CCA Release 2.54
Ensuring Data Integrity
CCA offers three classes of services for ensuring data integrity:
- Message authentication code (MAC) techniques based on the DES algorithm
- Hashing techniques
- Digital signature techniques.
This chapter includes the MAC verbs. For information on using hashing or digital
signatures to ensure the integrity of data, see Chapter 4, “Hashing and Digital
Signatures.”
The MAC_Generate and the MAC_Verify verbs support message authentication
code generation and verification consistent with ANSI standard X9.9,
ISO DP 8731, Part I, (ISO/IEC 9797-1, Algorithm 1) and ANSI X9.19 Optional
Procedure 1 (ISO/IEC 9797-1, Algorithm 3). These methods together support both
single-length and double-length keys. If the specified key is double length, the
ANSI X9.19 algorithm will be performed; otherwise, ANSI X9.9 will be performed.
See Appendix C, “CCA Control-Vector Definitions and Key Encryption.”
The verbs also support the message padding technique employed with EMV smart
card messages. The verbs perform EMV-required padding when you supply a
rule-array keyword EMVMAC or EMVMACD consistent with the specified
single-length or double-length key.
Both the DATA-class and the MAC/MACVER key types can be used. Control
vector bit 20 must be on for keys used in the MAC_Generate verb. Control vector
bit 21 must be on for keys used in the MAC_Verify verb.
For additional information about MAC calculation methods, see “MAC Calculation
Methods” on page D-13.
You can employ MAC values with four-byte, six-byte, or eight-byte lengths (32, 48,
or 64 bits) by using the MACLEN4, MACLEN6, or MACLEN8 keywords in the rule
array. MACLEN4 is the default.
When generating or verifying a 32-bit MAC, exchange the MAC in one of these
ways:
- Binary, in four bytes (the default method)
- Eight hexadecimal characters, invoked using the HEX-8 keyword
- Eight hexadecimal characters with a space character between the fourth and
  fifth hex characters, invoked using the HEX-9 keyword.
For details about MAC services, see the MAC_Generate verb on page 6-11 and the
MAC_Verify verb on page 6-14.
MACing Segmented Data
The MAC services described in this chapter allow you to divide a string of data into
parts, and generate or verify a MAC in a series of calls to the appropriate verb.
This can be useful when it is inconvenient or impossible to bring the entire string
into memory. For example, you might wish to MAC the entire contents of a data
set tens or hundreds of megabytes in length. The length of the data in each
procedure call is restricted only by the operating environment and the particular
verb. For the restrictions that apply to a verb, see the “Restriction” section of the
verb descriptions later in this chapter.
Chapter 6. Data Confidentiality and Data Integrity 6-3