IBM 2 Computer Hardware User Manual


  Open as PDF
of 508
 
CCA Release 2.54
┌──────────────┐ ┌──────────────┐
Operational Key to Be Imported Operational
Form of Key Exported Key Form of Key
at Node A └──────┬───────┘ └─────────────┘ at Node B
││
││
┌───────────────────────────│──────┐ ┌──────│───────────────────────────┐
│Key_Export ┌────────┐ ┌────┴────┐ Key_Import
│ │Multiply-│ │Multiply-│ │
│ Symmetric Master Key─Decipher │ │ │ │Encipher ──Symmetric Master Key│
│ └────┬────┘ └────────┘ │
│ ┌────────┐ ┌────┴────┐ │
│ Exporter │Multiply-│ │ │ │Multiply-│ Importer
│ Key-Encrypting Key ──Encipher │ │ │ │Decipher ──Key-Encrypting Key
│ └────┬────┘ └────────┘ │
└───────────────────────────│──────┘ └──────│───────────────────────────┘
││
││
│ ┌──────────────┐ │
└── External Key ├──┘
└──────────────┘
Figure 5-9. Key Exporting and Importing
Exporting and Importing Keys, Asymmetric Techniques
You can also distribute a DES key from one node to another node by “wrapping”
(encrypting) the DES key in the public key of the receiver (IMPORTER). CCA
provides two services for wrapping the DES key in the public key of the recipient:
PKA_Symmetric_Key_Export
PKA_Symmetric_Key_Generate
and you use the PKA_Symmetric_Key_Import verb to unwrap the transported key
using the recipient's matching private key.
Several techniques for formatting the key to be distributed are in common use and
are supported by the verbs. The verbs support processing of default DATA keys.
PKA_Symmetric_Key_Generate and PKA_Symmetric_Key_Import can also be used
to exchange a DES key-encrypting-key.
DATA keys can be exchanged with CCA and non-CCA implementations using two
methods defined in the RSA PKCS #1 v2.0 standard:
RSAES-OAEP
RSAES-PKCS-v1_5.
Key-encrypting keys can be exchanged between CCA implementations using the
“PKA92” formatting method. PKA92 is an OAEP formatting method.
The formatting methods are discussed in “Formatting Hashes and Keys in
Public-Key Cryptography” on page D-19.
Diversifying Keys
CCA supports several methods for diversifying a key using the
Diversified_Key_Generate verb. Key-diversification is a technique often used in
working with smart cards. In order to secure interactions with a population of
cards, a “key-generating key” is used with some data unique to a card to derive
(“diversify”) a key(s) for use with that card. The data is often the card serial
number or other quantity stored on the card. The data is often public, and
Chapter 5. DES Key-Management 5-19
 previous next