CCA Release 2.54
Note that if you are processing a double-length key, you almost certainly will have
to process the key twice, using the key-encrypting key modified by different values
each appropriate to a key half. Then you concatenate the resulting two correct
key-halves.
[Figure C-7 diagram. Typical non-CCA system: the PIN-block-enciphering key (Kp) enters the encipher-key process under the transport key (Kt) XOR the other-system variant, giving eKt(Kp) = e*Kt(Kp). CCA system: transport key XOR other-system variant XOR control vector gives KEK-left and KEK-right (the double-length KEK'); the cryptogram, e*KEK.Variant(Kp), enters the decipher-key process under KEK' XOR the control vector for the PIN-block-enciphering key (control vector left and control vector right), giving the PIN-block-enciphering key (Kp).]
Figure C-7. Exchanging a Key with a Non-Control-Vector System
Figure C-7 shows a typical situation. In a non-CCA system, a PIN-block encrypting
key is singly encrypted by a transport key. No control vector or variant modifies the
value of the transport key, Kt, used to encrypt the PIN-block encrypting key, Kp.
The resulting cryptogram can be designated eKt(Kp). Since triple-encryption is the
same as single-encryption when both halves of the encrypting key are equal,
eKt(Kp) = e*Kt(Kp).
In the CCA system, a PIN-block decrypting key is an IPINENC key and must be
double length. (Note that if both halves of the double-length key are the same, the
IPINENC key effectively performs single encryption.) You must import both halves
of the target IPINENC key in different steps and combine the result to obtain the
desired result key.
1. Create two key-encrypting keys to import each half of the target input PIN-block
encrypting key (“IPINENC” key). When you receive key Kt, store this as two
different keys:
e*KmCViml(KtCVil) e*KmCVimr(KtCVil)
where:
CViml is the control vector for the left half of an IMPORTER key
CVimr is the control vector for the right half of an IMPORTER key
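The collapse of triple encryption to single encryption and the two-pass import that Figure C-7 and step 1 describe, as an added example (not IBM's code). It assumes a toy Feistel cipher in place of DES and a simplified model of a control-vector import (`cca_import`); all key, variant and control-vector values are constructed.

```python
import hashlib

def _f(key, rnd, half):  # round function of the toy cipher (not DES)
    data = key.to_bytes(8, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def enc(key, block):  # toy 64-bit Feistel cipher standing in for eK(X)
    l, r = block >> 32, block & 0xFFFFFFFF
    for rnd in range(8):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 32) | r

def dec(key, block):  # inverse of enc
    l, r = block >> 32, block & 0xFFFFFFFF
    for rnd in reversed(range(8)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 32) | r

def ede_enc(kl, kr, x):  # e*K(X) with double-length K = kl || kr
    return enc(kl, dec(kr, enc(kl, x)))

def ede_dec(kl, kr, y):
    return dec(kl, enc(kr, dec(kl, y)))

def cca_import(kek, cv_left, cv_right, token):
    # Assumed model of a control-vector import: each half of the target key is
    # deciphered under the double-length KEK with that half's CV XORed in.
    kl, kr = kek
    return (ede_dec(kl ^ cv_left, kr ^ cv_left, token[0]),
            ede_dec(kl ^ cv_right, kr ^ cv_right, token[1]))

def import_from_non_cv_system(kt, variant, cv_left, cv_right, cryptogram):
    # Pre-XOR a control vector into Kt so the import's own XOR cancels it.
    base = kt ^ variant
    kek1 = (base ^ cv_left, base ^ cv_left)    # recovers only the left half
    kek2 = (base ^ cv_right, base ^ cv_right)  # recovers only the right half
    token = (cryptogram, cryptogram)           # single-length Kp fills both halves
    left, _ = cca_import(kek1, cv_left, cv_right, token)
    _, right = cca_import(kek2, cv_left, cv_right, token)
    return left, right                         # concatenate the two correct halves

# Constructed sample values (not real keys, variants or CCA control vectors).
KT, KP, VARIANT = 0x0123456789ABCDEF, 0x1F2E3D4C5B6A7988, 0x0808080808080808
CV_LEFT, CV_RIGHT = 0x1111111111111111, 0x2222222222222222

if __name__ == "__main__":
    c = enc(KT ^ VARIANT, KP)  # what the non-CCA system sends
    print(hex(c), [hex(h) for h in import_from_non_cv_system(KT, VARIANT, CV_LEFT, CV_RIGHT, c)])
```

A single pass with one KEK' yields only one correct half, because the other half is deciphered under a key that still carries the XOR of the two control vectors.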
C-18 IBM 4758 CCA Basic Services, Release 2.54, February 2005