<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<!-- Begin Header Records -->
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Created for V5R4 by beth hagemeister 6/28/04 -->
<!-- Change history: -->
<!-- end header records -->
<title>Cryptographic Services Master Keys</title>
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<a name="Top_Of_Page"></a>
<!--Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>

<h2><img src="delta.gif" alt="Start of change">Cryptographic Services
Master Keys</h2>

<p>The eServer i5 server can store eight master keys. A master key cannot be
directly read or modified by any user, including the security officer; it can
only be loaded, set, cleared, and tested through the APIs described below.
Each master key is a 256-bit AES key that the cryptographic services APIs use
to protect other keys (for example, keys held in a key store file).</p>

<p>Each master key consists of three 32-byte values, called versions:
<strong>new</strong>, <strong>current</strong>, and <strong>old</strong>. The
<strong>new</strong> version holds the value of the master key while it is
being loaded, part by part. The <strong>current</strong> version holds the
active master key value; this is the value used whenever a master key is
specified on a cryptographic operation (unless the API states otherwise). The
<strong>old</strong> version holds the value that was current before the last
change. It exists so that keys encrypted under the previous master key remain
usable, and can be re-encrypted, after the master key is changed; without it,
changing the master key would make those keys, and the data they protect,
unrecoverable.</p>

<p>The <a href="qc3ldmkp.htm">Load Master Key Part (OPM, QC3LDMKP; ILE,
Qc3LoadMasterKeyPart)</a> API loads one key part into the new master key
version. Assign the key parts to different individuals, each knowing only
their own part, so that no single person can reproduce the master key; the
new version holds the intended value only after every part has been loaded.
If a part is entered incorrectly, clear the new version with the Clear Master
Key API and load all of the parts again.</p>

<p>The <a href="qc3setmk.htm">Set Master Key (OPM, QC3SETMK; ILE,
Qc3SetMasterKey)</a> API copies the current master key version into the old
master key version, copies the new master key version into the current master
key version, and then clears the new master key version by setting it to
binary 0s. Note that the previous old version is overwritten at this point:
any key still encrypted under it can no longer be recovered on this server, so
translate all keys before setting the master key a second time.</p>

<p>The current and old master key versions each have a 20-byte key
verification value (KVV). The KVV identifies a master key value without
revealing it, so it can be used to determine whether the master key has
changed. Use the <a href="qc3tstmk.htm">Test Master Key (OPM, QC3TSTMK; ILE,
Qc3TestMasterKey)</a> API to retrieve the KVVs. If the KVV is recorded with a
key when that key is encrypted under a master key, the KVV can later be
compared with the master key's KVVs to determine whether the master key has
changed since the key was encrypted, and therefore whether the encrypted key
must be re-encrypted under the current version.</p>

<p>The <a href="qc3clrmk.htm">Clear Master Key (OPM, QC3CLRMK; ILE,
Qc3ClearMasterKey)</a> API clears the new or the old master key version by
setting it to binary 0s; the current version cannot be cleared with this API.
Clear the old version only after every key encrypted under it has been
translated to the current version, because a key encrypted under a cleared
version cannot be recovered.</p>

<p>Each of these APIs creates a CY (cryptographic configuration) security
audit record, so loading, setting, clearing, and testing master keys can be
tracked in the audit journal.</p>

<p>The server's master keys are not saved as part of a SAVSYS operation, and
they are destroyed when the licensed internal code is installed. Therefore,
keep the passphrases used with Load Master Key Part in a secure location,
still separated by holder, so that a master key can be reloaded part by part
if it is lost. Without those passphrases, every key encrypted under the
master key, and all data protected by those keys, is unrecoverable.</p>

<p>Whenever a master key is changed, all keys encrypted under that master key
must be re-encrypted under the new current version. For keys in key store
files, use the <a href="qc3trnks.htm">Translate Key Store (OPM, QC3TRNKS;
ILE, Qc3TranslateKeyStore)</a> API. For keys stored outside a key store file,
use the <a href="qc3expky.htm">Export Key (OPM, QC3EXPKY; ILE,
Qc3ExportKey)</a> API followed by the <a href="qc3impky.htm">Import Key (OPM,
QC3IMPKY; ILE, Qc3ImportKey)</a> API, and save the KVV returned with the
re-encrypted key. Complete this translation while the previous master key
value is still held in the old version, that is, before the old version is
cleared or overwritten by another Set Master Key. For more information about
key store files, see <a href="qc3KeyStore.htm">Cryptographic Services Key
Store</a>.</p>

<p>Whenever a key is encrypted under a master key, the KVV of the current
master key version is returned along with the encrypted key. Keys encrypted
under a master key can be stored in a key store file or stored wherever the
user chooses. When a key is stored in a key store file, the master key KVV is
stored in the key record along with the encrypted key value. When the user
stores an encrypted key elsewhere, the user should also save the KVV. When
such a key is later used on an API and the master key KVV is supplied,
cryptographic services compares the supplied KVV with the KVVs of the master
key versions. If the supplied KVV matches the current version's KVV, the
operation proceeds normally. If it matches the old version's KVV, the
operation proceeds but returns a diagnostic to the API and to QSYSOPR
informing the user that the key needs to be retranslated. If it matches
neither, the operation ends with an error, because neither version held on the
server can decrypt the key.</p>
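<p>The master key lifecycle and the KVV check described above, as an added
example in Go. This is not IBM code and does not call the i5/OS APIs; it
models on a stand-alone machine the behaviour the page describes (new, current
and old versions, Set Master Key rotation, the KVV stored with an encrypted key,
the three outcomes when that key is used, and translation to the current
version). Assumptions, also labelled in the code: each key part is SHA-256 of a
passphrase XORed into the new version, the KVV is SHA-1 of the version value
(the page gives only its 20-byte length), and AES-256-GCM stands in for
whatever mode the real services use to encrypt a key under a master key. The
passphrases and the 128-bit key are constructed for the example.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// MasterKey models one master key slot: three 32-byte (AES-256) versions.
type MasterKey struct{ New, Current, Old [32]byte }

// kvv models the 20-byte KVV as SHA-1 of a version (assumption: the page gives
// only the KVV's length, not how it is derived).
func kvv(k [32]byte) [20]byte { return sha1.Sum(k[:]) }

// LoadMasterKeyPart folds one passphrase-derived part into the new version.
// Assumption: parts are SHA-256(passphrase) XORed together, so the new version
// holds the intended key only after every part holder has loaded theirs.
func (m *MasterKey) LoadMasterKeyPart(passphrase string) {
	for i, b := range sha256.Sum256([]byte(passphrase)) {
		m.New[i] ^= b
	}
}

// SetMasterKey: current -> old, new -> current, new cleared to binary 0s.
// Whatever the old version held before is overwritten and unrecoverable.
func (m *MasterKey) SetMasterKey() {
	m.Old, m.Current, m.New = m.Current, m.New, [32]byte{}
}

// WrappedKey is a key encrypted under a master key, kept together with the
// KVV of the version that encrypted it, as a key store record does.
type WrappedKey struct {
	Nonce, Ciphertext []byte
	KVV               [20]byte
}

// gcmFor builds AES-256-GCM for a version; neither call fails for a 32-byte key.
func gcmFor(mk [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(mk[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt wraps a key under the current version and returns its KVV with it.
func (m *MasterKey) Encrypt(key []byte) (WrappedKey, error) {
	gcm := gcmFor(m.Current)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedKey{}, err
	}
	return WrappedKey{nonce, gcm.Seal(nil, nonce, key, nil), kvv(m.Current)}, nil
}

// Status is the outcome of using a wrapped key, following the page's rules.
type Status int

const (
	OK          Status = iota // KVV matches current: proceed normally
	Retranslate               // KVV matches old: proceed, but raise a diagnostic
	KVVMismatch               // KVV matches neither: end with an error
)

// Use unwraps a key, selecting the master key version by the supplied KVV.
func (m *MasterKey) Use(w WrappedKey) ([]byte, Status, error) {
	version, status := m.Current, OK
	switch w.KVV {
	case kvv(m.Current):
	case kvv(m.Old):
		version, status = m.Old, Retranslate
	default:
		return nil, KVVMismatch, fmt.Errorf("KVV matches neither master key version")
	}
	key, err := gcmFor(version).Open(nil, w.Nonce, w.Ciphertext, nil)
	return key, status, err
}

// Translate re-encrypts a key wrapped under the old version with the current
// one: the effect of Translate Key Store, or Export Key then Import Key.
func (m *MasterKey) Translate(w WrappedKey) (WrappedKey, error) {
	key, status, err := m.Use(w)
	if err != nil || status == OK {
		return w, err
	}
	return m.Encrypt(key)
}

func main() {
	var mk MasterKey
	mk.LoadMasterKeyPart("officer one's part") // constructed passphrases, one
	mk.LoadMasterKeyPart("officer two's part") // per holder (split knowledge)
	mk.SetMasterKey()
	w, _ := mk.Encrypt([]byte("0123456789abcdef")) // constructed 128-bit key
	mk.LoadMasterKeyPart("second master key")       // change the master key
	mk.SetMasterKey()
	_, stale, _ := mk.Use(w)
	w, _ = mk.Translate(w)
	_, fresh, _ := mk.Use(w)
	fmt.Println(stale, fresh) // 1 0: Retranslate before, OK after translation
}
```

<p>Setting the master key a third time without translating a key would leave
that key with a KVV matching neither version, which is the error case; the
model makes that loss explicit because SetMasterKey overwrites the old version
rather than archiving it.</p>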

<img src="deltaend.gif" alt="End of change">
<br>
<hr>
<center>
<table cellpadding="2" cellspacing="2">
<tr align="center">
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> | <a href=
"catcrypt.htm">Cryptographic Services APIs</a> | <a href="aplist.htm">APIs by
category</a></td>
</tr>
</table>
</center>
</body>
</html>