IBM Z10 BC manual Support for 13- thru 19-digit Personal Account Numbers, TKE 5.3 workstation

Support for AES encryption algorithm includes the master key management functions required to load or generate AES master keys, update those keys, and re-encipher key tokens under a new master key.

Support for 13- thru 19-digit Personal Account Numbers

Credit card companies sometimes perform card security code computations based on Personal Account Number (PAN) data. Currently, ICSF callable services CSNBCSV (VISA CVV Service Verify) and CSNBCSG (VISA CVV Service Generate) are used to verify and to generate a VISA Card Verifi cation Value (CVV) or a MasterCard Card Verifi cation Code (CVC). The ICSF callable services cur- rently support 13-, 16-, and 19-digit PAN data. To provide additional fl exibility, new keywords PAN-14, PAN-15, PAN- 17, and PAN-18 are implemented in the rule array for both CSNBCSG and CSNBCSV to indicate that the PAN data is comprised of 14, 15, 17, or 18 PAN digits, respectively.

Support for 13- through 19-digit PANs is exclusive to System z10 and is offered by z/OS and z/VM for guest exploitation.

TKE 5.3 workstation

The Trusted Key Entry (TKE) workstation and the TKE

5.3level of Licensed Internal Code are optional features on the System z10 BC. The TKE 5.3 Licensed Internal Code (LIC) is loaded on the TKE workstation prior to ship- ment. The TKE workstation offers security-rich local and remote key management, providing authorized persons a method of operational and master key entry, identifi cation, exchange, separation, and update. The TKE workstation supports connectivity to an Ethernet Local Area Network (LAN) operating at 10 or 100 Mbps. Up to ten TKE work- stations can be ordered.

Enhancement with TKE 5.3 LIC

The TKE 5.3 level of LIC includes support for the AES encryption algorithm, adds 256-bit master keys, and includes the master key management functions required to load or generate AES master keys to cryptographic copro- cessors in the host.

Also included is an imbedded screen capture utility to permit users to create and to transfer TKE master key entry instructions to diskette or DVD. Under ‘Service Manage- ment’ a “Manage Print Screen Files” utility will be available to all users.

The TKE workstation and TKE 5.3 LIC are available on the z10 EC, z10 BC, z9 EC, and z9 BC.

Smart Card Reader

Support for an optional Smart Card Reader attached to the TKE 5.3 workstation allows for the use of smart cards that contain an embedded microprocessor and associated memory for data storage. Access to and the use of con-

fidential data on the smart cards is protected by a user- defi ned Personal Identifi cation Number (PIN).

TKE 5.3 LIC has added the capability to store key parts on DVD-RAMs and continues to support the ability to store key parts on paper, or optionally on a smart card. TKE 5.3 LIC has limited the use of fl oppy diskettes to read-only. The TKE 5.3 LIC can remotely control host cryptographic coprocessors using a password-protected authority signa- ture key pair either in a binary fi le or on a smart card.

The Smart Card Reader, attached to a TKE workstation with the 5.3 level of LIC will support System z10 BC, z10 EC, z9 EC, and z9 BC. However, TKE workstations with 5.0, 5.1 and 5.2 LIC must be upgraded to TKE 5.3 LIC.