Use the Control Vector Translate callable service to change a control
vector associated with a key. Rule-array keywords determine which
key halves are processed in the call, as shown in Figure 13.
- Keyword
  Meaning
- SINGLE
  This keyword causes the control vector of the left half of the
  source key to be changed. The updated key half is placed into the
  left half of the target key in the target key token. The right half
  of the target key is unchanged.

  The SINGLE keyword is useful when processing a single-length key,
  or when first processing the left half of a double-length key (to
  be followed by processing the right half).
- RIGHT
  This keyword causes the control vector of the right half of the
  source key to be changed. The updated key half is placed into the
  right half of the target key in the target key token. The left half
  of the source key is copied unchanged into the left half of the
  target key in the target key token.
- BOTH
  This keyword causes the control vector of both halves of the
  source key to be changed. The updated key is placed into the target
  key in the target key token.

  A single set of control information must permit the control vector
  changes applied to each key half. Normally, control vector bit
  positions 41, 42, 105, and 106 are different for each key half.
  Therefore, set bits 41 and 42 to B'00' in mask array elements B1,
  B2, and B3.

  You can verify that the source and target key tokens have control
  vectors with matching bits in bit positions 40-42 and 104-106, the
  "form field" bits. Ensure that bits 40-42 of mask array B4 are set
  to B'111'.
- LEFT
  This keyword enables you to supply a single-length key and obtain
  a double-length key. The source key token must contain:
  - The KEK-enciphered single-length key
  - The control vector for the single-length key (often this is a
    null value)
  - A control vector, stored in the source token where the right-half
    control vector is normally stored, used in decrypting the
    single-length source key when the key is being processed for the
    target right half of the key.

  The service first processes the source and target tokens as with
  the SINGLE keyword. Then the source token is processed using the
  single-length enciphered key and the source token right-half
  control vector to obtain the actual key value. The key value is then
  enciphered using the KEK and the control vector in the target token
  for the right half of the key.

  This approach is often useful when you must obtain a double-length
  CCA key from a system that only supports a single-length key, for
  example when processing PIN keys or key-encrypting keys received
  from non-CCA systems.
To prevent the service from ensuring that each key byte has odd
parity, you can specify the NOADJUST keyword. If you do not
specify the NOADJUST keyword, or if you specify the ADJUST keyword,
the service ensures that each byte of the target key has odd parity.
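
The following is an added example, not part of the original documentation and not IBM code: application-side C helpers that compare the form-field bits 40-42 and 104-106 of two control vectors and apply the odd-parity rule that ADJUST enforces, shown here on clear key bytes. It assumes IBM bit numbering (bit 0 is the most significant bit of byte 0); all control vectors and key bytes are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample values, not taken from any real key token. */
static const uint8_t SRC_CV[16] = { 0x00,0x00,0x7D,0x00,0x03,0x41,0x00,0x00,
                                    0x00,0x00,0x7D,0x00,0x03,0x21,0x00,0x00 };
static const uint8_t TGT_CV[16] = { 0x00,0x41,0x7D,0x00,0x03,0x41,0x00,0x00,
                                    0x00,0x41,0x7D,0x00,0x03,0x21,0x00,0x00 };
static const uint8_t BAD_CV[16] = { 0x00,0x00,0x7D,0x00,0x03,0x01,0x00,0x00,
                                    0x00,0x00,0x7D,0x00,0x03,0x21,0x00,0x00 };
uint8_t sample_key[8] = { 0x00,0x01,0x02,0x03,0xFE,0xFF,0x10,0x7F };

/* Read one bit of a 16-byte control vector (left half in bytes 0-7, right
 * half in bytes 8-15). Assumption: bit 0 is the MSB of byte 0. */
static int cv_bit(const uint8_t cv[16], unsigned bit)
{
    return (cv[bit / 8] >> (7 - bit % 8)) & 1;
}

/* Return 1 when both vectors agree in form-field bits 40-42 and 104-106. */
int form_fields_match(const uint8_t src[16], const uint8_t tgt[16])
{
    static const unsigned bits[] = { 40, 41, 42, 104, 105, 106 };
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++)
        if (cv_bit(src, bits[i]) != cv_bit(tgt, bits[i]))
            return 0;
    return 1;
}

/* Return 1 when the byte contains an odd number of 1 bits. */
static int is_odd(uint8_t b)
{
    b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;
    return b & 1;
}

/* Give every key byte odd parity by flipping its low-order (parity) bit
 * where needed. Returns the number of bytes that had to be changed. */
size_t adjust_odd_parity(uint8_t *key, size_t len)
{
    size_t changed = 0;
    for (size_t i = 0; i < len; i++)
        if (!is_odd(key[i])) { key[i] ^= 1; changed++; }
    return changed;
}

int main(void)
{
    printf("form fields match: %d\n", form_fields_match(SRC_CV, TGT_CV));
    printf("bytes adjusted: %zu\n", adjust_odd_parity(sample_key, sizeof sample_key));
    return 0;
}
```

A nonzero return from `adjust_odd_parity` means the supplied key bytes did not already have odd parity, which is the case where ADJUST and NOADJUST produce different target keys.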