CCA Release 2.54
master key or a key-encrypting key. If you are generating a DES asymmetric key-type, the verb will multiply-encipher the random number a second time with the “opposite” key-type control-vector. The verb restricts the combination of control vectors used for the two encipherments and also places restrictions on the use of master-key versus EXPORTER and IMPORTER encryption-key-types. This is done to ensure a secure, asymmetric key-distribution system.
The Key_Generate verb can also do the following:
– Generate one random number for a single-length key or one or two random numbers for a double-length key
– Update a key token or create a key token that contains the default control-vector values for the key type. If you update a key token, you can use your own control vector to add additional restrictions.
Before generating a key, consider how the key will be archived and recovered if unexpected events occur. Before using the Key_Generate verb, also consider the following aspects of key processing:
The use of the key determines the key type and can determine whether you create a key token with the default control-vector or a key token with your own updated control-vector that contains non-default restrictions.
If you update a key token, first use the Control_Vector_Generate and Key_Token_Build verbs to create the control vector and the key token, then use the Key_Generate verb to generate the key.
Where and when the key will be used determines the form of the key, whether the verb generates one key or a key-pair, and whether the verb multiply-enciphers each key for operational, import, or export use. The verb multiply-enciphers each key under a key that is formed by exclusive-ORing the control vector in the new or updated key-token with one of the following keys:
– The symmetric master-key. This is the operational (OP) key form.
– An IMPORTER key-encrypting-key. This is the external, importable (IM) key form.
– An EXPORTER key-encrypting-key. This is the external, exportable (EX) key form.
If a key will be used locally, it should be enciphered in the OP key form or IM key form. An IM key form can be saved on external media and imported when its use is required. Saving a key locally in the IM key form ensures that the key can be used if the symmetric master-key is changed between the time the key was generated and the time it is used. This allows you to maintain the IMPORTER key-encrypting-keys in operational form and to store keys that are not needed immediately on external media.
If a key will be used remotely (sent to another node), it should be enciphered in the EX key form under a local EXPORTER key. At the other node, the key will be imported under the paired IMPORTER key.
Use the SINGLE keyword for a key that should be single length. Use the SINGLE-R keyword for a double-length key that should perform as a single-length key; this is often required when such a key will be interchanged with a non-CCA system. Use the DOUBLE keyword for a double-length key.
Chapter 5. DES Key-Management 5-17