Benutzeranleitung / Produktwartung 2 des Produzenten IBM
Zur Seite of 508
IBM PCI Cryptographic Coprocessor CCA Basic Services Reference and Guide Release 2.54 IBM iSeries PCICC Feature CCA Release 2.54.
CCA Release 2.54 Note! Before using this information and the product it supports, be sure to read the general information under “Notices” on page xiii. | Thirteenth Edition (December, 2004) | This manual describes the IBM Common Cryptographic Architecture (CCA) Basic Services API, Release 2.
CCA Release 2.54 Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii About This Publication .............
CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD) . . . . . . . . . . . . . . . . 2-46 Key_Storage_Designate (CSUAKSD) . . . . . . . . . . . . . . . . . . . . . . . 2-48 Key_Storage_Initialization (CSNBKSI) . . . . . . . . . . . . . . . . .
CCA Release 2.54 Cryptographic_Variable_Encipher (CSNBCVE) . . . . . . . . . . . . . . . . . . 5-29 Data_Key_Export (CSNBDKX) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31 Data_Key_Import (CSNBDKM) . . . . . . . . . . . . . . . . . . . . .
CCA Release 2.54 Providing Security for PINs ............................ 8-6 Using Specific Key Types and Key-Usage Bits to Help Ensure PIN Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7 Supporting Multiple PIN-Calculation Methods .
CCA Release 2.54 Aggregate Role Structure ........................... B-30 Access-Control-Point List . . . . . . . . . . . . . . . . . . . . . . . . . . . B-30 Default Role Contents ............................. B-31 Profile Structure . . . . . . . . .
CCA Release 2.54 Triple-DES Ciphering Algorithms ........................ D-10 MAC Calculation Methods .............................. D-13 RSA Key-Pair Generation .............................. D-15 Access-Control Algorithms . . . . . . . . . . . . . .
CCA Release 2.54 Figures 1-1. CCA Security API, Access Layer, Cryptographic Engine ........ 1-3 2-1. CCA Node, Access-Control, and Master-Key Management Verbs .. 2-1 2-2. Coprocessor-to-Coprocessor Master-Key Cloning ........... 2-16 2-3. Cryptographic_Facility_Query Information Returned in the Rule Array 2-36 3-1.
CCA Release 2.54 A-3. Reason Codes for Return Code 4 .................... A-3 A-4. Reason Codes for Return Code 8 .................... A-4 A-5. Reason Codes for Return Code 12 ................... A-10 A-6. Reason Codes for Return Code 16 .............
CCA Release 2.54 C-1. Key Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2 C-2. Key Type Default Control-Vector Values ................ C-3 C-3. Control-Vector-Base Bit Map ....................... C-5 C-4. Multiply-Enciphering and Multiply-Deciphering CCA Keys .
CCA Release 2.54 xii IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM’s product, program, or service may be used.
CCA Release 2.54 The following terms, denoted by a double asterisk (**) in this publication, are the trademarks of other companies: Diebold Diebold Inc. Docutel Docutel MasterCard MasterCard International, Inc. Pentium Intel Corporation NCR National Cash Register Corporation RSA RSA Data Security, Inc.
CCA Release 2.54 Revision History About This Publication The manual is intended for systems and applications analysts and application programmers who will evaluate or create programs for the IBM 4758 .
Revision History CCA Release 2.54 Eleventh Edition, April, 2004, CCA Support Program, Release 2.52 This revision to the February, 2004, edition of the IBM 4758 CCA Basic Services Reference and Guide for the IBM 4758 Models 002 and 023 , Release 2.52, replaces the February, 2004, Release 2.
CCA Release 2.54 Revision History 1. Functions in support of EMV-compatible smart-cards. Support of the PIN Change/Unblock function described in the VISA Integrated Circuit Card Specification Manual , Section C.
Revision History CCA Release 2.54 Eighth Edition, Revised, CCA Support Program, Release 2.41 This revised Release 2.41 manual incorporates additional information concerning access controls (see “CCA Access-Control” on page 2-2) and other minor editorial changes.
CCA Release 2.54 Revision History can create an application to to clone keys having any of the CSS, CSR, and SA keys longer than 1024-bits. See “Establishing Master Keys” on page 2-13. The PKA_Key_Token_Change verb now returns return code 0 and reason code 0 if you request to update a key token that contains only a public key.
Revision History CCA Release 2.54 The PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, and PKA_Symmetric_Key_Import verbs are updated to include support of the “OAEP” key-wrapping technique as specified in the RSA PKCS#1-v2.0 specification.
CCA Release 2.54 Fifth Edition, CCA Support Program, Release 2.30 The fifth edition of the IBM 4758 CCA Basic Services Reference and Guide Version 2.30 for the IBM 4758 Models 002 and 023 technology a.
CCA Release 2.54 Organization This manual includes: Chapter 1, “Introduction to Programming for the IBM CCA” presents an introduction to programming for the CCA application programming interface and products.
CCA Release 2.54 Related Publications In addition to the manuals listed below, you may wish to refer to other CCA product publications which may be of use with applications and systems you might develop for use with the IBM 4758 product.
CCA Release 2.54 IBM Journal of Research and Development Volume 38 Number 2, 1994 , G322-0191 USA Federal Information Processing Standard (FIPS): – Data Encryption Standard, 46-1-1988 – Secure Hash Algorithm, 180-1, May 31, 1994 – Cryptographic Module Security, 140-1.
CCA Release 2.54 Chapter 1. Introduction to Programming for the IBM CCA This chapter introduces you to the IBM Common Cryptographic Architecture (CCA) application programming interface (API).
CCA Release 2.54 An Overview of the CCA Environment Figure 1-1 on page 1-3 provides a conceptual framework for positioning the CCA Security API . Application programs make procedure calls to the API to obtain cryptographic and related I/O services.
CCA Release 2.54 Figure 1-1. CCA Security API, Access Layer, Cryptographic Engine IBM 4758 PCI Cryptographic Coprocessor: The Coprocessor provides a secure programming and hardware environment wherein DES and RSA processes are performed.
CCA Release 2.54 Applications employ the CCA security API to obtain services from and to manage the operation of a cryptographic system that meets CCA architecture specifications. Cryptographic Engine: The CCA architecture defines a cryptographic subsystem that contains a cryptographic engine operating within a protected boundary.
CCA Release 2.54 Establishing a Master Key: To protect working keys, the master key must be generated and initialized in a secure manner. One method uses the internal random-number generator for the source of the master key.
CCA Release 2.54 The Coprocessor supports multiple logons by different users from different host processes. The Coprocessor also supports requests from multiple threads within a single host process. A user is logged on and off by the Logon_Control verb.
CCA Release 2.54 The security server and a directory server manage key storage . Applications can store locally used cryptographic keys in a key-storage facility. This is especially useful for long-life keys. Keys stored in key storage are referenced through the use of a key label .
CCA Release 2.54 The Security API, Programming Fundamentals You obtain CCA cryptographic services from the PCI Cryptographic Coprocessor through procedure calls to the CCA security application programming interface (API). Most of the services provided are considered an implementation of the IBM Common Cryptographic Architecture (CCA).
CCA Release 2.54 CSUA Cryptographic-node and hardware-control services. The last three letters in the entry-point name identify the specific service in a group and are often the first letters of the principal words in the verb pseudonym.
CCA Release 2.54 each verb. For descriptions of these parameters, see the definitions with the individual verbs. Variable Direction: The parameter descriptions use the following terms to identify the .
CCA Release 2.54 Commonly Encountered Parameters Some parameters are common to all verbs, other parameters are used with many of the verbs. This section describes several groups of these parameters: Parameters common to all verbs Rule_array and other keyword parameters Key_identifiers, key_labels, and key_tokens.
CCA Release 2.54 See Appendix A, “Return Codes and Reason Codes” for a detailed discussion of return codes and a complete list of all return and reason codes. Value Meaning 0 Indicates normal completion; a few nonzero reason codes are associated with this return code.
CCA Release 2.54 External A key that is either in the clear, or is encrypted (wrapped) by some key-encrypting key other than the master key. Generally, when a key is to be transported from place to place, or is to be held for a significant period of time, it is required to encrypt the key with a transport key .
CCA Release 2.54 commands in the performance of the verb. Each of these commands has to be authorized for use. Access-control administration concerns managing these authorizations. Chapter 3, “RSA Key-Management” explains how you can generate and protect an RSA key-pair.
CCA Release 2.54 Chapter 2. CCA Node-Management and Access-Control This chapter discusses: The access-control system that you can use to control who can perform various sensitive operations at wha.
CCA Release 2.54 CCA Access-Control This section describes these CCA access-control system topics: Understanding access control Role-based access control Initializing and managing the access-control system Logging on and logging off Protecting your transaction information.
CCA Release 2.54 A role-based system is more efficient than one in which the authority is assigned individually for each user. In general, users can be segregated into just a few different categories of access rights. The use of roles allows the administrator to define each of these categories just once, in the form of a role.
CCA Release 2.54 Understanding Profiles Any user who needs to be authenticated to the Coprocessor must have a user profile . Users who only need the capabilities defined in the default role do not need a profile. A user profile defines a specific user to the CCA implementation.
CCA Release 2.54 Initializing and Managing the Access-Control System Before you can use a Coprocessor with newly loaded or initialized CCA support you should initialize roles, profiles, and other data. You may also need to update some of these values from time to time.
CCA Release 2.54 Take care to ensure that you define roles that have the authority to perform initialization, including the RQ-TOKEN and RQ-REINT options of the Cryptographic_Facility_Control (CSUACFC) verb. You must also ensure there are active profiles that use these roles.
CCA Release 2.54 Notes: 1. During the portions of the year when Daylight Savings Time is not in effect, the time difference between Eastern Standard Time and GMT is 5 hours. 2. In the OS/400 environment, no translation is provided for Role and Profile names.
CCA Release 2.54 logged on, and frees resources you were using in the host system and in the Coprocessor. Use of Logon Context Information The Logon_Control verb offers the capability to save and restore logon context information through the GET-CNTX and PUT-CNTX rule-array keywords.
CCA Release 2.54 Protecting Your Transaction Information When you are logged on to the Coprocessor, the information transmitted to and from the CCA Coprocessor application is cryptographically protected using your session key. A message authentication code is used to ensure that the data was not altered during transmission.
CCA Release 2.54 used to establish the maximum strength of certain cryptographic functions, the environment identifier, and the maximum number of master-key-cloning shares, and the minimum number of shares needed to reconstitute a master key. Reset the intrusion latch.
CCA Release 2.54 Cryptographic_Resource_Allocate verb will fail if a cryptographic resource is already allocated. To determine the number of CCA Coprocessors installed in a machine, use the Cryptographic_Facility_Query verb with the STATCARD rule-array keyword.
CCA Release 2.54 the Coprocessor device driver. 5 The host code then polls each Coprocessor in turn to determine which ones contain the CCA application. As each Coprocessor is evaluated, the CCA host code associates the identifiers CRP01, CRP02, and so forth to the Coprocessors with CCA.
CCA Release 2.54 PKA_Key_Token_Change verbs). Whenever a working key is encrypted for local use, it is encrypted using the current master-key. Symmetric and Asymmetric Master-Keys The CCA Version 2 implementation incorporates a second set of master-key registers.
CCA Release 2.54 The verb performs a one-way function on the key-of-interest, the result of which is either returned or compared to a known correct result. Establishing a master key from an internally generated random value. The Master_Key_Process verb can be used to randomly generate a new master-key within the cryptographic engine.
CCA Release 2.54 must also have been marked as suitable for operation with the Master_Key_Distribution verb when it was generated. When receiving a share, you must also supply the share-signing key in a certificate to the Master_Key_Distribution verb.
CCA Release 2.54 ┌──────────────────────────────────┐ │Share─Administration Control Point│ 3.
CCA Release 2.54 7. In the target node, generate a retained key usable for master-key administration, the Coprocessor Share Receiving (CSR) key, and have this key certified by the SA key. 8. Once a master key has been established in the source node, perhaps through random master-key generation, obtain shares of the master key.
CCA Release 2.54 AIX and Windows Multi-Coprocessor Master-Key Support: It is a general recommendation that all of the CCA Coprocessors within the system use the same current and old master keys. When setting a new master-key, it is essential that all of the changes are performed by a single program running on a single thread.
CCA Release 2.54 When all of the Coprocessors are newly initialized, that is, their current-master-key registers are empty, first install the same master key in each of the new-master-key registers. Then set the master key in each of the Coprocessors.
CCA Release 2.54 Intentionally using different master keys in a set of Coprocessors. This situation becomes very complicated if you are using key storage with a subset of the Coprocessors. The preceding discussion provides information that you can use to manage this case.
CCA Release 2.54 Access_Control_Initialization Access_Control_Initialization (CSUAACI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Access_Control_Initialization verb is used to initialize or update parameters and tables for the Access-Control system in the 4758 Cryptographic Coprocessor.
Access_Control_Initialization CCA Release 2.54 verb_data_1_length The verb_data_1_length parameter is a pointer to an integer variable containing the number of bytes of data in the verb_data_1 variable. verb_data_1 The verb_data_1 parameter is a pointer to a string variable containing data used by the verb.
CCA Release 2.54 Access_Control_Initialization verb_data_length_2 The verb_data_length_2 parameter is a pointer to an integer variable containing the number of bytes of data in the verb_data_2 variable. verb_data_2 The verb_data_2 parameter is a pointer to a string variable containing data used by the verb.
Access_Control_Maintenance CCA Release 2.54 Access_Control_Maintenance (CSUAACM) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Access_Control_Maintenance verb is used to query or control installed roles and user profiles.
CCA Release 2.54 Access_Control_Maintenance name The name parameter is a pointer to a string variable containing the name of a role or user profile which is the target of the request. This field is used differently depending on the function being performed.
Access_Control_Maintenance CCA Release 2.54 output_data_length The output_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the output_data variable.
CCA Release 2.54 Access_Control_Maintenance Rule-Array Keyword Contents of output_data Variable GET-PROF Contains the non-secret portion of the selected user profile.
Access_Control_Maintenance CCA Release 2.54 Rule-Array Keyword Contents of output_data Variable GET-ROLE The field contains the non-secret portion of the selected role.
CCA Release 2.54 Access_Control_Maintenance Required Commands The Access_Control_Maintenance verb requires the following commands to be enabled in the hardware: Read public access-control informat.
Cryptographic_Facility_Control CCA Release 2.54 Cryptographic_Facility_Control (CSUACFC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X Use the Cryptographic_Facility_Control verb to perform the following services: Reinitialize the CCA application in the Coprocessor.
CCA Release 2.54 Cryptographic_Facility_Control Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11.
Cryptographic_Facility_Control CCA Release 2.54 verb_data_length The verb_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the verb_data variable. On input, specify the size of the variable. The verb updates the variable with the size of the returned data.
CCA Release 2.54 Cryptographic_Facility_Control For SET-MOFN , verb_data is an input variable. The variable contents establish the minimum and maximum number of “cloning information” shares that are required and that can be used to pass sensitive information from one Coprocessor to another Coprocessor.
Cryptographic_Facility_Query CCA Release 2.54 Cryptographic_Facility_Query (CSUACFQ) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Cryptographic_Facility_Query verb is used to retrieve information about the Cryptographic Coprocessor and the CCA application program in that Coprocessor.
CCA Release 2.54 Cryptographic_Facility_Query On output, the verb sets the variable to the number of rule-array elements it returns to the application program. Note: With this verb, the number of returned rule-array elements can exceed the rule-array count that you specified on input.
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 1 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description Output rule-array for option.
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 2 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description Output rule-array for option.
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 3 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description Output rule-array for option STATCARD 1 Number of Installed Adapters The number of active Cryptographic Coprocessors installed in the machine.
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 4 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description 12 Flash Memory Size A numeric character string containing the size of the flash EPROM memory on the Coprocessor, in 64-kilobyte increments.
Cryptographic_Facility_Query CCA Release 2.54 Figure 2-3 (Page 5 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description 5 Low Voltage Detected A numeric character string containing a value to indicate whether a power supply voltage was below the minimum acceptable level.
CCA Release 2.54 Cryptographic_Facility_Query Figure 2-3 (Page 6 of 7). Cryptographic_Facility_Query Information Returned in the Rule Array Element Number Name Description Output rule-array for option STATEID (Environment Identifier) 1,2 EID The two elements when concatenated provide the 16-byte EID value.
Cryptographic_Facility_Query CCA Release 2.54 verb_data_length The verb_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the verb_data variable.
CCA Release 2.54 Cryptographic_Facility_Query of this verb. Its use depends on the options specified by the host application program. The verb_data parameter is not currently used by this verb. Required Commands Cryptographic_Facility_Query is a universally authorized verb.
Cryptographic_Resource_Allocate CCA Release 2.54 Cryptographic_Resource_Allocate (CSUACRA) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Cryptographic_Resource_Allocate verb is used to allocate a specific CCA Coprocessor for use by the thread or process, depending on the scope of the verb.
CCA Release 2.54 Cryptographic_Resource_Allocate resource_name_length The resource_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the resource_name variable. The length must be within the range of 1 to 64.
Cryptographic_Resource_Deallocate CCA Release 2.54 Cryptographic_Resource_Deallocate (CSUACRD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Cryptographic_Resource_Deallocate verb is used to deallocate a specific CCA Coprocessor that is currently allocated by the thread or process, depending on the scope of the verb.
CCA Release 2.54 Cryptographic_Resource_Deallocate resource_name_length The resource_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the resource_name variable. The length must be within the range of 1 to 64.
Key_Storage_Designate CCA Release 2.54 Key_Storage_Designate (CSUAKSD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X The Key_Storage_Designate verb specifies the key-storage file used by the process. You select the type of key storage, for DES keys or for public keys, using a rule-array keyword.
CCA Release 2.54 Key_Storage_Designate key_storage_file_name_length The key_storage_file_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_storage_file_name variable. The length must be within the range of 1 to 64.
Key_Storage_Initialization CCA Release 2.54 Key_Storage_Initialization (CSNBKSI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Storage_Initialization verb initializes a key-storage file using the current symmetric or asymmetric master-key.
CCA Release 2.54 Key_Storage_Initialization key_storage_file_name_length The key_storage_file_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_storage_file_name variable. The length must be within the range of 1 to 64.
Logon_Control CCA Release 2.54 Logon_Control (CSUALCT) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X Use the Logon_Control verb to perform the following services: Log on to the Coprocessor, using your access-control profile Log off of the Coprocessor Save or restore logon content information.
CCA Release 2.54 Logon_Control user_id The user_id parameter is a pointer to a string variable containing the ID string which identifies the user to the system. The user ID must be exactly eight characters in length. Shorter user IDs should be padded on the right with space characters.
Logon_Control CCA Release 2.54 On input, this field contains the length (in bytes) of the auth_data variable. When no usage is defined for the auth_data parameter, set the length variable to zero. On output, this field contains the number of bytes of data returned in the auth_data variable.
CCA Release 2.54 Master_Key_Distribution Master_Key_Distribution (CSUAMKD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Master_Key_Distribution verb is used to perform thes.
Master_Key_Distribution CCA Release 2.54 – The private_key_name of the Coprocessor-retained key used to decrypt the clone_info_encrypting_key. This key must have the CLONE attribute set at the time of key generation.
CCA Release 2.54 Master_Key_Distribution Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11.
Master_Key_Distribution CCA Release 2.54 clone_info_encrypting_key The clone_info_encrypting_key parameter is a pointer to a string variable containing the encrypted key used to recover the cloning information.
CCA Release 2.54 Master_Key_Process Master_Key_Process (CSNBMKP) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Master_Key_Process verb operates on the three master-key registers: new, current, and old.
Master_Key_Process CCA Release 2.54 The master-key verification pattern (MKVP) of the new master-key is compared against the MKVP of the current and the old master-keys.
CCA Release 2.54 Master_Key_Process key_part The key_part parameter is a pointer to a string variable containing a 168-bit (3x56-bit, 24-byte) clear key-part that is used when you specify one of the k.
Master_Key_Process CCA Release 2.54 – Clear Old PKA Master Key Register command (offset X ' 0061 ' ) with the CLR-OLD keyword – Load First PKA Master Key Part command (offset X ' 00.
CCA Release 2.54 Master_Key_Process FE 1 1 FE FE 1 1 FE / possibly semi-weak / E 1F 1 FE F1 E 1 FE / possibly semi-weak / E 1 1F FE F1 1 E FE / possi.
Random_Number_Tests CCA Release 2.54 Random_Number_Tests (CSUARNT) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X The Random_Number_Tests verb invokes the USA NIST FIPS PUB 140-1 specified cryptographic operational tests.
CCA Release 2.54 Random_Number_Tests Required Commands None. Chapter 2. CCA Node-Management and Access-Control 2-65.
CCA Release 2.54 2-66 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Chapter 3. RSA Key-Management This chapter describes the management of RSA public and private keys and how you can: Generate keys with various characteristics Import keys from other systems Protect and move a private key from one node to another.
CCA Release 2.54 ────────────┬───────────────── ┌──────────────────┐ │PKA_Key_Token_Build├┐.
CCA Release 2.54 The PKA_Key_Generate verb either retains the generated private key within the Coprocessor, or the verb outputs the generated private key in one of three forms so you can control where the private key is deployed.
CCA Release 2.54 restricted key usage. These systems can determine if a requesting process has the right to use the particular key name that is cryptographicly bound to the private key. You specify such a key name when you build the skeleton_key_token in the PKA_Key_Token_Build verb.
CCA Release 2.54 You provide or identify the operational transport key (key-encrypting key) and the encrypted private key with its associated public key to the import service. The service will return the private key encrypted under the current asymmetric master-key along with the public key.
CCA Release 2.54 Using the Private Key at Multiple Nodes You can arrange to use a private key at multiple nodes if the nodes have the same asymmetric master-key, or if you arrange to have the same transport key installed at each of the target nodes.
CCA Release 2.54 PKA_Key_Generate PKA_Key_Generate (CSNDPKG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Generate verb is used to generate a public-private key-pair for use with the RSA algorithm.
PKA_Key_Generate CCA Release 2.54 Note: When using the RETAINED key option, the key label supplied in the skeleton key-token references the key storage within the Coprocessor, and in this case must not reference a record in the host-system key-storage.
CCA Release 2.54 PKA_Key_Generate Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable.
PKA_Key_Generate CCA Release 2.54 skeleton_key_token The skeleton_key_token parameter is a pointer to a string variable containing a skeleton key-token. This information provides the characteristics for the PKA key-pair to be generated. A skeleton key-token can be created using the PKA_Key_Token_Build verb.
CCA Release 2.54 PKA_Key_Import PKA_Key_Import (CSNDPKI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Import verb is used to import a public-private key-pair. A private key must be accompanied by the associated public key.
PKA_Key_Import CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable.
CCA Release 2.54 PKA_Key_Import Required Commands The PKA_Key_Import verb requires the PKA Key Import command (offset X ' 0104 ' ) to be enabled in the hardware.
PKA_Key_Token_Build CCA Release 2.54 PKA_Key_Token_Build (CSNDPKB) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Token_Build verb constructs a public-key architecture (PKA) key-token from the supplied information.
CCA Release 2.54 PKA_Key_Token_Build Restrictions The RSA-OPT rule-array keyword is not supported with Version 2. Instead, use keyword RSA-CRT to obtain a X ' 08 ' private-key section type. The RSA key length is limited to the range of 512 to 2048 bits with specific formats restricted to 1024 bits maximum.
PKA_Key_Token_Build CCA Release 2.54 key_values_structure_length The key_values_structure_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_values_structure variable. The maximum length is 2500 bytes.
CCA Release 2.54 PKA_Key_Token_Build Figure 3-3 (Page 1 of 2). PKA_Key_Token_Build Key-Values-Structure Contents Offset (Bytes) Length (Bytes) Description RSA key-values structure, modulus-exponent fo.
PKA_Key_Token_Build CCA Release 2.54 key_name_length The key_name_length parameter is a pointer to an integer variable containing the number of bytes of data in the optional key_name variable. If this variable contains zero, the key-name section is not included in the target token.
CCA Release 2.54 PKA_Key_Token_Build reserved_x(s) The reserved_x parameters are each a pointer to a string variable that is reserved for future use. Each of the reserved_x parameters should contain a null pointer.
PKA_Key_Token_Build CCA Release 2.54 Token Type Modulus Length in Bits Public Exponent Key-Values Structure (Hexadecimal) Structure Length (Bytes) RSA-CRT 512 Random (0) 0200 0000 0000 0000 0000 0000 .
CCA Release 2.54 PKA_Key_Token_Build Required Commands None Chapter 3. RSA Key-Management 3-21.
PKA_Key_Token_Change CCA Release 2.54 PKA_Key_Token_Change (CSNDKTC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Token_Change verb changes RSA private keys from encipherment with the old asymmetric master-key to encipherment with the current asymmetric master-key.
CCA Release 2.54 PKA_Key_Token_Change key_identifier_length The key_identifier_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_identifier variable. On output, the variable contains the length of the key token returned by the verb if a key token (not a key label) was specified.
PKA_Public_Key_Extract CCA Release 2.54 PKA_Public_Key_Extract (CSNDPKX) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Public_Key_Extract verb is used to extract a public key from a public-private key-pair. The public key is returned in a PKA public-key token.
CCA Release 2.54 PKA_Public_Key_Extract target_key_token_length The target_key_token_length parameter is a pointer to an integer variable containing the number of bytes of data in the target_key_token variable. On output, the variable contains the length of the key token returned by the verb.
PKA_Public_Key_Hash_Register CCA Release 2.54 PKA_Public_Key_Hash_Register (CSNDPKH) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Public_Key_Hash_Register verb is used to register a hash value for a public key in anticipation of verifying the public key offered in a subsequent use of the PKA_Public_Key_Register verb.
CCA Release 2.54 PKA_Public_Key_Hash_Register hash_data_length The hash_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the hash_data variable.
PKA_Public_Key_Register CCA Release 2.54 PKA_Public_Key_Register (CSNDPKR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Public_Key_Register verb is used to register a public key in the cryptographic engine. Keywords in the rule array designate the subsequent permissible uses of the registered public key.
CCA Release 2.54 PKA_Public_Key_Register public_key_name The public_key_name parameter is a pointer to a string variable containing the name under which the registered public-key will be accessed.
CCA Release 2.54 3-30 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Chapter 4. Hashing and Digital Signatures This chapter discusses the data hashing and the digital signature techniques you can use to determine data integrity. A digital signature may also be used to establish the non-repudiation security property.
CCA Release 2.54 The CCA products support the following hash functions: Secure Hash Algorithm-1 (SHA-1) The SHA-1 is defined in FIPS 180-1 and produces a 20-byte, 160-bit hash value. The algorithm performs best on big-endian, general purpose computers.
CCA Release 2.54 Anyone with access to your public key can verify your information as follows: 1. Hash the data using the same hashing algorithm that you used to create the digital signature. 2. Decrypt the digital signature using your public key. 3. Compare the decrypted results to the hash value obtained from hashing the data.
Digital_Signature_Generate CCA Release 2.54 Digital_Signature_Generate (CSNDDSG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Digital_Signature_Generate verb is used to generate a digital signature. You specify: The RSA private key For X9.
CCA Release 2.54 Digital_Signature_Generate rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-justified and padded on the right with space characters.
Digital_Signature_Generate CCA Release 2.54 hash_length The hash_length parameter is a pointer to an integer variable containing the number of bytes of data in the hash variable. hash The hash parameter is a pointer to a string variable containing the information to be signed.
CCA Release 2.54 Digital_Signature_Verify Digital_Signature_Verify (CSNDDSV) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Digital_Signature_Verify verb is used to verify a digital signature. Provide the digital signature, the public key, the hash formatting method, and the hash of the data to be validated.
Digital_Signature_Verify CCA Release 2.54 Notes: 1. The hash for PKCS-1.1 and PKCS-1.0 should have been created using MD5 or SHA-1 algorithms. 2. The hash for ISO-9796 and ZERO-PAD can be obtained by any hashing method.
CCA Release 2.54 Digital_Signature_Verify Notes: 1. For ISO-9796 , the information identified by the hash parameter must be less than or equal to one-half of the number of bytes required to contain the modulus of the RSA key.
MDC_Generate CCA Release 2.54 MDC_Generate (CSNBMDG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X Use the MDC_Generate verb to create a 128-bit (16-byte) hash value on a data string whose integrity you intend to confirm.
CCA Release 2.54 MDC_Generate Format CSNBMDG return_code Input Integer reason_code Input Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes text_length Input .
MDC_Generate CCA Release 2.54 Chaining_Vector The chaining_vector parameter is a pointer to an 18-byte string variable the security server uses as a work area to hold segmented data between verb invocations. Note: When segmenting text, the application program must not change the data in this string between verb calls to the MDC_Generate verb.
CCA Release 2.54 One_Way_Hash One_Way_Hash (CSNBOWH) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The One_Way_Hash verb obtains a hash value from a text string using the MD5, SHA-1, or RIPEMD-160 hashing methods, as you specify in the rule_array.
One_Way_Hash CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable.
CCA Release 2.54 One_Way_Hash hash_length The hash_length parameter is a pointer to an integer variable containing the number of bytes of data in the hash variable. This value must be at least 16 bytes for MD5, and at least 20 bytes for SHA-1. The maximum length is 128 bytes.
CCA Release 2.54 4-16 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Chapter 5. DES Key-Management This chapter describes verbs to perform basic CCA DES key-management functions. Figure 5-1 lists the verbs covered in this chapter.
CCA Release 2.54 Figure 5-1 (Page 2 of 2). Basic CCA DES Key-Management Verbs Verb Page Service Entry Point Svc Lcn PKA_Decrypt 5-73 Uses an RSA private-key to decrypt a symmetric key formatted in an RSA DSI PKCS #1 block type 2 structure and return the symmetric key in the clear.
CCA Release 2.54 functions in which it can be used. The cryptographic subsystem uses a system of control vectors 1 to separate the cryptographic keys into a set of key types and restrict the use of a key. The subsystem enforces the use of a particular key type in each part of a cryptographic command.
CCA Release 2.54 A key that is multiply-enciphered under the master key is an operational key (OP). The key is operational because a cryptographic facility can use the master key to multiply-decipher it to obtain the original key-value.
CCA Release 2.54 Checking a Control Vector Before Processing a Cryptographic Command Before a CCA cryptographic facility processes a command that uses a multiply-enciphered key, the facility’s logic checks the control vector associated with the key.
CCA Release 2.54 Asymmetric DES keys. An asymmetric DES key is a key in a key pair in which the keys are used as opposites. – ENCIPHER and DECIPHER. Used to only encrypt data versus only to decrypt data. – MAC and MACVER. Used in generating (and verifying) a MAC versus only verifying a MAC.
CCA Release 2.54 Figure 5-4 on page 5-9 shows the key-type, key subtype, and key-usage keywords that can be combined in the Control_Vector_Generate verb and the Key_Token_Build verb to build a control vector.
CCA Release 2.54 Figure 5-3 (Page 2 of 2). Key Types and Verb Usage Key Type Usable with Verbs IKEYXLAT, OKEYXLAT Key_Translate PIN Class These keys are used in the various financial-PIN processing commands. They are double-length keys. In operational form and in external form, these keys are associated with a control vector.
CCA Release 2.54 ├─Key_Type─┤├─Key_Subtype─┤├─Key_Usage─────────────────────────────────────────.
CCA Release 2.54 Figure 5-5 (Page 1 of 3). Control Vector Key-Subtype and Key-Usage Keywords Keyword Meaning Key-Encrypting Keys OPIM IMPORTER keys that have a control vector with this attribute can be used in the Key_Generate verb when the key form is OPIM.
CCA Release 2.54 Figure 5-5 (Page 2 of 3). Control Vector Key-Subtype and Key-Usage Keywords Keyword Meaning VISA-PVV Select the VISA-PVV PIN-calculation method.
CCA Release 2.54 Figure 5-5 (Page 3 of 3). Control Vector Key-Subtype and Key-Usage Keywords Keyword Meaning DKYL5 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL4. DKYL6 A DKYGENKY key with this subtype can be used to generate a DKYGENKY key with a subtype of DKYL5.
CCA Release 2.54 8 16 32 6 63 ┌─────────┬─────────┬──────────────┬──────────────┬───.
CCA Release 2.54 External Key-Token: An external key-token contains an external key that is multiply-enciphered under a key formed by the exclusive-OR of a key-encrypting key and the control vector that was assigned when the key token was created or updated.
CCA Release 2.54 Using the Key-Processing and Key-Storage Verbs Figure 5-8 on page 5-16 shows key-processing and key-storage verbs and how they relate to key parts, internal and external key-tokens, and key storage.
CCA Release 2.54 Random_Number_Generate Diversified_Key_Generate ┬┬ ┌────┴────┐ │ │ │ Clear_Key_ │ Key_Part_ Import │ Import ┬ ┌────────.
CCA Release 2.54 master key or a key-encrypting key. If you are generating a DES asymmetric key-type, the verb will multiply-encipher the random number a second time with the “opposite” key-type control-vector.
CCA Release 2.54 Since the two halves are random numbers, it is unlikely that the result of the DOUBLE keyword will produce two halves with the same 64-bit values. Exporting and Importing Keys, Symmetric Techniques To operate on data with the same key at two different nodes, you must transport the key securely between the nodes.
CCA Release 2.54 ┌──────────────┐ ┌──────────────┐ Operational │ Key to Be │ │ Imported │ Operational Form of Key │ Exported .
CCA Release 2.54 therefore it is very important to handle the key-generating key with a high degree of security lest the interactions with the whole population of cards be placed in jeopardy.
CCA Release 2.54 Security Precautions Be sure to see the “Observations on Secure Operations” chapter in the CCA Support Program Installation Manual . In order to maintain a secure cryptographic environment, each cryptographic node must be audited on a regular basis.
Clear_Key_Import CCA Release 2.54 Clear_Key_Import (CSNBCKI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Clear_Key_Import verb enciphers a clear, single-length DES key under a symmetric master-key.
CCA Release 2.54 Clear_Key_Import Required Commands The Clear_Key_Import verb requires the Encipher Under Master Key command (command offset X ' 00C3 ' ) to be enabled in the active role.
Control_Vector_Generate CCA Release 2.54 Control_Vector_Generate (CSNBCVG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Control_Vector_Generate verb builds a control vector from keywords specified by the key_type and rule_array parameters.
CCA Release 2.54 Control_Vector_Generate rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords.
Control_Vector_Translate CCA Release 2.54 Control_Vector_Translate (CSNBCVT) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Control_Vector_Translate verb changes the control vector used to encipher an external key.
CCA Release 2.54 Control_Vector_Translate mask_array_left The mask_array_left parameter is a pointer to a string variable containing the mask array enciphered under the left-array key.
Control_Vector_Translate CCA Release 2.54 target_key_token The target_key_token parameter is a pointer to a string variable containing an external key-token with the new control-vector. This key token contains the key halves with the new control-vector.
CCA Release 2.54 Cryptographic_Variable_Encipher Cryptographic_Variable_Encipher (CSNBCVE) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Cryptographic_Variable_Encipher verb uses a CVARENC key to encrypt plaintext to produce ciphertext using the Cipher Block Chaining (CBC) method.
Cryptographic_Variable_Encipher CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11.
CCA Release 2.54 Data_Key_Export Data_Key_Export (CSNBDKX) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Data_Key_Export verb exports a single-length or double-length internal DATA-key. The verb can export the key from an internal key-token in key storage or application storage.
Data_Key_Export CCA Release 2.54 target_key_token The target_key_token parameter is a pointer to a string variable containing the reencrypted source-key token.
CCA Release 2.54 Data_Key_Import Data_Key_Import (CSNBDKM) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Data_Key_Import verb imports an encrypted, source DES single-length or double-length DATA key and creates or updates a target internal key-token with the master-key-enciphered source key.
Data_Key_Import CCA Release 2.54 Restrictions Starting with Release 2.41, unless you enable the Unrestrict Data Key Import command (offset X ' 027C ' ), an IMPORTER transport key having replicated key-halves is not permitted to import a key having unequal key-halves.
CCA Release 2.54 Diversified_Key_Generate Diversified_Key_Generate (CSNBDKG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Diversified_Key_Generate verb generates a key based on a function of a key-generating key, the process rule, and data that you supply.
Diversified_Key_Generate CCA Release 2.54 Returns the diversified key, multiply-enciphered by the master key modified by the control vector. Restrictions The TDES-XOR rule-array keyword is available starting with Release 2.50. The TDESEMV2 and TDESEMV4 rule-array keywords are available starting with Release 2.
CCA Release 2.54 Diversified_Key_Generate Keyword Meaning TDES-ENC Specifies that 8 or 16 bytes of clear (not encrypted) data shall be triple-DES en crypted with the generating key to create the generated key. If the generated_key_identifier variable specifies a single-length key, then 8 bytes of clear data is triple-DES encrypted.
Diversified_Key_Generate CCA Release 2.54 Keyword Meaning TDESEMV2, TDESEMV4 Note: These options are available starting with Release 2.51. Specifies that 10, 18, 26, or 34 bytes of clear data shall be.
CCA Release 2.54 Diversified_Key_Generate Keyword Meaning TDES-XOR Note: This option is available starting with Release 2.50. Specifies that 10 or 18 bytes of clear (not encrypted) data shall be processed as described at “VISA and EMV-Related Smart Card Formats and Processes” on page E-17 to create the generated key.
Diversified_Key_Generate CCA Release 2.54 generating_key_identifier The generating_key_identifier parameter is a pointer to a string variable containing the key-generating-key key-token or key label of a key-token record.
CCA Release 2.54 Diversified_Key_Generate effective single-length key) by enabling the Enable DKG Single Length Keys and Equal Halves for TDES-ENC, TDES-DEC command (offset X ' 0044 ' ).
Key_Export CCA Release 2.54 Key_Export (CSNBKEX) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Export verb exports a source DES internal-key into a target external key-token. Existing information in the target key-token is overwritten.
CCA Release 2.54 Key_Export Format CSNBKEX return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes key_type Input Str.
Key_Generate CCA Release 2.54 Key_Generate (CSNBKGN) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Generate verb generates a random DES key and returns one or two enciphered copies of the key, ready to use or distribute.
CCA Release 2.54 Key_Generate Format CSNBKGN return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes key_form Input S.
Key_Generate CCA Release 2.54 key_length The key_length parameter is a pointer to an eight-byte string variable, left-justified and padded on the right with space characters, containing the length of the new key or keys. Depending on key type, you can specify a single-length key or a double-length key.
CCA Release 2.54 Key_Generate unless you are using the TOKEN keyword, you must identify a null key-token on input. Required Commands Depending on your specification of key form, key type, and use of the SINGLE-R key length control, different commands are required to enable operation of the Key_Generate verb.
Key_Generate CCA Release 2.54 can use to generate a single key copy with default control-vectors. Figure 5-12 on page 5-49 shows the key types you can use to generate two copies of a key. An ‘X’ indicates a permissible key type for a given key-form.
CCA Release 2.54 Key_Generate Figure 5-12. Key_Type and Key_Form Keywords for a Key Pair Key_Type_1 Key_Type_2 Key_ Form OPOP, OPIM, IMIM Key_ Form OPEX Key_ Form EXEX Key_ Form IMEX DATA MAC MAC MACV.
Key_Generate CCA Release 2.54 key-length the verb uses when you supply eight space characters with the key_length parameter. Figure 5-13. Key Lengths by Key Type Key Type SINGLE KEYLN8 SINGLE-R DOUBLE.
CCA Release 2.54 Key_Import Key_Import (CSNBKIM) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Import verb imports a source DES key enciphered by the IMPORTER key-encrypting-key into a target internal key-token. The imported target-key is returned enciphered using the symmetric master-key.
Key_Import CCA Release 2.54 Restrictions Starting with Release 2.41, unless you enable the Unrestrict Reencipher to Master Key command (offset X ' 027B ' ), an IMPORTER key-encrypting-key having equal key-halves is not permitted to import a key having unequal key-halves.
CCA Release 2.54 Key_Import key-halves IMPORTER key-encrypting-key to import a key having unequal key-halves (key parity bits are ignored). Chapter 5. DES Key-Management 5-53.
Key_Part_Import CCA Release 2.54 Key_Part_Import (CSNBKPI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Part_Import verb is used to accumulate “parts” of a key and store the result as an encrypted partial key or as the final key.
CCA Release 2.54 Key_Part_Import of one bits, and there are no other problems, the verb will return reason code 2. Use of the ADD-PART keyword requires that the Add Key Part command be enabled in the access-control system. The key-part bit remains on in the control vector of the updated key token returned from the verb.
Key_Part_Import CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable.
CCA Release 2.54 Key_Part_Import Required Commands The Key_Part_Import verb requires the following commands to be enabled in the active role: The Load First Key Part command (offset X ' 001B ' ) with the FIRST keyword. The Combine Key Parts command (offset X ' 001C ' ) with the MIDDLE and LAST keywords.
Key_Test CCA Release 2.54 Key_Test (CSNBKYT) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X You use the Key_Test verb to verify the value of a key or key-part. Several verification algorithms are supported. The verb supports testing of clear keys, enciphered keys, master keys, and key-parts.
CCA Release 2.54 Key_Test Restrictions None Format CSNBKYT return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes ru.
Key_Test CCA Release 2.54 key_identifier The key_identifier parameter is a pointer to a string variable containing an internal key-token, a key label that identifies an internal key-token record in key storage, or a clear key. The key token contains the key or the key part used to generate or verify the verification pattern.
CCA Release 2.54 Key_Token_Build Key_Token_Build (CSNBKTB) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Token_Build verb assembles an external or internal key-token in application storage from information you supply.
Key_Token_Build CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. key_token The key_token parameter is a pointer to a string variable containing the assembled key-token.
CCA Release 2.54 Key_Token_Build key_value The key_value parameter is a pointer to a string variable containing the encrypted key-value incorporated into the encrypted-key portion of the key token if you use the KEY rule_array keyword.
Key_Token_Change CCA Release 2.54 Key_Token_Change (CSNBKTC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X Use the Key_Token_Change verb to reencipher a DES key from encryption under the old master-key to encryption under the current master-key and to update the keys in internal DES key-tokens.
CCA Release 2.54 Key_Token_Change Key_Identifier The key_identifier parameter is a pointer to a string variable containing the DES internal key-token or the key label of an internal key-token record in key storage.
Key_Token_Parse CCA Release 2.54 Key_Token_Parse (CSNBKTP) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Token_Parse verb disassembles a key token into separate pieces of information. The verb can disassemble an external key-token or an internal key-token in application storage.
CCA Release 2.54 Key_Token_Parse Note: You cannot use a key label for a key-token record in key storage. The key token must be in application storage. key_type The key_type parameter is a pointer to a string variable containing a keyword defining the key type.
Key_Token_Parse CCA Release 2.54 key_value The key_value parameter is a pointer to a string variable. If the verb returns the KEY keyword in the rule array, the key-value variable contains the 16-byte enciphered key. MKVP The MKVP parameter is a pointer to an integer variable.
CCA Release 2.54 Key_Translate Key_Translate (CSNBKTR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Key_Translate verb uses one key-encrypting key to decipher an input key and then enciphers this key using another key-encrypting key within the secure environment.
Key_Translate CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. input_key_token The input_key_token parameter is a pointer to a string variable containing an external key-token.
CCA Release 2.54 Multiple_Clear_Key_Import Multiple_Clear_Key_Import (CSNBCKM) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Multiple_Clear_Key_Import verb multiply-enciphers a clear, single-length or double-length DES DATA key under a symmetric master-key.
Multiple_Clear_Key_Import CCA Release 2.54 clear_key_length The clear_key_length parameter is a pointer to an integer variable containing the number of bytes of data in the clear_key variable.
CCA Release 2.54 PKA_Decrypt PKA_Decrypt (CSNDPKD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Decrypt verb decrypts (unwraps) input data using an RSA private-key. The decrypted data is examined to ensure it meets RSA DSI PKCS #1 block type 2 format specifications.
PKA_Decrypt CCA Release 2.54 source_encrypted_key_length The source_encrypted_key_length parameter is a pointer to an integer variable containing the number of bytes of data in the source_encrypted_key variable.
CCA Release 2.54 PKA_Encrypt PKA_Encrypt (CSNDPKE) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Encrypt verb encrypts (wraps) input data using an RSA public key. The data that you encrypt may include: For keys, the encrypted data can be formatted according to RSA DSI PKCS #1 block type 2 format specifications.
PKA_Encrypt CCA Release 2.54 rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-justified and padded on the right with space characters.
CCA Release 2.54 PKA_Encrypt target_data The target_data parameter is a pointer to a string variable containing the encrypted data returned by the verb.
PKA_Symmetric_Key_Export CCA Release 2.54 PKA_Symmetric_Key_Export (CSNDSYX) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Symmetric_Key_Export verb enciphers a symmetric DES or CDMF default DATA-key using an RSA public key.
CCA Release 2.54 PKA_Symmetric_Key_Export Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11.
PKA_Symmetric_Key_Export CCA Release 2.54 RSA_enciphered_key The RSA_enciphered_key parameter is a pointer to a string variable containing the exported RSA-enciphered key returned by the verb.
CCA Release 2.54 PKA_Symmetric_Key_Generate PKA_Symmetric_Key_Generate (CSNDSYG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Symmetric_Key_Generate verb generates a random DES-key and enciphers the key value.
PKA_Symmetric_Key_Generate CCA Release 2.54 Key-encrypting keys, either effective single-length or true double-length, are generated with the details dependent on the keyword you use to control the key formatting technique. PKA92 With this keyword, the verb generates a key-encrypting key and returns two copies of the key.
CCA Release 2.54 PKA_Symmetric_Key_Generate Format CSNDSYG return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes ru.
PKA_Symmetric_Key_Generate CCA Release 2.54 key_encrypting_key_identifier The key_encrypting_key_identifier parameter is a pointer to a string variable containing the key token or the key label of a key token in key storage with the key-encrypting key used to encipher one generated-key copy for DES-based key distribution.
CCA Release 2.54 PKA_Symmetric_Key_Generate RSA_enciphered_key_token_length The RSA_enciphered_key_token_length parameter is a pointer to an integer variable containing the number of bytes of data in the RSA_enciphered_key_token variable. On output, the variable is updated with the actual length of the RSA_enciphered_key_token variable.
PKA_Symmetric_Key_Import CCA Release 2.54 PKA_Symmetric_Key_Import (CSNDSYI) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Symmetric_Key_Import verb recovers a symmetric DES (or CDMF) key that is enciphered by an RSA public key.
CCA Release 2.54 PKA_Symmetric_Key_Import Restrictions 1. Private key key-usage controls can prevent use of specific private keys in this verb. See page 3-7. A key-usage flag bit (see offset 050 in the private-key section) must be on to permit use of the private key in the decryption of a symmetric key.
PKA_Symmetric_Key_Import CCA Release 2.54 RSA_enciphered_key_length The RSA_enciphered_key_length parameter is a pointer to an integer containing the number of bytes of data in the RSA_enciphered_key variable.
CCA Release 2.54 PKA_Symmetric_Key_Import Symmetric Key Import ZERO-PAD command (command offset X ' 023D ' ) for DATA keys using the ZERO-PAD methods PKA92 Symmetric Key Import comma.
Prohibit_Export CCA Release 2.54 Prohibit_Export (CSNBPEX) Platform/ Product OS/2 AIX NT OS/400 IBM 4758-2/23 X X X X The Prohibit_Export verb modifies an operational key than can be exported so that it can no longer be exported.
CCA Release 2.54 Random_Number_Generate Random_Number_Generate (CSNBRNG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Random_Number_Generate verb generates a random number for use as an initialization vector, clear key, or clear key-part.
Random_Number_Generate CCA Release 2.54 random_number The random_number parameter is a pointer to a string variable containing the random number returned by the verb. Required Commands The Random_Number_Generate verb requires the Generate Key command (offset X ' 008E ' ) to be enabled in the hardware.
CCA Release 2.54 Chapter 6. Data Confidentiality and Data Integrity This chapter describes the verbs that use the Data Encryption Standard (DES) algorithm to encrypt and decrypt data and to generate and verify a message authentication code (MAC). Figure 6-1.
CCA Release 2.54 verbs also support the ANSI X9.23 mode of encryption. In X9.23 encryption, at least one byte of data and up to eight bytes of data are always added to the end of your plaintext. The last of the added bytes is a binary value equal to the number of added bytes.
CCA Release 2.54 Ensuring Data Integrity CCA offers three classes of services for ensuring data integrity: Message authentication code (MAC) techniques based on the DES algorithm Hashing techniques Digital signature techniques. This chapter includes the MAC verbs.
CCA Release 2.54 In each procedure call, a segmenting-control keyword indicates whether the call contains the first, middle, or last unit of segmented data; the chaining_vector parameter specifies the work area that the verb uses. (The default segmenting-control keyword ONLY specifies that segmenting is not used.
CCA Release 2.54 Decipher Decipher (CSNBDEC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Decipher verb uses the Data Encryption Standard (DES) or the Commercial Data Masking Facility (CDMF) algorithm and a cipher key to decipher data (ciphertext).
Decipher CCA Release 2.54 ciphertext The ciphertext parameter is a pointer to a string variable containing the text to be deciphered. initialization_vector The initialization_vector parameter is a pointer to a string variable containing the initialization_vector the verb uses with the input data.
CCA Release 2.54 Decipher length of the plaintext when it returns. The length will be different when padding is removed. Required Commands The Decipher verb requires the Decipher command (offset X ' 000F ' ) to be enabled in the hardware. Chapter 6.
Encipher CCA Release 2.54 Encipher (CSNBENC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Encipher verb uses the DES algorithm and a secret key to encipher data. This verb returns data called ciphertext. The returned ciphertext can be as many as eight bytes longer than the plaintext due to padding.
CCA Release 2.54 Encipher text_length The text_length parameter is a pointer to an integer variable. On input, the text_length variable contains the number of bytes of data in the cleartext variable. On output, the text_length variable contains the number of bytes of data in the ciphertext variable.
Encipher CCA Release 2.54 chaining_vector The chaining_vector parameter is a pointer to a string variable containing a work area that the security server uses to carry segmented data between procedure-calls. Note: The application program must not change the data in this variable.
CCA Release 2.54 MAC_Generate MAC_Generate (CSNBMGN) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The MAC_Generate verb generates a message authentication code (MAC) for a text string that you supply.
MAC_Generate CCA Release 2.54 Format CSNBMGN return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes key_identifier I.
CCA Release 2.54 MAC_Generate chaining_vector The chaining_vector parameter is a pointer to a string variable containing a work area the security server uses to carry segmented data between procedure calls. Note: The application program must not change the data in this variable.
MAC_Verify CCA Release 2.54 MAC_Verify (CSNBMVR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The MAC_Verify verb verifies a message authentication code (MAC) for a text string that you supply. For additional information about using the MAC generation and verification verbs, see “Ensuring Data Integrity” on page 6-3.
CCA Release 2.54 MAC_Verify Format CSNBMVR return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes key_identifier Inp.
MAC_Verify CCA Release 2.54 chaining_vector The chaining_vector parameter is a pointer to a string variable containing a work area the security server uses to carry segmented data between procedure-calls. Note: The application program must not change the data in this variable.
CCA Release 2.54 Chapter 7. Key-Storage Verbs This chapter describes how you can use key-storage mechanisms and the associated verbs for creating, writing, reading, listing, and deleting records in key storage.
CCA Release 2.54 Use the Key_Record_Delete verb to delete a key token from a key record, or to entirely delete the key record from key storage. Use the Key_Record_List verb to determine the existence of key records in key storage. The Key_Record_List verb creates a key-record-list data set with information about select key-records.
CCA Release 2.54 Some verbs accept a key label containing a “wild card” represented by an asterisk (*). (X ' 2A ' in ASCII; X ' 5C ' in EBCDIC). When a verb permits the use of a wild card, the wild card can appear as the first character, as the last character, or as the only character in a name token.
DES_Key_Record_Create CCA Release 2.54 DES_Key_Record_Create (CSNBKRC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_Create verb adds a key record with a null key-token to DES key-storage. It is identified by the key label specified using the key_label parameter.
CCA Release 2.54 DES_Key_Record_Delete DES_Key_Record_Delete (CSNBKRD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_Delete verb does either of the following tasks: Replaces the token in a key record with a null key-token Deletes an entire key record, including the key label, from key storage.
DES_Key_Record_Delete CCA Release 2.54 key_label The key_label parameter is a pointer to a string variable containing the key label of a key-token record in key storage.
CCA Release 2.54 DES_Key_Record_List DES_Key_Record_List (CSNBKRL) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_List verb creates a key-record-list data set containing information about specified key records in key storage.
DES_Key_Record_List CCA Release 2.54 data_set_name_length The data_set_name_length parameter is a pointer to an integer variable containing the number of bytes of data returned by the verb in the data_set_name variable. The maximum returned value is 64 bytes.
CCA Release 2.54 DES_Key_Record_Read DES_Key_Record_Read (CSNBKRR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_Read verb copies a key token from DES key-storage to application storage. The returned key-token can be null.
DES_Key_Record_Write CCA Release 2.54 DES_Key_Record_Write (CSNBKRW) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The DES_Key_Record_Write verb copies an internal DES key-token from application storage into DES key-storage. Before you use the DES_Key_Record_Write verb, use DES_Key_Record_Create to create a key record.
CCA Release 2.54 PKA_Key_Record_Create PKA_Key_Record_Create (CSNDKRC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_Create service adds a key record with a null key-token to PKA key-storage. The new key-record may be a null key-token or a valid PKA internal or external key-token.
PKA_Key_Record_Create CCA Release 2.54 key_token_length The key_token_length parameter is a pointer to an integer variable containing the number of bytes of data in the key_token variable. If the value of the key_token_length variable is zero, a record with a null PKA key-token is created.
CCA Release 2.54 PKA_Key_Record_Delete PKA_Key_Record_Delete (CSNDKRD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_Delete verb does either of the following tasks: Replaces the token in a key record with a null key-token Deletes an entire key-record, including the key label, from key storage.
PKA_Key_Record_Delete CCA Release 2.54 key_label The key_label parameter is a pointer to a string variable containing the key label of a key-token record in PKA key-storage. Use a wild card (*) in the key_label variable to identify multiple records in key storage.
CCA Release 2.54 PKA_Key_Record_List PKA_Key_Record_List (CSNDKRL) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_List verb creates a key-record-list data set containing information about specified key records in PKA key-storage.
PKA_Key_Record_List CCA Release 2.54 rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable. The value must be zero for this verb. rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords.
CCA Release 2.54 PKA_Key_Record_Read PKA_Key_Record_Read (CSNDKRR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_Read verb copies a key token from PKA key-storage to application storage. The returned key-token may be null.
PKA_Key_Record_Read CCA Release 2.54 key_token The key_token parameter is a pointer to a string variable containing the key token read from PKA key-storage. This variable must be large enough to hold the PKA key-token being read. On successful completion, the key_token_length variable contains the actual length of the token being returned.
CCA Release 2.54 PKA_Key_Record_Write PKA_Key_Record_Write (CSNDKRW) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The PKA_Key_Record_Write verb copies an internal or external PKA key-token from application storage into PKA key-storage.
PKA_Key_Record_Write CCA Release 2.54 key_label The key_label parameter is a pointer to a string variable containing the key label that identifies the key record in PKA key-storage where the key token is to be written.
CCA Release 2.54 Retained_Key_Delete Retained_Key_Delete (CSNDRKD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Retained_Key_Delete verb deletes a PKA key that has been retained within the Coprocessor.
Retained_Key_List CCA Release 2.54 Retained_Key_List (CSNDRKL) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Retained_Key_List verb lists the key labels of those PKA keys that have been retained within the Coprocessor.
CCA Release 2.54 Retained_Key_List key_label_mask The key_label_mask parameter points to a string variable containing a key label mask that is used to filter the list of key names returned by the verb. You can use a wild card (*) to identify multiple keys retained within the Coprocessor.
CCA Release 2.54 7-24 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Chapter 8. Financial Services Support Verbs There are several classes of verbs described in this chapter: Finance industry PIN processing verbs. Information common to these verbs is described in the next section. Support for changing the acceptable PIN on a smart card based on VISA and EMV design concepts.
CCA Release 2.54 Figure 8-1 (Page 2 of 2). Financial Services Support Verbs Verb Page Service Entry Point Svc Lcn PIN_Change/Unblock 8-52 Calculates a PIN for a smart card based on keys and data you supply according to VISA and EMV specifications.
CCA Release 2.54 – Create encrypted PIN blocks for transmission – Generate institution-assigned PINs – Generate an offset or a VISA PIN-validation value (PVV) – Create encrypted PIN blocks for a PIN-verification database – Change the PIN-block encrypting key or the PIN-block format – Verify PINs.
CCA Release 2.54 Account Customer─Entered PIN Customer─Selected PIN Number ──────────┬───────── ──────────┬─────────.
CCA Release 2.54 PIN-Verb Summary The following terms are used for the various “PIN” values: A-PIN The quantity derived from a function of the account number, and PIN-generating key, and other inputs such as a decimalization table . C-PIN The quantity that a customer should use to identify himself.
CCA Release 2.54 PIN-Calculation Method and PIN-Block Format Summary As described in the following sections, you can use a variety of PIN calculation methods and a variety of PIN-block formats with the various PIN-processing verbs. Figure 8-3 provides a summary of the supported combinations.
CCA Release 2.54 Using Specific Key Types and Key-Usage Bits to Help Ensure PIN Security The control vectors (see Appendix C, “CCA Control-Vector Definitions and Key Encryption” on page C-1) associated with obtaining and verifying PINs enable you to minimize certain security exposures.
CCA Release 2.54 OPINENC (output PIN-block encrypting) key type The PIN verbs that encrypt a PIN block require the encrypting key to have a control vector that specifies an OPINENC key type.
CCA Release 2.54 Note: To avoid errors when using the IBM 3624 PIN-block format, you should not include in the decimalization table a decimal digit that is also used as a pad digit. For information about a pad digit, see “PIN Profile” on page 8-10.
CCA Release 2.54 – Eleven (rightmost) digits of PAN data, excluding the check digit. For information about a PAN, see “Personal Account Number (PAN)” on page 8-13. – A constant, six. – A one-digit key index selector from one to six. – Three numeric characters of validation data.
CCA Release 2.54 Format Control Enforcement: The format-control level is the second element in a PIN profile. For the IBM 4758 implementation, this element must be set to NONE followed by four space characters. Pad Digit: The pad digit is the third element in a PIN profile.
CCA Release 2.54 The CKSN is the concatenation of a terminal identifier and a sequence number which together define a unique terminal (within the set of terminals associated with a given base key) and the sequence number of the transaction originated by that terminal.
CCA Release 2.54 Personal Account Number (PAN) A personal account number (PAN) identifies an individual and relates that individual to an account at the financial institution. The PAN consists of the following: Issuer identification number Customer account number One check digit.
CCA Release 2.54 The MAC_Generate and MAC_Verify verbs incorporate post-padding a X ' 80 ' ...X ' 00 ' string to a message as required for authenticating messages exchanged with EMV smart cards. 8-14 IBM 4758 CCA Basic Services, Release 2.
CCA Release 2.54 Clear_PIN_Encrypt Clear_PIN_Encrypt (CSNBCPE) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Clear_PIN_Encrypt verb formats a PIN into one of the following PIN-block formats and encrypts the results (see “PIN-Block Formats” on page E-9): IBM 3624 format ISO-0 format (same as the ANSI X9.
Clear_PIN_Encrypt CCA Release 2.54 Format CSNBCPE return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes PIN_encrypt.
CCA Release 2.54 Clear_PIN_Encrypt PIN_profile The PIN_profile parameter points to a string variable containing three 8-byte elements with: a PIN-block format keyword, a format control keyword ( NONE ), and a pad digit as required by certain formats. See “PIN Profile” on page 8-10.
Clear_PIN_Generate CCA Release 2.54 Clear_PIN_Generate (CSNBPGN) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Clear_PIN_Generate verb generates an A-PIN or an O-PIN by usin.
CCA Release 2.54 Clear_PIN_Generate Restrictions None Format CSNBPGN return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_lengt.
Clear_PIN_Generate CCA Release 2.54 PIN_check_length The PIN_check_length parameter points to an integer variable in the range from 4 to 16 containing the length of the PIN offset. The verb uses the PIN check length if you specify the IBM-PINO keyword for the calculation method.
CCA Release 2.54 Clear_PIN_Generate_Alternate Clear_PIN_Generate_Alternate (CSNBCPA) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Clear_PIN_Generate_Alternate verb is used to obtain a value, the “O-PIN” (offset or VISA-PVV), that will relate the institution-assigned PIN to the customer-known PIN.
Clear_PIN_Generate_Alternate CCA Release 2.54 Calculates the A-PIN. The verb uses the specified calculation method, the data_array variable, and the PIN_check_length variable to calculate the PIN. Calculates the O-PIN Returns the clear O-PIN in the variable identified by the returned_result parameter.
CCA Release 2.54 Clear_PIN_Generate_Alternate Note: When using the ISO-0 format, use the 12 rightmost PAN digits, excluding the check digit. encrypted_PIN_block The encrypted_PIN_block parameter points to a string variable containing the encrypted PIN-block of the (customer-selected) C-PIN value.
Clear_PIN_Generate_Alternate CCA Release 2.54 PIN_check_length The PIN_check_length parameter points to an integer variable in the range from 4 to 16 containing the number of digits of PIN information that the verb should check. The verb uses the PIN_check_length parameter if you specify the IBM-PINO keyword for the calculation method.
CCA Release 2.54 Clear_PIN_Generate_Alternate When using the NL-PIN-1 keyword, identify the following elements in the data array: When using the VISA-PVV keyword, identify the following elements in the data array.
Clear_PIN_Generate_Alternate CCA Release 2.54 returned_result The returned_result parameter points to a string variable containing the clear O-PIN returned by the verb. The 16-byte result will be left-justified and padded on the right with space characters.
CCA Release 2.54 CVV_Generate CVV_Generate (CSNBCSG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The CVV_Generate verb supports the VISA card-verification value (CVV) and the MasterCard card-verification code (CVC) process as defined for track 2 by generating a CVV.
CVV_Generate CCA Release 2.54 rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-justified and padded on the right with space characters.
CCA Release 2.54 CVV_Generate CVV_key-B_identifier The CVV_key-B_identifier parameter points a string variable containing an internal key-token or a key label of an internal key-token record in key storage. The internal key-token contains the key-B key that decrypts information in the CVV process.
CVV_Verify CCA Release 2.54 CVV_Verify (CSNBCSV) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The CVV_Verify verb supports the VISA card-verification value (CVV) and the MasterCard card-verification code (CVC) process as defined for track 2 by verifying a CVV.
CCA Release 2.54 CVV_Verify Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable.
CVV_Verify CCA Release 2.54 expiration_date The expiration_date parameter points to a string variable containing the card expiration date. The date is in numeric character format. The application programmer must determine whether the CVV will be calculated as YYMM or MMYY.
CCA Release 2.54 Encrypted_PIN_Generate Encrypted_PIN_Generate (CSNBEPG) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Encrypted_PIN_Generate verb generates and formats a PIN and encrypts the PIN block.
Encrypted_PIN_Generate CCA Release 2.54 – When using the ISO-0 PIN-block format, specify a PAN. For information about a personal account number (PAN), see “Personal Account Number (PAN)” on page 8-13. – When using another PIN-block format, specify a 12-byte variable in application storage.
CCA Release 2.54 Encrypted_PIN_Generate Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11.
Encrypted_PIN_Generate CCA Release 2.54 PIN_profile The PIN_profile parameter is a pointer to a string variable containing the PIN profile including the PIN-block format. See “PIN Profile” on page 8-10. PAN_data The PAN_data parameter is a pointer to a string variable containing 12 digits of Personal Account Number (PAN) data.
CCA Release 2.54 Encrypted_PIN_Translate Encrypted_PIN_Translate (CSNBPTR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Encrypted_PIN_Translate verb can change PIN block encryption, and optionally format a PIN into a different PIN-block format.
Encrypted_PIN_Translate CCA Release 2.54 key serial number, and then uses ANSI X9.24-specified “special decryption.” Checks the control vector to ensure that for an IPINENC key that the TRANSLAT b.
CCA Release 2.54 Encrypted_PIN_Translate Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11.
Encrypted_PIN_Translate CCA Release 2.54 rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, and must be left-justified and padded on the right with space characters.
CCA Release 2.54 Encrypted_PIN_Translate and optionally an additional 24 bytes containing the output current key serial number (CKSN). The strings are equivalent to 24-byte or 48-byte strings. For more information about a PIN profile, see “PIN Profile” on page 8-10.
Encrypted_PIN_Verify CCA Release 2.54 Encrypted_PIN_Verify (CSNBPVR) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The Encrypted_PIN_Verify verb extracts a trial PIN (T-PIN) from an encrypted PIN-block and verifies this value by comparing it to an account PIN (A-PIN) calculated by using the specified PIN-calculation method.
CCA Release 2.54 Encrypted_PIN_Verify The verb does the following: Decrypts the input PIN-block by using the supplied IPINENC key in ECB mode, or derives the decryption key using the specified KEYGENKY key and CKSN and uses ANSI X9.24-specified “special decryption.
Encrypted_PIN_Verify CCA Release 2.54 Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11.
CCA Release 2.54 Encrypted_PIN_Verify PIN_check_length The PIN_check_length parameter is a pointer to an integer variable containing the number of digits of PIN information that the verb should verify. The verb uses the value in the variable if you specify the IBM-PIN or IBM-PINO keyword for the calculation method.
Encrypted_PIN_Verify CCA Release 2.54 data_array The data_array parameter is a pointer to a string variable containing three 16-byte character strings, which are equivalent to a single 48-byte string. The values you specify in the data array depend on the PIN-calculation method.
CCA Release 2.54 Encrypted_PIN_Verify When using the VISA-PVV or VISAPVV4 keywords, identify the following elements in the data array. For more information about these elements, and transaction security data for the VISA-PVV calculation method, see “VISA PIN Validation Value (PVV) Calculation Method” on page E-7.
Encrypted_PIN_Verify CCA Release 2.54 Required Commands The Encrypted_PIN_Verify verb requires the following commands to be enabled in the hardware, based on the keyword specified for the PIN-calculation methods. The Encrypted_PIN_Translate verb also requires the Unique Key Per Transaction, ANSI X9.
CCA Release 2.54 Key_Encryption_Translate | Key_Encryption_Translate (CSNBKET) | Platform/ | Product | OS/2 | AIX | Win NT/ | 2000 | OS/400 | IBM 4758-2/23 | X | The Key_Encryption_Translate verb is used to change the method of key | encryption. An input key can be a double-length external CCA DATA key or a | double-length CBC-encrypted key.
Key_Encryption_Translate CCA Release 2.54 | Format | CSNBKET | return_code | Output | Integer | reason_code | Output | Integer | exit_data_length | In/Output | Integer | exit_data | In/Output | String.
CCA Release 2.54 Key_Encryption_Translate | key_out_length | The key_out_length parameter points to an integer variable. On input, you | should set the variable to at least 64 for the CBCTOECB translation or to at | least 16 for the ECBTOCBC translation.
PIN_Change/Unblock CCA Release 2.54 PIN_Change/Unblock (CSNBPCU) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-23 X Use the PIN_Change/Unblock verb to prepare an encrypted message-portion for communicating an original or replacement PIN for an EMV smart-card.
CCA Release 2.54 PIN_Change/Unblock See “VISA and EMV-Related Smart Card Formats and Processes” on page E-17 which explains the derivation processes and PIN-block formation.
PIN_Change/Unblock CCA Release 2.54 Restrictions This verb is supported beginning with Release 2.50. Support for the TDESEMV2 and TDESEMV4 keywords begins with Release 2.
CCA Release 2.54 PIN_Change/Unblock authentication_key_identifier_length The authentication_key_identifier_length parameter points to an integer variable set to 64.
PIN_Change/Unblock CCA Release 2.54 The first 8 or 16 bytes of data should contain the value used to form the smart-card-specific authentication value and the PIN-block encryption key.
CCA Release 2.54 PIN_Change/Unblock current_reference_PIN_profile The current_reference_PIN_profile parameter points to an array of three, 8-byte string variables. The contents of the variables are inspected when the VISAPCU2 rule-array keyword is present.
PIN_Change/Unblock CCA Release 2.54 When an MAC-MDK and/or ENC-MDK of key type DKYGENKY is specified with control vector bits (19-22) of B'1111', the Generate Diversified Key (DALL with DKYGENKY key type) command (offset X ' 0290 ' ) must also be enabled in the active role.
CCA Release 2.54 Secure_Messaging_for_Keys Secure_Messaging_for_Keys (CSNBSKY) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-23 X Use the Secure_Messaging_for_Keys verb to decrypt a key you supply for incorporation into a text block you also supply.
Secure_Messaging_for_Keys CCA Release 2.54 Returns the enciphered text. Restrictions This verb is supported beginning with Release 2.50. Format CSNBSKY return_code Output Integer reason_code Outpu.
CCA Release 2.54 Secure_Messaging_for_Keys input_key. You may also specify a key label of a key storage record for such a key. For an internal-form input_key, you may specify a null key-token.
Secure_Messaging_for_PINs CCA Release 2.54 Secure_Messaging_for_PINs (CSNBSPN) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-23 X Use the Secure_Messaging_for_PINs verb to decrypt an input PIN-block, optionally reformat the PIN-block, and incorporate the PIN-block into a text block you also supply.
CCA Release 2.54 Secure_Messaging_for_PINs The Secure_Messaging_for_PINs verb: Deciphers the input PIN block Reformats the PIN block when the input and output PIN-block formats differ Self-encrypts the output PIN block as specified Places the PIN block within the supplied text at the specified offset Encrypts the updated text.
Secure_Messaging_for_PINs CCA Release 2.54 input_PIN_block The input_PIN_block parameter is a pointer to an eight-byte string variable containing the input, encrypted PIN-block.
CCA Release 2.54 Secure_Messaging_for_PINs clear_text_length The clear_text_length parameter is a pointer to an integer containing the length of text to be encrypted. This must be a multiple of eight, and less than or equal to 4096. clear_text The clear_text parameter is a pointer to the text string to be updated with a PIN block and encrypted.
SET_Block_Compose CCA Release 2.54 SET_Block_Compose (CSNDSBC) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The SET_Block_Compose verb creates a SET-protocol RSA-OAEP block and DES encrypts the data block in support of the SET protocols.
CCA Release 2.54 SET_Block_Compose Parameters For the definitions of the return_code , reason_code , exit_data_length , and exit_data parameters, see “Parameters Common to All Verbs” on page 1-11. rule_array_count The rule_array_count parameter is a pointer to an integer variable containing the number of elements in the rule_array variable.
SET_Block_Compose CCA Release 2.54 The hash is an optional part of the OAEP block. No hash is computed or inserted into the OAEP block if the data_to_hash_length variable is zero. data_to_hash The data_to_hash parameter is a pointer to a string variable containing the data that is to be hashed and included in the OAEP block.
CCA Release 2.54 SET_Block_Compose with the data_to_encrypt variable). The starting address must not fall inside the data_to_encrypt area. Required Commands The SET_Block_Compose verb requires the SET Block Compose command (command offset X ' 010B ' ) to be enabled in the hardware.
SET_Block_Decompose CCA Release 2.54 SET_Block_Decompose (CSNDSBD) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2/23 X X X X The SET_Block_Decompose verb decomposes the RSA-OAEP block and DES decrypts the data block in support of the SET protocols.
CCA Release 2.54 SET_Block_Decompose Format CSNDSBD return_code Output Integer reason_code Output Integer exit_data_length In/Output Integer exit_data In/Output String exit_data_length bytes rule_arra.
SET_Block_Decompose CCA Release 2.54 RSA-OAEP_block_length The RSA-OAEP_block_length parameter is a pointer to an integer variable containing the number of bytes of data in the RSA-OAEP_block variable. This value must be 128 bytes. RSA-OAEP_block The RSA-OAEP_block parameter is a pointer to a string variable containing the RSA-OAEP block.
CCA Release 2.54 SET_Block_Decompose of a 128-byte buffer. The first 64 bytes of the buffer are reserved for future use, and should be set to X ' 00 ' . The PIN encrypting-key token will be returned to the caller in the same buffer on completion of the verb.
SET_Block_Decompose CCA Release 2.54 Required Commands The SET_Block_Decompose verb requires the SET Block Decompose command (command offset X ' 010C ' ) to be enabled in the hardware. Two additional commands are used when encrypting PIN data with this verb.
CCA Release 2.54 Transaction_Validation Transaction_Validation (CSNBTRV) Platform/ Product OS/2 AIX Win NT/ 2000 OS/400 IBM 4758-2 X X X X The Transaction_Validation verb supports the generation and validation of American Express card security codes (CSC).
Transaction_Validation CCA Release 2.54 rule_array The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length, left-justified, and padded on the right with space characters, as shown below.
CCA Release 2.54 Transaction_Validation Operation Element Description Validation-Values Length GENERATE and CSC-345 555554444333 where: 55555 = CSC 5 value 4444 = CSC 4 value 333 = CSC 3 value 12 VERI.
CCA Release 2.54 8-78 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Appendix A. Return Codes and Reason Codes This appendix describes the return codes and the reason codes that a verb uses to report the results of processing. Each return code is associated with a reason code that supplies details about the result of verb processing.
CCA Release 2.54 Figure A-2 on page A-2 shows the reason codes, listed in numeric sequence and grouped by their corresponding return code. The return codes appear in decimal form, and the reason codes appear in decimal and hexadecimal (hex) form. Return Code 0 Figure A-2.
CCA Release 2.54 Return Code 4 Figure A-3. Reason Codes for Return Code 4 Return Code Dec Reason Code Dec (Hex) Meaning 4 001 (001) The verification test failed. 4 013 (00D) The key token has an initialization vector, and the initialization_vector parameter value is nonzero.
CCA Release 2.54 Return Code 8 Figure A-4 (Page 1 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 012 (00C) The token-validation value in an external key token is not valid. 8 022 (016) The ID number in the request field is not valid.
CCA Release 2.54 Figure A-4 (Page 2 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 063 (03F) A key token had an invalid token header (for example, not an internal token). 8 064 (040) The RSA key is not permitted to perform the requested operation.
CCA Release 2.54 Figure A-4 (Page 3 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 155 (09B) The value that the generated_key_identifier parameter specifies is not valid, or it is not consistent with the value that the key_form parameter specifies.
CCA Release 2.54 Figure A-4 (Page 4 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 343 (157) Either the data block or the buffer for the block is too small, or a variable has caused an attempt to create an internal data structure that is too large.
CCA Release 2.54 Figure A-4 (Page 5 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 770 (302) The PKA key token has an invalid field. 8 771 (303) The user is not logged on. 8 772 (304) The requested role was not found.
CCA Release 2.54 Figure A-4 (Page 6 of 6). Reason Codes for Return Code 8 Return Code Dec Reason Code Dec (Hex) Meaning 8 1102 (44E) Hardware device driver invalid buffer length. 8 1103 (44F) Hardware device driver too many opens. Cannot open device now.
CCA Release 2.54 Return Code 12 Figure A-5. Reason Codes for Return Code 12 Return Code Dec Reason Code Dec (Hex) Meaning 12 097 (061) File space in key storage is insufficient to complete the operation.
CCA Release 2.54 Return Code 16 Figure A-6. Reason Codes for Return Code 16 Return Code Dec Reason Code Dec (Hex) Meaning 16 099 (063) An unrecoverable error occurred in the security server; contact your IBM service representative. 16 336 (150) An error occurred in a cryptographic hardware or software component.
CCA Release 2.54 A-12 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Appendix B. Data Structures This appendix describes the following data structures: Key tokens Chaining vector records Key-storage records Key record list data set Access-control data structures Master key shares Distributed function control vector.
CCA Release 2.54 An IBM 4758 does not permit the introduction of a new master key value that has the same verification value as either the current master-key or as the old master-key.
CCA Release 2.54 DES Key-Tokens DES key-token data structures are 64 bytes in length, contain an enciphered key, a control vector, various flag bits, version number, and token validation value.
CCA Release 2.54 Figure B-3 (Page 2 of 2). Internal DES Key-Token, Version 3 Format Offset Length Meaning 48-59 12 Reserved, binary zero 60-63 4 The token-validation value B-4 IBM 4758 CCA Basic Services, Release 2.
CCA Release 2.54 External DES Key-Token CCA implementations generally use a version X ' 00 ' external key-token. See Figure B-4. The IBM 4758 Version 2 CCA Support Program also uses a version X ' 01 ' external key-token to hold a double-length DATA key that is associated with a null (all-zero bits) control vector.
CCA Release 2.54 DES Key-Token Flag Byte 1: DES Key-Token Flag Byte 2: Figure B-6. Key-Token Flag Byte 1 Bits (MSB...LSB) 1 Meaning 1xxx xxxx The encrypted key value and the Master Key Verification Pa.
CCA Release 2.54 Coprocessor but your application will encounter a performance penalty with each use of the key. Protection of the private key is provided by encrypting a confounder (a random number) and the private key information exclusive of the modulus.
CCA Release 2.54 – Section identifier X ' 05 ' for a CRT-format key up to 1024 bits is accepted as input. A public-key section (RSA section identifier X ' 04 ' , see Figure B.
CCA Release 2.54 Figure B-8. RSA Key-Token Header Offset (Bytes) Length (Bytes) Description 000 001 Token identifier (a flag that indicates token type) X ' 1E ' External token; the optional private-key is either in cleartext or enciphered by a transport key-encrypting-key.
CCA Release 2.54 Figure B-9. RSA Private Key, 1024-Bit Modulus-Exponent Format Offset (Bytes) Length (Bytes) Description 000 001 X ' 02 ' Section identifier, RSA private key, modulus-exponent format (RSA-PRIV). This section type is created by selected IBM 4755 Cryptographic Adapters and the IBM 4758 Version 1 CCA Support Program.
CCA Release 2.54 Figure B-10 (Page 1 of 2). Private Key, 2048-Bit Chinese-Remainder Format Offset (Bytes) Length (Bytes) Description 000 001 X ' 05 ' Section identifier, RSA private key, CRT (RSA-OPT) format. This section type is created by the IBM 4758 Version 1 CCA Support Program.
CCA Release 2.54 Figure B-10 (Page 2 of 2). Private Key, 2048-Bit Chinese-Remainder Format Offset (Bytes) Length (Bytes) Description 076 +ppp +qqq rrr d p = d mod(p-1) 076 +ppp +qqq +rrr sss d q = d m.
CCA Release 2.54 Figure B-11. RSA Private Key, 1024-Bit Modulus-Exponent Format with OPK Offset (Bytes) Length (Bytes) Description 000 001 X ' 06 ' Section identifier, RSA private key, modulus-exponent format (RSA-PRIV). This section type is created by the IBM 4758 Version 2 CCA Support Program.
CCA Release 2.54 Figure B-12 (Page 1 of 2). RSA Private Key, Chinese-Remainder Format with OPK Offset (Bytes) Length (Bytes) Description 000 001 X ' 08 ' Section identifier, RSA private key, CRT format (RSA-CRT). This section type is created by the IBM 4758 Version 2 CCA Support Program.
CCA Release 2.54 Figure B-12 (Page 2 of 2). RSA Private Key, Chinese-Remainder Format with OPK Offset (Bytes) Length (Bytes) Description 124 Start of the (optionally) encrypted subsection.
CCA Release 2.54 Figure B-13. RSA Public Key Offset (Bytes) Length (Bytes) Description 000 001 X ' 04 ' , Section identifier, RSA public key 001 001 The version number (X ' 00 ' ) .
CCA Release 2.54 RSA Public-Key Certificate Section: An optional public key certificate(s) section can be included in an RSA key-token. The section consists of: The section header (identifier X &a.
CCA Release 2.54 Figure B-17. RSA Public-Key Certificate(s) Optional Information Subsection Header Offset (Bytes) Length (Bytes) Description 000 001 X ' 42 ' , Information Subsection Header .
CCA Release 2.54 Figure B-21. RSA Public-Key Certificate(s) Signature Subsection Offset (Bytes) Length (Bytes) Description 000 001 X ' 45 ' , Signature Subsection Header 001 001 The version .
CCA Release 2.54 RSA Private-Key Blinding Information: Figure B-22. RSA Private-Key Blinding Information Offset (Bytes) Length (Bytes) Description 000 001 X ' FF ' , Section identifier, private-key blinding information.
CCA Release 2.54 Key-Storage Records Key storage exists as an online, Direct Access Storage Device (DASD)-resident data set for the storage of key records. Key records contain a key label, space for a key token, and control information. The stored key tokens are accessed using the key label.
CCA Release 2.54 Figure B-24. Key-Storage-File Header, Record 1 (not OS/400) Offset Length Meaning 00 04 The total length of this key record. 04 04 The record validation value. 08 64 The key label without separators. $$FORTRESS$REL01$MASTER$KEY$VERIFY$PATTERN .
CCA Release 2.54 Figure B-25. Key-Storage File Header, Record 2 (not OS/400) Offset Length Meaning 00 04 The total length of this key record. 04 04 The record validation value. 08 64 The key label without separators. For the DES key-storage file the key label is $$FORTRESS$DES$REL01$KEY$STORAGE$FILE$HEADER .
CCA Release 2.54 Figure B-27. DES Key-Record Format, OS/400 Key Storage Offset Length Meaning 00 56 The key label without separators. 56 02 Reserved 58 64 The DES key token. 122 04 The date and time of when this record was created. This field has the same format as the created date in Figure B-24 on page B-21.
CCA Release 2.54 Key_Record_List Data Set There are two Key_Record_List verbs, one for the DES key store and one for the PKA key store. Each creates an internal data set that contains information about specified key records in key storage. Both verbs return the list in a data set, KYRLT nnn .
CCA Release 2.54 Figure B-29 (Page 2 of 2). Key-Record-List Data Set Format (Other Than OS/400) Offset Length Meaning Detail Record (Part 1) 0 1 This field contains an asterisk (*) if the key-storage record did not have a correct record validation value; this record should be considered to be a potential error.
CCA Release 2.54 Figure B-30 (Page 1 of 2). Key-Record-List Data Set Format (OS/400 only) Offset Length Meaning Header Record 0 24 This field contains the installation-configured listing header (the default value for the DES key store is DES KEY-RECORD-LIST and for the PKA key store is PKA KEY-RECORD-LIST).
CCA Release 2.54 Figure B-30 (Page 2 of 2). Key-Record-List Data Set Format (OS/400 only) Offset Length Meaning Detail Record 0 1 This field contains an asterisk (*) if the key-storage record did not have a correct record validation value; this record should be considered to be a potential error.
CCA Release 2.54 Role Structure This section describes the data structures used with roles. Basic Structure of a Role The following figure describes how the Role data is structured. This is the format used when role data is transferred to or from the Coprocessor, using verbs CSUAACI or CSUAACM.
CCA Release 2.54 Aggregate Role Structure A set of zero one or more role definitions are sent in a single data structure. This structure consists of a header , followed by one or more role structures as defined in “Basic Structure of a Role” on page B-29.
CCA Release 2.54 The entire access-control-point structure is comprised of a header, followed by one or more access-control-point segments. The header indicates how many segments are contained in the entire structure. The layout of this structure is illustrated in Figure B-33.
CCA Release 2.54 Figure B-34 (Page 2 of 2). Functions Permitted in Default Role Code Function Name X ' 0113 ' Change the expiration date in a user profile X ' 0114 ' Change the aut.
CCA Release 2.54 The checksum is defined as the exclusive-OR (XOR) of each byte in the profile structure. The high-order byte of the checksum field is set to zero (X ' 00 ' ), and the exclusive-OR result is put in the low-order byte. Note: The checksum value is not used in the current profile structure.
CCA Release 2.54 The header is followed by individual sets of authentication data, each containing the data for one authentication mechanism. This layout is shown pictorially in Figure B-38 on page B-34. Figure B-38. Layout of the Authentication Data Field The content of the individual Authentication Data structures is shown in Figure B-39 below.
CCA Release 2.54 Figure B-39 (Page 1 of 2). Authentication Data for Each Authentication Mechanism Field name Length (bytes) Description Length 2 The size of this set of authentication mechanism data, in bytes. The length field includes all bytes of mechanism data following the length field itself.
CCA Release 2.54 Authentication Data for Passphrase Authentication: For passphrase authentication, the mechanism data field contains the 20-byte SHA-1 hash of the user's passphrase. The hash is computed in the host, where it is used to construct the profile that is downloaded to the Coprocessor.
CCA Release 2.54 1 5a 2d 2 53 61 6d 7 6c 65 2 5 72 6f ...Z- Sample Pro 66 69 6c 65 2 31 2 2d ab cd 4a 5f 53 6d file 1 -....J_Sm 69 74 68 2 41 44 4d 49 4e 31 2 2 7 cd 6 1 ith ADMIN1 ...
CCA Release 2.54 1 1 5a 2d 2 53 61 ...........Z- Sa 6d 7 6c 65 2 5 72 6f 66 69 6c 65 2 31 2 2d mple Profile 1 - ab cd 4a 5f 53 6d 69 74 68 2 41 44 4d 49 .
CCA Release 2.54 00 03 The number of bytes of data in the access-control points for this segment. There are 3 bytes, for the access-control points from 512 through 535. 00 00 A reserved field, which must be filled with zeros. 8F 99 FE This is the second set of access-control points, with one bit corresponding to each point.
CCA Release 2.54 Aggregate Role Data Structure Figure B-45 shows the an aggregate role data structure, like you would load using the CSUAACI verb. 1 1 62 2a 4e 65 77 .
CCA Release 2.54 Master Key Shares Data Formats Master key shares, and potentially other information to be “cloned” from one Coprocessor to another Coprocessor are packed into a data structure as described in Figure B-46.
CCA Release 2.54 Function Control Vector The export (distribution) of cryptographic implementations by USA companies is controlled under USA Government export regulations. An IBM 4758 becomes a practical cryptographic engine when it accepts and validates digitally signed software.
CCA Release 2.54 Figure B-49 (Page 2 of 2). FCV Distribution Structure Offset Decimal (Hex) Length Decimal Meaning FCV Supplied to Coprocessor (offset 470 above) 470 (1D6) 1 Record ID, X ' 06 &ap.
CCA Release 2.54 B-44 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Appendix C. CCA Control-Vector Definitions and Key Encryption This appendix describes the following: DES control-vector values 1 Specifying a control-vector-base value Changing control vectors CCA key encryption and decryption processes.
CCA Release 2.54 Usually there is a default control-vector associated with each of the key types just listed; see Figure C-2 on page C-3. The bits in positions 16-22 and 33-37 generally have different meanings for every key class. Many of the remaining bits in a control vector have a common meaning.
CCA Release 2.54 You can use the default control-vector for a key type, or you can create a more restrictive control-vector. The default control-vector for a key type provides basic key-separation functions. Optional usage restrictions can further tighten the security of the system.
CCA Release 2.54 Figure C-2 (Page 2 of 2). Key Type Default Control-Vector Values Key Type Control Vector Hexadecimal Value for Single-length Key or Left Half of Double-Length Key Control Vector Hexad.
CCA Release 2.54 Control─Vector─Base Bits │ │ 1 1 1 │1 1 2 2 │2 2 2 3 │3 3 3 3 │4 4 4 4 │4 5 5 5 │5 5 6 6 │ │ 2 4 6 │8 2 4 │6 8 2 │4 6 8 .
CCA Release 2.54 Control─Vector─Base Bits │ │ 1 1 1 │1 1 2 2 │2 2 2 3 │3 3 3 3 │4 4 4 4 │4 5 5 5 │5 5 6 6 │ │ 2 4 6 │8 2 4 │6 8 2 │4 6 8 .
CCA Release 2.54 Key-Form Bits, ‘fff’ and ‘FFF’ The key-form bits, 40-42...and for a double-length key, bits 104-106...are designated ‘fff’ and ‘FFF’ in the preceding diagram.
CCA Release 2.54 2. For key-encrypting keys, set the following bits: The Key-Encrypting Key-limiting bits, previously described as bits “hhh, bits 35 to 37,” are not supported in any current release of the Coprocessor CCA support. The key-generating usage bits (gks, bits 18 to 20).
CCA Release 2.54 The MAC control bits (bits 20 and 21). For a MAC generation key, set bits 20 and 21 to B ' 11 ' . For a MAC verification key, set bits 20 and 21 to B ' 01 ' . The key-form bits (fff, bits 40 to 42). For a single-length key, set the bits to B ' 000 ' .
CCA Release 2.54 9. For the IPINENC (inbound) and OPINENC (outbound) PIN-block ciphering keys, do the following: Set the TRANSLAT bit (t, bit 21) to 1 to permit the key to be used in the PIN_Translate verb. The Control_Vector_Generate verb can set the TRANSLAT bit to 1 when you supply the TRANSLAT keyword.
CCA Release 2.54 13. For all keys, set the following bits: The export bit (E, bit 17). If set to 0, the export bit prevents a key from being exported. By setting this bit to 0, you can prevent the receiver of a key from exporting or translating the key for use in another cryptographic subsystem.
CCA Release 2.54 CCA Key Encryption and Decryption Processes This section describes the CCA key-encryption processes: CCA DES key encryption CCA RSA private key encryption Encipherment of DES keys under RSA in “PKA92” format Encipherment of a DES key-encrypting key under RSA in “NL-EPP-5” format.
CCA Release 2.54 ┌──────────────┬──────────────┬──────────────┐ ┌─────────────.
CCA Release 2.54 PKA92 Key Format and Encryption Process The PKA_Symmetric_Key_Export, PKA_Symmetric_Key_Generate, and the PKA_Symmetric_Key_Import verbs optionally support a PKA92 method of encrypting a DES or CDMF key with an RSA public key.
CCA Release 2.54 Decrypting Sub-process: RSA decrypt the AS External Key Block using an RSA private key and call the result of the decryption PKR. The private key must be usable for key management purposes. Validating Sub-process: Verify that the high-order two bits of the PKR record are valued to B ' 01 ' .
CCA Release 2.54 Encrypting a Key_Encrypting Key in the NL-EPP-5 Format The PKA_Symmetric_Key_Generate verb supports a NL-EPP-5 method of encrypting a DES key-encrypting key with an RSA public key. The verb returns an encrypted key block by RSA encrypting a key record formed in the following manner: 1.
CCA Release 2.54 you can enter another part that is set to the value of the pre-exclusive-OR quantity (which quantity is discussed later). Use the Key_Generate verb to generate an IMPORTER/EXPORTER pair of KEKs, with the KEY-PART control vector bit set on.
CCA Release 2.54 Note that if you are processing a double-length key, you almost certainly will have to process the key twice, using the key-encrypting key modified by different values each appropriate to a key half. Then you concatenate the resulting two correct key-halves.
CCA Release 2.54 CVil is the control vector for the left half of the target input PIN-block encrypting key. e*Km ⊕ CViml(Kt ⊕ CVir) e*Km ⊕ CVimr(Kt ⊕ CVir) where: CVir is the control vector for the right half of the target input PIN-block encrypting key.
CCA Release 2.54 Changing Control Vectors with the Control_Vector_Translate Verb Do the following when using the Control_Vector_Translate verb: Provide the control information for testing the cont.
CCA Release 2.54 This expression tests whether the control vectors associated with the source key and the target key meet your criteria for the desired translation. Encipher two copies of the mask array, each under a different cryptographic-variable key (key type CVARENC).
CCA Release 2.54 For expression 1: KEK CV ┌─┬─┬─┬─┬─────┬─┬─┬─┬─┬───────────────────────────┐ Control Vector 2: Source CV ││1││1│... ││1││1│.
CCA Release 2.54 Selecting the Key-Half Processing Mode The Control_Vector_Translate verb rule-array keywords determine which key halves are processed in the verb call, as shown in Figure C-9.
CCA Release 2.54 The verb first processes the source and target tokens as with the SINGLE keyword. Then the source token is processed using the single-length enciphered key and the source token right-half control vector to obtain the actual key value.
CCA Release 2.54 Appendix D. Algorithms and Processes This appendix provides processing details for the following aspects of the CCA design: Cryptographic key-verification techniques Ciphering.
CCA Release 2.54 S/390 Based Master Key Verification Method When the first and third portions of the symmetric master key have the same value, the master key is effectively a double-length DES key.
CCA Release 2.54 The CCA DES key verification algorithm does the following: 1. Sets KKR ′ = KKR exclusive-OR RN 2. Sets K1 = X ' 4545454545454545 ' 3. Sets X1 = DES encoding of KKL using key K1 4. Sets K2 = X1 exclusive-OR KKL 5. Sets X2 = DES encoding of KKR ′ using key K2 6.
CCA Release 2.54 When the keywords PADMDC-2 and PADMDC-4 are used, the supplied text is always padded as follows: If the supplied text is less than 16 bytes in length, pad bytes are appended to make the text length equal to 16 bytes.
CCA Release 2.54 MDC-2 Calculation The MDC-2 calculation consists of the following procedure: MDC-2 (n, text, KEY1, KEY2, MDC); For i := 1,2,...,n do Call MDC-1(KEY1, KEY2, T8<i>, T8<i>, OUT1, OUT2) Set KEY1 := OUT1 Set KEY2 := OUT2 End do Set output MDC := (KEY1 || KEY2).
CCA Release 2.54 General Data Encryption Processes Although the fundamental concepts of ciphering (enciphering and deciphering) data are simple, different methods exist to process data strings that are not a multiple of eight bytes in length. Two widely used methods for enciphering general data are defined in these ANSI standards: ANSI X3.
CCA Release 2.54 ANSI X3.106 Cipher Block Chaining (CBC) Method ANSI standard X3.106 defines four modes of operation for ciphering. One of these modes, Cipher Block Chaining (CBC), defines the basic method for ciphering multiple eight-byte data strings.
CCA Release 2.54 ┌──────────────┐ │Verb Parameter│ └──────┬───────┘ │ ┌─────────────┐ ──.
CCA Release 2.54 ┌──────────────┐ │Verb Parameter│ └──────┬───────┘ │ ┌─────────────┐ ── P.
CCA Release 2.54 Triple-DES Ciphering Algorithms Triple-DES is used to encrypt keys, PIN blocks, and general data. Several techniques are employed: T-DES ECB DES keys, when triple encrypted under a double-length DES key, are ciphered using an e-d-e scheme without feedback.
CCA Release 2.54 ┌─────────────┬─────────────┬─────────────┬/┬─────────────┐ │ T1.
CCA Release 2.54 ┌─────────────┬─────────────┬─────────────┬/┬─────────────┐ EDE2 ED.
CCA Release 2.54 MAC Calculation Methods With CCA Release 2.51, three variations of DES based message authentication are supported by the MAC_Generate and MAC_Verify verbs: ANSI X9.9 ANSI X9.19 optional Procedure 1 EMV post-padding of X ' 80 ' .
CCA Release 2.54 T1 T2 Tn-1 Tn │ ┌──┴──┐ ┌──┴──┐ ┌──┴──┐ ││ │ │ │ │ │ │ ┌──┤ XOR │ ┌──┤ XOR │ ┌─.
CCA Release 2.54 RSA Key-Pair Generation RSA key-pair generation is determined based on user input of the modulus bit length, public exponent, and key type.
CCA Release 2.54 Access-Control Algorithms The following sections describe algorithms and protocols used by the access-control system. Passphrase Verification Protocol This section describes the process used to log a user on to the Cryptographic Coprocessor.
CCA Release 2.54 3. The client workstation generates a random number, RN (64 bits). Note: Note: The random-number RN is not used inside the Cryptographic Coprocessor. It is only included in the protocol to guarantee that the cleartext of the logon request is different every time.
CCA Release 2.54 Master-Key-Splitting Algorithm This section describes the mathematical and cryptographic basis for the m-of-n key shares scheme. The key splitting is based on Shamir's secret sharing algorithm: The value to be shared is the master key, Km, which is a triple-DES key and thus 168 bits long.
CCA Release 2.54 Formatting Hashes and Keys in Public-Key Cryptography The Digital_Signature_Generate and Digital_Signature_Verify verbs support several methods for formatting a hash, and in some cases a descriptor for the hashing method, into a bit-string to be processed by the cryptographic algorithm.
CCA Release 2.54 – RSASSA-PKCS1-v1_5, the newer name for the block-type 1 format. In CCA, keyword PKCS-1.1 is used to invoke this formatting technique. – The PKCS #1 specification no longer discusses use of block-type 0. In CCA, keyword PKCS-1.0 is used to invoke this formatting technique.
CCA Release 2.54 Appendix E. Financial System Verbs Calculation Methods and Data Formats This appendix describes the following: PIN-calculation methods PIN-block formats Unique-key-per-transaction calculation methods MasterCard and VISA card verification techniques VISA and EMV smart card PIN-related formats and processes.
CCA Release 2.54 PIN-Calculation Methods The financial PIN verbs support some or all of these PIN-calculation methods, see Figure 8-3 on page 8-6: IBM 3624 PIN (IBM-PIN) IBM 3624 PIN Offset (IBM-PINO) Netherlands PIN-1 (NL-PIN-1).
CCA Release 2.54 IBM 3624 PIN-Calculation Method The IBM 3624 PIN-calculation method calculates a PIN that is from 4 to 16 digits in length. The IBM 3624 PIN-calculation method consists of the following steps to create the A-PIN: 1.
CCA Release 2.54 IBM 3624 PIN Offset Calculation Method The IBM 3624 PIN Offset calculation method is the same as the IBM 3624 PIN-calculation method except that a step is added after the A-PIN is cal.
CCA Release 2.54 Netherlands PIN-1 Calculation Method The Netherlands PIN-1 (NL-PIN-1) calculation method calculates a PIN that is 4 digits in length. The method consists of the following steps to create the A-PIN: 1.
CCA Release 2.54 IBM German Bank Pool Institution PIN-Calculation Method The IBM German Bank Pool Institution PIN calculation method calculates an institution PIN that is 4 digits in length. The German Bank Pool Institution PIN-calculation method consists of the following steps: 1.
CCA Release 2.54 VISA PIN Validation Value (PVV) Calculation Method The VISA-PVV calculation method calculates a VISA-PVV that is 4 digits in length. The VISA PIN Validation Value (PVV) calculation method consists of the following steps: 1. Let X denote the transaction_security_parameter element.
CCA Release 2.54 Interbank PIN-Calculation Method The Interbank PIN-calculation method consists of the following steps: 1. Let X denote the transaction_security_parameter element converted to an array of sixteen 4-bit numeric values.
CCA Release 2.54 PIN-Block Formats The PIN verbs support one or more of the following PIN-block formats: IBM 3624 format ISO-0 format (same as the ANSI X9.8, VISA-1, and ECI formats). ISO-1 format (same as the ECI-4 format) ISO-2 format 3624 PIN-Block Format The 3624 PIN-block format supports a PIN from 1 to 16 digits in length.
CCA Release 2.54 ISO-0 PIN-Block Format An ISO-0 PIN-block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1 PIN-block formats. The ISO-0 PIN-block format supports a PIN from 4 to 12 digits in length. A PIN that is longer than 12 digits is truncated on the right.
CCA Release 2.54 ISO-1 PIN-Block Format The ISO-1 PIN-block format is equivalent to an ECI-4 PIN-block format. The ISO-1 PIN-block format supports a PIN from 4 to 12 digits in length.
CCA Release 2.54 ISO-2 PIN-Block Format The ISO-2 PIN-block format supports a PIN from 4 to 12 digits in length. A PIN that is longer than 12 digits is truncated on the right.
CCA Release 2.54 UKPT Calculation Methods This section describes the calculation methods for deriving the unique-key-per-transaction (UKPT) key according to ANSI X9.24 and performing the special encryption and special decryption processes. 1 Deriving an ANSI X9.
CCA Release 2.54 a. Move the rightmost 8 bytes of the current key serial number to a work area ( W a ). b. Move the rightmost 3 bytes of W a to another work area ( C a ). c. Perform an AND operation with the rightmost 3 bytes of W a with X ' E00000 ' .
CCA Release 2.54 The following is an example of calculating the current PIN encrypting key: W a = X'4567 89AB CDE ' C a = X'11' S a 1 = X'1.
CCA Release 2.54 CVV and CVC Method Figure E-6 2 shows the method used to generate a card-verification value (CVV) for track 2. Each (decimal) digit is represented as a 4-bit, binary value and packed two digits per byte.
CCA Release 2.54 VISA and EMV-Related Smart Card Formats and Processes The VISA and EMV specifications for performing secure messaging with an EMV compliant smart card are covered in these documents: EMV 2000 Integrated Circuit Card Specification for Payment Systems Version 4.
CCA Release 2.54 3. Set the second digit of block-2 to the length of the new PIN (4 to 12), followed by the new PIN, and padded to the right with X ' F ' . 4. Include any current PIN by placing it into the leftmost digits of block-3. 5. Exclusive-OR blocks -1, -2, and -3 to form the 8-byte PIN block.
CCA Release 2.54 TDESEMV2 causes processing with a branch factor of 2 and a height of 16. TDESEMV4 causes processing with a branch factor of 4 and a height of 8.
CCA Release 2.54 E-20 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Appendix F. Verb List This appendix lists the verbs supported by the CCA Support Program feature for the IBM 4758 PCI Cryptographic Coprocessor. Figure F-1 lists each verb by the verb’s pseudonym and entry-point name and shows the operating environment under which the verb is supported.
CCA Release 2.54 Figure F-1 (Page 2 of 3). Security API Verbs in Supported Environments Pseudonym Entry-Point OS/2 AIX NT OS/400 Page Data Confidentiality and Data Integrity Verbs Decipher CSNBDEC √.
CCA Release 2.54 Figure F-1 (Page 3 of 3). Security API Verbs in Supported Environments Pseudonym Entry-Point OS/2 AIX NT OS/400 Page Financial Services Support Verbs Clear_PIN_Encrypt CSNBCPE √ √.
CCA Release 2.54 F-4 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Appendix G. Access-Control-Point Codes The table in this appendix lists the CCA access-control commands (“control points”). The role to which a user is assigned determines the commands available to that user. Important: By default, you should disable commands.
CCA Release 2.54 Figure G-1 (Page 1 of 4). Supported CCA Commands Offset Command Name Verb Name Entry Usage X ' 000E ' Encipher Encipher CSNBENC O X ' 000F ' Decipher Decipher CSNB.
CCA Release 2.54 Figure G-1 (Page 2 of 4). Supported CCA Commands Offset Command Name Verb Name Entry Usage X ' 008E ' Generate Key Key_Generate ‡ Random_Number_Generate CSNBKGN CSNBRNG R .
CCA Release 2.54 Figure G-1 (Page 3 of 4). Supported CCA Commands Offset Command Name Verb Name Entry Usage X ' 0109 ' Data Key Import Data_Key_Import CSNBDKM O X ' 010A ' Data Key.
CCA Release 2.54 Figure G-1 (Page 4 of 4). Supported CCA Commands Offset Command Name Verb Name Entry Usage X ' 0230 ' List Retained Key Retained_Key_List CSNDRKL O X ' 0231 ' Gene.
CCA Release 2.54 G-6 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 List of Abbreviations ANSI American National Standards Institute ACF/VTAM Advanced Communications Function for the Virtual Telecommunications Access Method AIX Advanced Interactive Ex.
CCA Release 2.54 ROM Read-Only Memory RPQ Request for Price Quotation RSA Rivest, Shamir, and Adleman SAA Systems Application Architecture SAF System Authorization Facility SHA Secure Hashing Algorith.
CCA Release 2.54 Glossary This glossary includes some terms and definitions from the IBM Dictionary of Computing , New York: McGraw Hill, 1994. This glossary also includes some terms and definitions from: The American National Standard Dictionary for Information Systems , ANSI X3.
CCA Release 2.54 B bus . In a processor, a physical facility along which data is transferred. byte . (1) A binary character operated on as a unit and usually shorter than a computer word. (A) (2) A string that consists of a number of bits, treated as a unit, and representing a character.
CCA Release 2.54 decipher . (1) To convert enciphered data into clear data. (2) Synonym for decrypt . (3) Contrast with encipher . decode . (1) To convert data by reversing the effect of some previous encoding. (A) (I) (2) In the CCA products, decode and encode relate to the Electronic Code Book mode of the Data Encryption Standard (DES).
CCA Release 2.54 H host . (1) In this publication, same as host computer or host processor. The machine in which the Coprocessor resides. (2) In a computer network, the computer that usually performs network-control functions and provides end-users with services such as computation and database access.
CCA Release 2.54 N National Institute of Science and Technology (NIST) . This is the current name for the US National Bureau of Standards. network . (1) A configuration of data-processing devices and software programs connected for information interchange.
CCA Release 2.54 reason code . (1) A value that provides a specific result as opposed to a general result. (2) Contrast with return code . replicated key-half . In the CCA implementation, a double-length DES key where the two halves of the clear-key value are equal.
CCA Release 2.54 U Unique Key Per Transaction (UKPT) . UKPT is a cryptographic process that can be used to decipher PIN blocks in a transaction. user-exit routine . A user-written routine that receives control at predefined user-exit points. user ID .
CCA Release 2.54 X-10 IBM 4758 CCA Basic Services, Release 2.54, February 2005.
CCA Release 2.54 Index A Access Control, CCA 2-2 Access_Control_Initialization (CSUAACI) 2-21 Access_Control_Maintenance (CSUAACM) 2-24 American Express transaction validation verb 8-75 American National Standards Institute (ANSI) X3.106 (CBC) method D-7 X9.
CCA Release 2.54 CSNBCPA (Clear_PIN_Generate_Alternate) 8-21 CSNBCPE (Clear_PIN_Encrypt) 8-15 CSNBCSG (CVV_Generate) 8-27 CSNBCSV (CVV_Verify) 8-30 CSNBCVE (Cryptographic_Variable_Encipher) 5-29 CSNBC.
CCA Release 2.54 E EMV (Europay, Mastercard, VISA) application transaction counter (ATC) E-18 MAC padding method D-13 PIN-block self-encryption E-19 PIN_Change/Unblock verb 8-52 Secure_Messaging_for_K.
CCA Release 2.54 I IM (importable) keys 5-4 importable (IM) keys 5-4 importing, description 5-18, C-17 initializing key storage 2-48, 2-50 input/output (I/O) parameters 1-10 installing keys 5-15 inter.
CCA Release 2.54 keys activating 3-22 asymmetric 5-6 ciphering 5-7, 5-10 clear 5-16 control vectors 5-4 deactivating 3-22 deleting 3-22, 7-13, 7-21 double-length 5-6 exportable (EX) 5-4 exporting, asy.
CCA Release 2.54 listing keys 7-22 loading a master key 2-59, 2-64 Logging on and logging off 2-7 logon context information 2-8 Logon Control (CSUALCT) 2-52 Logon_Control (CSUALCT) 2-52 M m-of-n maste.
CCA Release 2.54 reenciphering keys 3-22 replicated key-half export restriction 5-34, 5-42, 5-52 export restriction an EXPORTER transport key 5-31 Required Commands Description B-30 List of access-con.
IBM CCA Release 2.54 PDF File.
Ein wichtiger Punkt beim Kauf des Geräts IBM 2 (oder sogar vor seinem Kauf) ist das durchlesen seiner Bedienungsanleitung. Dies sollten wir wegen ein paar einfacher Gründe machen:
Wenn Sie IBM 2 noch nicht gekauft haben, ist jetzt ein guter Moment, um sich mit den grundliegenden Daten des Produkts bekannt zu machen. Schauen Sie zuerst die ersten Seiten der Anleitung durch, die Sie oben finden. Dort finden Sie die wichtigsten technischen Daten für IBM 2 - auf diese Weise prüfen Sie, ob das Gerät Ihren Wünschen entspricht. Wenn Sie tiefer in die Benutzeranleitung von IBM 2 reinschauen, lernen Sie alle zugänglichen Produktfunktionen kennen, sowie erhalten Informationen über die Nutzung. Die Informationen, die Sie über IBM 2 erhalten, werden Ihnen bestimmt bei der Kaufentscheidung helfen.
Wenn Sie aber schon IBM 2 besitzen, und noch keine Gelegenheit dazu hatten, die Bedienungsanleitung zu lesen, sollten Sie es aufgrund der oben beschriebenen Gründe machen. Sie erfahren dann, ob Sie die zugänglichen Funktionen richtig genutzt haben, aber auch, ob Sie keine Fehler begangen haben, die den Nutzungszeitraum von IBM 2 verkürzen könnten.
Jedoch ist die eine der wichtigsten Rollen, die eine Bedienungsanleitung für den Nutzer spielt, die Hilfe bei der Lösung von Problemen mit IBM 2. Sie finden dort fast immer Troubleshooting, also die am häufigsten auftauchenden Störungen und Mängel bei IBM 2 gemeinsam mit Hinweisen bezüglich der Arten ihrer Lösung. Sogar wenn es Ihnen nicht gelingen sollte das Problem alleine zu bewältigen, die Anleitung zeigt Ihnen die weitere Vorgehensweise – den Kontakt zur Kundenberatung oder dem naheliegenden Service.