ICSF uses master keys to protect other keys. Keys are active
on a system only when they are encrypted under a master key variant,
so the master key protects all keys that are used on the system. A
key is in operational form when it has been encrypted under a master
key variant.
The ICSF administrator initializes and changes master keys using
the ICSF panels or TKE. Master keys always remain in a secure area
in the cryptographic hardware.
ICSF uses master keys to protect keys that are used with the
PCICC, PCIXCC, CEX2C, or CEX3C:
- DES Master Key: The DES master key (DES-MK) is a 16-byte (128-bit) key that is used to protect symmetric DES/TDES keys used on the PCICC, PCIXCC, CEX2C, or CEX3C. On a PCICC, this key must have the same value as the DES master key on the zSeries.
- AES Master Key: The AES master key (AES-MK) is a 32-byte (256-bit) key that is used to protect AES keys used on the CEX2C or CEX3C, and HMAC keys used on a CEX3C. It is available only on the z9 EC, z9 BC, z10 EC, z10 BC, and z196 with the Nov. 2008 or later licensed internal code (LIC).
- RSA Master Key: The RSA master key (RSA-MK) is a 24-byte (192-bit) key that protects RSA private keys used on the PCICC, PCIXCC, CEX2C, or CEX3C.
- ECC Master Key: The ECC master key (ECC-MK) is a 32-byte (256-bit) key that is used to protect ECC keys used on the CEX3C. It is available only on the z196 with the Sept. 2010 or later licensed internal code (LIC).
Restriction: Master keys on a z990 or z890 require a PCIXCC or CEX2C. Master keys on a z9 EC and z9 BC require a CEX2C. Master keys on a z10 EC and z10 BC require a CEX2C or CEX3C. Master keys on a z196 require a CEX3C.
ICSF uses three types of master keys to protect keys that are
used with the Cryptographic Coprocessor Feature:
- DES Master Key: The DES master key is a double-length (128-bit) key that is used to protect DES and CDMF keys.
- PKA Key Management Master Key: The PKA key management master key (KMMK) is a triple-length (192-bit) key. The KMMK protects PKA private keys that are used both in the digital signature services and in the CDMF and DES data key distribution functions. Support for the PKA KMMK is available only on the Cryptographic Coprocessor Feature on the IBM zSeries 900 processors.
- PKA Signature Master Key: The PKA signature master key (SMK) is a triple-length (192-bit) key. The SMK protects PKA private keys that are used only in digital signature services. Support for the PKA SMK is available only on the Cryptographic Coprocessor Feature on the IBM zSeries 900 processors.
Note: On CCF systems, it is strongly recommended that the KMMK have the same value as the SMK.