z/OS Cryptographic Services ICSF Application Programmer's Guide
Contents (exploded view)
z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16
Application Programmer's Guide
Figures
Tables
IBM CCA Programming
Introducing Programming for the IBM CCA
ICSF Callable Services Naming Conventions
Callable Service Syntax
Callable Services with ALET Parameters
Rules for Defining Parameters and Attributes
Parameter Definitions
Return and Reason Codes
Exit Data Length and Exit Data
Key Identifier for Key Token
Key Label
Invocation Requirements
Security Considerations
Performance Considerations
Special Secure Mode
Using the Callable Services
When the Call Succeeds
When the Call Does Not Succeed
Linking a Program with the ICSF Callable Services
Introducing Symmetric Key Cryptography and Using Symmetric Key Callable Services
Functions of the Symmetric Cryptographic Keys
Key Separation
Master Key Variant for Fixed-length Tokens
Transport Key Variant for Fixed-length Tokens
Key Forms
DES Key Flow
Key Token
Key Wrapping
Control Vector for DES Keys
Types of Keys
Other Considerations
Clear Keys
Generating and Managing Symmetric Keys
Key Generator Utility Program
Common Cryptographic Architecture DES Key Management Services
Clear Key Import Callable Service (CSNBCKI and CSNECKI)
Control Vector Generate Callable Service (CSNBCVG and CSNECVG)
Control Vector Translate Callable Service (CSNBCVT and CSNECVT)
Cryptographic Variable Encipher Callable Service (CSNBCVE and CSNECVE)
Data Key Export Callable Service (CSNBDKX and CSNEDKX)
Data Key Import Callable Service (CSNBDKM and CSNEDKM)
Key Export Callable Service (CSNBKEX and CSNEKEX)
Key Generate Callable Service (CSNBKGN and CSNEKGN)
Key Import Callable Service (CSNBKIM and CSNEKIM)
Key Part Import Callable Service (CSNBKPI and CSNEKPI)
Key Test Callable Service (CSNBKYT, CSNEKYT, CSNBKYTX, and CSNEKYTX)
Key Token Build Callable Service (CSNBKTB and CSNEKTB)
Key Translate Callable Service (CSNBKTR and CSNEKTR)
Key Translate2 Callable Service (CSNBKTR2 and CSNEKTR2)
Multiple Clear Key Import Callable Service (CSNBCKM and CSNECKM)
Multiple Secure Key Import Callable Service (CSNBSKM and CSNESKM)
Prohibit Export Callable Service (CSNBPEX and CSNEPEX)
Prohibit Export Extended Callable Service (CSNBPEXX and CSNEPEXX)
Random Number Generate Callable Service (CSNBRNG, CSNERNG, CSNBRNGL, and CSNERNGL)
Remote Key Export Callable Service (CSNDRKX and CSNFRKX)
Restrict Key Attribute Callable Service (CSNBRKA and CSNERKA)
Secure Key Import Callable Service (CSNBSKI and CSNESKI)
Symmetric Key Export Callable Service (CSNDSYX and CSNFSYX)
Symmetric Key Generate Callable Service (CSNDSYG and CSNFSYG)
Symmetric Key Import Callable Service (CSNDSYI and CSNFSYI)
Transform CDMF Key Callable Service (CSNBTCK and CSNETCK)
Trusted Block Create Callable Service (CSNDTBC and CSNFTBC)
User Derived Key Callable Service (CSFUDK and CSFUDK6)
Common Cryptographic Architecture AES Key Management Services
Key Generate Callable Service (CSNBKGN and CSNEKGN)
Key Generate2 Callable Service (CSNBKGN2 and CSNEKGN2)
Key Part Import2 Callable Service (CSNBKPI2 and CSNEKPI2)
Key Test2 Callable Service (CSNBKYT2 and CSNEKYT2)
Key Token Build Callable Service (CSNBKTB and CSNEKTB)
Multiple Clear Key Import Callable Service (CSNBCKM and CSNECKM)
Multiple Secure Key Import Callable Service (CSNBSKM and CSNESKM)
Restrict Key Attribute Callable Service (CSNBRKA and CSNERKA)
Secure Key Import2 Callable Service (CSNBSKI2 and CSNESKI2)
Symmetric Key Export Callable Service (CSNDSYX and CSNFSYX)
Symmetric Key Generate Callable Service (CSNDSYG and CSNFSYG)
Symmetric Key Import Callable Service (CSNDSYI and CSNFSYI)
Symmetric Key Import2 Callable Service (CSNDSYI2 and CSNFSYI2)
Common Cryptographic Architecture HMAC Key Management Services
Key Generate2 callable service (CSNBKGN2 and CSNEKGN2)
Key Part Import2 callable service (CSNBKPI2 and CSNEKPI2)
Key Test2 callable service (CSNBKYT2 and CSNEKYT2)
Key Token Build2 callable service (CSNBKTB2 and CSNEKTB2)
Restrict Key Attribute callable service (CSNBRKA and CSNERKA)
Secure Key Import2 callable service (CSNBSKI2 and CSNESKI2)
Symmetric Key Export Callable Service (CSNDSYX and CSNFSYX)
Symmetric Key Import2 Callable Service (CSNDSYI2 and CSNFSYI2)
ECC Diffie-Hellman Key Agreement Models
Token Agreement Scheme
Obtaining the Raw “Z” value
Improved remote key distribution
Remote Key Loading
Old remote key loading example
New remote key loading methods
Trusted block
Changes to the CCA API
The RKX key token
Using trusted blocks
Creating a trusted block
Exporting keys with Remote_Key_Export
Generating keys with Remote_Key_Export
Remote key distribution scenario
Usage example
Remote key distribution benefits
Diversifying keys
Callable Services for Dynamic CKDS Update
CKDS Key Record Create Callable Service (CSNBKRC and CSNEKRC)
CKDS Key Record Create2 Callable Service (CSNBKRC2 and CSNEKRC2)
CKDS Key Record Delete Callable Service (CSNBKRD and CSNEKRD)
CKDS Key Record Read Callable Service (CSNBKRR and CSNEKRR)
CKDS Key Record Read2 Callable Service (CSNBKRR2 and CSNEKRR2)
CKDS Key Record Write Callable Service (CSNBKRW and CSNEKRW)
CKDS Key Record Write2 Callable Service (CSNBKRW2 and CSNEKRW2)
Coordinated KDS Administration Callable Service (CSFCRC and CSFCRC6)
Callable Services that Support Secure Sockets Layer (SSL)
PKA Decrypt Callable Service (CSNDPKD)
PKA Encrypt Callable Service (CSNDPKE)
System Encryption Algorithm
ANSI X9.17 Key Management Services
Key Generate Callable Service Used to Generate an AKEK (CSNBKGN)
ANSI X9.17 EDC Generate Callable Service (CSNAEGN and CSNGEGN)
ANSI X9.17 Key Export Callable Service (CSNAKEX and CSNGKEX)
ANSI X9.17 Key Import Callable Service (CSNAKIM and CSNGKIM)
ANSI X9.17 Key Translate Callable Service (CSNAKTR and CSNGKTR)
ANSI X9.17 Transport Key Partial Notarize Callable Service (CSNATKN and CSNGTKN)
Enciphering and Deciphering Data
Encoding and Decoding Data (CSNBECO, CSNEECO, CSNBDCO, and CSNEDCO)
Translating Ciphertext (CSNBCTT or CSNBCTT1 and CSNECTT or CSNECTT1)
Managing Data Integrity and Message Authentication
Message Authentication Code Processing
HMAC Generation Callable Service (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1)
HMAC Verification Callable Service (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1)
MAC Generation Callable Service (CSNBMGN or CSNBMGN1 and CSNEMGN or CSNEMGN1)
MAC Verification Callable Service (CSNBMVR or CSNBMVR1 and CSNEMVR or CSNEMVR1)
Symmetric MAC Generate Callable Service (CSNBSMG, CSNBSMG1, CSNESMG and CSNESMG1)
Symmetric MAC Verify Callable Service (CSNBSMV, CSNBSMV1, CSNESMV and CSNESMV1)
Hashing Functions
One-Way Hash Generate Callable Service (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1)
MDC Generation Callable Service (CSNBMDG or CSNBMDG1 and CSNEMDG or CSNEMDG1)
Managing Personal Authentication
Verifying Credit Card Data
Clear PIN Encrypt Callable Service (CSNBCPE and CSNECPE)
Clear PIN Generate Alternate Callable Service (CSNBCPA and CSNECPA)
Clear PIN Generate Callable Service (CSNBPGN and CSNEPGN)
CVV Key Combine Callable Service (CSNBCKC and CSNECKC)
Encrypted PIN Generate Callable Service (CSNBEPG and CSNEEPG)
Encrypted PIN Translate Callable Service (CSNBPTR and CSNEPTR)
Encrypted PIN Verify Callable Service (CSNBPVR and CSNEPVR)
PIN Change/Unblock Callable Service (CSNBPCU and CSNEPCU)
Transaction Validation Callable Service (CSNBTRV and CSNETRV)
ANSI TR-31 key block support
TR-31 Export Callable Service (CSNBT31X and CSNET31X)
TR-31 Import Callable Service (CSNBT31I and CSNET31I)
TR-31 Parse Callable Service (CSNBT31P and CSNET31P)
TR-31 Optional Data Read Callable Service (CSNBT31R and CSNET31R)
TR-31 Optional Data Build Callable Service (CSNBT31O and CSNET31O)
Secure Messaging
Trusted Key Entry (TKE) Support
Utilities
Character/Nibble Conversion Callable Services (CSNBXBC and CSNBXCB)
Code Conversion Callable Services (CSNBXEA and CSNBXAE)
X9.9 Data Editing Callable Service (CSNB9ED)
ICSF Query Algorithm Callable Service (CSFIQA)
ICSF Query Facility Callable Service (CSFIQF)
Typical Sequences of ICSF Callable Services
Key Forms and Types Used in the Key Generate Callable Service
Generating an Operational Key
Generating an Importable Key
Generating an Exportable Key
Examples of Single-Length Keys in One Form Only
Examples of OPIM Single-Length, Double-Length, and Triple-Length Keys in Two Forms
Examples of OPEX Single-Length, Double-Length, and Triple-Length Keys in Two Forms
Examples of IMEX Single-Length and Double-Length Keys in Two Forms
Examples of EXEX Single-Length and Double-Length Keys in Two Forms
Generating AKEKs
Using the Ciphertext Translate Callable Service
Summary of Callable Services
Introducing PKA Cryptography and Using PKA Callable Services
PKA Key Algorithms
PKA Master Keys
Operational private keys
PKA Callable Services
Callable Services Supporting Digital Signatures
Digital Signature Generate Callable Service (CSNDDSG and CSNFDSG)
Digital Signature Verify Callable Service (CSNDDSV and CSNFDSV)
Callable Services for PKA Key Management
PKA Key Generate Callable Service (CSNDPKG and CSNFPKG)
PKA Key Import Callable Service (CSNDPKI and CSNFPKI)
PKA Key Token Build Callable Service (CSNDPKB and CSNFPKB)
PKA Key Token Change Callable Service (CSNDKTC and CSNFKTC)
PKA Key Translate (CSNDPKT and CSNFPKT)
PKA Public Key Extract Callable Service (CSNDPKX and CSNFPKX)
Callable Services to Update the Public Key Data Set (PKDS)
PKDS Key Record Create Callable Service (CSNDKRC and CSNFKRC)
PKDS Key Record Delete Callable Service (CSNDKRD and CSNFKRD)
PKDS Key Record Read Callable Service (CSNDKRR and CSNFKRR)
PKDS Key Record Write Callable Service (CSNDKRW and CSNFKRW)
Callable Services for Working with Retained Private Keys
Retained Key Delete Callable Service (CSNDRKD and CSNFRKD)
Retained Key List Callable Service (CSNDRKL and CSNFRKL)
Clearing the retained keys on a coprocessor
Callable Services for SET Secure Electronic Transaction
SET Block Compose Callable Service (CSNDSBC and CSNFSBC)
SET Block Decompose Callable Service (CSNDSBD and CSNFSBD)
PKA Key Tokens
PKA Key Management
Security and Integrity of the Token
Key Identifier for PKA Key Token
Key Label
Key Token
The Transaction Security System and ICSF Portability
Summary of the PKA Callable Services
Introducing PKCS #11 and using PKCS #11 callable services
PKCS #11 Management Services
Attribute List
Handles
CCA Callable Services
Managing Symmetric Cryptographic Keys
Clear Key Import (CSNBCKI and CSNECKI)
Format
Parameters
Usage Notes
Control Vector Generate (CSNBCVG and CSNECVG)
Format
Parameters
Usage Notes
Control Vector Translate (CSNBCVT and CSNECVT)
Format
Parameters
Restrictions
Usage Notes
Cryptographic Variable Encipher (CSNBCVE and CSNECVE)
Format
Parameters
Restrictions
Usage Notes
Data Key Export (CSNBDKX and CSNEDKX)
Format
Parameters
Restrictions
Usage Notes
Data Key Import (CSNBDKM and CSNEDKM)
Format
Parameters
Restrictions
Usage Notes
Diversified Key Generate (CSNBDKG and CSNEDKG)
Format
Parameters
Restrictions
Usage Notes
ECC Diffie-Hellman (CSNDEDH and CSNFEDH)
Format
Parameters
Restrictions
Usage Notes
Key Export (CSNBKEX and CSNEKEX)
Format
Parameters
Restrictions
Usage Notes
Systems with the Cryptographic Coprocessor Feature
Systems with a PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor, or Crypto Express3 Coprocessor
Key Generate (CSNBKGN and CSNEKGN)
Format
Parameters
Restrictions
Usage Notes
System Encryption Algorithm Marks (CCF systems only)
Key type and key form combinations
Key Generate2 (CSNBKGN2 and CSNEKGN2)
Format
Parameters
Usage Notes
Key Import (CSNBKIM and CSNEKIM)
Format
Parameters
Restrictions
Usage Notes
Systems with the Cryptographic Coprocessor Feature
Systems with the PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor, or Crypto Express3 Coprocessor
Key Part Import (CSNBKPI and CSNEKPI)
Format
Parameters
Restrictions
Usage Notes
Related Information
Key Part Import2 (CSNBKPI2 and CSNEKPI2)
Format
Parameters
Usage Notes
Key Test (CSNBKYT and CSNEKYT)
Format
Parameters
Restrictions
Usage Notes
Key Test2 (CSNBKYT2 and CSNEKYT2)
Format
Parameters
Usage Notes
Key Test Extended (CSNBKYTX and CSNEKYTX)
Format
Parameters
Restrictions
Usage Notes
Key Token Build (CSNBKTB and CSNEKTB)
Format
Parameters
Restrictions
Usage Notes
Related Information
Key Token Build2 (CSNBKTB2 and CSNEKTB2)
Format
Parameters
Usage Notes
Key Translate (CSNBKTR and CSNEKTR)
Format
Parameters
Restrictions
Usage Notes
Key Translate2 (CSNBKTR2 and CSNEKTR2)
Format
Parameters
Restrictions
Usage Notes
Multiple Clear Key Import (CSNBCKM and CSNECKM)
Format
Parameters
Usage Notes
Multiple Secure Key Import (CSNBSKM and CSNESKM)
Format
Parameters
Usage Notes
PKA Decrypt (CSNDPKD and CSNFPKD)
Format
Parameters
Restrictions
Usage Notes
PKA Encrypt (CSNDPKE and CSNFPKE)
Format
Parameters
Restrictions
Usage Notes
Prohibit Export (CSNBPEX and CSNEPEX)
Format
Parameters
Usage Notes
Prohibit Export Extended (CSNBPEXX and CSNEPEXX)
Format
Parameters
Restrictions
Usage Notes
Random Number Generate (CSNBRNG, CSNERNG, CSNBRNGL and CSNERNGL)
Format
Parameters
Usage Notes
Remote Key Export (CSNDRKX and CSNFRKX)
Format
Parameters
Usage Notes
Restrict Key Attribute (CSNBRKA and CSNERKA)
Format
Parameters
Usage Notes
Secure Key Import (CSNBSKI and CSNESKI)
Format
Parameters
Usage Notes
Secure Key Import2 (CSNBSKI2 and CSNESKI2)
Format
Parameters
Usage Notes
Symmetric Key Export (CSNDSYX and CSNFSYX)
Format
Parameters
Restrictions
Usage Notes
Symmetric Key Generate (CSNDSYG and CSNFSYG)
Format
Parameters
Restrictions
Usage Notes
Symmetric Key Import (CSNDSYI and CSNFSYI)
Format
Parameters
Restrictions
Usage Notes
Symmetric Key Import2 (CSNDSYI2 and CSNFSYI2)
Format
Parameters
Restrictions
Usage Notes
Transform CDMF Key (CSNBTCK and CSNETCK)
Format
Parameters
Restrictions
Usage Notes
Trusted Block Create (CSNDTBC and CSNFTBC)
Format
Parameters
Usage Notes
TR-31 Export (CSNBT31X and CSNET31X)
Format
Parameters
Restrictions
Usage Notes
TR-31 Import (CSNBT31I and CSNET31I)
Format
Parameters
Restrictions
Usage Notes
TR-31 Optional Data Build (CSNBT31O and CSNET31O)
Format
Parameters
Restrictions
Usage Notes
TR-31 Optional Data Read (CSNBT31R and CSNET31R)
Format
Parameters
Restrictions
Usage Notes
TR-31 Parse (CSNBT31P and CSNET31P)
Format
Parameters
Restrictions
Usage Notes
User Derived Key (CSFUDK and CSFUDK6)
Format
Parameters
Usage Notes
Protecting Data
Modes of Operation
Electronic Code Book (ECB) Mode
Cipher Block Chaining (CBC) Mode
Cipher Feedback (CFB) Mode
Output Feedback (OFB) Mode
Galois/Counter Mode (GCM)
Triple DES Encryption
Ciphertext Translate (CSNBCTT or CSNBCTT1 and CSNECTT or CSNECTT1)
Choosing Between CSNBCTT and CSNBCTT1
Format
Parameters
Restrictions
Usage Notes
Decipher (CSNBDEC or CSNBDEC1 and CSNEDEC or CSNEDEC1)
Choosing Between CSNBDEC and CSNBDEC1
Format
Parameters
Restrictions
Usage Notes
Related Information
Decode (CSNBDCO and CSNEDCO)
Considerations
Format
Parameters
Restrictions
Usage Notes
Encipher (CSNBENC or CSNBENC1 and CSNEENC or CSNEENC1)
Choosing between CSNBENC and CSNBENC1
Format
Parameters
Restrictions
Usage Notes
Related Information
Encode (CSNBECO and CSNEECO)
Considerations
Format
Parameters
Restrictions
Usage Notes
Symmetric Algorithm Decipher (CSNBSAD or CSNBSAD1 and CSNESAD or CSNESAD1)
Choosing Between CSNBSAD and CSNBSAD1 or CSNESAD and CSNESAD1
Format
Parameters
Usage Notes
Symmetric Algorithm Encipher (CSNBSAE or CSNBSAE1 and CSNESAE or CSNESAE1)
Choosing between CSNBSAE and CSNBSAE1 or CSNESAE and CSNESAE1
Format
Parameters
Usage Notes
Symmetric Key Decipher (CSNBSYD or CSNBSYD1 and CSNESYD or CSNESYD1)
Choosing Between CSNBSYD and CSNBSYD1
Format
Parameters
Usage Notes
Related Information
Symmetric Key Encipher (CSNBSYE or CSNBSYE1 and CSNESYE or CSNESYE1)
Choosing between CSNBSYE and CSNBSYE1
Format
Parameters
Usage Notes
Related Information
Verifying Data Integrity and Authenticating Messages
How MACs are Used
How Hashing Functions Are Used
How MDCs Are Used
HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1)
Choosing Between CSNBHMG and CSNBHMG1
Format
Parameters
Usage Notes
HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1)
Choosing Between CSNBHMV and CSNBHMV1
Format
Parameters
Usage Notes
MAC Generate (CSNBMGN or CSNBMGN1 and CSNEMGN or CSNEMGN1)
Choosing Between CSNBMGN and CSNBMGN1
Format
Parameters
Usage Notes
Related Information
MAC Verify (CSNBMVR or CSNBMVR1 and CSNEMVR or CSNEMVR1)
Choosing Between CSNBMVR and CSNBMVR1
Format
Parameters
Usage Notes
Related Information
MDC Generate (CSNBMDG or CSNBMDG1 and CSNEMDG or CSNEMDG1)
Choosing Between CSNBMDG and CSNBMDG1
Format
Parameters
Usage Notes
One-Way Hash Generate (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1)
Format
Parameters
Usage Notes
Symmetric MAC Generate (CSNBSMG or CSNBSMG1 and CSNESMG or CSNESMG1)
Choosing Between CSNBSMG and CSNBSMG1 or CSNESMG and CSNESMG1
Format
Parameters
Usage Notes
Symmetric MAC Verify (CSNBSMV or CSNBSMV1 and CSNESMV or CSNESMV1)
Choosing Between CSNBSMV and CSNBSMV1 or CSNESMV and CSNESMV1
Format
Parameters
Usage Notes
Financial Services
How Personal Identification Numbers (PINs) are Used
How VISA Card Verification Values Are Used
Translating Data and PINs in Networks
Working with Europay-MasterCard-Visa smart cards
PIN Callable Services
Generating a PIN
Encrypting a PIN
Generating a PIN Validation Value from an Encrypted PIN Block
Verifying a PIN
Translating a PIN
Algorithms for Generating and Verifying a PIN
Using PINs on Different Systems
PIN-Encrypting Keys
Derived Unique Key Per Transaction Algorithms
Encrypted PIN Translate
Encrypted PIN Verify
ANSI X9.8 PIN Restrictions
ANSI X9.8 PIN - Enforce PIN block restrictions
ANSI X9.8 PIN - Allow modification of PAN
ANSI X9.8 PIN - Allow only ANSI PIN blocks
ANSI X9.8 PIN - Use stored decimalization tables only
The PIN Profile
PIN Block Format
PIN Block Format and PIN Extraction Method Keywords
Enhanced PIN Security Mode
Format Control
Pad Digit
Recommendations for the Pad Digit
Current Key Serial Number
Decimalization Tables
Clear PIN Encrypt (CSNBCPE and CSNECPE)
Format
Parameters
Restrictions
Usage Notes
Clear PIN Generate (CSNBPGN and CSNEPGN)
Format
Parameters
Restrictions
Usage Notes
Related Information
Clear PIN Generate Alternate (CSNBCPA and CSNECPA)
Format
Parameters
Restrictions
Usage Notes
CVV Key Combine (CSNBCKC and CSNECKC)
Format
Parameters
Restrictions
Usage Notes
Encrypted PIN Generate (CSNBEPG and CSNEEPG)
Format
Parameters
Restrictions
Usage Notes
Encrypted PIN Translate (CSNBPTR and CSNEPTR)
Format
Parameters
Restrictions
Usage Notes
Encrypted PIN Verify (CSNBPVR and CSNEPVR)
Format
Parameters
Restrictions
Usage Notes
Related Information
PIN Change/Unblock (CSNBPCU and CSNEPCU)
Format
Parameters
Usage Notes
Secure Messaging for Keys (CSNBSKY and CSNESKY)
Format
Parameters
Usage Notes
Secure Messaging for PINs (CSNBSPN and CSNESPN)
Format
Parameters
Usage Notes
SET Block Compose (CSNDSBC and CSNFSBC)
Format
Parameters
Restrictions
Usage Notes
SET Block Decompose (CSNDSBD and CSNFSBD)
Format
Parameters
Restrictions
Usage Notes
Transaction Validation (CSNBTRV and CSNETRV)
Format
Parameters
Usage Notes
VISA CVV Service Generate (CSNBCSG and CSNECSG)
Format
Parameters
Restrictions
Usage Notes
VISA CVV Service Verify (CSNBCSV and CSNECSV)
Format
Parameters
Restrictions
Usage Notes
Using Digital Signatures
Digital Signature Generate (CSNDDSG and CSNFDSG)
Format
Parameters
Restrictions
Usage Notes
Digital Signature Verify (CSNDDSV and CSNFDSV)
Format
Parameters
Restrictions
Usage Notes
Managing PKA Cryptographic Keys
PKA Key Generate (CSNDPKG and CSNFPKG)
Format
Parameters
Restrictions
Usage Notes
PKA Key Import (CSNDPKI and CSNFPKI)
Format
Parameters
Restrictions
Usage Notes
PKA Key Token Build (CSNDPKB and CSNFPKB)
Format
Parameters
Usage Notes
PKA Key Token Change (CSNDKTC and CSNFKTC)
Format
Parameters
Usage Notes
PKA Key Translate (CSNDPKT and CSNFPKT)
Format
Parameters
Restrictions
Usage Notes
PKA Public Key Extract (CSNDPKX and CSNFPKX)
Format
Parameters
Usage Notes
Retained Key Delete (CSNDRKD and CSNFRKD)
Format
Parameters
Usage Notes
Retained Key List (CSNDRKL and CSNFRKL)
Format
Parameters
Usage Notes
Key Data Set Management
CKDS Key Record Create (CSNBKRC and CSNEKRC)
Format
Parameters
Restrictions
Usage Notes
CKDS Key Record Create2 (CSNBKRC2 and CSNEKRC2)
Format
Parameters
Usage Notes
CKDS Key Record Delete (CSNBKRD and CSNEKRD)
Format
Parameters
Restrictions
Usage Notes
CKDS Key Record Read (CSNBKRR and CSNEKRR)
Format
Parameters
Restrictions
Usage Notes
CKDS Key Record Read2 (CSNBKRR2 and CSNEKRR2)
Format
Parameters
Usage Notes
CKDS Key Record Write (CSNBKRW and CSNEKRW)
Format
Parameters
Restrictions
Usage Notes
Related Information
CKDS Key Record Write2 (CSNBKRW2 and CSNEKRW2)
Format
Parameters
Usage Notes
Coordinated KDS Administration (CSFCRC and CSFCRC6)
Format
Parameters
Usage Notes
PKDS Key Record Create (CSNDKRC and CSNFKRC)
Format
Parameters
Usage Notes
PKDS Key Record Delete (CSNDKRD and CSNFKRD)
Format
Parameters
Restrictions
Usage Notes
PKDS Key Record Read (CSNDKRR and CSNFKRR)
Format
Parameters
Usage Notes
PKDS Key Record Write (CSNDKRW and CSNFKRW)
Format
Parameters
Restrictions
Usage Notes
Utilities
Character/Nibble Conversion (CSNBXBC and CSNBXCB)
Format
Parameters
Usage Notes
Code Conversion (CSNBXEA and CSNBXAE)
Format
Parameters
Usage Notes
ICSF Query Algorithm (CSFIQA and CSFIQA6)
Format
Parameters
Usage Notes
ICSF Query Facility (CSFIQF and CSFIQF6)
Format
Parameters
Usage Notes
X9.9 Data Editing (CSNB9ED)
Format
Parameters
Usage Notes
Trusted Key Entry Workstation Interfaces
PCI Interface Callable Service (CSFPCI and CSFPCI6)
Format
Parameters
Usage Notes
PKSC Interface Callable Service (CSFPKSC)
Format
Parameters
Usage Notes
Managing Keys According to the ANSI X9.17 Standard
ANSI X9.17 EDC Generate (CSNAEGN and CSNGEGN)
Format
Parameters
Usage Notes
ANSI X9.17 Key Export (CSNAKEX and CSNGKEX)
Format
Parameters
Usage Notes
ANSI X9.17 Key Import (CSNAKIM and CSNGKIM)
Format
Parameters
Usage Notes
ANSI X9.17 Key Translate (CSNAKTR and CSNGKTR)
Format
Parameters
Usage Notes
ANSI X9.17 Transport Key Partial Notarize (CSNATKN and CSNGTKN)
Format
Parameters
Usage Notes
PKCS #11 Callable Services
Using PKCS #11 Tokens and Objects
PKCS #11 Derive multiple keys (CSFPDMK and CSFPDMK6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Derive key (CSFPDVK and CSFPDVK6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Get attribute value (CSFPGAV and CSFPGAV6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Generate key pair (CSFPGKP and CSFPGKP6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Generate secret key (CSFPGSK and CSFPGSK6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Generate HMAC (CSFPHMG and CSFPHMG6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Verify HMAC (CSFPHMV and CSFPHMV6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 One-way hash, sign, or verify (CSFPOWH and CSFPOWH6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Private key sign (CSFPPKS and CSFPPKS6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Public key verify (CSFPPKV and CSFPPKV6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Pseudo-random function (CSFPPRF and CSFPPRF6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Set attribute value (CSFPSAV and CSFPSAV6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Secret key decrypt (CSFPSKD and CSFPSKD6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Secret key encrypt (CSFPSKE and CSFPSKE6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Token record create (CSFPTRC and CSFPTRC6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Token record delete (CSFPTRD and CSFPTRD6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Token record list (CSFPTRL and CSFPTRL6)
Format
Parameters
Authorization
Usage Notes
PKCS #11 Unwrap key (CSFPUWK and CSFPUWK6)
Format
Parameters
Authorization
PKCS #11 Wrap key (CSFPWPK and CSFPWPK6)
Format
Parameters
Authorization
Appendixes
Appendix A. ICSF and TSS Return and Reason Codes
Return Codes and Reason Codes
Return Codes
Reason Codes for Return Code 0 (0)
Reason Codes for Return Code 4 (4)
Reason Codes for Return Code 8 (8)
Reason Codes for Return Code C (12)
Reason Codes for Return Code 10 (16)
Appendix B. Key Token Formats
AES Key Token Formats
AES Internal Key Token
Token Validation Value
DES Key Token Formats
DES Internal Key Token
DES External Key Token
External RKX DES Key Token
DES Null Key Token
Variable-length Symmetric Key Token Formats
Variable-length Symmetric Key Token
Variable-length Symmetric Null Key Token
PKA Key Token Formats
PKA Null Key Token
RSA Key Token Formats
RSA Public Key Token
RSA Private External Key Token
RSA Private Key Token, 1024-bit Modulus-Exponent External Form
RSA Private Key Token, 4096-bit Modulus-Exponent External Form
RSA Private Key Token, 4096-bit Chinese Remainder Theorem External Form
RSA Private Internal Key Token
RSA Private Key Token, 1024-bit Modulus-Exponent Internal Form for Cryptographic Coprocessor Feature
RSA Private Key Token, 1024-bit Modulus-Exponent Internal Form for PCICC, PCIXCC, CEX2C, or CEX3C
RSA Private Key Token, 4096-bit Chinese Remainder Theorem Internal Form
DSS Key Token Formats
DSS Public Key Token
DSS Private External Key Token
DSS Private Internal Key Token
ECC Key Token Format
Associated Data Format for ECC Token
AESKW Wrapped Payload Format for ECC Private Key Token
Trusted Block Key Token
Trusted block sections
Trusted block integrity
Number representation in trusted blocks
Format of trusted block sections
Trusted block section X'11'
Trusted block section X'12'
Trusted block section X'13'
Trusted block section X'14'
Trusted block section X'15'
Appendix C. Control Vectors and Changing Control Vectors with the CVT Callable Service
Control Vector Table
Specifying a Control-Vector-Base Value
Changing Control Vectors with the Control Vector Translate Callable Service
Providing the Control Information for Testing the Control Vectors
Mask Array Preparation
Selecting the Key-Half Processing Mode
When the Target Key Token CV Is Null
Control Vector Translate Example
Appendix D. Coding Examples
C
COBOL
Assembler H
PL/1
Appendix E. Using ICSF with BSAFE
Some BSAFE Basics
Computing Message Digests and Hashes
Generating Random Numbers
Encrypting and Decrypting with DES
Generating and Verifying RSA Digital Signatures
Encrypting and Decrypting with RSA
Using the New Function Calls in Your BSAFE Application
Using the BSAFE KI_TOKEN
ICSF Triple DES via BSAFE
Retrieving ICSF Error Information
Appendix F. Cryptographic Algorithms and Processes
PIN Formats and Algorithms
PIN Notation
PIN Block Formats
ANSI X9.8
ISO Format 1
ISO Format 2
VISA Format 2
VISA Format 3
IBM 4700 Encrypting PINPAD Format
IBM 3624 Format
IBM 3621 Format
ECI Format 2
ECI Format 3
PIN Extraction Rules
Encrypted PIN Verify Callable Service
Clear PIN Generate Alternate Callable Service
Encrypted PIN Translate Callable Service
PIN Change/Unblock Callable Service
IBM PIN Algorithms
3624 PIN Generation Algorithm
German Banking Pool PIN Generation Algorithm
PIN Offset Generation Algorithm
3624 PIN Verification Algorithm
German Banking Pool PIN Verification Algorithm
VISA PIN Algorithms
PVV Generation Algorithm
PVV Verification Algorithm
Interbank PIN Generation Algorithm
Cipher Processing Rules
CBC and ANSI X3.106
ANSI X9.23 and IBM 4700
Segmenting
Cipher Last-Block Rules
CUSP
The Information Protection System (IPS)
PKCS Padding Method
PKCS Padding Method (Example 1)
PKCS Padding Method (Example 2)
Wrapping Methods for Symmetric Key Tokens
ECB Wrapping of DES Keys (Original Method)
CBC Wrapping of AES Keys
Enhanced CBC Wrapping of DES Keys (Enhanced Method)
Wrapping key derivation for enhanced wrapping of DES keys
Variable length token (AESKW method)
PKA92 Key Format and Encryption Process
ANSI X9.17 Partial Notarization Method
Partial Notarization
Notations Used in the Calculations
Partial Notarization Calculation for a Double-Length AKEK
Partial Notarization Calculation for a Single-Length AKEK
Transform CDMF Key Algorithm
Formatting Hashes and Keys in Public-Key Cryptography
ANSI X9.31 Hash Format
PKCS #1 Formats
Visa and EMV-related smart card formats and processes
Deriving the smart-card-specific authentication code
Constructing the PIN-block for transporting an EMV smart-card PIN
Deriving the CCA TDES-XOR session key
Deriving the EMV TDESEMVn tree-based session key
PIN-block self-encryption
Key Test Verification Pattern Algorithms
DES Algorithm (single- and double-length keys)
SHAVP1 Algorithm
Appendix G. EBCDIC and ASCII Default Conversion Tables
Appendix H. Access Control Points and Callable Services
Callable Service Access Control Points
Glossary
Index
Copyright IBM Corporation 1990, 2014