CCA Release 2.54
A key that is multiply-enciphered under the master key is an operational key (OP).
The key is operational because a cryptographic facility can use the master key to
multiply-decipher it to obtain the original key-value. A key that is
multiply-enciphered under a key-encrypting key (other than the master key) is
called an external key. Two types of external keys are used at a cryptographic
node:
- An importable key (IM) is enciphered under an operational key-encrypting key
  (KEK) whose control vector provides key-importing authority.
- An exportable key (EX) is enciphered under an operational KEK whose control
  vector provides key-exporting authority.
Control Vectors
The CCA cryptographic commands form a complete, consistent, secure command
set that performs within tamper-resistant hardware. The cryptographic commands
use a set of distinct key types that provide a secure cryptographic system that
blocks many attacks that can be directed against it.
CCA implementations use a control vector to separate keys into distinct key types
and to further restrict the use of a key. A control vector is a non-secret value that
is carried in the clear in the key token along with the encrypted key that it specifies.
A control vector is cryptographically associated with a key by being exclusive-ORed
with a master key or another key-encrypting key to form the variant key that is
used to multiply-encipher or multiply-decipher the key being associated with the
control vector. This permanently binds the key's type and permitted uses to the
key-value itself: any change to the original control vector results in a different
(altered) key-value being recovered later. If the control vector used to decipher a
key differs from the control vector that was used to encipher the same key, the
correct clear key cannot be recovered. The key-encipherment processes are described in detail at “CCA Key
Encryption and Decryption Processes” on page C-12.
After a key is multiply-enciphered, the originator of the key can ensure that the
intended use of the key is preserved by giving the key-encrypting key only to a
system that implements the CCA control vector design and that is managed by an
audited organization.
Key-encrypting keys in CCA are double-length keys. A double-length DES key
consists of two (single-length) 56-bit DES keys that are used together as one key.
The first half (left half) of a double-length key, and all of a single-length key, are
multiply-enciphered using the exclusive-OR of the encrypting key and the control
vector. The second half (right half) of a double-length key is multiply-enciphered
using the exclusive-OR of the encrypting key and a modification of the control
vector; the modification consists of the reversal of control vector bits 41 and 42.
Appendix C, “CCA Control-Vector Definitions and Key Encryption” provides detailed
information about the construction of a control-vector value and the process for
encrypting a CCA DES key.
5-4 IBM 4758 CCA Basic Services, Release 2.54, February 2005