Filter
Top Products
CCA Release 2.54
restricted key usage. These systems can determine if a requesting process has
the right to use the particular key name that is cryptographicly bound to the private
key. You specify such a key name when you build the skeleton_key_token in the
PKA_Key_Token_Build verb.
For RSA keys, you decide if the key should be returned in modular-exponent form
or in Chinese-Remainder-Theorem (CRT) form. Generally the CRT form performs
faster in services that use the private key. This decision is represented by the form
of the private key that you indicate in the skeleton_key_token. You can reuse an
existing key-token having the desirable properties, or you can build the
skeleton_key_token with the PKA_Key_Token_Build verb. Note that certain
implementations such as the IBM zSeries (S/390) server CMOS Cryptographic
Coprocessor feature (CCF) cannot employ a private key in the CRT form generated
by the PKA_Key_Generate verb. (The PCICC feature on the zSeries does support
use of the generated CRT key.)
For RSA keys, you also decide if the public exponent should be valued to three,
2
16
+1, or fully random. Also, in the PKA_Key_Token_Build verb you can indicate
that the key should be usable for both digital signature signing and symmetric key
exchange (KEY-MGMT), or you can indicate that the key should be usable only for
digital signature signing (SIG-ONLY), or only key decryption (KM-ONLY).
The key can be generated as a random value, or the key can be generated based
on a seed derived from regeneration data provided by the application program.
You can also have a newly generated public key “certified” by a private key held
within the Coprocessor. You can obtain a self-signature, and/or a signature(s) from
another key. To obtain these signature/certificates, you must extend the skeleton
key-token yourself as this support is not provided by the PKA_Key_Token_Build
verb.
The formats of the key tokens are described in “RSA PKA Key-Tokens” on
page B-6. The key tokens are a concatenation of several “sections” with each
section providing information pertaining to the key. All of the described formats can
be input to the Version 2 support, but only selected formats are output by Version 2
support.
Key Import
To be secure and useful in services, a private key must be enciphered by an
asymmetric master-key on the CCA node where it will be used.
1
You can use the
PKA_Key_Import verb to get a private key deciphered from a transport key and
enciphered by the asymmetric master-key. Also, you can get a clear
(unenciphered) private key enciphered by the master key using the
PKA_Key_Import verb.
The public and private keys must be presented in a PKA external key-token (see
“RSA PKA Key-Tokens” on page B-6). You can use the PKA_Key_Token_Build
verb to structure the key into the proper token format.
1
Of course a private key generated as a retained private-key is also secure, but in this case PKA_Key_Import does not apply.
3-4 IBM 4758 CCA Basic Services, Release 2.54, February 2005