CCA Release 2.54 Key_Part_Import
of one bits, and there are no other problems, the verb will return reason code 2. Use of the ADD-PART keyword requires that the Add Key Part command be enabled in the access-control system. The key-part bit remains on in the control vector of the updated key token returned from the verb.

With the COMPLETE keyword, the key-part bit is set off in the control vector of the updated key token returned from the verb. Use of the COMPLETE keyword requires that the Complete Key Part command be enabled in the access-control system. The 16-byte key_part variable must be declared but will be ignored by the Coprocessor.
Notes:
1. If your input creates a key value with one or more bytes with an even number of one bits, that is an out-of-parity key, and the verb returns a reason-code value of 2. Many verbs check the parity of keys and, if the key does not have odd parity in each key-byte, may return a warning or may terminate without performing the requested operation. In general, out-of-parity DATA keys are tolerated.
2. You can enforce a dual-control, split-knowledge security policy by employing the FIRST, ADD-PART, and COMPLETE keywords. See “Required Commands” on page 5-57. New applications should employ the ADD-PART and COMPLETE keywords in lieu of the MIDDLE and LAST keywords in order to ensure a separation of responsibilities between someone who can add key-part information and someone who can declare that appropriate information has been accumulated in a key. Consider using the Key_Test verb to ensure a correct key-value has been accumulated prior to using the COMPLETE option to mark the key as fully operational.
Restrictions
A “replicated key-halves” key (both cleartext halves of a double-length key are equal) performs like a single-length DES key and is therefore weaker than a double-length key with unequal halves. Note that key parity bits are ignored.

When the Unrestrict Combine Key Parts command (offset X'027A') is turned off in the active role, and when the key information decrypted from the key token is a double-length key and has other than all-zero key bits (parity bits are ignored), the halves of the key decrypted from the source key-token and the halves of the updated key are inspected. The updated key is returned only if the halves of the source key and the halves of the updated key are either both equal or both unequal. When the equality of the key-halves of the resulting accumulated key represents a change from the equality of the source-key halves, the verb terminates with return code 8 and reason code 2062.
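As an added illustration (not code from the IBM manual), the following C models the two checks this section describes for a double-length key: the per-byte odd-parity check behind reason code 2, and the replicated-key-halves restriction behind return code 8, reason code 2062. It assumes, as CCA does, that key parts are combined by exclusive-OR, and it assumes the parity warning carries return code 0; the function and struct names are the example's own.

```c
#include <stdint.h>
#include <string.h>
#define KEY_LEN  16    /* double-length DES key: two 8-byte halves */
#define KEY_BITS 0xFE  /* masks off bit 0 of each byte, the DES parity bit */
typedef struct { int return_code; int reason_code; } cca_result;

/* DES convention: every key byte must contain an odd number of one bits. */
int key_has_odd_parity(const uint8_t *key, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        int ones = 0;
        for (uint8_t b = key[i]; b; b >>= 1) ones += b & 1;
        if (!(ones & 1)) return 0;
    }
    return 1;
}

/* Compares the two halves on key bits only; parity bits are ignored. */
int halves_equal(const uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < KEY_LEN / 2; i++)
        if ((key[i] & KEY_BITS) != (key[i + KEY_LEN / 2] & KEY_BITS)) return 0;
    return 1;
}

int key_bits_all_zero(const uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < KEY_LEN; i++) if (key[i] & KEY_BITS) return 0;
    return 1;
}

/* Model of ADD-PART: XOR 'part' into the cleartext 'source' key (assumption: CCA
 * combines parts by XOR), then apply the replicated-key-halves restriction;
 * 'unrestrict' models the Unrestrict Combine Key Parts command (offset X'027A'). */
cca_result add_key_part(const uint8_t source[KEY_LEN], const uint8_t part[KEY_LEN],
                        int unrestrict, uint8_t updated[KEY_LEN])
{
    cca_result r = { 0, 0 };
    for (size_t i = 0; i < KEY_LEN; i++) updated[i] = source[i] ^ part[i];
    /* Inspected only when the command is off and the source key bits are not all zero. */
    if (!unrestrict && !key_bits_all_zero(source) &&
        halves_equal(source) != halves_equal(updated)) {
        memset(updated, 0, KEY_LEN);      /* the updated key is not returned */
        r.return_code = 8; r.reason_code = 2062;
    } else if (!key_has_odd_parity(updated, KEY_LEN)) {
        r.reason_code = 2;                /* out-of-parity warning; return code 0 assumed */
    }
    return r;
}
```

A first part imported into an all-zero source passes the restriction untouched; a later part that turns a replicated key into one with unequal halves (or the reverse) is rejected unless the Unrestrict Combine Key Parts command is on.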
Format
CSNBKPI
return_code        Output     Integer
reason_code        Output     Integer
exit_data_length   In/Output  Integer
exit_data          In/Output  String        exit_data_length bytes
rule_array_count   Input      Integer       one
rule_array         Input      String array  rule_array_count * 8 bytes
key_part           Input      String        16 bytes
key_identifier     In/Output  String        64 bytes
Chapter 5. DES Key-Management
5-55