectors with the Control Vector Translate Callable Service
Providing the Control Information for Testing the Control Vectors
Mask Array Preparation
Selecting the Key-Half Processing Mode
When the Target Key Token CV Is Null
Control Vector Translate Example
Coding Examples
C
COBOL
Assembler H
PL/1
Cryptographic Algorithms and Processes
PIN Formats and Algorithms
PIN Notation
PIN Block Formats
ANSI X9.8
ISO Format 1
ISO Format 2
ISO Format 3
VISA Format 2
VISA Format 3
IBM 4700 Encrypting PINPAD Format
IBM 3624 Format
IBM 3621 Format
ECI Format 2
ECI Format 3
PIN Extraction Rules
Encrypted PIN Verify Callable Service
Clear PIN Generate Alternate Callable Service
Encrypted PIN Translate Callable Service
PIN Change/Unblock Callable Service
IBM PIN Algorithms
3624 PIN Generation Algorithm
German Banking Pool PIN Generation Algorithm
PIN Offset Generation Algorithm
3624 PIN Verification Algorithm
German Banking Pool PIN Verification Algorithm
VISA PIN Algorithms
PVV Generation Algorithm
PVV Verification Algorithm
Interbank PIN Generation Algorithm
Cipher Processing Rules
CBC and ANSI INCITS 106
ANSI X9.23 and IBM 4700
Segmenting
Cipher Last-Block Rules
CUSP
The Information Protection System (IPS)
PKCS Padding Method
PKCS Padding Method (Example 1)
PKCS Padding Method (Example 2)
Wrapping Methods for Symmetric Key Tokens
ECB Wrapping of DES Keys (Original Method)
CBC Wrapping of AES Keys
Enhanced CBC Wrapping of DES Keys (Enhanced Method)
Wrapping key derivation for enhanced wrapping of DES keys
Variable length token (AESKW method)
PKA92 Key Format and Encryption Process
Formatting Hashes and Keys in Public-Key Cryptography
ANSI X9.31 Hash Format
PKCS #1 Formats
Visa and EMV-related smart card formats and processes
Deriving the smart-card-specific authentication code
Constructing the PIN-block for transporting an EMV smart-card PIN
Deriving the CCA TDES-XOR session key
Deriving the EMV TDESEMVn tree-based session key
PIN-block self-encryption
Key Test Verification Pattern Algorithms
DES Algorithm (single- and double-length keys)
SHAVP1 Algorithm
SHA-256 algorithm
EBCDIC and ASCII Default Conversion Tables
Access control points and callable services