CCA Release 2.54 Key_Encryption_Translate
Key_Encryption_Translate (CSNBKET)

Platform/Product: OS/2, AIX, Win NT/2000, OS/400
IBM 4758-2/23: X

The Key_Encryption_Translate verb is used to change the method of key encryption. An input key can be a double-length external CCA DATA key or a double-length CBC-encrypted key. The returned key is encrypted using the other method, CBC encryption or CCA (ECB) encryption. The CCA DATA key must be double-length and have an all-zero control vector. The CBC-encrypted key is treated as a 16-byte string encrypted using an all-zero initialization vector.

You specify the following:
1. The translation reencryption operation using a rule-array keyword:
   - CBCTOECB to change from CBC key-encryption to CCA (ECB) encryption
   - ECBTOCBC to change from CCA (ECB) key-encryption to CBC encryption.
2. The key-encrypting key.
   - When performing the CBCTOECB translation, specify an IMPORTER key.
   - When performing the ECBTOCBC translation, specify an EXPORTER key.
3. Using the key_in parameter, identify either a 64-byte external CCA DATA key-token or a 16-byte CBC-encrypted key. Set the key_in_length variable to the length of the key_in variable.
4. Using the key_out parameter, identify either a 64-byte external CCA DATA key-token with an all-zero control vector, or a 16-byte string. Set the key_out_length variable to the length of the key_out variable.

The verb does the following:
   - Recovers the key-encrypting key and checks that its type is consistent with the requested translation, ECBTOCBC or CBCTOECB.
   - Decrypts the supplied key_in key using the key-encrypting key, and encrypts the result again using the key-encrypting key, this time with the other encryption method.
   - For CBCTOECB translation, the key_out variable is updated with the data key in an external token with an all-zero control vector.
   - For ECBTOCBC translation, the key is returned in a 16-byte string.

Restrictions
None
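
The decrypt-then-re-encrypt step described above, as an added Python sketch that is not IBM's code and does not call the CCA API. It assumes a toy 64-bit Feistel cipher as a stand-in for the coprocessor's DES-based key encryption, works on the 16-byte encrypted key value only (not the 64-byte token), and uses a single constructed KEK value without modelling IMPORTER/EXPORTER types.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(kek, rnd, half):
    # Round function of the toy Feistel cipher (stand-in, NOT triple-DES).
    return hashlib.sha256(kek + bytes([rnd]) + half).digest()[:4]

def enc_block(kek, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(kek, rnd, r))
    return l + r

def dec_block(kek, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(kek, rnd, l)), l
    return l + r

def ecb_encrypt(kek, key):   # each 8-byte half encrypted independently
    return enc_block(kek, key[:8]) + enc_block(kek, key[8:])

def ecb_decrypt(kek, ct):
    return dec_block(kek, ct[:8]) + dec_block(kek, ct[8:])

def cbc_encrypt(kek, key):   # all-zero IV, so the first block equals ECB
    c1 = enc_block(kek, key[:8])
    return c1 + enc_block(kek, _xor(key[8:], c1))

def cbc_decrypt(kek, ct):
    return dec_block(kek, ct[:8]) + _xor(dec_block(kek, ct[8:]), ct[:8])

def translate(rule, kek, key_in):
    # Decrypt under one method, re-encrypt under the other, same KEK value.
    if len(key_in) != 16:
        raise ValueError("encrypted key must be 16 bytes (double-length)")
    if rule == "ECBTOCBC":
        return cbc_encrypt(kek, ecb_decrypt(kek, key_in))
    if rule == "CBCTOECB":
        return ecb_encrypt(kek, cbc_decrypt(kek, key_in))
    raise ValueError("rule must be ECBTOCBC or CBCTOECB")

# Constructed sample values: a KEK and a double-length key with equal halves.
KEK = bytes(range(16))
CLEAR = bytes.fromhex("0123456789abcdef") * 2
ECB_FORM = ecb_encrypt(KEK, CLEAR)
CBC_FORM = translate("ECBTOCBC", KEK, ECB_FORM)
```

With the all-zero initialization vector, only the second 8-byte block differs between the two forms. A double-length key with equal halves shows equal ciphertext halves in the ECB form, while the CBC form does not reveal that.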
Chapter 8. Financial Services Support Verbs 8-49