IBM 2 Computer Hardware User Manual
CCA Release 2.54
Using the Key-Processing and Key-Storage Verbs
Figure 5-8 on page 5-16 shows the key-processing and key-storage verbs and how
they relate to key parts, internal and external key-tokens, and key storage. Your
application programs can create keys with the Multiple_Clear_Key_Import,
Diversified_Key_Generate, Key_Generate, Key_Part_Import, Clear_Key_Import, and
Random_Number_Generate verbs.
CCA subsystems never reveal the clear value of an enciphered key, and they give
you significant control over how an encrypted key may be used. Simple key
distribution is addressed by the Cryptographic Node Management (CNM) utility,
which can read and write encrypted keys from and to key storage and can process
key parts with support for dual control of the parts. Application programs can
use the key-processing and key-storage verbs to implement a key-distribution
system of your own design.
The CNM utility and the Key_Part_Import, Clear_Key_Import,
Multiple_Clear_Key_Import, and Key_Test verbs allow you to install keys and to
verify that they were installed correctly.
Installing and Verifying Keys
To keep a key secret, you can install it as a series of key parts held by
different individuals. Each individual enters a key part either through an
application program that loads the part into the cryptographic facility with the
Key_Part_Import verb, or through the Cryptographic Node Management utility, which
accepts a key part from a keyboard or diskette.
Key parts are single or double in length, according to the type of key you are
accumulating. Parts are exclusive-ORed as they are accumulated, so knowledge of
one key-part value gives no knowledge of the final key when the key is composed
of more than one part. The partially accumulated key is stored outside the
cryptographic facility, enciphered under the symmetric master key, with the
key-part bit set in its control vector so that it cannot be used as a complete
key. When the last key part has been accumulated, the key-part bit is turned off
in the key's control vector.
A master-key key part is loaded into the new master-key register. The first
part replaces the contents of the register; each subsequent part is
exclusive-ORed with the existing contents. A separate command copies the
contents of the current master-key register to the old master-key register and
overwrites the current master-key register with the contents of the new
master-key register.
The commands to load (master) key parts must be individually authorized: the
active role must have the appropriate bits turned on for the Load First
(Master) Key Part command and for the Load and Combine (Master) Key Part
command.
You can use the Key_Test verb to generate a verification pattern for a key or
key part, and later use that pattern to test whether another key or key part has
the same value. An application program can use Key_Test to verify the contents
of a key register, an enciphered key, or an enciphered key part. The CNM utility
also includes services to generate and use key and key-part verification
patterns.
Although you never learn the value of the key or key part, you can test a key
register, key, or key part to confirm that it holds the expected value. Give the
verification pattern for the parts that should already be loaded to the
individual who will load the next part. If the pattern does not verify, that
individual (or the application) must not load the additional key part or set
the master key. This procedure ensures that only valid key parts are combined.
Chapter 5. DES Key-Management 5-15