CCA Release 2.54
An IBM 4758 does not permit the introduction of a new master key value that has
the same verification value as either the current master-key or as the old
master-key.
Token-Validation Value and Record-Validation Value
The Token-Validation Value (TVV) is a checksum that helps ensure that an
application program-provided key token is valid. A Token-Validation Value is the
sum (two’s complement ADD), ignoring carries and overflow, on the key token by
operating on four bytes at a time, starting with bytes zero to three and ending with
bytes 56 to 59. The four-byte strings are treated as big-endian binary numbers with
the high-order byte stored in the lower address. DES key-token bytes 60 to 63
contain the Token-Validation Value.
When an application program supplies a key token, the CCA node checks the
Token-Validation Value. When a CCA verb builds a DES key-token, it generates a
Token-Validation Value in the key token.
The record-validation value (RVV) used in DES key-storage records is computed with
the same algorithm as the Token-Validation Value. The RVV is the sum of the bytes in
positions 0 to 123 except for bytes 60 to 63.
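As an added worked example (not code from the CCA manual), the following Python computes the TVV over a DES key token and the RVV over a key-storage record exactly as described above: 4-byte big-endian words summed with carries discarded. The token and record contents are constructed; the page does not say where the RVV is stored, so the function only returns it.

```python
import struct

TVV_OFFSET = 60        # DES key-token bytes 60..63 hold the TVV
DES_TOKEN_LEN = 64
RVV_SPAN = 124         # RVV covers record bytes 0..123 (minus 60..63)
MASK32 = 0xFFFFFFFF


def _word_sum(data: bytes, skip: set = frozenset()) -> int:
    """Two's-complement ADD of 4-byte big-endian words, ignoring carries
    and overflow (i.e. modulo 2**32). `skip` holds byte offsets of words
    to leave out of the sum."""
    if len(data) % 4:
        raise ValueError("data length must be a multiple of 4")
    total = 0
    for off in range(0, len(data), 4):
        if off in skip:
            continue
        (word,) = struct.unpack_from(">I", data, off)  # high byte at low address
        total = (total + word) & MASK32
    return total


def tvv(token: bytes) -> int:
    """Token-Validation Value: sum of the words covering bytes 0..59."""
    if len(token) != DES_TOKEN_LEN:
        raise ValueError("DES key token must be 64 bytes")
    return _word_sum(token[:TVV_OFFSET])


def seal_token(token: bytes) -> bytes:
    """What a CCA verb does when it builds a token: write the TVV into bytes 60..63."""
    return token[:TVV_OFFSET] + struct.pack(">I", tvv(token))


def check_tvv(token: bytes) -> bool:
    """What the node does on an application-supplied token: recompute and compare.
    Note this is an integrity checksum against accidental corruption; a plain
    sum gives no protection against deliberate modification."""
    if len(token) != DES_TOKEN_LEN:
        return False
    (stored,) = struct.unpack_from(">I", token, TVV_OFFSET)
    return stored == tvv(token)


def rvv(record: bytes) -> int:
    """Record-Validation Value: same word sum over bytes 0..123, skipping 60..63."""
    if len(record) < RVV_SPAN:
        raise ValueError("key-storage record must be at least 124 bytes")
    return _word_sum(record[:RVV_SPAN], skip={TVV_OFFSET})
```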
Null Key-Token
Figure B-1 shows the null key-token format. With some CCA verbs, a null
key-token can be used instead of an internal or an external key-token. A verb
generally accepts a null key-token as a signal to use a key token with default
values.
A null key-token is indicated by the value X'00' at offset zero in a key token, a key
token variable, or a key identifier variable.
The (DES) Key_Import verb accepts input with offset zero valued to X'00'. In this
special case, the verb treats information starting at offset 16 as an enciphered,
single length key. In a very limited sense, this special case can be considered a
“null key-token.”
PKA key-storage uses an eight-byte structure, shown below, to represent a null
key-token. The DES_Key_Record_Read verb will return this structure if a key
record with a null key-token is read. Also, if you examine PKA key-storage, you
should expect key records without a key token containing specific key values to be
represented by a “null key-token.” In the case of key-storage records, the record
length (offset 2 and 3) can be greater than 8.
Figure B-1. PKA Null Key-Token Format

Offset  Length  Meaning
00      01      X'00'    Indicates that this is a null key-token
01      01      X'00'    Version zero
02      02      X'0008'  Indicates a PKA null key-token
04      04      Reserved, binary zero
B-2 IBM 4758 CCA Basic Services, Release 2.54, February 2005