z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


ANSI X9.23 and IBM 4700

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

An enhancement to the basic cipher block chaining mode of ANSI X3.106 is defined so the data lengths that are not an exact multiple of 8 bytes can be processed. The ANSI X9.23 method always adds from 1 byte to 8 bytes to the plaintext before encipherment. The last added byte is the count of the added bytes and is in the range of X'01' to X'08'. The standard defines that the other added bytes, the pad characters, are random.

When ICSF enciphers the plaintext, the resulting ciphertext is always 1 to 8 bytes longer than the plaintext.

When ICSF deciphers the ciphertext, ICSF uses the last byte of the deciphered data as the number of bytes to be removed (the pad bytes and the count byte). The resulting plaintext is the same as the original plaintext.

The output chaining vector can be used as feedback with this method in the same way as with the X3.106 method.

In summary, for the ANSI X9.23 method:

  • X9.23 processing requires the caller to supply an ICV.
  • X9.23 encipher does not allow specification of a pad character.

The 4700 padding rule is similar to the X9.23 rule. The only difference is that in the X9.23 method, the padding character is not user-selected, but the padding string is selected by the encipher process.

Segmenting

The callable services can operate on large data objects. Segmenting is the process of dividing the function into more than one processing step. Your application can divide the process into multiple steps without changing the final outcome.

To provide segmenting capability, the MAC generation, MAC verification, and MDC generation callable services require an 18-byte system work area in the application address space that is provided as the chaining vector parameter to the callable service. The application program must not change the system work area.

Cipher Last-Block Rules

The DES defines cipher-block chaining as operating on multiples of 8 bytes, and AES uses multiples of 16 bytes. Various algorithms are used to process strings that are multiples of the block size. The algorithms are generically named "last-block rules". You select the supported last-block rules by using these keywords:

  • X9.23
  • IPS
  • CUSP (also used with PCF)
  • 4700-PAD
  • CBC-CS

You specify which cipher last-block rule you want to use in the rule_array parameter of the callable service.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014