z/OS Communications Server: SNA Programming


Establishing single-domain cryptographic sessions

SC27-3674-00

About this task

Before a cryptographic session can be established, VTAM® must recognize a request for a cryptographic session, determine whether both ends of the session are capable of cryptography, verify that the levels of cryptographic sessions specified for both ends of the session are compatible, and get a cryptographic session key.

Compatible cryptographic levels need not be the same level. For example, if one partner LU specifies selective encryption and the other specifies required encryption, the established session uses the stronger of the two, required encryption. VTAM rejects the cryptographic session request if one end of the session is not capable of cryptography and the other end requires cryptography.

After determining that both ends of the session are capable of cryptography, VTAM issues a request to the cryptographic service to get a session cryptography key. The cryptographic service could be one of the following:
  • IBM® Programmed Cryptographic Facility (PCF)
  • IBM Cryptographic Unit Support (CUSP)
  • IBM Integrated Cryptographic Service Facility (ICSF/MVS)

In this request, VTAM specifies the name of the SLU. This name is not network-qualified.

If there is no SLU key for the SLU in the cryptographic key data set (CKDS) and if the session is to be selective or required, VTAM rejects the session-initiation request.

If there is an SLU key, VTAM gets a session-cryptography key enciphered under the SLU key and gets another copy enciphered under the host master key. VTAM saves the latter key. Then it puts the former key in the BIND request, and sends the BIND request to the SLU, which stores the session-cryptography key. Then the SLU generates an 8-byte random bit string (called the initial chaining value), saves it, enciphers it (under the session-cryptography key), puts it in the BIND response, and transmits the response to the PLU.

When VTAM receives the BIND response, it uses the session-cryptography key to decipher the initial chaining value and saves the deciphered value. To verify that both ends of the session are using the same session-cryptography key and initial chaining value, VTAM inverts (takes the ones' complement of) the first 4 bytes of the initial chaining value, enciphers the result under the session-cryptography key, and sends it to the SLU in a Cryptography Verification (CRV) request.

The SLU deciphers the value in the CRV request (using the session-cryptography key), inverts the first 4 bytes again, and compares the result with the initial chaining value that it saved earlier. If the values are the same, both ends of the session are confirmed to be using the same session-cryptography key and initial chaining value, and the SLU sends a positive response to the CRV request. If the two values do not match, it sends a negative response to the CRV request.

When the PLU receives a positive response to its CRV request, normal VTAM session-establishment processing continues. If VTAM receives a negative response to its CRV request, it sends an UNBIND request to the SLU to terminate the session. At the PLU, the OPNDST macroinstruction fails with (RTNCD,FDB2)=(X'10',X'01').
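The following is an added illustration of the exchange described above, not code from the manual or from VTAM. It models the cryptographic service and its CKDS, the PLU (VTAM) side and the SLU side as small classes, and walks the session-cryptography key and initial chaining value through BIND, BIND response and CRV, including the negative-response path that ends in UNBIND and an OPNDST failure with (RTNCD,FDB2)=(X'10',X'01'). The manual does not name the cipher, so an 8-byte Feistel block cipher keyed with HMAC-SHA-256 stands in for the hardware cipher the service would use; the CryptoService, SLU and establish names are assumptions for illustration, and the CKDS here holds SLU keys in the clear, which a real CKDS does not.

```python
"""Single-domain cryptographic session set-up: BIND, BIND response, CRV.

Added illustration, not VTAM code. An 8-byte Feistel block cipher keyed with
HMAC-SHA-256 stands in for the cipher the cryptographic service would use;
the class and method names below are assumptions for illustration.
"""
import hashlib
import hmac
import os

# What the PLU application sees when the CRV exchange fails and VTAM sends UNBIND.
OPNDST_CRV_FAILURE = "UNBIND (RTNCD,FDB2)=(X'10',X'01')"


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: 4-byte keyed PRF of one half-block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encipher(key: bytes, block: bytes) -> bytes:
    """Encipher one 8-byte block (stand-in for the service's block cipher)."""
    assert len(block) == 8
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def decipher(key: bytes, block: bytes) -> bytes:
    """Inverse of encipher: run the same rounds backwards."""
    assert len(block) == 8
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def invert_first_4(block: bytes) -> bytes:
    """CRV transform: ones'-complement the first 4 bytes, leave the last 4."""
    return bytes(b ^ 0xFF for b in block[:4]) + block[4:]


class CryptoService:
    """Stands in for PCF/CUSP/ICSF and its CKDS (simplified: SLU keys in clear)."""

    def __init__(self, host_master_key: bytes):
        self._master = host_master_key
        self.ckds = {}  # SLU name (not network-qualified) -> SLU key

    def generate_session_key(self, slu_name: str):
        """Return (key under the SLU key, key under the host master key), or None."""
        slu_key = self.ckds.get(slu_name)
        if slu_key is None:
            return None  # no SLU key: VTAM rejects the session-initiation request
        session_key = os.urandom(8)
        return encipher(slu_key, session_key), encipher(self._master, session_key)

    def decipher_under_master(self, key_under_master: bytes) -> bytes:
        return decipher(self._master, key_under_master)


class SLU:
    """Secondary LU holding its own SLU key (a wrong key models a key mismatch)."""

    def __init__(self, name: str, slu_key: bytes):
        self.name, self._slu_key = name, slu_key
        self._session_key = self._icv = None

    def receive_bind(self, key_under_slu_key: bytes) -> bytes:
        self._session_key = decipher(self._slu_key, key_under_slu_key)
        self._icv = os.urandom(8)  # 8-byte random initial chaining value, saved
        return encipher(self._session_key, self._icv)  # carried in the BIND response

    def receive_crv(self, crv: bytes) -> bool:
        """Decipher, invert the first 4 bytes, compare with the saved ICV."""
        value = invert_first_4(decipher(self._session_key, crv))
        return value == self._icv  # True = positive, False = negative CRV response


def establish(service: CryptoService, slu: SLU) -> str:
    """VTAM (PLU side) processing for one cryptographic session-initiation request."""
    keys = service.generate_session_key(slu.name)
    if keys is None:
        return "REJECTED: no SLU key in CKDS"
    key_under_slu, key_under_master = keys  # VTAM saves only the latter
    bind_response = slu.receive_bind(key_under_slu)  # former goes in the BIND
    session_key = service.decipher_under_master(key_under_master)
    icv = decipher(session_key, bind_response)  # deciphered ICV, saved by VTAM
    crv = encipher(session_key, invert_first_4(icv))
    if not slu.receive_crv(crv):
        return OPNDST_CRV_FAILURE  # negative response: VTAM sends UNBIND
    return "ESTABLISHED"  # positive response: normal session set-up continues


if __name__ == "__main__":
    svc = CryptoService(host_master_key=b"hostmst1")
    svc.ckds["SLU1"] = b"slukey01"
    print(establish(svc, SLU("SLU1", b"slukey01")))  # matching keys
    print(establish(svc, SLU("SLU1", b"wrongkey")))  # CRV mismatch
    print(establish(svc, SLU("SLU9", b"slukey01")))  # no CKDS entry
```

The mismatch case shows why the CRV step exists: an SLU holding a different key deciphers the BIND to a garbage session key, the ICV it returns deciphers to garbage at VTAM, and the CRV comparison fails at the SLU, so the session is torn down before any application data flows under mismatched keys.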

The level of cryptography cannot be set by the application program in the negotiable BIND response; it must be specified in the NIB, using the ENCR operand of the NIB macroinstruction.





Copyright IBM Corporation 1990, 2014