CCA Release 2.54 Diversified_Key_Generate
Diversified_Key_Generate (CSNBDKG)
Platform/Product    OS/2    AIX    Win NT/2000    OS/400
IBM 4758-2/23        X       X          X            X
The Diversified_Key_Generate verb generates a key as a function of a
key-generating key, a process rule, and data that you supply. The
key-generating-key key type lets you confine such keys to this verb, so that they
cannot be used in other verbs that might reveal the value of a diversified key (for
example, by enciphering the same diversification data with the generating key and
reading off the result).
This verb is especially useful for creating “diversified keys” for operating with
finance industry smart cards. Be sure to review “Diversifying Keys” on page 5-19.
To use the verb, specify the following:
- A rule-array keyword to select the diversification process.
- The operational key-generating key from which the diversified keys are
  generated. The control vector of the key-generating key determines the type of
  target key that is generated and, except for the SESS-XOR process, restricts
  the use of this key to the key-diversification process.
- The data, and its length, used in the diversification process.
- The operational key used to recover the data or, for processes that employ
  clear data, a null key-token.
- The generated-key key-token with a suitable control vector for receiving the
  diversified key. The specified process can restrict the type of generated key:
  - For the CLR8-ENC, TDESEMV2, TDESEMV4, and TDES-XOR processes, a null token
    may not be specified.
  - For the TDES-ENC or TDES-DEC processes, a null token may be specified.
  - For the SESS-XOR process, a null token must be specified.
The verb generates the diversified key and updates the generated-key key-token
with this value by the following procedure:
- Determines that it can support the process as requested by the rule-array
  keyword.
- Recovers the key-generating key and checks the control vector for the
  appropriate key-type and for usage in this verb.
- Determines that the length of the generating key is appropriate to the specified
  process.
- Determines that the control vector in the generated-key key-token is permissible
  for the specified process.
- Recovers the data-encrypting key and determines that its control vector is
  appropriate for the specified process.
- Decrypts the data, where the specified process requires it.
- Generates the key appropriate to the specified process.
- Does not adjust the parity of the derived key. (DES keys normally carry odd
  parity in every byte; check and, if required, adjust the parity of the derived
  key before using it.)
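The following Python model, added here as an illustration and not part of the IBM manual or the CCA code, walks through the parameter checks listed above and the input rules from the list that precedes them (supported rule-array keyword, key-generating-key type, generating-key length, null-token rule per process, target key type fixed by the generating key's control vector), then carries out the one process that needs no DES engine, SESS-XOR, and shows the parity caveat from the last step. The token layout, the `derives` field, the "8 or 16 bytes" length rule, and the reading of SESS-XOR as "XOR the data into the key, result keeps the key's type" are assumptions of this model, marked as such in the comments; the DES-based processes are validated but not derived.

```python
"""
Model of the checks Diversified_Key_Generate (CSNBDKG) makes before deriving a
key, of the SESS-XOR process, and of the DES parity the verb leaves unadjusted.
Illustration written for this page, not IBM code; fields and rules marked
"assumed" are simplifications.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class KeyToken:
    """Simplified key token: clear key bytes plus the control-vector fields used
    here. A real CCA token carries the key wrapped under the master key."""
    key_type: str                  # control-vector key type, e.g. "KEYGENKY", "DATA", "MAC"
    key: bytes                     # 8 (single-length) or 16 (double-length) DES key
    derives: Optional[str] = None  # KEYGENKY only: key type it may generate (assumed field)

# Whether the generated-key token may be null, exactly as the page lists it.
NULL_TOKEN_RULE = {
    "CLR8-ENC": "forbidden", "TDESEMV2": "forbidden", "TDESEMV4": "forbidden",
    "TDES-XOR": "forbidden", "TDES-ENC": "optional", "TDES-DEC": "optional",
    "SESS-XOR": "required",
}

class VerbError(ValueError):
    """Stands in for a non-zero CCA return code."""

def validate(process: str, kgk: KeyToken, data: bytes,
             out_token: Optional[KeyToken]) -> str:
    """Run the pre-derivation checks the page describes; return the key type the
    generated key will carry, or raise VerbError."""
    # The rule-array keyword must name a supported process.
    if process not in NULL_TOKEN_RULE:
        raise VerbError(f"unsupported process rule {process!r}")
    # Except for SESS-XOR the generating key must be a KEYGENKY, a type other verbs
    # refuse, so nobody can encipher the diversification data with it and read the key.
    if process != "SESS-XOR" and kgk.key_type != "KEYGENKY":
        raise VerbError(f"{process} needs a KEYGENKY generating key, got {kgk.key_type}")
    # Generating key must be a single- or double-length DES key (assumed length rule).
    if len(kgk.key) not in (8, 16):
        raise VerbError(f"generating key length {len(kgk.key)} not valid for {process}")
    # Null-token rules for the generated-key token, per the page.
    rule = NULL_TOKEN_RULE[process]
    if rule == "forbidden" and out_token is None:
        raise VerbError(f"{process}: generated-key token may not be null")
    if rule == "required" and out_token is not None:
        raise VerbError("SESS-XOR: generated-key token must be null")
    # The KGK control vector fixes the target type; a supplied token must agree.
    # Assumed: a SESS-XOR result keeps the type of the key it was derived from.
    target = kgk.key_type if process == "SESS-XOR" else kgk.derives
    if target is None:
        raise VerbError("KEYGENKY control vector names no target key type")
    if out_token is not None and out_token.key_type != target:
        raise VerbError(f"token type {out_token.key_type} not permitted; KGK derives {target}")
    # Assumed: SESS-XOR data is XORed into the key, so it must match the key length.
    if process == "SESS-XOR" and len(data) != len(kgk.key):
        raise VerbError("SESS-XOR data must be as long as the key")
    return target

def try_validate(process: str, kgk: KeyToken, data: bytes,
                 out_token: Optional[KeyToken]) -> str:
    """Same as validate(), but report the failure as text instead of raising."""
    try:
        return validate(process, kgk, data, out_token)
    except VerbError as exc:
        return f"ERROR: {exc}"

def sess_xor(kgk: KeyToken, data: bytes) -> KeyToken:
    """SESS-XOR process (assumed semantics): XOR the supplied data into the
    generating key. DES parity of the result is deliberately not adjusted."""
    target = validate("SESS-XOR", kgk, data, None)
    return KeyToken(target, bytes(k ^ d for k, d in zip(kgk.key, data)))

def has_odd_parity(key: bytes) -> bool:
    """True if every byte has odd parity, as a well-formed DES key does."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def adjust_parity(key: bytes) -> bytes:
    """Flip the low (parity) bit of each even-parity byte; the 56 effective bits
    per block are unchanged. A caller does this before using a derived key."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)

# Constructed example keys (the classic DES test key, which has odd parity).
EXAMPLE_KGK = KeyToken("KEYGENKY", bytes.fromhex("0123456789abcdeffedcba9876543210"),
                       derives="MAC")
EXAMPLE_BASE = KeyToken("DATA", bytes.fromhex("0123456789abcdef"))

if __name__ == "__main__":
    print(try_validate("CLR8-ENC", EXAMPLE_KGK, b"\0" * 8, None))
    print(try_validate("CLR8-ENC", EXAMPLE_KGK, b"\0" * 8, KeyToken("DATA", b"\0" * 8)))
    print(try_validate("CLR8-ENC", EXAMPLE_KGK, b"\0" * 8, KeyToken("MAC", b"\0" * 8)))
    # SESS-XOR with a counter of 1 changes only a parity bit: after parity adjustment
    # the "new" session key equals the base key. Data must land in the effective bits.
    sk = sess_xor(EXAMPLE_BASE, bytes.fromhex("0000000000000001"))
    print(sk.key.hex(), has_odd_parity(sk.key), adjust_parity(sk.key).hex())
```

The last two lines of the demonstration are the practical caveat behind "does not adjust the parity": XORing a small counter into the key touches only the low bit of the last byte, which is a DES parity bit, so once the caller restores odd parity the session key is identical to the base key. Diversification data has to reach the 56 effective bits of each block, and the derived key's parity should be checked before it is used.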
Chapter 5. DES Key-Management 5-35