IBM 2 Computer Hardware User Manual
CCA Release 2.54
You provide or identify the operational transport key (key-encrypting key) and the
encrypted private key with its associated public key to the import service. The
service will return the private key encrypted under the current asymmetric
master-key along with the public key.
The Coprocessor is designed to generate and employ RSA CRT-form keys having
p > q. If you import a private key having q > p, the key is accepted. However,
each time that you use such a key, your application incurs substantial overhead
because the inverse quantity U must be recalculated. (See Figure B-12 on page
B-14 for the components of an RSA CRT key.)
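The following added example (not CCA code, and not from this manual) shows how an application can normalise an imported CRT-form key to the p > q orientation once, at import time, so the recalculation is not paid on every use. It assumes the usual CRT coefficient U = q^-1 mod p and uses constructed toy-sized primes.

```python
from dataclasses import dataclass

@dataclass
class CrtKey:
    """RSA CRT private key as a set of integers (toy model of the CCA token)."""
    n: int; e: int; p: int; q: int; dp: int; dq: int; u: int

def crt_components(p: int, q: int, e: int) -> CrtKey:
    """Derive dp, dq and U for primes p, q and public exponent e.
    Assumption: U = q^-1 mod p, the usual CRT coefficient."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return CrtKey(n=p * q, e=e, p=p, q=q,
                  dp=d % (p - 1), dq=d % (q - 1), u=pow(q, -1, p))

def coefficient_is_consistent(key: CrtKey) -> bool:
    """Check that U really is q^-1 mod p for the key's current (p, q)."""
    return (key.q * key.u) % key.p == 1

def normalize_p_gt_q(key: CrtKey) -> tuple[CrtKey, bool]:
    """Return a key with p > q, swapping the primes and recomputing U once
    if the imported key has q > p. The second value reports whether a swap
    happened. dp and dq simply change places; only U needs a new inversion."""
    if key.p > key.q:
        return key, False
    swapped = CrtKey(n=key.n, e=key.e, p=key.q, q=key.p,
                     dp=key.dq, dq=key.dp, u=pow(key.p, -1, key.q))
    return swapped, True

def crt_decrypt(key: CrtKey, c: int) -> int:
    """Textbook CRT private-key operation (Garner reconstruction)."""
    m1 = pow(c, key.dp, key.p)
    m2 = pow(c, key.dq, key.q)
    h = (key.u * (m1 - m2)) % key.p
    return m2 + h * key.q

if __name__ == "__main__":
    # Constructed example: an imported key whose primes arrive as q > p.
    imported = crt_components(p=53, q=61, e=17)
    fixed, swapped = normalize_p_gt_q(imported)
    c = pow(65, fixed.e, fixed.n)
    print("swapped:", swapped, "p > q:", fixed.p > fixed.q,
          "U consistent:", coefficient_is_consistent(fixed),
          "round trip ok:", crt_decrypt(fixed, c) == 65)
```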
Reenciphering a Private Key Under an Updated Master-Key
When the asymmetric master-key at a CCA node is changed, operational keys
such as RSA private keys enciphered under that master-key must be securely
decrypted from under the preexisting master-key and enciphered under the
replacement master-key. You can accomplish this task using the
PKA_Key_Token_Change verb.
After the preexisting asymmetric master-key has become the old master-key and
the replacement master-key has become the current master-key, you use the
PKA_Key_Token_Change verb to reencipher the private key.
Using the PKA Keys
The public-private keys that you create (generate) or import can be used in these
services:
For private keys:
  Digital_Signature_Generate
  PKA_Symmetric_Key_Import
  SET_Block_Decompose
  PKA_Decrypt
  Master_Key_Distribution
For public keys:
  Digital_Signature_Verify
  PKA_Symmetric_Key_Export
  PKA_Symmetric_Key_Generate
  SET_Block_Compose
  PKA_Encrypt
  Master_Key_Distribution
You must arrange appropriate protection for the private key. A CCA node can help
ensure that the key will remain confidential. However, you must ensure that the
master key and any transport keys are protected, for example, through
split-knowledge, dual-control procedures. Or, you can choose to retain the private
key in the secure cryptographic-engine.
Besides the confidentiality of the private key, you must also ensure that only
authorized applications can use the private key. You can hold the private key in
application-managed storage and pass the key to the cryptographic services as
required. This will generally limit the access other applications might have to the
key. In systems with an access monitor, such as RACF on MVS systems, it is
possible to associate a key name with the private key and have use of the key
name authorized by the access monitor.
Chapter 3. RSA Key-Management 3-5