CCA Release 2.54
Changing Control Vectors with the Control_Vector_Translate Verb
Do the following when using the Control_Vector_Translate verb:
- Provide the control information for testing the control vectors of the source,
  target, and key-encrypting keys to ensure that only sanctioned changes can be
  performed.
- Select the key-half processing mode.
Providing the Control Information for Testing the Control Vectors
To minimize your security exposure, the Control_Vector_Translate verb requires
control information (mask array information) to limit the range of allowable control
vector changes. To ensure that this verb is used only for authorized purposes, the
source-key control vector, target-key control vector, and key-encrypting key (KEK)
control vector must pass specific tests. The tests on the control vectors are
performed within the secured cryptographic engine.
The tests consist of evaluating four logic expressions, the results of which must be
a string of binary zeros. The expressions operate bit-for-bit on information that is
contained in the mask arrays and in the portions of the control vectors associated
with the key or key-half that is being processed. If any of the expression
evaluations do not result in all zero bits, the verb is ended with a control vector
violation return and reason code (8/39). See Figure C-8. Only the 56 bit positions
that are associated with a key value are evaluated. The low-order bit that is
associated with key parity in each key-byte is not evaluated.
Mask Array Preparation
A mask array consists of seven 8-byte elements: A1, B1, A2, B2, A3, B3, and B4.
You choose the values of the array elements such that each of the following four
expressions evaluates to a string of binary zeros. (See Figure C-8 on page C-22.)
Set the A bits to the value that you require for the corresponding control vector bits.
In expressions 1 through 3, set the B bits to select the control vector bits to be
evaluated. In expression 4, set the B bits to select the source and target control
vector bits to be evaluated. Also, use the following control vector information:
C1 is the control vector associated with the left half of the KEK.
C2 is the control vector associated with the source key, or selected source-key
half/halves.
C3 is the control vector associated with the target key or selected target-key
half/halves.
1. (C1 exclusive-OR A1) logical-AND B1
   This expression tests whether the KEK used to encipher the key meets your
   criteria for the desired translation.
2. (C2 exclusive-OR A2) logical-AND B2
   This expression tests whether the control vector associated with the source key
   meets your criteria for the desired translation.
3. (C3 exclusive-OR A3) logical-AND B3
   This expression tests whether the control vector associated with the target key
   meets your criteria for the desired translation.
4. (C2 exclusive-OR C3) logical-AND B4
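The four tests can be modeled in software to check a mask array before it is passed to the verb. The following is an added example, not code from the manual or from IBM: the function names, the big-endian element encoding, and all sample control vector and mask values are constructed assumptions.

```python
import struct

KEY_BITS = 0xFEFEFEFEFEFEFEFE   # low-order (parity) bit of each byte is not evaluated
CV_VIOLATION = (8, 39)          # return/reason code for a control vector violation

def parse_mask_array(raw):
    """Split a 56-byte mask array into A1, B1, A2, B2, A3, B3, B4.
    Big-endian element encoding is an assumption of this sketch."""
    if len(raw) != 56:
        raise ValueError("mask array must be seven 8-byte elements")
    return struct.unpack(">7Q", raw)

def failing_expressions(c1, c2, c3, mask):
    """Return the numbers of the expressions that are not all zero bits."""
    a1, b1, a2, b2, a3, b3, b4 = mask
    results = {
        1: (c1 ^ a1) & b1,   # KEK (left half) control vector
        2: (c2 ^ a2) & b2,   # source-key control vector
        3: (c3 ^ a3) & b3,   # target-key control vector
        4: (c2 ^ c3) & b4,   # nonzero when a B4-selected bit differs, source vs. target
    }
    return [n for n, v in results.items() if v & KEY_BITS]

def translate_check(c1, c2, c3, raw_mask):
    """None when all four tests pass, otherwise the 8/39 violation code."""
    failed = failing_expressions(c1, c2, c3, parse_mask_array(raw_mask))
    return CV_VIOLATION if failed else None

# Constructed sample values (not taken from the manual).
BYTE1, BYTE5 = 0x00FF000000000000, 0x0000000000FF0000
KEK_CV = 0x00417D0003410000
SRC_CV = 0x00007D0003410000
MASK = struct.pack(">7Q",
    KEK_CV, BYTE1,                 # A1, B1: KEK byte 1 must be 0x41
    0, BYTE1,                      # A2, B2: source byte 1 must be 0x00
    0, BYTE1,                      # A3, B3: target byte 1 must be 0x00
    0xFFFFFFFFFFFFFFFF ^ BYTE5)    # B4: only byte 5 may differ
TGT_OK     = 0x00007D0003210000    # differs from source in byte 5 only
TGT_BAD    = 0x00427D0003410000    # also changes byte 1
TGT_PARITY = 0x00007D0003410001    # differs only in a parity bit position

if __name__ == "__main__":
    for name, tgt in [("ok", TGT_OK), ("bad", TGT_BAD), ("parity", TGT_PARITY)]:
        print(name, failing_expressions(KEK_CV, SRC_CV, tgt, parse_mask_array(MASK)),
              translate_check(KEK_CV, SRC_CV, tgt, MASK))
```

In this model, a B bit left at zero means the corresponding control vector bit is not tested at all, so a mask array with sparse B1 through B4 values permits a correspondingly wide range of changes.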
C-20 IBM 4758 CCA Basic Services, Release 2.54, February 2005