Keys can either be clear or encrypted. A clear key is the base value of a key. A clear key is not encrypted under another key. To create an encrypted key, either a master key or a transport key is used to encrypt the base value of the key.

Clear keys, if used carelessly, can compromise security. In symmetric cryptographic processes, such as DES or AES, anyone can use the clear key and the publicly known algorithm to decipher data, key values, or PINs. In asymmetric cryptographic processes it is important to protect the clear value of the private key. It would cause a serious security exposure if the wrong person obtained the value of the private key. It could be used to forge electronic signatures on documents, or decipher key values encrypted under the corresponding public key.

ICSF uses clear key values to encode and decode data. You can use the encode and decode callable services (CSNBECO and CSNBDCO) or the ICSF utility panels to encode and decode data. For a description of the callable services, see z/OS Cryptographic Services ICSF Application Programmer’s Guide. For a description of how to use the utility panels, see Using the Utility Panels to Encode and Decode Data.

ICSF may have to input and output clear keys. For example, it might receive and send clear keys when it communicates with other cryptographic systems that use clear keys in their functions. When you give ICSF a clear key value, ICSF can encrypt the key before using it on the system. ICSF has specific callable services that perform this function. These callable services are clear key import and secure key import, which are described in z/OS Cryptographic Services ICSF Application Programmer’s Guide.