Filter
Top Products
CCA Release 2.54
Chapter 6. Data Confidentiality and Data Integrity
This chapter describes the verbs that use the Data Encryption Standard (DES)
algorithm to encrypt and decrypt data and to generate and verify a message
authentication code (MAC).
Figure 6-1. Data Confidentiality and Data Integrity Verbs
Verb Page Service Entry
Point
Svc
Lcn
Decipher 6-5 Deciphers data CSNBDEC E
Encipher 6-8 Enciphers data CSNBENC E
MAC_Generate 6-11 Generates a message authentication code (MAC) CSNBMGN E
MAC_Verify 6-14 Verifies a MAC. CSNBMVR E
Service location (Svc Lcn): E=Cryptographic Engine, S=Security API software
Encryption and Message Authentication Codes
This section explains how to use the services described in this chapter to ensure
the confidentiality of data through encryption, and to ensure the integrity of data
through the use of Message Authentication Codes (MAC).
Note: See Chapter 4, “Hashing and Digital Signatures” on page 4-1 for
information about other ways to ensure data integrity.
Ensuring Data Confidentiality
You can use the Encipher verb to convert plaintext to ciphertext, and the Decipher
verb to reverse the process to convert ciphertext back to plaintext. These services
use the DES data encryption algorithm. DES operates on blocks of 64 bits (8
bytes). Based on the length of the DES key that you specify, the Encipher and
Decipher verbs will perform either basic (single) DES or triple-DES
1
. See
“Single-DES and Triple-DES for General Data” on page D-6.
If you know that your data will always be a multiple of 8 bytes, you can request the
use of the cipher block chaining mode of encryption, designated CBC. In this mode
of encryption, the enciphered result of encrypting one block of plaintext is
exclusive-ORed with the subsequent block of plaintext prior to enciphering the
second block. This process is repeated through the processing of your plaintext.
The process is reversed in decryption. See “Ciphering Methods” on page D-5.
Note that if some portion of the ciphertext is altered, the CBC decryption of that
block and the subsequent block will not recover the original plaintext. Other blocks
of plaintext will be correctly recovered. CBC encryption is used to disguise patterns
in your data that could be seen if each data block was encrypted by itself.
In general, data to be ciphered is not a multiple of eight bytes. In this case, you
need to adopt a strategy for the last block of data. The Encipher and Decipher
1
Note that CCA implementations always encipher DES keys and PIN blocks with “triple-DES.”
Copyright IBM Corp. 1997, 2005
6-1