CCA Release 2.54 Master_Key_Process
Master_Key_Process (CSNBMKP)
Platform/Product    OS/2    AIX    Win NT/2000    OS/400
IBM 4758-2/23       X       X      X              X
The Master_Key_Process verb operates on the three master-key registers: new,
current, and old. Use the verb to:
- Clear the new and clear the old master-key registers
- Generate a random master-key value in the new master-key register
- Exclusive-OR a clear value as a key part into the new master-key register
- Set the master key, which transfers the current master key to the old master-key
  register, the new master key to the current master-key register, and clears the
  new master-key register. SET also clears the master-key-shares tables.
For IBM 4758 Cryptographic Coprocessor implementations, the master key is a
triple-length, 168-bit, 24-byte value.
You choose processing of the symmetric or asymmetric registers by specifying one
of the SYM-MK and the ASYM-MK rule-array keywords. If neither keyword is
specified, the verb performs the same operation on both classes of registers,
provided that the registers already contain the same values.
Before starting to load new master-key information, ensure that the new master-key
register is cleared. Do this by using the CLEAR keyword in the rule array.
To form a master key from key parts in the new master-key register, use the verb
several times to complete the following tasks:
- Clear the register, if it is not already clear
- Load the first key part
- Load any middle key parts, calling the verb once for each middle key part
- Load the last key part.
You can remove a prior master key from the Coprocessor with the CLR-OLD
keyword. The contents of the old master-key register are removed, and from then
on only keys enciphered under the current master key will be usable. If there is a
value in the old master-key register, that master key can also be used to decrypt an
enciphered working key.
For symmetric master-keys, the low-order bit in each byte of the key is used as
parity for the remaining bits in the byte. Each byte of the key part should contain
an odd number of one bits. If this is not the case, a warning is issued. The
product maintains odd parity on the accumulated symmetric master-key value.
When the LAST master-key part is entered, this additional processing is performed:
If any two of the eight-byte parts of the new master-key have the same value, a
warning is issued. This warning should not be ignored and a key with this
property should generally not be used.
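As an added illustration (not IBM's code), the following constructed Python model shows the register handling described above: XOR accumulation of 24-byte key parts into the new register, the per-byte odd-parity warning, the equal eight-byte-parts warning on the LAST part, and the SET rotation of new/current/old. The class and method names (MasterKeyRegisters, load_part, set_master_key) are assumptions of the model, not CCA identifiers.

```python
MK_LEN = 24  # triple-length (168-bit) master key stored in 24 bytes


def has_odd_parity(b: int) -> bool:
    """DES key parity: each byte must hold an odd number of one bits."""
    return bin(b).count("1") % 2 == 1


def even_parity_positions(part: bytes) -> list:
    """Byte offsets in a key part that fail the odd-parity check."""
    return [i for i, b in enumerate(part) if not has_odd_parity(b)]


def force_odd_parity(value: bytes) -> bytes:
    """Flip the low-order (parity) bit of any byte whose parity is even."""
    return bytes(b if has_odd_parity(b) else b ^ 0x01 for b in value)


class MasterKeyRegisters:
    """Constructed model of the new/current/old symmetric master-key registers."""

    def __init__(self):
        self.new = bytes(MK_LEN)  # a cleared register is all zeros
        self.current = None
        self.old = None
        self.warnings = []

    def clear_new(self):
        self.new, self.warnings = bytes(MK_LEN), []

    def clear_old(self):
        self.old = None  # CLR-OLD: keys under the old master key become unusable

    def load_part(self, part: bytes, last: bool = False):
        """FIRST/MIDDLE/LAST: XOR a clear key part into the new register."""
        if len(part) != MK_LEN:
            raise ValueError("key part must be 24 bytes")
        bad = even_parity_positions(part)
        if bad:  # the manual says a warning is issued, not an error
            self.warnings.append(f"even parity in part bytes {bad}")
        mixed = bytes(a ^ b for a, b in zip(self.new, part))
        self.new = force_odd_parity(mixed)  # odd parity kept on the accumulated value
        if last:
            thirds = {self.new[i:i + 8] for i in range(0, MK_LEN, 8)}
            if len(thirds) < 3:
                self.warnings.append("two eight-byte parts are equal; do not use this key")

    def set_master_key(self):
        """SET: current -> old, new -> current, then clear the new register."""
        self.old, self.current = self.current, self.new
        self.clear_new()
```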
Chapter 2. CCA Node-Management and Access-Control 2-59