Message authentication is the process of verifying the integrity
of transmitted messages. Message authentication code (MAC) processing
enables you to verify that a message has not been altered. You can
use a MAC to check that a message you receive is the same one the
message originator sent. The message itself may be in clear or encrypted
form. MAC keys are either single-length (64-bit) or double-length
(128-bit) keys.
A DES MAC key or DATA key checks that a message you receive is
the same one the message originator sent.
Note: For CCF/PCICC systems only. In order to generate and use
double-length MAC keys in importable or exportable form, the CKDS
must contain NOCV-enablement keys and ANSI system keys. When creating
a new CKDS, add the NOCV-enablement keys and ANSI system keys during
the initialization process. For information on initializing a CKDS,
refer to "Initializing the CKDS and PKDS at First-Time Startup".
ICSF uses these MAC keys in message authentication:
- MAC Generation Keys
Before sending a message, an application program can generate
an authentication code for the message, using the MAC generate callable
service. The callable service computes the message authentication
code by using a MAC generation key to process the message text. The
originator of the message sends the message authentication code with
the message text.
Single-length MAC generation keys (MAC keys) are
used in the ANSI X9.9-1 MAC procedure. They support EMV algorithms. Double-length
MAC generation keys (DATAM keys) are used in the ANSI X9.19 optional
double key MAC procedure. For compatibility with ICSF Version 2 Release
1, ICSF continues to support the MACD key type, which uses the single-length
control vector for both the left and right half of the key to create
an external token (MAC || MAC).
On the z990, z890, z9 EC, z9
BC, z10 EC, z10 BC, and z196, ICSF supports double-length
MAC keys with the MAC key type.
- MAC Verification Key
The message receiver uses a single-length (MACVER) or double-length
(DATAMV) MAC verification key to verify the message authentication
code that the message originator sends.
Note: On the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196, ICSF
supports double-length MACVER keys with the MACVER key type.
When the receiver gets the message, an application program
calls the MAC verify callable service. The callable service verifies
a message authentication code by using the MAC verification key to
process the message text. It compares the MAC it generates internally
with the MAC that was sent with the message. If the two MACs are the
same, the message that was sent is identical to the message that was
received.
The MAC generation key the sender uses and the MAC verification
key the receiver uses have the same clear value. However, each is
protected under the master key variant for its key type.
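The generate-and-verify flow described above, as an added Go example that is not ICSF code and not from the original page: it computes the ANSI X9.9 single-key MAC and the X9.19 optional double-key MAC in software with clear keys, whereas the ICSF callable services operate on keys protected under master key variants. The function names, the sample key and the sample message are assumptions of this example.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// GenerateMAC returns the leftmost macLen bytes of a DES CBC-MAC over msg.
// 8-byte key: ANSI X9.9 procedure. 16-byte key: X9.19 optional double-key
// procedure (final block decrypted with the right half, re-encrypted with the left).
func GenerateMAC(key, msg []byte, macLen int) ([]byte, error) {
	if (len(key) != 8 && len(key) != 16) || macLen < 4 || macLen > 8 {
		return nil, errors.New("need 8- or 16-byte key and MAC length of 4 to 8 bytes")
	}
	left, err := des.NewCipher(key[:8])
	if err != nil {
		return nil, err
	}
	padded := append([]byte{}, msg...)
	for len(padded) == 0 || len(padded)%8 != 0 {
		padded = append(padded, 0) // zero-pad to a whole 8-byte block
	}
	state := make([]byte, 8) // zero initial chaining value
	for i := 0; i < len(padded); i += 8 {
		for j := range state {
			state[j] ^= padded[i+j]
		}
		left.Encrypt(state, state)
	}
	if len(key) == 16 {
		right, err := des.NewCipher(key[8:])
		if err != nil {
			return nil, err
		}
		right.Decrypt(state, state)
		left.Encrypt(state, state)
	}
	return state[:macLen], nil
}

// VerifyMAC recomputes the MAC over the received text and compares in constant time.
func VerifyMAC(key, msg, mac []byte) bool {
	want, err := GenerateMAC(key, msg, len(mac))
	return err == nil && subtle.ConstantTimeCompare(want, mac) == 1
}

func main() {
	key := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // sample key, not from the page
	msg := []byte("7654321 Now is the time for ")                  // sample message, not from the page
	mac, _ := GenerateMAC(key, msg, 4)
	fmt.Printf("MAC %x verify=%v\n", mac, VerifyMAC(key, msg, mac))
}
```

The receiver side is `VerifyMAC`: it never trusts the MAC that arrived with the message, only the one it recomputes from the received text and its own copy of the key.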