ibm-information-center/dist/eclipse/plugins/i5OS.ic.apis_5.4.0.1/qc3MigrateCR1.htm

648 lines
28 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<title>Migrating from CR1-57xx</title>
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Change History: -->
<!-- YYMMDD USERID Change description -->
<!-- 050629 HAG New -->
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<!-- Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>
<h2><img src="delta.gif" alt="Start of change">Migrating from 57xx-CR1</h2>
<p>IBM plans to drop support of IBM Cryptographic Support for AS/400 (5722-CR1) in the release after V5R4. This article will help you migrate your CR1 applications to the Cryptographic Services APIs.</p>
<p>Prior to reading this article, you may want to review the information
in the following articles:</p>
<ul>
<li><a href="../rzajc/rzajcconcepts.htm">Cryptography Concepts</a></li>
<li><a href="qc3MasterKeys.htm">Cryptographic Services Master Keys</a></li>
<li><a href="qc3KeyStore.htm">Cryptographic Services Key Store</a></li>
</ul>
<h3>General Functional Differences</h3>
<ul>
<li><b>PIN functions</b>
<br>The Cryptographic Services APIs do not support the CR1 PIN functions.
CR1 supports the 3624 PIN calculation method. It is possible
to code the 3624 PIN calculation method using the Cryptographic
Services APIs. To do so, implement the &quot;PIN Generation Algorithm&quot; described
in Chapter 4 of the <a href="http://publib.boulder.ibm.com/cgi-bin/bookmgr/bookmgr.cmd/BOOKS/QBKALT01/CCONTENTS">Cryptographic User's Guide</a>, replacing the CR1 APIs with
Cryptographic Services APIs as described below. However, a better solution
would be to use a cryptographic
coprocessor and the Common Cryptographic Architecture API set, which supports
many PIN calculation methods and PIN block formats. For more
information, see <a href="../rzajc/rzajcco4758.htm">4764 and 4758
Cryptographic Coprocessors</a>.
<br><br>
<li><b>Key management</b>
<br>Both CR1 and the Cryptographic Services APIs implement key management using
a key hierarchy. At the top, a clear master key is securely stored.
Other keys can be stored in a database file where the key values are encrypted
under the master key. However, note the following differences in key management
between CR1 and the Cryptographic Services APIs:
<br><br>
<ul>
<li>CR1 supports one master key.
<p>The Cryptographic Services APIs support
eight master keys.</p>
</li>
<li>CR1 supports one key store file, QCRP/QACRKTBL, also known as the cross-domain
key table.
<p>With the Cryptographic
Services APIs, the user can create any number of key store files.</p>
</li>
<li>CR1 defines key-encrypting keys (KEKs) as those keys stored within the
cross-domain key table as sending and receiving cross-domain key types.
They are limited to
export (encrypting keys to send to another system)
and import (decrypting keys received from another system) operations.
The user is responsible for storing data-encrypting keys.
<p>The Cryptographic Services APIs do not distinguish between
key-encrypting keys and data-encrypting keys. It is up to the user to define
what keys are used as key-encrypting keys and as data-encrypting keys.</p>
</li>
<li>Only keys for export, import, and PIN protection operations can be stored
in the CR1 cross-domain key table.
<p>Any type of key can be stored in a Cryptographic
Services APIs key store file.</p>
</li>
</ul>
<br>
</li>
</li>
<li><b>Master key variants</b>
<br>Master key variants are values that are exclusive-OR'd into the master
key value prior to encrypting or decrypting a key. Master key variants are
used to limit how the encrypted key can be used. Both CR1 and the
Cryptographic Services APIs use master key variants. However, the values of
the variants and how they are used are completely different.
<p>CR1 uses master key variants to limit cross-domain keys to either export, import, or PIN protection operations. The CR1 master key variants are the following:
<table width="95%">
<tr>
<td valign="top" width="30%"><strong>Sending cross-domain key</strong></td>
<td>Eight bytes of hexadecimal 88.</td>
</tr>
<tr>
<td><strong>Receiving cross-domain key</strong></td>
<td>Eight bytes of hexadecimal 22.</td>
</tr>
<tr>
<td><strong>PIN cross-domain key</strong></td>
<td>Eight bytes of hexadecimal 44.</td>
</tr>
</table>
</p>
<p>Cryptographic Services APIs use master key variants to limit master key
encrypted keys to any combination of encrypt, decrypt, MAC, and sign operations.</p>
</li>
</ul>
<h3>Migrating Keys</h3>
<p>If you have not already established a Cryptographic Services APIs master key,
do so using the <A HREF="qc3ldmkp.htm">Load Master Key Part</A> and
<A HREF="qc3setmk.htm">Set Master Key</A> APIs.</p>
<p>Write a program that performs the following steps to migrate your keys from the CR1
cross-domain key table to a Cryptographic Services APIs key store file.</p>
<ol>
<li>Create a key store file using the <A HREF="qc3crtks.htm">Create Key Store</A>
API.
<br><br>
</li>
<li>Get the CR1 master key value.
<ul>
<li>You should not hard-code the CR1 master key value in your program, but instead
request the input interactively.</li>
<li>If the CR1 master key was established using multiple key parts, you should
maintain multiple responsibility and request input of multiple key parts.
Your program would then exclusive-OR those parts together to obtain the master
key value.</li>
</ul>
<br>
</li>
<li>Create a key context token for each variant of the CR1 master key.
<ul>
<li>Create three new key values by
exclusive-ORing the master key value with each variant value (as described
above). For example, a master key value of hex 3BA93722AF8D0526 exclusive-OR'd
with the sending cross-domain key variant (hex 8888888888888888) would be
hex B321BFAA27058DAE.</li>
<li>If you will be migrating more CR1 cross-domain keys in the future,
save all three key values to your key store file. Do this using the
<A HREF="qc3wrtkr.htm">Write Key Record</A> API.
<ul>
<li>The key string parameter should contain the key value (for example, hex B321BFAA27058DAE).</li>
<li>The length of key string parameter should specify a value of 8.</li>
<li>The key format parameter should specify a value of 0 to indicate it is a
binary value.</li>
<li>The key type parameter should specify a value of 20 to indicate it is a
DES key.</li>
<li>The key form parameter should specify a value of 0 to indicate the key
value is not encrypted.</li>
<li>Follow the API instructions for the remaining parameters.</li>
</ul>
</li>
<li>Create a key context for each of the three values using the
<a href="qc3crtkx.htm">Create Key Context</a> API. The key string, length
of key string, key format, key type, and key form parameters should all
match what was specified above for the Write Key Record API. If in the future
you retrieve these key values from the key store file, you would specify
the Create Key Context parameters as follows:
<ul>
<li>The key string parameter would contain the key store label structure as
described in the API.</li>
<li>The length of key string parameter would specify 56, which is the length
of the key store label structure.</li>
<li>The key format parameter would specify a value of 4 to indicate it is a
key store label structure.</li>
<li>The key type and key form parameters would not change.</li>
<li>Follow the API instructions for the remaining parameters.</li>
</ul>
</li>
</ul>
<br>
</li>
<li>Erase the master key value, the three new key values, and any key part values
from program storage.<br><br></li>
</li>
<li>Create a DES algorithm context token using the
<a href="qc3crtax.htm">Create Algorithm Context</a> API.
<ul>
<li>The algorithm description format name parameter should specify a value of
&quot;ALGD0200&quot;.</li>
<li>The algorithm description parameter should contain the ALGD0200
structure. The entire ALGD0200 structure should be set to null. The
fields should then be specified as follows:
<ul>
<li>The block cipher algorithm field should specify a value of 20 to indicate
the DES algorithm.</li>
<li>The block length field should specify a value of 8.</li>
</ul>
<li>Follow the API instructions for the remaining parameters.</li>
</ul>
<br>
</li>
<li>Read each record of the cross-domain key table and import the key value
to your key store file.
<ul>
<li>The format of a cross-domain key table record is as follows: <table width="95%">
<tr>
<th align="left" valign="top">Field</th>
<th align="left" valign="top">Length</th>
</tr>
<tr>
<td valign="top" width="30%">Key Label</td>
<td>10</td>
</tr>
<tr>
<td>Key Type</td>
<td>1</td>
</tr>
<tr>
<td>Encrypted Key Value</td>
<td>8</td>
</tr>
</table> <p>A key type of &quot;S&quot; indicates the key is a sending cross-domain key. A key type
of &quot;R&quot; indicates the key is a receiving cross-domain key. A key type of &quot;P&quot;
indicates the key is a PIN key.</p></li>
</li>
<li>Use the <A HREF="qc3wrtkr.htm">Write Key Record</A> API to import the key
value to the key store file.
<ul>
<li>For the record label parameter, you should be able to use the same value
as the label from the cross-domain key table record unless a key record by that
label already exists in the key store file.</li>
<li>The key string parameter should contain the encrypted key value.</li>
<li>The length of key string parameter should specify a value of 8.</li>
<li>The key format parameter should specify a value of 0 to indicate it is a
binary value.</li>
<li>The key type parameter should specify a value of 20 to indicate it is a
DES key.</li>
<li>The key form parameter should specify a value of 1 to indicate the key
value is encrypted.</li>
<li>The key-encrypting key context token parameter should specify the appropriate
key context token created in step 3 above. Use the key type field of the
cross-domain key record to determine which token to use.</li>
<li>The key-encrypting algorithm context token should specify the algorithm
context token created in step 5 above.</li>
<li>Follow the API instructions for the remaining parameters.</li>
</ul>
</li>
</ul>
</li>
</ol>
<p>To migrate CR1 master key encrypted keys not stored in the cross-domain key
table, your program should perform the following steps.</p>
<ol>
<li>Get the CR1 master key value.
<ul>
<li>You should not hard-code the CR1 master key value in your program, but instead
request the input interactively.</li>
<li>If the CR1 master key was established using multiple key parts, you should
maintain multiple responsibility and request input of multiple key parts.
Your program would then exclusive-OR those parts together to obtain the master
key value.</li>
</ul>
<br>
</li>
<li>Create a key context token for the CR1 master key.
<ul>
<li>If you will be migrating more CR1 keys in the future,
save the master key to a key store file. Do this using the
<A HREF="qc3wrtkr.htm">Write Key Record</A> API.
<ul>
<li>The key string parameter should contain the master key value.</li>
<li>The length of key string parameter should specify a value of 8.</li>
<li>The key format parameter should specify a value of 0 to indicate it is a
binary value.</li>
<li>The key type parameter should specify a value of 20 to indicate it is a
DES key.</li>
<li>The key form parameter should specify a value of 0 to indicate the key
value is not encrypted.</li>
<li>Follow the API instructions for the remaining parameters.</li>
</ul>
</li>
<li>Create a key context for the CR1 master key value using the
<a href="qc3crtkx.htm">Create Key Context</a> API. The key string, length
of key string, key format, key type, and key form parameters should all
match what was specified above for the Write Key Record API. If in the future
you retrieve the CR1 master key value from the key store file, you would specify
the Create Key Context parameters as follows:
<ul>
<li>The key string parameter would contain the key store label structure as
described in the API.</li>
<li>The length of key string parameter would specify 56, which is the length
of the key store label structure.</li>
<li>The key format parameter would specify a value of 4 to indicate it is a
key store label structure.</li>
<li>The key type and key form parameters would not change.</li>
<li>Follow the API instructions for the remaining parameters.</li>
</ul>
</li>
</ul>
<br>
</li>
<li>Erase the master key value and any key part values from program storage. <br><br></li>
</li>
<li>Create a DES algorithm context token using the
<a href="qc3crtax.htm">Create Algorithm Context</a> API.
<ul>
<li>The algorithm description format name parameter should specify a value of
&quot;ALGD0200&quot;.</li>
<li>The algorithm description parameter should contain the ALGD0200
structure. The entire ALGD0200 structure should be set to null. The
fields should then be specified as follows:
<ul>
<li>The block cipher algorithm field should specify a value of 20 to indicate
the DES algorithm.</li>
<li>The block length field should specify a value of 8.</li>
</ul>
<li>Follow the API instructions for the remaining parameters.</li>
</ul>
<br>
</li>
<li>Import the CR1 master key encrypted keys.
<p>For each CR1 master key encrypted key, use the <a href="qc3impky.htm">Import Key</a> API to re-encrypt the key under a Cryptographic Services APIs master key.
<ul>
<li>The key string parameter should contain the encrypted key value.</li>
<li>The length of key string parameter should specify a value of 8.</li>
<li>The key form parameter should specify a value of 1 to indicate the key
value is encrypted.</li>
<li>The key-encrypting key context token parameter should specify the
key context token created in step 2 above. </li>
<li>The key-encrypting algorithm context token should specify the algorithm
context token created in step 4 above.</li>
<li>Follow the API instructions for the remaining parameters.</li>
</ul>
</li>
</ol>
<h3>Migrating Programs</h3>
<p>Use the following list to determine how to replace CR1 APIs with
Cryptographic Services APIs.</p>
<dl>
<dt><strong>Add Cross-Domain Key (CL, ADDCRSDMNK)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3crtks.htm">Create Key Store (OPM, QC3CRTKS; ILE, Qc3CreateKeyStore)</a></li>
<li><a href="qc3wrtkr.htm">Write Key Record (OPM, QC3WRTKR; ILE, Qc3WriteKeyRecord)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>Whereas CR1 supports one key store file which is shipped with the product,
the Cryptographic Services APIs user must create a key store file.</li>
<li>Cryptographic Services APIs key store keys can not be restricted to export,
import, and PIN protection functions as is done with CR1. However, they can be
restricted to any combination of encrypt, decrypt, MAC, and sign operations.</li>
</ul>
<br>
</dd>
<dt><strong>Change Cross-Domain Key (CL, CHGCRSDMNK)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3dltkr.htm">Delete Key Record (OPM, QC3DLTKR; ILE, Qc3DeleteKeyRecord)</a></li>
<li><a href="qc3wrtkr.htm">Write Key Record (OPM, QC3WRTKR; ILE, Qc3WriteKeyRecord)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>There is no Cryptographic Services API to change a key record.
The application must first delete the record and then re-create it.
</li>
<li>Cryptographic Services APIs key store keys can not be restricted to export,
import, and PIN protection functions as is done with CR1. However, they can be
restricted to any combination of encrypt, decrypt, MAC, and sign operations.</li>
</ul>
<br>
</dd>
<dt><strong>Change Master Key (CL, CHGMSTKK)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3tstmk.htm">Test Master Key (OPM, QC3TSTMK; ILE, Qc3TestMasterKey)</a></li>
<li><a href="qc3ldmkp.htm">Load Master Key Part (OPM, QC3LDMKP; ILE, Qc3LoadMasterKeyPart)</a></li>
<li><a href="qc3setmk.htm">Set Master Key (OPM, QC3SETMK; ILE, Qc3SetMasterKey)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>
The CR1 Change Master Key API requires knowledge of the master key verification
code. The Cryptographic Services APIs application program can implement this
function using the Test Master Key API.</li>
</ul>
<br>
</dd>
<dt><strong>Cipher Data (CL, CPHDTA; OPM, QCRCIPHR)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3encdt.htm">Encrypt Data (OPM, QC3ENCDT; ILE, Qc3EncryptData)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>OPTION(*SCPH) is not supported by the Cryptographic Services APIs. Your
application program must convert the 16 hexadecimal characters to the 8-byte
binary value prior to calling the Encrypt Data API. Similarly, if a 16
hexadecimal character output is desired, the application program must
do the conversion.</li>
<li>To duplicate the function of Cipher Data, the Encrypt Data API should
specify an algorithm description for DES. However, it is recommended that
you upgrade the security of your application by moving to a newer algorithm
such as TDES or the better performing AES.</li>
</ul>
<br>
</dd>
<dt><strong>Encrypt Cipher Key (CL, ENCCPHK; OPM, QCRENCKY)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3impky.htm">Import Key (OPM, QC3IMPKY; ILE, Qc3ImportKey)</a></li>
</dd>
</ul>
<br>
</dd>
<dt><strong>Encipher From Master Key (CL, ENCFRMMSTK; OPM, QCRENCFR)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3crtkx.htm">Create Key Context (OPM, QC3CRTKX; ILE, Qc3CreateKeyContext)</a></li>
<li><a href="qc3crtax.htm">Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext)</a></li>
<li><a href="qc3expky.htm">Export Key (OPM, QC3EXPKY; ILE, Qc3ExportKey)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>The Export Key API requires a key context be created for the key-encrypting
key. It is on the Create Key Context API that you specify the key store file
and label.</li>
<li>The Export Key API also requires an algorithm context. To duplicate the
function of Encipher From Master Key, create a DES algorithm context. The
algorithm description should specify ECB mode and no padding.</li>
<li>The Export Key API does not support the output of two encrypted key values
as does Encipher From Master Key. To obtain a second encrypted key value,
create another key context and issue the Export Key API again. You may reuse
the same algorithm context.</li>
</ul>
<br>
</dd>
<dt><strong>Encipher To Master Key (CL, ENCTOMSTK; OPM, QCRENCTO)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3crtkx.htm">Create Key Context (OPM, QC3CRTKX; ILE, Qc3CreateKeyContext)</a></li>
<li><a href="qc3crtax.htm">Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext)</a></li>
<li><a href="qc3impky.htm">Import Key (OPM, QC3IMPKY; ILE, Qc3ImportKey)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>When importing an encrypted key, the Import Key API requires a key context
be created for the key-encrypting key. It is on the Create Key Context API that
you specify the key store file and label.</li>
<li>Importing an encrypted key also requires an algorithm context. To duplicate
the function of Encipher To Master Key, create a DES algorithm context. The
algorithm description should specify ECB mode and no padding.</li>
</ul>
<br>
</dd>
<dt><strong>Generate Cipher Key (CL, GENCPHK; OPM, QCRGENKY)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3gensk.htm">Generate Symmetric Key (OPM, QC3GENSK; ILE, Qc3GenSymmetricKey)</a></li>
<li><a href="qc3crtkx.htm">Create Key Context (OPM, QC3CRTKX; ILE, Qc3CreateKeyContext)</a></li>
<li><a href="qc3crtax.htm">Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext)</a></li>
<li><a href="qc3expky.htm">Export Key (OPM, QC3EXPKY; ILE, Qc3ExportKey)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>The Generate Symmetric Key API will generate a random key value and return
it in the clear, encrypted under a master key, or encrypted under a
key-encrypting key. If both a master key encrypted form and a KEK encrypted
form is required, first use Generate Symmetric Key API to generate a key
encrypted under a master key. Then follow the same procedures outlined for
Encipher From Master Key.</li>
</ul>
<br>
</dd>
<dt><strong>Generate Cross-Domain Key (CL, GENCRSDMNK)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3addprngseed.htm">Add Seed for Pseudorandom Number Generator (OPM, QC3ADDSD; ILE, Qc3AddPRNGSeed)</a></li>
<li><a href="qc3genkr.htm">Generate Key Record (OPM, QC3GENKR; ILE, Qc3GenKeyRecord)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>The Generate Key Record API does not require a seed value because it uses
the system's pseudorandom number generator which automatically seeds.
However, if your security practices require the input of seed data,
first use the Add Seed for Pseudorandom Number Generator API.</li>
<li>The Generate Key Record API generates a single key record. To generate
multiple key records, invoke this API multiple times.</li>
<li>Cryptographic Services APIs key store keys can not be restricted to export,
import, and PIN protection functions as is done with CR1. However, they can be
restricted to any combination of encrypt, decrypt, MAC, and sign operations.</li>
</ul>
<br>
</dd>
<dt><strong>Generate Message Authentication Code (CL, GENMAC; OPM, QCRGENMA)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3calma.htm">Calculate MAC (OPM, QC3CALMA; ILE, Qc3CalculateMAC)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>To duplicate the function of Generate Message Authentication Code,
the Calculate MAC API should
specify an algorithm description for DES. However, it is recommended that
you upgrade the security of your application by moving to a newer algorithm
such as TDES or the better performing AES.</li>
</ul>
<br>
</dd>
<dt><strong>Generate PIN (CL, GENPIN; OPM, QCRGENPN)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3encdt.htm">Encrypt Data (OPM, QC3ENCDT; ILE, Qc3EncryptData)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>Although the Cryptographic Services APIs do not support PIN functions,
it is possible for your application to implement the 3624 PIN generation
algorithm. The Encrypt Data API would be used for encrypting the PIN
validation data.</li>
<li>The PIN validation data must be presented to the Encrypt Data API as an
8-byte value. Your application program may need to convert the 8-byte
encrypted value to 16 hexadecimal characters prior to decimalization.
Refer to the &quot;PIN Generation Algorithm&quot; described in Chapter 4 of the <a href="http://publib.boulder.ibm.com/cgi-bin/bookmgr/bookmgr.cmd/BOOKS/QBKALT01/CCONTENTS">Cryptographic User's Guide</a>.</li>
<li>There are a number of security issues involved in supporting PIN functions
with the Cryptographic Services APIs.
A better solution would be to use a cryptographic
coprocessor and the Common Cryptographic Architecture API set. For more
information, see <a href="../rzajc/rzajcco4758.htm">4764 and 4758
Cryptographic Coprocessors</a>.</li>
</ul>
<br>
</dd>
<dt><strong>Remove Cross-Domain Key (CL, RMVCRSDMNK)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3dltkr.htm">Delete Key Record (OPM, QC3DLTKR; ILE, Qc3DeleteKeyRecord)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>The Delete Key Record API deletes a single key record. To delete multiple
key records, you must invoke this API multiple times.</li>
<li>Cryptographic Services APIs key store files are created with no capabilities.
You can not modify a key store file using other APIs. To remove all records from
the key store file, you must delete the file and then recreate it.</li>
</ul>
<br>
</dd>
<dt><strong>Set Master Key (CL, SETMSTK)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3ldmkp.htm">Load Master Key Part (OPM, QC3LDMKP; ILE, Qc3LoadMasterKeyPart)</a></li>
<li><a href="qc3setmk.htm">Set Master Key (OPM, QC3SETMK; ILE, Qc3SetMasterKey)</a></li>
</ul>
<br>
</dd>
<dt><strong>Translate PIN (CL, TRNPIN; OPM, QCRTRNPN)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3crtkx.htm">Create Key Context (OPM, QC3CRTKX; ILE, Qc3CreateKeyContext)</a></li>
<li><a href="qc3crtax.htm">Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext)</a></li>
<li><a href="qc3trndt.htm">Translate Data (OPM, QC3TRNDT; ILE, Qc3TranslateData)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>Although the Cryptographic Services APIs do not support PIN functions,
it is possible to translate a PIN using the Translate Data API.</li>
<li>The Translate Data API does not support the specification of 16 hexadecimal
characters for the encrypted PIN number. You must supply it as an 8-byte value.
</li>
<li>There are a number of security issues involved in supporting PIN functions
with the Cryptographic Services APIs.
A better solution would be to use a cryptographic
coprocessor and the Common Cryptographic Architecture API set. For more
information, see <a href="../rzajc/rzajcco4758.htm">4764 and 4758
Cryptographic Coprocessors</a>.</li>
</ul>
<br>
</dd>
<dt><strong>Verify Master Key (CL, VFYMSTK)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3tstmk.htm">Test Master Key (OPM, QC3TSTMK; ILE, Qc3TestMasterKey)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>The Verify Master Key CL command compares the input verification code
against the master key verification code. The Test Master Key API just
returns the master key verification code. Therefore, your application
program must do the comparison.</li>
</ul>
<br>
</dd>
<dt><strong>Verify PIN (CL, VFYPIN; OPM, QCRVFYPN)</strong></dt>
<dd>Replace with
<ul>
<li><a href="qc3encdt.htm">Encrypt Data (OPM, QC3ENCDT; ILE, Qc3EncryptData)</a></li>
<li><a href="qc3decdt.htm">Decrypt Data (OPM, QC3DECDT; ILE, Qc3DecryptData)</a></li>
</dd>
</ul>
Notes:
<ul>
<li>Although the Cryptographic Services APIs do not support PIN functions,
it is possible for your application to implement the 3624 PIN generation
algorithm.
The Encrypt Data API would be used for encrypting the PIN
validation data.
The Decrypt Data API would be used to decrypt the PIN prior to the
comparison.</li>
<li>The encrypted PIN value must be presented to the Decrypt Data API as an
8-byte value.
The PIN validation data must be presented to the Encrypt Data API as an
8-byte value. Your application program may need to convert the output from
Encrypt Data to 16 hexadecimal characters prior to decimalization.
Refer to the &quot;PIN Generation Algorithm&quot; described in Chapter 4 of the <a href="http://publib.boulder.ibm.com/cgi-bin/bookmgr/bookmgr.cmd/BOOKS/QBKALT01/CCONTENTS">Cryptographic User's Guide</a>.</li>
<li>There are a number of security issues involved in supporting PIN functions
with the Cryptographic Services APIs.
A better solution would be to use a cryptographic
coprocessor and the Common Cryptographic Architecture API set. For more
information, see <a href="../rzajc/rzajcco4758.htm">4764 and 4758
Cryptographic Coprocessors</a>.</li>
</ul>
<br>
</dd>
</dl>
<img src="deltaend.gif" alt="End of change">
<br>
<hr>
<center>
<table cellpadding="2" cellspacing="2">
<tr align="center">
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> |
<a href= "catcrypt.htm">Cryptographic Services APIs</a> |<a href=
"aplist.htm">APIs by category</a></td>
</tr>
</table>
</center>
</body>
</html>