Summary of the content on the page No. 1
IBM PCI Cryptographic Coprocessor
CCA Basic Services Reference and Guide
Release 2.54
IBM iSeries PCICC Feature
CCA Release 2.54
Summary of the content on the page No. 2
CCA Release 2.54 Note! Before using this information and the product it supports, be sure to read the general information under “Notices” on page xiii. | Thirteenth Edition (December, 2004) | This manual describes the IBM Common Cryptographic Architecture (CCA) Basic Services API, Release 2.54 as revised in | December 2004, implemented for the IBM eServer iSeries PCI Cryptographic Coprocessor hardware feature (#4801) and OS/400 | Option 35, CCA CSP. This Basic Services manual replaces the m
Summary of the content on the page No. 3
CCA Release 2.54 Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii About This Publication ................................ xv Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii Related Publications . . . . . . . . .
Summary of the content on the page No. 4
CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD) . . . . . . . . . . . . . . . . 2-46 Key_Storage_Designate (CSUAKSD) . . . . . . . . . . . . . . . . . . . . . . . 2-48 Key_Storage_Initialization (CSNBKSI) . . . . . . . . . . . . . . . . . . . . . . . 2-50 Logon_Control (CSUALCT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-52 Master_Key_Distribution (CSUAMKD) . . . . . . . . . . . . . . . . . . . . . . . 2-55 Master_Key_Process (CSNBMKP) . . . . . . . . . . . . . .
Summary of the content on the page No. 5
CCA Release 2.54 Cryptographic_Variable_Encipher (CSNBCVE) . . . . . . . . . . . . . . . . . . 5-29 Data_Key_Export (CSNBDKX) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31 Data_Key_Import (CSNBDKM) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33 Diversified_Key_Generate (CSNBDKG) . . . . . . . . . . . . . . . . . . . . . . 5-35 Key_Export (CSNBKEX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 Key_Generate (CSNBKGN) . . . . . . . . . . . . . . . .
Summary of the content on the page No. 6
CCA Release 2.54 Providing Security for PINs ............................ 8-6 Using Specific Key Types and Key-Usage Bits to Help Ensure PIN Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7 Supporting Multiple PIN-Calculation Methods .................. 8-8 PIN-Calculation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 Data_Array . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 Supporting Multiple PIN-Block F
Summary of the content on the page No. 7
CCA Release 2.54 Aggregate Role Structure ........................... B-30 Access-Control-Point List . . . . . . . . . . . . . . . . . . . . . . . . . . . B-30 Default Role Contents ............................. B-31 Profile Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-32 Basic Structure of a Profile .......................... B-32 Aggregate Profile Structure .......................... B-33 Authentication Data Structure ........................ B-33 Examples
Summary of the content on the page No. 8
CCA Release 2.54 Triple-DES Ciphering Algorithms ........................ D-10 MAC Calculation Methods .............................. D-13 RSA Key-Pair Generation .............................. D-15 Access-Control Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-16 Passphrase Verification Protocol ........................ D-16 Design Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-16 Description of the Protocol .......................... D-16
Summary of the content on the page No. 9
CCA Release 2.54 Figures 1-1. CCA Security API, Access Layer, Cryptographic Engine ........ 1-3 2-1. CCA Node, Access-Control, and Master-Key Management Verbs .. 2-1 2-2. Coprocessor-to-Coprocessor Master-Key Cloning ........... 2-16 2-3. Cryptographic_Facility_Query Information Returned in the Rule Array 2-36 3-1. Public-Key Key-Administration Services ................. 3-1 3-2. PKA96 Verbs with Key-Token Flow .................... 3-2 3-3. PKA_Key_Token_Build Key-Values-Structure Contents
Summary of the content on the page No. 10
CCA Release 2.54 A-3. Reason Codes for Return Code 4 .................... A-3 A-4. Reason Codes for Return Code 8 .................... A-4 A-5. Reason Codes for Return Code 12 ................... A-10 A-6. Reason Codes for Return Code 16 ................... A-11 B-1. PKA Null Key-Token Format ....................... B-2 B-2. Internal DES Key-Token, Version 0 Format (Version 2 Software) .. B-3 B-3. Internal DES Key-Token, Version 3 Format .............. B-3 B-4. External DES Key-Token Format,
Summary of the content on the page No. 11
CCA Release 2.54 C-1. Key Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2 C-2. Key Type Default Control-Vector Values ................ C-3 C-3. Control-Vector-Base Bit Map ....................... C-5 C-4. Multiply-Enciphering and Multiply-Deciphering CCA Keys ...... C-13 C-5. PKA96 Clear DES Key Record ..................... C-14 C-6. NL-EPP-5 Key Record Format ...................... C-16 C-7. Exchanging a Key with a Non-Control-Vector System ........ C-18 C-8. Cont
Summary of the content on the page No. 12
CCA Release 2.54 xii IBM 4758 CCA Basic Services, Release 2.54, February 2005
Summary of the content on the page No. 13
CCA Release 2.54 Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM’s product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any of IBM’s intellectual property rights or other legally protectable rights may
Summary of the content on the page No. 14
CCA Release 2.54 The following terms, denoted by a double asterisk (**) in this publication, are the trademarks of other companies: Diebold Diebold Inc. Docutel Docutel MasterCard MasterCard International, Inc. Pentium Intel Corporation NCR National Cash Register Corporation RSA RSA Data Security, Inc. UNIX UNIX Systems Laboratories, Inc. VISA VISA International Service Association SET SET Secure Electronic Transaction LLC xiv IBM 4758 CCA Basic Services, Release 2.54, February 2005
Summary of the content on the page No. 15
CCA Release 2.54 Revision History About This Publication The manual is intended for systems and applications analysts and application programmers who will evaluate or create programs for the IBM 4758 Common Cryptographic Architecture (CCA) support for the IBM 4758 Models 002 and 023 technology used with IBM eServer iSeries (OS/400) Option 35, CCA CSP on OS/400 systems. Please reference the IBM iSeries Web sites for the specific features and supported levels of software related to the IBM 4758
Summary of the content on the page No. 16
Revision History CCA Release 2.54 Eleventh Edition, April, 2004, CCA Support Program, Release 2.52 This revision to the February, 2004, edition of the IBM 4758 CCA Basic Services Reference and Guide for the IBM 4758 Models 002 and 023, Release 2.52, replaces the February, 2004, Release 2.51 edition. Incorporated changes include: Addition of a second set of issuer-master key parameters with revised processing in the PIN_Change/Unblock (CSNBPCU) verb. The processing changes are further descri
Summary of the content on the page No. 17
CCA Release 2.54 Revision History 1. Functions in support of EMV-compatible smart-cards. Support of the PIN Change/Unblock function described in the VISA Integrated Circuit Card Specification Manual, Section C.11 Support of the key-generation function used for secure messaging described in the VISA Integrated Circuit Card Specification Manual, Section B.4 Encryption of PINs and keys for inclusion in smart-card transactions with EMV-compatible smart cards. This support is provided throug
Summary of the content on the page No. 18
Revision History CCA Release 2.54 Eighth Edition, Revised, CCA Support Program, Release 2.41 This revised Release 2.41 manual incorporates additional information concerning access controls (see “CCA Access-Control” on page 2-2) and other minor editorial changes. Eighth Edition, CCA Support Program, Release 2.41 The major items changed, extended, or added in Release 2.41 include: The Key_Export, Key_Import, Data_Key_Export, and Data_Key_Import now require the exporter or importer key to have
Summary of the content on the page No. 19
CCA Release 2.54 Revision History can create an application to to clone keys having any of the CSS, CSR, and SA keys longer than 1024-bits. See “Establishing Master Keys” on page 2-13. The PKA_Key_Token_Change verb now returns return code 0 and reason code 0 if you request to update a key token that contains only a public key. A key token containing only a public key is legitimate, but the PKA_Key_Token_Change verb will have no effect on such a key token. The verb used to return reason code
Summary of the content on the page No. 20
Revision History CCA Release 2.54 The PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, and PKA_Symmetric_Key_Import verbs are updated to include support of the “OAEP” key-wrapping technique as specified in the RSA PKCS#1-v2.0 specification. The action associated with the derivation-counter in control vector bits 12-14 in the Diversified_Key_Generate verb when using the TDES-ENC and TDES-DEC keywords is described on page 5-37. Weak-key checking in the Master_Key_Process verb is corr