159 lines
8.9 KiB
HTML
159 lines
8.9 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Cryptographic hardware concepts" />
|
|
<meta name="abstract" content="To better understand how to maximize your usage of cryptography and cryptographic hardware options with your system, read these basic concepts regarding cryptographic hardware." />
|
|
<meta name="description" content="To better understand how to maximize your usage of cryptography and cryptographic hardware options with your system, read these basic concepts regarding cryptographic hardware." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcco4758.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="hwconcepts" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Cryptographic hardware concepts</title>
|
|
</head>
|
|
<body id="hwconcepts"><a name="hwconcepts"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Cryptographic hardware concepts</h1>
|
|
<div><p>To better understand how to maximize your usage of cryptography
|
|
and cryptographic hardware options with your system, read these basic concepts
|
|
regarding cryptographic hardware.</p>
|
|
<div class="note"><span class="notetitle">Note:</span> These concepts do not pertain to the IBM<sup>®</sup> 2058 Cryptographic Accelerator hardware.</div>
|
|
<dl><dt class="dlterm"><strong>Key types associated with the Cryptographic Coprocessor</strong></dt>
|
|
<dd>Your Coprocessor uses various key types. Not all DES or Triple DES keys
|
|
can be used for all symmetric key operations. Likewise, not all public key
|
|
algorithm (PKA) keys can be used for all asymmetric key operations. This is
|
|
a list of the various key types which the Coprocessor uses: <dl><dt class="dlterm">Master key</dt>
|
|
<dd>This is a clear key, which means that no other key encrypted it. The
|
|
Coprocessor uses the master key to encrypt all operational keys. The Coprocessor
|
|
stores the master key in a tamper-responding module. You cannot retrieve the
|
|
master key from the Coprocessor. The Coprocessor responds to tamper attempts
|
|
by destroying the master key and destroying its factory certification. The
|
|
coprocessors have two master keys: one for encrypting DES keys and one for
|
|
encrypting PKA keys.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Double-length key-encrypting keys</dt>
|
|
<dd>Your Coprocessor uses this type of Triple-DES key to encrypt or decrypt
|
|
other DES or Triple DES keys. Key-encrypting-keys are generally used to transport
|
|
keys between systems. However, they can also be used for storing keys offline
|
|
for backup. If key-encrypting-keys are used to transport keys, the clear
|
|
value of the key-encrypting-key itself must be shared between the two systems.
|
|
Exporter key-encrypting keys are used for export operations where a key encrypted
|
|
under the master key is decrypted and then encrypted under the key-encrypting
|
|
key. Importer key-encrypting keys are used for import operations where a
|
|
key encrypted under the key-encrypting key is decrypted and then encrypted
|
|
under the master key.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Double-length PIN keys</dt>
|
|
<dd>Your Coprocessor uses this type of key to generate, verify, encrypt,
|
|
and decrypt PINs used in financial operations. These are Triple DES keys.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">MAC keys</dt>
|
|
<dd>Your Coprocessor uses this type of key to generate Message Authentication
|
|
Codes (MAC). These can be either DES or Triple DES keys.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Cipher keys</dt>
|
|
<dd>Your Coprocessor uses this type of key to encrypt or decrypt data. These
|
|
can be either DES or Triple DES keys.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Single-length compatibility keys</dt>
|
|
<dd>Your Coprocessor uses this type of key to encrypt or decrypt data and
|
|
generate MACs. These are DES keys and are often used when encrypted data or
|
|
MACs are exchanged with systems that do not implement the Common Cryptographic
|
|
Architecture.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Private keys</dt>
|
|
<dd>Your Coprocessor uses private keys for generating digital signatures
|
|
and for decrypting DES or Triple DES keys encrypted by the public key.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Public keys</dt>
|
|
<dd>Your Coprocessor uses public keys for verifying digital signatures, for
|
|
encrypting DES or Triple DES keys, and for decrypting data encrypted by the
|
|
private key.</dd>
|
|
</dl>
|
|
</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Key forms</dt>
|
|
<dd>The Coprocessor works with keys in one of four different forms. The key
|
|
form, along with the key type, determines how a cryptographic process uses
|
|
that key. The four forms are: <dl><dt class="dlterm">Clear form</dt>
|
|
<dd>The clear value of the key is not protected by any cryptographic means.
|
|
Clear keys are not usable by the Coprocessor. The clear keys must first
|
|
be imported into the secure module and encrypted under the master key and
|
|
then stored outside the secure module.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Operational form</dt>
|
|
<dd>Keys encrypted under the master key are in operational form. They are
|
|
directly usable for cryptographic operations by the Coprocessor. Operational
|
|
keys are also called internal keys. All keys that are stored in the server
|
|
key store file are operational keys. However, you do not need to store all
|
|
operational keys in the key store file.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Export form</dt>
|
|
<dd>Keys encrypted under an exporter key-encrypting key as the result of an
|
|
export operation are in export form. These keys are also called external
|
|
keys. A key in export form can also be described as being in import form
|
|
if an importer key-encrypting key with the same clear key value as the exporter
|
|
key-encrypting key is present. You may store keys in export form in any manner
|
|
you choose except in key store files.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Import form</dt>
|
|
<dd>Keys encrypted under an importer key-encrypting key are in import form.
|
|
Only keys in import form can be used as the source for an import operation.
|
|
These keys are also called external keys. A key in import form can also
|
|
be described as being in export form if an exporter key-encrypting key with
|
|
the same clear key value as the importer key-encrypting key is present. You
|
|
may store keys in import form in any manner you choose except in key store
|
|
files.</dd>
|
|
</dl>
|
|
</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Function control vector</dt>
|
|
<dd>IBM provides
|
|
a digitally signed value known as a function control vector. This value enables
|
|
the cryptographic application within the Coprocessor to yield a level of
|
|
cryptographic service consistent with applicable import regulations and export
|
|
regulations. The function control vector provides your Coprocessor with the
|
|
key length information necessary to create keys. </dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Control vectors</dt>
|
|
<dd>A control vector, different from a function control vector, is a known
|
|
value associated with a key that governs the following: <ul><li>Key type</li>
|
|
<li>What other keys this key can encrypt</li>
|
|
<li>Whether your Coprocessor can export this key</li>
|
|
<li>Other allowed uses for this key</li>
|
|
</ul>
|
|
The control vector is cryptographically linked to a key and can not be
|
|
changed without changing the value of the key at the same time.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Key store file</dt>
|
|
<dd>An i5/OS™ database
|
|
file that is used to store keys which you encrypted under the master key of
|
|
the Coprocessor.</dd>
|
|
</dl>
|
|
<dl><dt class="dlterm">Key token</dt>
|
|
<dd> A data structure that can contain a cryptographic key, a control vector,
|
|
and other information related to the key. Key tokens are used as parameters
|
|
on most of the CCA API verbs that either act on or use keys. </dd>
|
|
</dl>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcco4758.htm" title="IBM offers two Cryptographic Coprocessors, which are available on a variety of server models.">4764 and 4758 Cryptographic Coprocessors</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |