CCA Release 2.54
Encrypting a Key_Encrypting Key in the NL-EPP-5 Format
The PKA_Symmetric_Key_Generate verb supports an NL-EPP-5 method of
encrypting a DES key-encrypting key with an RSA public key. The verb returns an
encrypted key block by RSA-encrypting a key record formed in the following
manner:
1. Format the key and other data per Figure C-6.
2. Insert random padding data into the record.
3. Insert the count of pad bytes plus one in the final byte.
Figure C-6. NL-EPP-5 Key Record Format

Offset     Length    Description
(Bytes)    (Bytes)
000        02        Header and Null Cancellation bytes, X'0B00'
002        08        Single length key-encrypting key
           16        Double length key-encrypting key
010 or 018           Random padding data
063        01        Padding count byte:
                     With an RSA key of length 512-bits: X'36' for a single length
                     key-encrypting key, or X'2E' for a double length key-encrypting key
                     With an RSA key of length 1024-bits: X'76' for a single length
                     key-encrypting key, or X'6E' for a double length key-encrypting key.
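The record of Figure C-6, built and checked in Python. This is an added example and not IBM code: it forms the plaintext record that the verb would then RSA-encrypt (the RSA step itself is left out), takes the record length to be the RSA modulus length in bytes, and draws the padding from os.urandom (the manual only says the padding is random). The parser is the check a receiving side would run after RSA decryption: header present, count byte consistent with a single- or double-length key.

```python
import os

HEADER = b"\x0b\x00"      # header and null-cancellation bytes, X'0B00' (offset 000)
KEY_LENGTHS = (8, 16)     # single-length or double-length DES key-encrypting key


def padding_count_byte(key_len: int, modulus_bits: int) -> int:
    """Value of the final byte: number of random pad bytes plus one.

    The pad fills everything between the key and the last byte of the record.
    """
    record_len = modulus_bits // 8
    pad_len = record_len - len(HEADER) - key_len - 1
    if pad_len < 0:
        raise ValueError("RSA modulus too short for this key length")
    return pad_len + 1


def build_nl_epp5_record(kek: bytes, modulus_bits: int, rng=os.urandom) -> bytes:
    """Form the NL-EPP-5 key record for a KEK (steps 1-3 of the text).

    `rng` is a hypothetical hook so the padding source can be replaced; the
    record is modulus_bits/8 bytes long so that it can be RSA-encrypted directly.
    """
    if len(kek) not in KEY_LENGTHS:
        raise ValueError("KEK must be 8 (single) or 16 (double) bytes")
    if modulus_bits % 8:
        raise ValueError("modulus length must be a whole number of bytes")
    count = padding_count_byte(len(kek), modulus_bits)
    if count > 0xFF:
        raise ValueError("padding count does not fit in one byte")
    pad = rng(count - 1)                 # step 2: random padding
    return HEADER + kek + pad + bytes([count])   # steps 1 and 3


def parse_nl_epp5_record(record: bytes) -> bytes:
    """Recover the KEK from a decrypted record, rejecting malformed layouts."""
    if len(record) < len(HEADER) + 2 or record[:2] != HEADER:
        raise ValueError("missing X'0B00' header")
    count = record[-1]
    if count == 0:
        raise ValueError("padding count byte must be at least 1")
    key_len = len(record) - len(HEADER) - count
    if key_len not in KEY_LENGTHS:
        raise ValueError("padding count inconsistent with a single/double-length key")
    return record[len(HEADER):len(HEADER) + key_len]


if __name__ == "__main__":
    # Constructed sample KEK values; not keys from the manual.
    for kek in (b"\x11" * 8, b"\x22" * 16):
        for bits in (512, 1024):
            rec = build_nl_epp5_record(kek, bits)
            assert parse_nl_epp5_record(rec) == kek
            print(f"{bits}-bit modulus, {len(kek)}-byte KEK: count byte X'{rec[-1]:02X}'")
```

Running it reproduces the four count-byte values of Figure C-6 (X'36', X'2E', X'76', X'6E'): the count is simply the record length minus the two header bytes minus the key length.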
Changing Control Vectors
Use the following techniques to change the control vector associated with a key:

Pre-exclusive-OR
    Use this technique to import or export a key from a cryptographic node if
    you can exclusive-OR one or more bit patterns into the value of the
    key-encrypting key used to import the key.

Control_Vector_Translate Verb
    Use the Control_Vector_Translate verb to change the control vector of
    an external key.

    Note: An external key is a key enciphered by a KEK other than the
    master key.
Changing Control Vectors with the Pre-Exclusive-OR Technique
Use the pre-exclusive-OR technique to change a key's control vector when
exporting or importing the key from or to a CCA cryptographic node. By
exclusive-ORing information with the KEK used to import or export the key, you can
effectively change the control vector associated with the key.
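The mechanism behind the pre-exclusive-OR technique, as an added example that is not code from the manual. It assumes, as CCA does, that a key is enciphered under the KEK exclusive-ORed with the key's control vector; the block cipher itself is a stand-in (a SHA-256-derived keystream, not DES and not CCA's wrapping algorithm), chosen so the example runs with the standard library. The point it shows: a key exported under control vector CV_OLD imports correctly under CV_NEW only if the pattern CV_OLD XOR CV_NEW has first been exclusive-ORed into the importing KEK, and the same ciphertext imported with the unmodified KEK and CV_NEW yields garbage. All key and control-vector values are constructed.

```python
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive-OR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def _stand_in_cipher(effective_key: bytes, data: bytes) -> bytes:
    """Stand-in for the key-wrapping cipher (NOT DES, NOT CCA's algorithm).

    XORs the data with a keystream derived from the effective key; being an
    XOR it serves for both wrap and unwrap. Data is limited to 32 bytes.
    """
    stream = hashlib.sha256(effective_key).digest()
    return xor_bytes(data, stream[:len(data)])


def wrap_key(key: bytes, kek: bytes, cv: bytes) -> bytes:
    """Encipher `key` under (KEK XOR CV), the CCA-style effective wrapping key."""
    return _stand_in_cipher(xor_bytes(kek, cv), key)


def unwrap_key(wrapped: bytes, kek: bytes, cv: bytes) -> bytes:
    """Decipher a wrapped key under (KEK XOR CV)."""
    return _stand_in_cipher(xor_bytes(kek, cv), wrapped)


def pre_xor_pattern(cv_old: bytes, cv_new: bytes) -> bytes:
    """Bit pattern to exclusive-OR into the importing KEK so that a key
    exported with cv_old imports with cv_new.

    (KEK XOR pattern) XOR cv_new == KEK XOR cv_old, so the same effective
    wrapping key is reconstructed and the clear key is recovered.
    """
    return xor_bytes(cv_old, cv_new)


# Constructed sample values (16-byte double-length key, KEK, control vectors).
KEY = bytes(range(0x10, 0x20))
KEK = bytes.fromhex("0123456789abcdeffedcba9876543210")
CV_OLD = bytes.fromhex("00007d000300000000007d0003000000")
CV_NEW = bytes.fromhex("00004100030000000000410003000000")


def demonstrate() -> tuple:
    """Return (imports correctly with pre-XORed KEK, imports correctly without it)."""
    exported = wrap_key(KEY, KEK, CV_OLD)           # exporting node, CV_OLD
    kek_adjusted = xor_bytes(KEK, pre_xor_pattern(CV_OLD, CV_NEW))
    with_pattern = unwrap_key(exported, kek_adjusted, CV_NEW) == KEY
    without_pattern = unwrap_key(exported, KEK, CV_NEW) == KEY
    return with_pattern, without_pattern


if __name__ == "__main__":
    ok, wrong = demonstrate()
    print("import with pre-XORed KEK recovers the key:", ok)       # True
    print("import with unmodified KEK recovers the key:", wrong)   # False
```

The identity in `pre_xor_pattern` is why the manual says the control vector is "effectively" changed: nothing about the enciphered key changes, only the value the importing node holds as its KEK. It also shows what the technique depends on, namely that the party loading the importer KEK can alter its value, which is why the manual ties the method to how the KEK is entered (plaintext or key parts).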
The pre-exclusive-OR technique requires exclusive-ORing additional information
into the value of the IMPORTER or EXPORTER KEK by one of the following
methods:
Exchange the KEK in the form of a plaintext value or in the form of key parts.
For example, if you use the Key_Part_Import verb to enter the KEK key parts,
C-16 IBM 4758 CCA Basic Services, Release 2.54, February 2005