z/OS Cryptographic Services ICSF Administrator's Guide


MAC Keys

SA22-7521-17

Message authentication is the process of verifying the integrity of transmitted messages. Message authentication code (MAC) processing enables you to verify that a message has not been altered. You can use a MAC to check that a message you receive is the same one the message originator sent. The message itself may be in clear or encrypted form. MAC keys are either single-length (64-bit) or double-length (128-bit) keys.

A DES MAC key or DATA key checks that a message you receive is the same one the message originator sent.

Note:
For CCF/PCICC systems only. In order to generate and use double-length MAC keys in importable or exportable form, the CKDS must contain NOCV-enablement keys and ANSI system keys. When creating a new CKDS, add the NOCV-enablement keys and ANSI system keys during the initialization process. For information on initializing a CKDS, refer to Initializing the CKDS and PKDS at First-Time Startup.

ICSF uses these MAC keys in message authentication:

MAC Generation Keys
Before sending a message, an application program can generate an authentication code for the message, using the MAC generate callable service. The callable service computes the message authentication code by using a MAC generation key to process the message text. The originator of the message sends the message authentication code with the message text.

Single-length MAC generation keys (MAC keys) are used in the ANSI X9.9-1 MAC procedure. They support EMV algorithms. Double-length MAC generation keys (DATAM keys) are used in the ANSI X9.19 optional double key MAC procedure. For compatibility with ICSF Version 2 Release 1, ICSF continues to support the MACD key type, which uses the single-length control vector for both the left and right half of the key to create an external token (MAC || MAC).

On the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196, ICSF supports double-length MAC keys with the MAC key type.

MAC Verification Key
The message receiver uses a single-length (MACVER) or double-length (DATAMV) MAC verification key to verify the message authentication code that the message originator sends.
Note:
On the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196, ICSF supports double-length MACVER keys with the MACVER key type.

When the receiver gets the message, an application program calls the MAC verify callable service. The callable service verifies a message authentication code by using the MAC verification key to process the message text. It compares the MAC it generates internally with the MAC that was sent with the message. If the two MACs are the same, the message that was sent is identical to the message that was received.

The MAC generation key the sender uses and the MAC verification key the receiver uses have the same clear value. However, each is protected under the master key variant for its key type.
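The generate/verify flow described above, as an added example in Go that is not ICSF code and does not call the MAC generate or MAC verify callable services: the ANSI X9.9-1 chain for a single-length key and the ANSI X9.19 double-key procedure for a double-length key, followed by the receiver's comparison. It assumes zero-padding of the text to whole 8-byte blocks, a zero starting value, and returns the full 64-bit result; the sample keys and message are constructed, and ICSF's key tokens, control vectors and master-key protection are not modeled.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// padZero extends msg with zero bytes to a whole number of 8-byte DES
// blocks (assumed padding; an empty message becomes one all-zero block).
func padZero(msg []byte) []byte {
	padded := (len(msg) + 7) / 8 * 8
	if padded == 0 {
		padded = 8
	}
	out := make([]byte, padded)
	copy(out, msg)
	return out
}

// cbcMACDES is the ANSI X9.9-1 chain: zero starting value, each block XORed
// into the running value and encrypted with single DES under the 8-byte key.
func cbcMACDES(key, msg []byte) ([]byte, error) {
	if len(key) != 8 {
		return nil, errors.New("single-length MAC key must be 8 bytes")
	}
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	data := padZero(msg)
	state := make([]byte, 8)
	block := make([]byte, 8)
	for i := 0; i < len(data); i += 8 {
		for j := 0; j < 8; j++ {
			block[j] = state[j] ^ data[i+j]
		}
		c.Encrypt(state, block)
	}
	return state, nil
}

// MACX99 is what a single-length MAC generation key produces: the full
// 64-bit X9.9 result (many deployments keep only the leftmost 32 bits).
func MACX99(key, msg []byte) ([]byte, error) {
	return cbcMACDES(key, msg)
}

// MACX919 is the ANSI X9.19 optional double-key MAC for a double-length
// key K1||K2: the X9.9 chain runs under K1, then the final value is
// decrypted under K2 and re-encrypted under K1.
func MACX919(key, msg []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("double-length MAC key must be 16 bytes")
	}
	k1, k2 := key[:8], key[8:]
	inner, err := cbcMACDES(k1, msg)
	if err != nil {
		return nil, err
	}
	c1, err := des.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := des.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	tmp := make([]byte, 8)
	out := make([]byte, 8)
	c2.Decrypt(tmp, inner)
	c1.Encrypt(out, tmp)
	return out, nil
}

// VerifyMAC is the receiver's side: recompute under the verification key
// (same clear value as the sender's generation key) and compare in constant
// time so a failed check does not reveal how many bytes matched.
func VerifyMAC(key, msg, received []byte, doubleLength bool) (bool, error) {
	var expected []byte
	var err error
	if doubleLength {
		expected, err = MACX919(key, msg)
	} else {
		expected, err = MACX99(key, msg)
	}
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(expected, received) == 1, nil
}

func main() {
	// Constructed sample keys and message, not values from any ICSF system.
	macKey, _ := hex.DecodeString("0123456789ABCDEF")
	datamKey, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	msg := []byte("Now is the time for all ")
	m1, _ := MACX99(macKey, msg)
	m2, _ := MACX919(datamKey, msg)
	fmt.Printf("X9.9  MAC: %X\n", m1)
	fmt.Printf("X9.19 MAC: %X\n", m2)
	ok, _ := VerifyMAC(datamKey, msg, m2, true)
	fmt.Println("verify   :", ok)
	msg[0] ^= 0x01 // one altered bit in the received text
	ok, _ = VerifyMAC(datamKey, msg, m2, true)
	fmt.Println("tampered :", ok)
}
```

A double-length key whose halves are equal reduces X9.19 to the X9.9 result under the first half, which is why the MACD compatibility token described above (the same single-length control vector on both halves) interoperates with single-length processing.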





Copyright IBM Corporation 1990, 2014