z/OS Cryptographic Services ICSF System Programmer's Guide


DES Internal Key Token

SA22-7520-17

Table 48 shows the format for a DES internal key token.

Table 48. Internal Key Token Format
Bytes             Description
0                 X'01' (flag indicating this is an internal key token)
1-3               Implementation-dependent bytes (X'000000' for ICSF)
4                 Key token version number (X'00' or X'01')
5                 Reserved (X'00')
6                 Flag byte
                    Bit   Meaning When Set On
                    0     Encrypted key and master key verification pattern (MKVP) are present.
                    1     Control vector (CV) value in this token has been applied to the key.
                    2     Key is used for no control vector (NOCV) processing. Valid for transport keys only.
                    3     Key is an ANSI key-encrypting key (AKEK).
                    4     AKEK is a double-length key (16 bytes).
                          Note: When bit 3 is on and bit 4 is off, AKEK is a single-length key (8 bytes).
                    5     AKEK is partially notarized.
                    6     Key is an ANSI partial key.
                    7     Export prohibited.
7                   Bit   Meaning When Set On
                    0-2   Key value encryption method.
                            • 000 - the key is encrypted using the original CCA method (ECB).
                            • 001 - the key is encrypted using the X9.24 enhanced method (CBC).
                          These bits are ignored if the token contains no key or a clear key.
                    3-7   Reserved.
8-15              Master key verification pattern (MKVP)
16-23             A single-length key, the left half of a double-length key, or Part A of a triple-length key. The value is encrypted under the master key when flag bit 0 is on, otherwise it is in the clear.
24-31             X'0000000000000000' if a single-length key, or the right half of a double-length operational key, or Part B of a triple-length operational key. The right half of the double-length key or Part B of the triple-length key is encrypted under the master key when flag bit 0 is on, otherwise it is in the clear.
32-39             The control vector (CV) for a single-length key or the left half of the control vector for a double-length key.
40-47             X'0000000000000000' if a single-length key or the right half of the control vector for a double-length operational key.
48-55             X'0000000000000000' if a single-length key or double-length key, or Part C of a triple-length operational key. Part C of a triple-length key is encrypted under the master key when flag bit 0 is on, otherwise it is in the clear.
56-58             Reserved (X'000000')
59 bits 0 and 1     B'10'   Indicates CDMF DATA or KEK.
                    B'00'   Indicates DES for DATA keys or the system default algorithm for a KEK.
                    B'01'   Indicates DES for a KEK.
59 bits 2 and 3     B'00'   Indicates single-length key (version 0 only).
                    B'01'   Indicates double-length key (version 1 only).
                    B'10'   Indicates triple-length key (version 1 only).
59 bits 4-7       B'0000'
60-63             Token validation value (TVV).
Note:
A key token stored in the CKDS will not have an MKVP or TVV. Before such a key token is used, the MKVP is copied from the CKDS header record and the TVV is calculated and placed in the token. See Token Validation Value for more information.
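
The layout in Table 48, decoded in Python as an added example that is not IBM or ICSF code. It assumes IBM's convention that bit 0 is the most significant bit of a byte; the function name, dictionary keys, and sample token are constructed for illustration.

```python
# Offsets and bit meanings follow Table 48 (DES internal key token, 64 bytes).
# Assumption: bit 0 is the most significant bit of a byte (IBM numbering).
FLAG_BITS = ("encrypted_key_and_mkvp", "cv_applied", "nocv", "akek",
             "akek_double_length", "akek_partially_notarized",
             "ansi_partial_key", "export_prohibited")
ENC_METHOD = {0b000: "original CCA (ECB)", 0b001: "X9.24 enhanced (CBC)"}
ALGORITHM = {0b10: "CDMF DATA or KEK", 0b00: "DES DATA / default KEK",
             0b01: "DES KEK"}
KEY_FORM = {0b00: ("single", 0), 0b01: ("double", 1), 0b10: ("triple", 1)}
PARTS = {"single": 1, "double": 2, "triple": 3}

def parse_des_internal_token(tok: bytes) -> dict:
    """Decode a DES internal key token and list any format violations."""
    if len(tok) != 64:
        raise ValueError("a DES internal key token is 64 bytes long")
    if tok[0] != 0x01:
        raise ValueError("byte 0 is not X'01'; not an internal key token")
    version, flags, flags2, form = tok[4], tok[6], tok[7], tok[59]
    set_flags = [n for i, n in enumerate(FLAG_BITS) if flags & (0x80 >> i)]
    length, want_version = KEY_FORM.get((form >> 4) & 0b11, ("undefined", None))
    problems = []
    if version not in (0, 1):
        problems.append("version is not X'00' or X'01'")
    elif version != want_version:
        problems.append(f"{length}-length key in a version {version} token")
    if tok[5] or any(tok[56:59]) or form & 0x0F or flags2 & 0x1F:
        problems.append("reserved bits are not zero")
    encrypted = "encrypted_key_and_mkvp" in set_flags
    parts = [tok[16:24], tok[24:32], tok[48:56]][:PARTS.get(length, 0)]
    return {
        "version": version, "flags": set_flags, "key_length": length,
        "algorithm": ALGORITHM.get(form >> 6, "undefined"),
        # Method bits are ignored when the token has no key or a clear key.
        "enc_method": ENC_METHOD.get(flags2 >> 5, "undefined") if encrypted else None,
        "mkvp": tok[8:16].hex(), "tvv": tok[60:64].hex(),
        "key_parts": [p.hex() for p in parts], "key_encrypted": encrypted,
        "problems": problems,
    }

# Constructed sample token (filler values, not real key material).
SAMPLE_TOKEN = bytes.fromhex(
    "01000000" + "0100" + "C0" + "20"   # bytes 0-7: version 1, flags, CBC method
    + "11" * 8                          # bytes 8-15: MKVP
    + "A1" * 8 + "A2" * 8               # bytes 16-31: left and right key halves
    + "C1" * 8 + "C2" * 8               # bytes 32-47: control vector halves
    + "00" * 8                          # bytes 48-55: no Part C
    + "000000" + "10"                   # bytes 56-59: reserved, double-length DES
    + "DEADBEEF"                        # bytes 60-63: TVV
)
```

The `problems` list flags tokens whose version byte contradicts the key-length bits in byte 59 or whose reserved fields are nonzero, which is a cheap structural check before a token is trusted further.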





Copyright IBM Corporation 1990, 2014