These changes have been made to the CCA API to support remote key
loading using trusted blocks:
- A new Trusted Block Create (CSNDTBC and CSNETBC) callable service
has been developed to securely create trusted blocks under dual control.
- A new Remote Key Export (CSNDRKX and CSNFRKX) callable service
has been developed to generate or export DES and TDES keys under control
of the rules contained in a trusted block.
- The Digital Signature Verify (CSNDDSV) callable service has been
enhanced so that, in addition to verifying ordinary CCA RSA keys,
it can use the RSA public key contained in a trusted block to verify
digital signatures.
- The PKA Key Import (CSNDPKI) callable service has been enhanced
so it can import an RSA key into the CCA domain. In addition, the
verb can import an external format trusted block into an internal
format trusted block, ready to be used in the local system.
- The PKA Key Token Change (CSNDKTC and CSNFKTC) callable service
has been enhanced so that it can update trusted blocks to the current
PKA master key when the master key is changed. A trusted block contains
an embedded MAC key enciphered under the PKA master key. When the
PKA master key is changed, the outdated MAC key and the trusted block
itself need to be updated to reflect the current PKA master key.
- The MAC Generate (CSNBMGN) and MAC Verify (CSNBMVR) callable services
have been enhanced to add ISO 16609 TDES MAC support in which the
text will be CBC-TDES encrypted using a double-length key and the
MAC will be extracted from the last block.
- The PKA key storage callable services support trusted blocks.