CCA Release 2.54
2. For key-encrypting keys, set the following bits:
The Key-Encrypting Key-limiting bits, previously described as bits “hhh, bits
35 to 37,” are not supported in any current release of the Coprocessor CCA
support.
The key-generating usage bits (gks, bits 18 to 20). Set the gks bits to
B'111' to indicate that the Key_Generate verb can use the associated
key-encrypting key to encipher generated keys when the Key_Generate
verb is generating various key-pair key-form combinations (see the
Key-Encrypting Keys section of Figure C-3 on page C-5). Without any of
the gks bits set to 1, the Key_Generate verb cannot use the associated
key-encrypting key. (The Key_Token_Build verb can set the gks bits to 1
when you supply the OPIM, IMEX, IMIM, OPEX, and EXEX keywords.)
The IMPORT and EXPORT bit and the XLATE bit (ix, bits 21 and 22). If
the ‘i’ bit is set to 1, the associated key-encrypting key can be used in the
Data_Key_Import, Key_Import, Data_Key_Export, and Key_Export verbs. If
the ‘x’ bit is set to 1, the associated key-encrypting key can be used in the
Key_Translate verb. The Control_Vector_Generate verb can set the ‘ix’
bits to 1 when you supply the IMPORT, EXPORT, and XLATE keywords.
The key-form bits (fff, bits 40 to 42). The key-form bits indicate how the
key was generated and how the control vector participates in
multiple-enciphering. To indicate that the parts can be the same value, set
these bits to B'010'. For information about the value of the key-form bits
in the right half of a control vector, see step 13 on page C-11.
3. For the DATA-class keys (DATA, DATAC, DATM, DATAMV) set the “edmv” bits
(bits 18 to 21) to one to respectively enable encipher, decipher,
mac-generation, and mac-verification operations.
4. For the cipher-class keys (CIPHER, DECIPHER, ENCIPHER, DATA, DATAC)
set the encipher and decipher bits (bits 18 and 19). When bit 18 is set to 1,
the key can encipher data. When bit 19 is set to 1, the key can decipher data.
5. For MAC, MACVER, DATAM, and DATAMV keys, set the following bits:
Bits 12 to 14 Key Subtype
PIN Keys
001 PIN-generating key (PINGEN, PINVER)
000 Inbound PIN-block decrypting key (IPINENC)
010 Outbound PIN-block encrypting key (OPINENC)
Key-Generating Keys
001 KEYGENKY key-generating keys
sss DKYGENKY key-generating keys
sss is the count minus one of the number of diversifications used to
obtain the final, non-diversification key. See “Diversifying Keys” on
page 5-19. (The Key_Token_Build verb can set the sss bits when
you supply the DKYL0, ..., and DKYL7 keywords.)
Cryptographic Variable-Encrypting Keys
111 Cryptographic variable-encrypting key (CVAR....)
C-8 IBM 4758 CCA Basic Services, Release 2.54, February 2005