z/OS Cryptographic Services ICSF Administrator's Guide


ANSI X9.17 Key Distribution

SA22-7521-17

ICSF provides callable services that allow you to develop key distribution systems that adhere to the ANSI X9.17 standard.

Restriction: These services are not supported on a PCIXCC/CEX2C.

When protected data is sent between two systems, it is protected by data-encrypting keys. The same data-encrypting key exists on two different systems so that both systems can encipher and decipher the data.

For two systems to exchange keys, they must establish a shared transport key, the ANSI key-encrypting key (AKEK), which is distributed manually. This transport key is bidirectional, and can be used for distributing keys in both directions between System A and System B, as shown in Figure 9.

System A generates the data-encrypting key, enciphers it under System A's master key, and stores it in the CKDS. System A uses the ANSI X9.17 key export callable service to encrypt the data-encrypting key under the shared transport key, AKEKAB, and export it to System B. System B then uses the ANSI X9.17 key import callable service to decrypt the data-encrypting key using the shared transport key, AKEKAB, and then encrypts it under System B's master key. The shared transport key is coupled with source and destination identifiers for System A and System B, and a message counter as defined in the ANSI offset and notarization processes.

The shared ANSI key-encrypting key is bidirectional. System B can also send keys to System A. The systems can also exchange data keys along with the AKEK used to encrypt them. The AKEKs are themselves encrypted under the transport AKEK.
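
The export/import flow described above, modelled as an added example that is not ICSF code and does not implement the DES-based ANSI X9.17 notarization algorithm itself: the wrap construction is a deliberately simplified stand-in built from the Python standard library, the system names, key label and counter are constructed values, and the point shown is that the wrapped key is bound to the source identifier, destination identifier and message counter, so a mismatch on the importing side causes the import to fail.

```python
import hmac, hashlib, os

def wrap(kek: bytes, key: bytes, context: bytes) -> bytes:
    # Illustrative wrap only (NOT the X9.17 DES construction): the key is XORed
    # with a keystream derived from the KEK and context, then tagged so that a
    # different KEK or a different context is detected on unwrap.
    assert len(key) <= 32
    stream = hmac.new(kek, b"enc" + context, hashlib.sha256).digest()[:len(key)]
    ct = bytes(x ^ y for x, y in zip(key, stream))
    tag = hmac.new(kek, b"mac" + context + ct, hashlib.sha256).digest()[:16]
    return ct + tag

def unwrap(kek: bytes, blob: bytes, context: bytes) -> bytes:
    ct, tag = blob[:-16], blob[-16:]
    expected = hmac.new(kek, b"mac" + context + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong KEK or mismatched identifiers/counter")
    stream = hmac.new(kek, b"enc" + context, hashlib.sha256).digest()[:len(ct)]
    return bytes(x ^ y for x, y in zip(ct, stream))

def notarize_context(origin: str, destination: str, counter: int) -> bytes:
    # Binds the transport key use to source, destination and message counter.
    return origin.encode() + b"|" + destination.encode() + b"|" + counter.to_bytes(8, "big")

class System:
    def __init__(self, name: str):
        self.name = name
        self.master_key = os.urandom(32)  # constructed stand-in for the host master key
        self.ckds = {}                     # label -> key wrapped under this master key

    def store(self, label: str, clear_key: bytes) -> None:
        self.ckds[label] = wrap(self.master_key, clear_key, label.encode())

    def export_key(self, label: str, akek: bytes, dest: str, counter: int) -> bytes:
        clear = unwrap(self.master_key, self.ckds[label], label.encode())
        return wrap(akek, clear, notarize_context(self.name, dest, counter))

    def import_key(self, label: str, blob: bytes, akek: bytes, origin: str, counter: int) -> None:
        clear = unwrap(akek, blob, notarize_context(origin, self.name, counter))
        self.store(label, clear)  # re-encrypt under the importing system's master key

def run_exchange():
    akek_ab = os.urandom(16)  # shared transport key AKEKAB, distributed manually (constructed)
    a, b = System("SYSA"), System("SYSB")
    data_key = os.urandom(16)
    a.store("DATAKEY1", data_key)
    msg = a.export_key("DATAKEY1", akek_ab, "SYSB", counter=1)
    b.import_key("DATAKEY1", msg, akek_ab, origin="SYSA", counter=1)
    same = unwrap(b.master_key, b.ckds["DATAKEY1"], b"DATAKEY1") == data_key
    try:  # the same message presented with a different counter is rejected
        b.import_key("DATAKEY1", msg, akek_ab, origin="SYSA", counter=2)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return same, mismatch_rejected
```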

ANSI X9.17 key distribution can take place in several types of environments:

  • Point-to-point environment
  • Key distribution center environment
  • Key translation center environment

For more information on ANSI X9.17 key distribution, refer to the ANSI X9.17 Standard.

Copyright IBM Corporation 1990, 2014