Cryptographic hardware concepts

The following concepts describe how the Cryptographic Coprocessor handles keys. Understanding them will help you make the most of the cryptography and cryptographic hardware options available on your system.

Note: These concepts do not pertain to the IBM® 2058 Cryptographic Accelerator hardware.
Key types associated with the Cryptographic Coprocessor
Your Coprocessor uses various key types. Not all DES or Triple DES keys can be used for all symmetric key operations. Likewise, not all public key algorithm (PKA) keys can be used for all asymmetric key operations. This is a list of the various key types which the Coprocessor uses:
Master key
The master key is a clear key: it is not encrypted under any other key. The Coprocessor uses the master key to encrypt all operational keys and stores it only inside its tamper-responding module; you cannot retrieve the master key from the Coprocessor. If the module detects a tamper attempt, it responds by destroying the master key and its factory certification. The coprocessors have two master keys: one for encrypting DES keys and one for encrypting PKA keys.
Double-length key-encrypting keys
Your Coprocessor uses this type of Triple DES key to encrypt or decrypt other DES or Triple DES keys. Key-encrypting keys are generally used to transport keys between systems, but they can also be used to store keys offline for backup. If key-encrypting keys are used to transport keys, both systems must hold the same clear key-encrypting-key value, so the secrecy of that shared value is what protects every key transported under it. Exporter key-encrypting keys are used for export operations, in which a key encrypted under the master key is decrypted and then encrypted under the key-encrypting key. Importer key-encrypting keys are used for import operations, in which a key encrypted under the key-encrypting key is decrypted and then encrypted under the master key.
Double-length PIN keys
Your Coprocessor uses this type of Triple DES key to generate, verify, encrypt, and decrypt PINs used in financial operations.
MAC keys
Your Coprocessor uses this type of key to generate Message Authentication Codes (MAC). These can be either DES or Triple DES keys.
Cipher keys
Your Coprocessor uses this type of key to encrypt or decrypt data. These can be either DES or Triple DES keys.
Single-length compatibility keys
Your Coprocessor uses this type of key to encrypt or decrypt data and generate MACs. These are DES keys and are often used when encrypted data or MACs are exchanged with systems that do not implement the Common Cryptographic Architecture.
Private keys
Your Coprocessor uses private keys for generating digital signatures and for decrypting DES or Triple DES keys encrypted by the public key.
Public keys
Your Coprocessor uses public keys for verifying digital signatures, for encrypting DES or Triple DES keys, and for decrypting data encrypted by the private key.
Key forms
The Coprocessor works with keys in one of four different forms. The key form, along with the key type, determines how a cryptographic process uses that key. The four forms are:
Clear form
The clear value of the key is not protected by any cryptographic means, and the Coprocessor cannot use a key in this form directly. A clear key must first be imported into the secure module, where it is encrypted under the master key; the resulting operational key is then stored outside the secure module.
Operational form
Keys encrypted under the master key are in operational form. They are directly usable for cryptographic operations by the Coprocessor. Operational keys are also called internal keys. All keys that are stored in the server key store file are operational keys. However, you do not need to store all operational keys in the key store file.
Export form
Keys encrypted under an exporter key-encrypting key as the result of an export operation are in export form. These keys are also called external keys. A key in export form can also be described as being in import form if an importer key-encrypting key with the same clear key value as the exporter key-encrypting key is present. You may store keys in export form in any manner you choose except in key store files.
Import form
Keys encrypted under an importer key-encrypting key are in import form. Only keys in import form can be used as the source for an import operation. These keys are also called external keys. A key in import form can also be described as being in export form if an exporter key-encrypting key with the same clear key value as the importer key-encrypting key is present. You may store keys in import form in any manner you choose except in key store files.
Function control vector
IBM provides a digitally signed value known as a function control vector. This value enables the cryptographic application within the Coprocessor to yield a level of cryptographic service consistent with applicable import regulations and export regulations. The function control vector provides your Coprocessor with the key length information necessary to create keys.
Control vectors
A control vector, different from a function control vector, is a known value associated with a key that governs the following:
  • Key type
  • What other keys this key can encrypt
  • Whether your Coprocessor can export this key
  • Other allowed uses for this key
The control vector is cryptographically linked to a key and cannot be changed without changing the value of the key at the same time. As a result, a key cannot be relabelled as a different type, or made exportable, by editing the control vector in its token: the key that the Coprocessor would recover under the edited control vector is not the original key.
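The following Go program is an added example, not code from the page or from IBM, that simulates the key forms and the export and import operations described above and shows why the control vector cannot be changed without changing the key. It follows the published CCA idea of encrypting each half of a double-length key under the key-encrypting key XORed with the matching half of the control vector, but the control-vector byte layout, the key type codes, the master key, the key-encrypting key and the data key are all constructed for this example and are not IBM's values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key types encoded in the first byte of the (constructed) control vector.
// Real CCA control vectors use a different, IBM-defined bit layout.
const (
	TypeData     byte = 0x01 // cipher key: encrypts and decrypts data
	TypeExporter byte = 0x41 // exporter key-encrypting key
	TypeImporter byte = 0x42 // importer key-encrypting key
)

// Token models a key token: a 16-byte double-length key encrypted under some
// key-encrypting key, plus the control vector it was bound to. Operational
// tokens are encrypted under the master key; external tokens are encrypted
// under an exporter or importer KEK (export form and import form).
type Token struct {
	External bool
	CV       [16]byte
	Enc      [16]byte
}

// Constructed master key for the simulated coprocessor. A real master key
// never leaves the tamper-responding module.
var masterKey = mustHex("0123456789abcdeffedcba9876543210")

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// makeCV builds a control vector: byte 0 carries the key type, byte 1 the
// export-permitted flag, and the last byte of each half marks left/right so
// the two halves of a key are never wrapped under identical variants.
func makeCV(keyType byte, exportable bool) [16]byte {
	var cv [16]byte
	cv[0] = keyType
	if exportable {
		cv[1] = 0x80
	}
	copy(cv[8:], cv[:8])
	cv[7], cv[15] = 0x01, 0x02
	return cv
}

// variant returns a two-key Triple DES cipher keyed with kek XOR the given
// control-vector half, the XOR applied to both halves of the KEK. This XOR is
// what cryptographically links the control vector to the wrapped key.
func variant(kek []byte, cvHalf []byte) cipher.Block {
	k := make([]byte, 24) // two-key TDES expressed as K1||K2||K1
	for i := 0; i < 8; i++ {
		k[i] = kek[i] ^ cvHalf[i]
		k[8+i] = kek[8+i] ^ cvHalf[i]
	}
	copy(k[16:], k[:8])
	blk, err := des.NewTripleDESCipher(k)
	if err != nil {
		panic(err)
	}
	return blk
}

// wrap encrypts each 8-byte half of clear under the KEK variant for the
// matching half of cv; unwrap is the inverse.
func wrap(kek []byte, cv [16]byte, clear []byte) [16]byte {
	var out [16]byte
	for h := 0; h < 16; h += 8 {
		variant(kek, cv[h:h+8]).Encrypt(out[h:h+8], clear[h:h+8])
	}
	return out
}

func unwrap(kek []byte, cv [16]byte, enc [16]byte) []byte {
	out := make([]byte, 16)
	for h := 0; h < 16; h += 8 {
		variant(kek, cv[h:h+8]).Decrypt(out[h:h+8], enc[h:h+8])
	}
	return out
}

// ImportClear is the clear-form entry point: the key is encrypted under the
// master key with its control vector and becomes an operational token.
func ImportClear(clear []byte, keyType byte, exportable bool) Token {
	cv := makeCV(keyType, exportable)
	return Token{CV: cv, Enc: wrap(masterKey, cv, clear)}
}

// kekClear recovers the clear value of an operational KEK, refusing unless
// its control vector says it is the KEK type the operation requires.
func kekClear(t Token, want byte) ([]byte, error) {
	if t.External || t.CV[0] != want {
		return nil, errors.New("token is not an operational KEK of the required type")
	}
	return unwrap(masterKey, t.CV, t.Enc), nil
}

// Export turns an operational key into export form: decrypt under the master
// key, re-encrypt under the exporter KEK, keeping the same control vector.
func Export(op, exporter Token) (Token, error) {
	if op.External {
		return Token{}, errors.New("only operational keys can be exported")
	}
	if op.CV[1]&0x80 == 0 {
		return Token{}, errors.New("control vector forbids export of this key")
	}
	kek, err := kekClear(exporter, TypeExporter)
	if err != nil {
		return Token{}, err
	}
	clear := unwrap(masterKey, op.CV, op.Enc)
	return Token{External: true, CV: op.CV, Enc: wrap(kek, op.CV, clear)}, nil
}

// Import turns a key in import form back into operational form: decrypt
// under the importer KEK, re-encrypt under the master key.
func Import(ext, importer Token) (Token, error) {
	if !ext.External {
		return Token{}, errors.New("only external keys can be imported")
	}
	kek, err := kekClear(importer, TypeImporter)
	if err != nil {
		return Token{}, err
	}
	clear := unwrap(kek, ext.CV, ext.Enc)
	return Token{CV: ext.CV, Enc: wrap(masterKey, ext.CV, clear)}, nil
}

// ClearValue reveals the key inside an operational token. A real coprocessor
// never exposes this; it exists here only so results can be checked.
func ClearValue(op Token) []byte {
	return unwrap(masterKey, op.CV, op.Enc)
}

func main() {
	dataKey := mustHex("00112233445566778899aabbccddeeff")  // constructed
	kekValue := mustHex("a1b2c3d4e5f60718293a4b5c6d7e8f90") // constructed shared KEK value
	op := ImportClear(dataKey, TypeData, true)
	exporter := ImportClear(kekValue, TypeExporter, false) // sending system
	importer := ImportClear(kekValue, TypeImporter, false) // receiving system, same clear KEK

	ext, _ := Export(op, exporter)
	back, _ := Import(ext, importer)
	fmt.Println("round trip intact:", bytes.Equal(ClearValue(back), dataKey))

	// Retyping attempt: relabel the exported data key as an exporter KEK by
	// editing only the control vector in the external token.
	tampered := ext
	tampered.CV[0] = TypeExporter
	forged, _ := Import(tampered, importer)
	fmt.Println("retyped key differs from original:", !bytes.Equal(ClearValue(forged), dataKey))
}
```

Because the same clear KEK value is installed as an exporter key on one side and an importer key on the other, the token produced by Export is in import form for the receiving system, as the Export form and Import form definitions above state. The retyping attempt imports without error but yields a different key, which is the property the control-vector binding is meant to guarantee; a real deployment relies on the Coprocessor's own control-vector checking, not on this simulation.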
Key store file
An i5/OS™ database file that is used to store keys which you encrypted under the master key of the Coprocessor.
Key token
A data structure that can contain a cryptographic key, a control vector, and other information related to the key. Key tokens are used as parameters on most of the CCA API verbs that either act on or use keys.