PKA_Symmetric_Key_Import CCA Release 2.54
PKA_Symmetric_Key_Import (CSNDSYI)
Platform/Product    OS/2    AIX    Win NT/2000    OS/400
IBM 4758-2/23       X       X      X              X
The PKA_Symmetric_Key_Import verb recovers a symmetric DES (or CDMF) key
that has been enciphered under an RSA public key. The verb deciphers the
RSA-enciphered symmetric key with the corresponding RSA private key, then
multiply-enciphers the recovered DES key under the master key and a control vector.
You specify the operational importing RSA private-key, the RSA-enciphered DES
key to be imported, and a rule-array keyword to define the key-formatting method.
Several methods for recovering keys are available. You select a method through
the use of a rule-array keyword:
For processing single-length or double-length DATA keys, use one of these
three methods. The control vector in any non-NULL key token identified by the
target_key_identifier parameter must specify the default value for a DATA
control-vector corresponding to the key length found in the decrypted information.
See Figure C-2 on page C-3.

PKCSOAEP
    The PKCSOAEP keyword specifies that after decrypting the
    RSA_enciphered_key variable, the format is checked for conformance with
    RSA DSI PKCS#1-v2.0 RSAES-OAEP specifications for a single-length or
    double-length key. See “PKCS #1 Formats” on page D-19.

PKCS-1.2
    The PKCS-1.2 keyword specifies that after decrypting the
    RSA_enciphered_key variable, the format is checked for conformance with
    RSA DSI PKCS #1 block type 2 specifications for a single-length or
    double-length key. In the RSA PKCS #1 v2.0 standard, RSA terminology
    describes this as the RSAES-PKCS1-v1_5 format. See “PKCS #1 Formats” on
    page D-19.

ZERO-PAD
    The ZERO-PAD keyword specifies that after decrypting the
    RSA_enciphered_key variable, the format is checked to ensure that all bytes to
    the left of either a single-length or a double-length key are zero bits.
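The three DATA-key formatting checks above, worked through as an added Python example (this is not IBM's code and not the CCA implementation). The exporter-side routines build the block that would then be RSA-encrypted under the importer's public key; the importer-side routines are the structural checks the verb applies, per rule-array keyword, to the block obtained after the RSA private-key operation. Assumptions not taken from the manual: a 1024-bit modulus (128-byte block), SHA-1 with MGF1 and an empty encoding parameter for OAEP (the PKCS #1 v2.0 defaults; the exact layout on page D-19 is not reproduced), a length-resolution rule for ZERO-PAD of our own, and constructed sample keys.

```python
import hashlib
import secrets

# Key lengths this verb recovers for DATA keys: single- and double-length DES (bytes).
SINGLE_LENGTH = 8
DOUBLE_LENGTH = 16
KEY_LENGTHS = (SINGLE_LENGTH, DOUBLE_LENGTH)
H_LEN = hashlib.sha1().digest_size   # 20; assumption: SHA-1, the PKCS #1 v2.0 default
MODULUS_LEN = 128                    # assumption: 1024-bit RSA key, so a 128-byte block


class FormatError(ValueError):
    """Decrypted block does not conform to the selected key-formatting method."""


def _mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation with SHA-1 (PKCS #1 v2.0)."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Exporter side: the block that is RSA-encrypted with the importer's public key ----

def pad_zero(key: bytes, k: int = MODULUS_LEN) -> bytes:
    """ZERO-PAD: key right-aligned, every byte to its left is zero."""
    return key.rjust(k, b"\x00")


def pad_pkcs1_v15(key: bytes, k: int = MODULUS_LEN) -> bytes:
    """PKCS #1 block type 2 (RSAES-PKCS1-v1_5): 00 02 PS 00 M, PS random non-zero, >= 8 bytes."""
    ps_len = k - len(key) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this key")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + key


def pad_oaep(key: bytes, k: int = MODULUS_LEN, seed: bytes = b"") -> bytes:
    """RSAES-OAEP (PKCS #1 v2.0): SHA-1, MGF1, empty encoding parameter (assumption)."""
    if len(key) > k - 2 * H_LEN - 2:
        raise ValueError("modulus too small for this key")
    db = hashlib.sha1(b"").digest() + b"\x00" * (k - len(key) - 2 * H_LEN - 2) + b"\x01" + key
    seed = seed or secrets.token_bytes(H_LEN)
    masked_db = _xor(db, _mgf1(seed, k - H_LEN - 1))
    masked_seed = _xor(seed, _mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


# ---- Importer side: the format check applied after RSA decryption ----

def _accept(key: bytes) -> bytes:
    if len(key) not in KEY_LENGTHS:
        raise FormatError("recovered key is neither single- nor double-length")
    return key


def unpad_zero(block: bytes) -> bytes:
    """ZERO-PAD check. Assumption (not stated by the manual): read the last 16 bytes as a
    double-length key unless their left half is all zero, in which case it is single-length."""
    if len(block) <= DOUBLE_LENGTH or any(block[:-DOUBLE_LENGTH]):
        raise FormatError("non-zero bytes to the left of the key")
    if any(block[-DOUBLE_LENGTH:-SINGLE_LENGTH]):
        return block[-DOUBLE_LENGTH:]
    return block[-SINGLE_LENGTH:]


def unpad_pkcs1_v15(block: bytes) -> bytes:
    """PKCS-1.2 check: block type 2 with at least 8 non-zero PS bytes before the 00 separator."""
    if len(block) < 11 or block[:2] != b"\x00\x02":
        raise FormatError("wrong block type")
    sep = block.find(b"\x00", 2)
    if sep < 10:                       # PS occupies indexes 2..sep-1, so sep must be >= 10
        raise FormatError("padding string too short or separator missing")
    return _accept(block[sep + 1:])


def unpad_oaep(block: bytes) -> bytes:
    """PKCSOAEP check: unmask seed and DB, verify the label hash and the 00..00 01 separator."""
    k = len(block)
    if k < 2 * H_LEN + 2 or block[0] != 0:
        raise FormatError("bad leading byte")
    masked_seed, masked_db = block[1:1 + H_LEN], block[1 + H_LEN:]
    seed = _xor(masked_seed, _mgf1(masked_db, H_LEN))
    db = _xor(masked_db, _mgf1(seed, k - H_LEN - 1))
    sep = db.find(b"\x01", H_LEN)
    if db[:H_LEN] != hashlib.sha1(b"").digest() or sep < 0 or any(db[H_LEN:sep]):
        raise FormatError("OAEP decoding error")
    return _accept(db[sep + 1:])


CHECKERS = {"PKCSOAEP": unpad_oaep, "PKCS-1.2": unpad_pkcs1_v15, "ZERO-PAD": unpad_zero}


def recover_key(decrypted_block: bytes, rule: str) -> bytes:
    """Dispatch on the rule-array keyword, as the verb does after the private-key operation."""
    if rule not in CHECKERS:
        raise FormatError("unknown rule-array keyword: " + rule)
    return CHECKERS[rule](decrypted_block)


def rejects(block: bytes, rule: str) -> bool:
    """True if the format check refuses the block (exercises the negative paths)."""
    try:
        recover_key(block, rule)
    except FormatError:
        return True
    return False


# Constructed sample keys (not real key material).
SAMPLE_SINGLE = bytes(range(0x01, 0x09))
SAMPLE_DOUBLE = bytes(range(0x10, 0x20))
```

Two things the real verb does that the example leaves out: it additionally compares the recovered key length against the DATA control vector in the target key token, and it performs the RSA operation itself inside the coprocessor. From a defender's point of view, the PKCS-1.2 path deserves the most attention: a caller who can observe whether the block-type-2 check passed or failed has the kind of padding oracle that Bleichenbacher's 1998 attack on RSAES-PKCS1-v1_5 relies on, which is why PKCS #1 v2.0 introduced OAEP. Prefer PKCSOAEP where the exporting node supports it, and treat format-check failures from this verb as events worth logging rather than silently retried.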
For key-encrypting keys:

PKA92
    Key-encrypting keys and their control vectors are deciphered using the
    method employed in the Transaction Security Systems PKA92 implementation.
    See “PKA92 Key Format and Encryption Process” on page C-14.

    A node-identification (EID) value must be established prior to use of this verb.
    Under the PKA92 scheme, the EID values at the exporting and importing
    nodes must be different. Use the Cryptographic_Facility_Control verb to set
    the EID.
Note: This implementation will import IPINENC, OPINENC, PINGEN, and
PINVER key types when formatted according to the PKA92 scheme. However,
the implementation does not provide a means for enciphering these key types
in PKA92 format. This extension to CCA is considered non-standard, and may
not be present in other CCA implementations such as the implementation on
IBM eServer zSeries (S/390).
5-86 IBM 4758 CCA Basic Services, Release 2.54, February 2005