IBM Support

OA46466: NEW FUNCTION - DK PIN METHODS SERVICE UPDATES

A fix is available


APAR status

  • Closed as new function.

Error description

  • New function for the DK PIN method support in ICSF:
    - New key derivation algorithms for the Diversified Key
      Generate2 callable service.
    - Key management support for new AES secure messaging keys.
    - Support for AES diversified key-generating keys to derive AES
      secure messaging keys.
    - Additional key-derivation sequence levels for AES diversified
      key-generating keys.
    - Support for AES secure messaging and MAC keys for the DK PIN
      Change service.
    - AES CIPHER key type enhanced to allow any mode of encryption.
    - Support for a MAC of length 8 for AES in MAC Verify2
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of the German Banking Industry         *
    *                 Committee PIN methods                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: Enhancement to ICSF to provide          *
    *                      additional support for the German       *
    *                      Banking Industry Committee PIN method.  *
    *                      New key derivation methods for          *
    *                      Diversified Key Generate2, key          *
    *                      management support for new AES secure   *
    *                      messaging keys, additional              *
    *                      key-derivation sequence levels for AES  *
    *                      diversified key-generating keys, and    *
    *                      support for AES secure messaging, MAC   *
    *                      keys for the DK PIN Change service,     *
    *                      AES CIPHER keys allowing any mode       *
    *                      of encryption, and support for          *
    *                      a MAC of length 8 for AES for           *
    *                      MAC Verify2.                            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    New support for the German Banking Industry Committee (Deutsche
    Kreditwirtschaft (DK)) PIN method.
    
    - New key derivation rules for the Diversified Key Generate2
      (CSNBDKG2 and CSNEDKG2) callable service.
    
       KDFFM-DK
    
         Specifies to use the DK version of Key Derivation Function
         in Feedback Mode to generate a bank-specific Issuer Master
         Key. The generated Issuer Master Key (keying material) can
         be used to derive an ICC master key.
    
       MK-OPTC
    
         Specifies to use the EMV Master Key Derivation Option C to
         generate an ICC master key. The generated ICC master key
         (keying material) can be used for Application Cryptogram
         generation or verification, issuer authentication, and
         secure messaging.
    
    New access control points added for this support.
    
    DD   disabled by default in the domain role
    ED   enabled by default in the domain role
    
    Access control point name             Callable Service   Usage
    ------------------------------------- ------------------ -----
    Diversified Key Generate2   KDFFM-DK  CSNBDKG2/CSNEDKG2   ED
    Diversified Key Generate2   MK-OPTC   CSNBDKG2/CSNEDKG2   ED
    Diversified Key Generate2 -
       Allow length option with KDFFM-DK  CSNBDKG2/CSNEDKG2   DD
    
    - Key Token Build2 (CSNBKTB2 and CSNEKTB2) callable service has
      been updated to support AES secure messaging keys. The new key
      type is SECMSG and new rule array keywords for key usage have
      been added.
    
       ANY-USE    - no restriction for services to use this key
       DPC-ONLY   - this key can only be used with the DK PIN
                    Change service
       SMPIN      - enable the encryption of PINs in an EMV secure
                    message
    
    - The following services have been updated to support AES
      SECMSG keys:
         Key Test2 (CSNBKYT2 and CSNEKYT2)
         Key Translate2 (CSNBKTR2 and CSNEKTR2)
         Restrict Key Attribute (CSNBRKA and CSNERKA)
    
    - Key Token Build2 callable service has been updated to support
      the derivation of AES secure messaging keys by AES diversified
      key-generating keys. A new key usage keyword for DKYGENKY has
      been added:
    
      D-SECMSG  - Specifies that this key can derive an AES SECMSG
                  key
    
    - Key Token Build2 callable service has been updated to support
      DKYL1 and DKYL2 key-derivation sequence levels for the AES
      DKYGENKY key type. New key usage keywords have been added.
    
      DKYL1 - generate a Level 0 diversified key with key type
              DKYGENKY.
      DKYL2 - generate a Level 1 diversified key with key type
              DKYGENKY.
    
    - KGUP has been updated to support the new key-derivation
      sequence levels for the AES DKYGENKY key type and the
      derivation of AES secure messaging keys.
    
    - DK PIN Change (CSNBDPC and CSNEDPC) callable service has
      been enhanced to support AES keys for the
      script_key_identifier and script_MAC_key_identifier
      parameters. New rule array keywords have been added for
      this support:
    
      AES-CBC   - Script selection algorithm and method keyword
                  indicates that the AES algorithm will be used and
                  the script_key_identifier must be an AES
                  secure messaging key.
    
      CMAC      - MAC ciphering method keyword indicates that the
                  script_MAC_key_identifier must be an AES MAC key.
    
    - Key Token Build2 callable service has been updated to
      support ANY-MODE encryption mode keyword for the AES CIPHER
      key type. ANY-MODE allows the CIPHER key to be used with any
      encryption mode in a callable service.
    
    - MAC Verify2 (CSNBMVR2 and CSNEMVR2) callable service has been
      enhanced to allow a length of 8 or 16 for the reference MAC when
      verifying an AES MAC.
    
    D/T2827
    D/T2828
    E2964/K
    

Problem conclusion

Temporary fix

Comments

  • A description of the enhancements for this APAR is documented
    in a PDF file, OA46466.pdf, available at
    ftp://public.dhe.ibm.com/eserver/zseries/zos/icsf/pdf/OA46466.pdf
    
    All of the enhancements included in this APAR will also be
    documented in the next release of the following ICSF
    publications:
    
         ICSF Application Programmer's Guide     SC14-7508
         ICSF Administrator's Guide              SC14-7506
    

APAR Information

  • APAR number

    OA46466

  • Reported component name

    ICSF/MVS

  • Reported component ID

    568505101

  • Reported release

    7A0

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2014-11-05

  • Closed date

    2015-06-23

  • Last modified date

    2015-07-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA77841 UA77843 UA77842

Modules/Macros

  • CSFDDFRL CSFDDMRL CSFKG300 CSFNCAPG CSFNCCT2
    CSFNCDCG CSFNCDDG CSFNCDG2 CSFNCDMP CSFNCDNU CSFNCDPC CSFNCDPM
    CSFNCDPT CSFNCDPV CSFNCDRG CSFNCDRP CSFNCEDH CSFNCHMG CSFNCHMV
    CSFNCKG2 CSFNCKT2 CSFNCKY2 CSFNCPCI CSFNCPKG CSFNCPKI CSFNCPKT
    CSFNCRKA CSFNCSAD CSFNCSAE CSFNCSK2 CSFNCSXD CSFNCSYX CSFNCSY2
    CSFVCKB2 CSFVCKW2
    

Publications Referenced

  • SC147508XX SC147506XX SA22752117 SA22752216

Fix information

  • Fixed component name

    ICSF/MVS

  • Fixed component ID

    568505101

Applicable component levels

  • R7A0 PSY UA77841

       UP15/06/26 P F506

  • R7A1 PSY UA77842

       UP15/06/26 P F506

  • R7B0 PSY UA77843

       UP15/06/26 P F506

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 July 2015