Cryptographic hardware concepts
To better understand how to maximize your usage of cryptography and cryptographic hardware options with your system running the i5/OS operating system, this topic provides basic concepts regarding cryptographic hardware.
These concepts do not pertain to the IBM® 2058 Cryptographic Accelerator hardware.
- Key types associated with the Cryptographic Coprocessor
- Your Coprocessor uses various key types. Not all DES or Triple DES keys can be used for all symmetric key operations. Likewise, not all public key algorithm (PKA) keys can be used for all asymmetric key operations. This is a list of the various key types which the Coprocessor uses:
- Master key
- This is a clear key, which means that no other key encrypted it. The Coprocessor uses the master key to encrypt all operational keys. The Coprocessor stores the master key in a tamper-responding module. You cannot retrieve the master key from the Coprocessor. The Coprocessor responds to tamper attempts by destroying the master key and destroying its factory certification. The coprocessors have two master keys: one for encrypting DES keys and one for encrypting PKA keys.
- Double-length key-encrypting keys
- Your Coprocessor uses this type of Triple-DES key to encrypt or decrypt other DES or Triple DES keys. Key-encrypting-keys are generally used to transport keys between systems. However, they can also be used for storing keys offline for backup. If key-encrypting-keys are used to transport keys, the clear value of the key-encrypting-key itself must be shared between the two systems. Exporter key-encrypting keys are used for export operations where a key encrypted under the master key is decrypted and then encrypted under the key-encrypting key. Importer key-encrypting keys are used for import operations where a key encrypted under the key-encrypting key is decrypted and then encrypted under the master key.
- Double-length PIN keys
- Your Coprocessor uses this type of key to generate, verify, encrypt, and decrypt PINs used in financial operations. These are Triple DES keys.
- MAC keys
- Your Coprocessor uses this type of key to generate Message Authentication Codes (MAC). These can be either DES or Triple DES keys.
- Cipher keys
- Your Coprocessor uses this type of key to encrypt or decrypt data. These can be either DES or Triple DES keys.
- Single-length compatibility keys
- Your Coprocessor uses this type of key to encrypt or decrypt data and generate MACs. These are DES keys and are often used when encrypted data or MACs are exchanged with systems that do not implement the Common Cryptographic Architecture.
- Private keys
- Your Coprocessor uses private keys for generating digital signatures and for decrypting DES or Triple DES keys encrypted by the public key.
- Public keys
- Your Coprocessor uses public keys for verifying digital signatures, for encrypting DES or Triple DES keys, and for decrypting data encrypted by the private key.
- Key forms
- The Coprocessor works with keys in one of four different forms. The key form, along with the key type, determines how a cryptographic process uses that key. The four forms are:
- Clear form
- The clear value of the key is not protected by any cryptographic means. Clear keys are not usable by the Coprocessor. The clear keys must first be imported into the secure module and encrypted under the master key and then stored outside the secure module.
- Operational form
- Keys encrypted under the master key are in operational form. They are directly usable for cryptographic operations by the Coprocessor. Operational keys are also called internal keys. All keys that are stored in the system key store file are operational keys. However, you do not need to store all operational keys in the key store file.
- Export form
- Keys encrypted under an exporter key-encrypting key as the result of an export operation are in export form. These keys are also called external keys. A key in export form can also be described as being in import form if an importer key-encrypting key with the same clear key value as the exporter key-encrypting key is present. You may store keys in export form in any manner you choose except in key store files.
- Import form
- Keys encrypted under an importer key-encrypting key are in import form. Only keys in import form can be used as the source for an import operation. These keys are also called external keys. A key in import form can also be described as being in export form if an exporter key-encrypting key with the same clear key value as the importer key-encrypting key is present. You may store keys in import form in any manner you choose except in key store files.
- Function control vector
- IBM provides a digitally signed value known as a function control vector. This value enables the cryptographic application within the Coprocessor to yield a level of cryptographic service consistent with applicable import regulations and export regulations. The function control vector provides your Coprocessor with the key length information necessary to create keys.
- Control vectors
- A control vector, different from a function control vector, is a known value associated with a key that governs the following:
The control vector is cryptographically linked to a key and can not be changed without changing the value of the key at the same time.
- Key type
- What other keys this key can encrypt
- Whether your Coprocessor can export this key
- Other allowed uses for this key
- Key store file
- An i5/OS™ database file that is used to store keys which you encrypted under the master key of the Coprocessor.
- Key token
- A data structure that can contain a cryptographic key, a control vector, and other information related to the key. Key tokens are used as parameters on most of the CCA API verbs that either act on or use keys.
Parent topic:
4764 and 4758 Cryptographic Coprocessors