IBM 2 Computer Hardware User Manual
CCA Release 2.54
You can use the default control vector for a key type, or you can create a more
restrictive control vector. The default control vector for a key type provides the
basic key-separation functions; optional usage restrictions can tighten the
security of the system further.
The cryptographic subsystem creates a default control vector for a key type when
you use the Key_Generate verb with a null key token and a key type in the
key_type parameter. Likewise, when you import or export a key, you can specify a
key type to obtain the default control vector instead of supplying a control vector
in a key token. If you specify a key type with the Key_Import verb, ensure that the
default control vector is identical to the control vector under which the key was
encrypted: the control vector takes part in the key-encryption process, so a
mismatch recovers a different key value rather than the key that was exported.
The additional control-vector bits that you can turn on or off let you restrict the
use of a key further. This gives you the ability to implement the general security
policy of permitting only those capabilities actually required in a system. The
additional bits are designed to block specific, if often obscure, attacks.
You can obtain the value for a control vector in one of several ways:
• To use a default-value control vector, obtain the value from Figure C-2.
• See “Specifying a Control-Vector-Base Value” on page C-7. The material
  presents an ordered set of questions to enable you to create the value for a
  control vector.
• Use the Key_Token_Build verb or the Control_Vector_Generate verb and
  keywords to construct a control vector and incorporate this control vector into a
  key token. See Figure 5-4 on page 5-9.
Figure C-2 (Page 1 of 2). Key Type Default Control-Vector Values

Key Type               Control-Vector Hexadecimal Value    Control-Vector Hexadecimal Value
                       for Single-Length Key or Left       for Right Half of Double-Length
                       Half of Double-Length Key           Key
---------------------  ----------------------------------  --------------------------------
CIPHER                 00 03 71 00 03 00 00 00
DATA (single-length)
  Internal             00 00 7D 00 03 00 00 00
  External             00 00 00 00 00 00 00 00
DATA (double-length)
  Internal             00 00 7D 00 03 41 00 00             00 00 7D 00 03 21 00 00
  External             00 00 00 00 00 00 00 00             00 00 00 00 00 00 00 00
DATAC                  00 00 71 00 03 41 00 00             00 00 71 00 03 21 00 00
DATAM                  00 00 4D 00 03 41 00 00             00 00 4D 00 03 21 00 00
DATAMV                 00 00 44 00 03 41 00 00             00 00 44 00 03 21 00 00
DECIPHER               00 03 50 00 03 00 00 00
DKYGENKY               00 71 44 00 03 41 00 00             00 71 44 00 03 21 00 00
ENCIPHER               00 03 60 00 03 00 00 00
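The following Python example is added here and is not code from the CCA manual or from IBM. It decodes and sanity-checks the default control vectors of Figure C-2 (the hex values are copied from the table; the key names DATA-DOUBLE and DATA-EXTERNAL are labels chosen for this example) and shows why a key imported with Key_Import must be processed under the same control vector it was encrypted under. It assumes standard CCA conventions that this section does not spell out: bit 0 is the most significant bit of byte 0, every control-vector byte has even parity (bits 7, 15, ..., 63 are parity bits), bits 40-42 are the key-form field (000 single-length, 010 left half, 001 right half), and a key is encrypted under the key-encrypting key XORed with the control vector. The KEK value is constructed for the example.

```python
# Added example; not code from the CCA manual. Decodes and checks the default
# control vectors (CVs) of Figure C-2 and shows the KEK variant a CV selects.
# Assumed here (standard CCA conventions, not stated in this section):
#   - bit 0 is the most significant bit of byte 0 (CCA bit numbering);
#   - bits 7, 15, 23, ..., 63 are parity bits: every CV byte has even parity;
#   - bits 40-42 are the key-form field: 000 single-length key,
#     010 left half and 001 right half of a double-length key;
#   - a key is encrypted under the key-encrypting key XORed with the CV
#     (KEK left half ^ CV left half, KEK right half ^ CV right half).

# Values copied from Figure C-2 (internal key tokens); None = no right half.
# DATA-DOUBLE / DATA-EXTERNAL are labels chosen for this example; external
# DATA keys use an all-zero CV for both single- and double-length keys.
DEFAULT_CV = {
    "CIPHER":        ("0003710003000000", None),
    "DATA":          ("00007D0003000000", None),
    "DATA-DOUBLE":   ("00007D0003410000", "00007D0003210000"),
    "DATA-EXTERNAL": ("0000000000000000", None),
    "DATAC":         ("0000710003410000", "0000710003210000"),
    "DATAM":         ("00004D0003410000", "00004D0003210000"),
    "DATAMV":        ("0000440003410000", "0000440003210000"),
    "DECIPHER":      ("0003500003000000", None),
    "DKYGENKY":      ("0071440003410000", "0071440003210000"),
    "ENCIPHER":      ("0003600003000000", None),
}

# Constructed 16-byte sample key-encrypting key; not a real key.
SAMPLE_KEK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")


def bit(cv: bytes, n: int) -> int:
    """Return CV bit n (bit 0 = MSB of byte 0)."""
    return (cv[n // 8] >> (7 - n % 8)) & 1


def set_bit(cv: bytearray, n: int, value: int) -> None:
    mask = 1 << (7 - n % 8)
    cv[n // 8] = (cv[n // 8] | mask) if value else (cv[n // 8] & ~mask & 0xFF)


def has_even_parity(cv: bytes) -> bool:
    """True if cv is 8 bytes long and every byte has even parity."""
    return len(cv) == 8 and all(bin(b).count("1") % 2 == 0 for b in cv)


def key_form(cv: bytes) -> str:
    """Decode the key-form field, bits 40-42."""
    forms = {(0, 0, 0): "single", (0, 1, 0): "left", (0, 0, 1): "right"}
    return forms.get((bit(cv, 40), bit(cv, 41), bit(cv, 42)), "unknown")


def right_half_cv(left: bytes) -> bytes:
    """Derive the right-half CV from a left-half CV: change the form field
    from 010 to 001 and recompute the parity bit of byte 5 (bit 47)."""
    if key_form(left) != "left":
        raise ValueError("not a left-half control vector")
    out = bytearray(left)
    set_bit(out, 41, 0)
    set_bit(out, 42, 1)
    set_bit(out, 47, 0)
    set_bit(out, 47, bin(out[5]).count("1") % 2)  # restore even parity
    return bytes(out)


def identify(cv: bytes):
    """Map a CV taken from a key token back to its Figure C-2 key type and half."""
    for name, (left, right) in DEFAULT_CV.items():
        if cv == bytes.fromhex(left):
            return name, key_form(cv)
        if right is not None and cv == bytes.fromhex(right):
            return name, "right"
    return None


def check_table() -> bool:
    """Sanity check of Figure C-2: every value has even parity and every
    listed right half is exactly the one derived from its left half."""
    for left, right in DEFAULT_CV.values():
        lcv = bytes.fromhex(left)
        if not has_even_parity(lcv):
            return False
        if right is not None:
            rcv = bytes.fromhex(right)
            if not has_even_parity(rcv) or right_half_cv(lcv) != rcv:
                return False
    return True


def kek_variant(kek: bytes, key_type: str) -> bytes:
    """KEK variant under which a key of the given type is encrypted: KEK XOR CV.
    A single-length CV is applied to both KEK halves (assumption). Different
    CVs give different variants, which is why Key_Import with a key type whose
    default CV differs from the one used at export recovers a different key."""
    left, right = DEFAULT_CV[key_type]
    cv = bytes.fromhex(left) + bytes.fromhex(right if right else left)
    return bytes(k ^ c for k, c in zip(kek, cv))


if __name__ == "__main__":
    print("Figure C-2 consistent:", check_table())
    for kt in ("CIPHER", "DATA", "DATA-EXTERNAL"):
        print(kt, kek_variant(SAMPLE_KEK, kt).hex())
```

Two things to observe when running it: check_table() confirms that every right-half value in the table differs from its left half only in the form field (byte 5, 41 versus 21), so a right-half CV can always be derived rather than stored; and kek_variant(SAMPLE_KEK, "DATA-EXTERNAL") returns the KEK unchanged, because an all-zero CV XORs nothing into it. An external DATA key is therefore wrapped with no usage separation at all, which is the compatibility case and the reason the internal DATA default (00 00 7D 00 03 ...) is not all zeros.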
Appendix C. CCA Control-Vector Definitions and Key Encryption C-3