z/OS Security Server RACF Macros and Interfaces


Incorporating the secured signon session key generator algorithm into your program

SA23-2288-00

To generate a secured signon session key without using the secured signon session key generator service, you need to incorporate the secured signon session key generator algorithm into your program.

To ensure that both sides derive the same session key, the non-RACF application and the second-party network entity must both implement the following steps identically.

The secured signon session key generator algorithm consists of two parts:
  • Secured signon session key generation logic
  • CDMF key-weakening logic
The flowcharts in Figure 1 and Figure 2 and the descriptions that follow show how to implement the secured signon session key generator algorithm.

Secured signon session key generation logic

Figure 1. Secured signon session key generation logic (flowchart)
The secured signon session key generation logic is:
  1. The PassTicket used to establish the session is time-coder evaluated to extract the time stamp.

    This is the reverse process of steps 5 and 6 as described in Incorporating the PassTicket generator algorithm into your program. If the time stamp used to generate the PassTicket is already known, this step can be skipped.

  2. The input user ID is DES-encrypted with the secured signon key shared with the second party network entity.
    Note: Steps 2 through 4 of this secured signon session key generation logic are the same as steps 1 and 2 of Incorporating the PassTicket generator algorithm into your program.
  3. The result of step 2 is XORed with the non-RACF application name.
  4. The result of step 3 is again DES-encrypted with the secured signon key.
  5. The left 4 bytes of the result of step 4 are XORed with the left 4 bytes of the time stamp (the result of step 1). The 4-byte result is then concatenated with the right 4 bytes of the result of step 4, which are left unchanged, to form an 8-byte value.
  6. The result of step 5 is DES-encrypted with the secured signon key to produce a strong session key.
  7. The result of step 6 is weakened using CDMF to produce the final secured signon session key.

CDMF key-weakening logic

Figure 2. CDMF key-weakening logic (flowchart)
The CDMF key-weakening logic is:
  1. The parity bits of the key are zeroed by ANDing it with the string X'FEFEFEFEFEFEFEFE'.
  2. The result of step 1 is DES-encrypted with the key X'C408B0540BA1E0AE'.
  3. The result of step 2 is XORed with the result of step 1.
  4. The result of step 3 is ANDed with the string X'0EFE0EFE0EFE0EFE'. This mask leaves only 40 significant bits (3 bits in the first byte of each pair and 7 in the second), which is what reduces the final key to CDMF's 40-bit strength.
  5. The result of step 4 is DES-encrypted with the key X'EF2C041CE6382FE6' to produce the weakened key.
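The following Go program is an added example and is not part of the RACF documentation or of any IBM code. It implements both parts of the algorithm described above, the session key generation logic (steps 2 through 6) and the CDMF key-weakening logic (steps 1 through 5), using the standard library's crypto/des for the single-block DES encryptions. It assumes that the caller has already converted the user ID and application name into the 8-byte blocks RACF uses (upper-case, blank-padded EBCDIC, as set out in the PassTicket generator algorithm; this page does not restate that) and that the 4-byte time stamp is already known, which the text permits when step 1 is skipped. The function names, the sample secured signon key, user ID, application name and time stamp are all constructed for the example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// mustHex converts a 16-hex-digit string into an 8-byte block. It panics on
// malformed input because it is only applied to constants in this example.
func mustHex(s string) [8]byte {
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != 8 {
		panic("mustHex: expected 16 hex digits: " + s)
	}
	var out [8]byte
	copy(out[:], b)
	return out
}

// desEncryptBlock encrypts a single 8-byte block with single DES under an
// 8-byte key. crypto/des does not check key parity, so the masked values
// produced by the CDMF steps are accepted as keys without adjustment.
func desEncryptBlock(key, block [8]byte) [8]byte {
	c, err := des.NewCipher(key[:])
	if err != nil {
		panic(err) // only possible for a wrong key length, which [8]byte rules out
	}
	var out [8]byte
	c.Encrypt(out[:], block[:])
	return out
}

func xor8(a, b [8]byte) [8]byte {
	var out [8]byte
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func and8(a, b [8]byte) [8]byte {
	var out [8]byte
	for i := range out {
		out[i] = a[i] & b[i]
	}
	return out
}

// StrongSessionKey implements steps 2 through 6 of the session key generation
// logic. userID and applName are the 8-byte blocks RACF uses (assumed here to be
// upper-case, blank-padded EBCDIC); timeStamp is the 4-byte value that step 1
// extracts from the PassTicket, or that both parties already know.
func StrongSessionKey(signonKey, userID, applName [8]byte, timeStamp [4]byte) [8]byte {
	step2 := desEncryptBlock(signonKey, userID) // user ID under the secured signon key
	step3 := xor8(step2, applName)              // XOR with the application name
	step4 := desEncryptBlock(signonKey, step3)  // encrypt again under the secured signon key
	step5 := step4                              // array copy: right 4 bytes stay unchanged
	for i := 0; i < 4; i++ {
		step5[i] ^= timeStamp[i] // left 4 bytes XOR left 4 bytes of the time stamp
	}
	return desEncryptBlock(signonKey, step5) // step 6: the strong session key
}

// CDMF constants exactly as given in the key-weakening logic.
var (
	cdmfParityMask = mustHex("FEFEFEFEFEFEFEFE") // clears the low-order (parity) bit of each byte
	cdmfKey1       = mustHex("C408B0540BA1E0AE")
	cdmf40BitMask  = mustHex("0EFE0EFE0EFE0EFE") // leaves 40 significant bits
	cdmfKey2       = mustHex("EF2C041CE6382FE6")
)

// cdmfMaskedKey performs steps 1 through 4 of the key-weakening logic and returns
// the 40-bit-effective value that feeds the final DES step.
func cdmfMaskedKey(key [8]byte) [8]byte {
	step1 := and8(key, cdmfParityMask)
	step2 := desEncryptBlock(cdmfKey1, step1)
	step3 := xor8(step2, step1)
	return and8(step3, cdmf40BitMask)
}

// CDMFWeaken implements the complete key-weakening logic (steps 1 through 5).
func CDMFWeaken(key [8]byte) [8]byte {
	return desEncryptBlock(cdmfKey2, cdmfMaskedKey(key))
}

// SecuredSignonSessionKey chains both parts: strong key first, then CDMF weakening.
func SecuredSignonSessionKey(signonKey, userID, applName [8]byte, timeStamp [4]byte) [8]byte {
	return CDMFWeaken(StrongSessionKey(signonKey, userID, applName, timeStamp))
}

func main() {
	// Constructed sample inputs (not real keys): an 8-byte secured signon key,
	// EBCDIC "USER01  " and "APPL1   ", and an arbitrary 4-byte time stamp.
	signonKey := mustHex("0123456789ABCDEF")
	userID := [8]byte{0xE4, 0xE2, 0xC5, 0xD9, 0xF0, 0xF1, 0x40, 0x40}
	applName := [8]byte{0xC1, 0xD7, 0xD7, 0xD3, 0xF1, 0x40, 0x40, 0x40}
	timeStamp := [4]byte{0x5F, 0x5E, 0x10, 0x00}

	strong := StrongSessionKey(signonKey, userID, applName, timeStamp)
	weak := CDMFWeaken(strong)
	fmt.Printf("strong session key:  %X\n", strong[:])
	fmt.Printf("secured session key: %X\n", weak[:])
}
```

Two practical points follow from the code. First, the X'0EFE0EFE0EFE0EFE' mask leaves only 40 significant bits before the last DES step, so the secured signon session key has at most 40 bits of strength whatever the length of the secured signon key; that is the purpose of CDMF (IBM's Commercial Data Masking Facility), and any party that skips the weakening will compute a different key from the one RACF expects. Second, because step 1 of the weakening clears every parity bit, two strong keys that differ only in those bits weaken to the same session key, so an implementation must not rely on parity bits to carry information.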





Copyright IBM Corporation 1990, 2014