IBM 2 Computer Hardware User Manual


 
CCA Release 2.54
you can enter another part that is set to the value of the pre-exclusive-OR
quantity (which quantity is discussed later).
Use the Key_Generate verb to generate an IMPORTER/EXPORTER pair of
KEKs, with the KEY-PART control vector bit set on. Then use the
Key_Part_Import verb to enter an additional key part that is set to the value of
the pre-exclusive-OR quantity.
To understand how you can change a key’s control vector when importing or
exporting keys, you must first understand the importing and exporting process. For
example, when exporting key K, the cryptogram $e^{*}_{Km \oplus CV_{k}}(K)$ is changed to the
cryptogram $e^{*}_{KEK \oplus CV_{k1}}(K)$.
Notes:
1. The first cryptogram is read as “the multiple encipherment of key K by the key
formed from the exclusive-OR of the master key and the control vector, $CV_{k}$, of
key K.”
2. The second cryptogram is read as “the multiple encipherment of key K by the
key formed from the exclusive-OR of the KEK and the control vector, $CV_{k1}$, of
key K.” KEK represents the value of the EXPORTER key.
3. A control vector of value binary zero is equivalent to not having a control
vector.
The CCA specifies that in all but one case, $CV_{k}$ is the same as $CV_{k1}$. The
exception is that a DATA key whose $CV_{k}$ contains the value of a default CV for that
key type, has a $CV_{k1}$ equal to binary zero.
To change the control vector on key K, the KEK must be set to the value:
$KEK \oplus CV_{k1} \oplus CV_{k2}$
where:
KEK is the value of the shared EXPORTER key.
$\oplus$ represents exclusive-OR.
$CV_{k1}$ is the control vector value used with the operational key K at the local
node.
$CV_{k2}$ is the desired control vector value for the exported key K.
This process works because the value $CV_{k1}$ is specified in the key token for the
exported key. The Key_Export verb provides this control-vector value to the
hardware, which exclusive-ORs it with the EXPORTER KEK. However, you have
set the EXPORTER KEK to the value $KEK \oplus CV_{k1}$, and when $CV_{k1}$ is
exclusive-ORed with $CV_{k1}$, the effect is that $CV_{k1}$ is removed. Because you also
set the KEK to include the desired control vector, $CV_{k2}$, the exported key will have
a changed control vector.
If you need to change the control vector for a key when importing the key, the
Key_Import verb works in a similar manner. You exclusive-OR the actual control
vector value (sometimes called a “variant”) and the desired control vector value for
the imported key into the value of the key-encrypting key. Then when you call the
Key_Import verb, be sure that the source-key token contains the control vector of
the desired target key.
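The cancellation described above for Key_Export, worked through as an added example (not code from the IBM manual). The `wrap` function is a keyed stand-in for multiple encipherment, not triple-DES, and every key and control-vector value is constructed for illustration.

```python
import hashlib
import hmac


def xor(*parts: bytes) -> bytes:
    """Exclusive-OR equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("all operands must have the same length")
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def _keystream(wrapping_key: bytes, n: int) -> bytes:
    # Assumption: stand-in for e*; only needs to be keyed and invertible.
    return hmac.new(wrapping_key, b"toy-wrap", hashlib.sha256).digest()[:n]


def wrap(kek: bytes, cv: bytes, key: bytes) -> bytes:
    """Model e*(KEK xor CV)(K): the token's CV is XORed into the KEK first."""
    return xor(key, _keystream(xor(kek, cv), len(key)))


unwrap = wrap  # the XOR-keystream stand-in is its own inverse


def demo() -> dict:
    # Constructed 16-byte values, not real CCA keys or control vectors.
    kek = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    cv_k1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    cv_k2 = bytes.fromhex("a0b1c2d3e4f5061728394a5b6c7d8e9f")
    k = bytes.fromhex("5555aaaa5555aaaa3333cccc3333cccc")

    # Local node: KEK entered with the pre-exclusive-OR quantity folded in.
    kek_pre = xor(kek, cv_k1, cv_k2)
    # Key_Export supplies CV_k1 from the key token; it cancels against kek_pre.
    exported = wrap(kek_pre, cv_k1, k)

    return {
        "wrapping_key_is_kek_xor_cv_k2": xor(kek_pre, cv_k1) == xor(kek, cv_k2),
        # Remote node holds the plain KEK and expects CV_k2 on the key.
        "imports_under_cv_k2": unwrap(kek, cv_k2, exported) == k,
        "imports_under_cv_k1": unwrap(kek, cv_k1, exported) == k,
        # Note 3: a control vector of binary zero leaves the KEK unchanged.
        "zero_cv_is_no_cv": xor(kek, bytes(16)) == kek,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```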
Appendix C. CCA Control-Vector Definitions and Key Encryption C-17