Hello Mark,
Good to hear from someone who is already seeing how to implement the PCI Key Block TR-31 requirement. I invite you to read this post, written by Mr. Richard Kisley, who has helped me understand these changes a little more:
https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/richard-kisley1/2021/05/21/ibm-tdes-key-token-wrapenh3-for-pci-pin
To comply with phase one of the PCI PIN Key Blocks requirement, IBM CCA introduces the IBM TDES fixed-length key block with enhanced wrapping method 3 (WRAPENH3).
Enhanced wrapping method 3 (WRAPENH3) adds several important security features to the IBM fixed-length TDES key block.
You can use a utility to migrate all TDES keys in a CKDS to the WRAPENH3 wrapping method.
I haven't done it yet, but I understand that once the CKDS is converted to the current APIs it will work without problems.
I understand that, with this covered, phase two of the PCI requirement impacts the dynamic exchange of KEK keys, and there we have to use the new functions for importing the block in standard TR-31 format to be able to work with it later.
Then the pinblock received in the transactions must be verified using the Key Token generated in the previous process.
For phase three of the requirement, it is necessary to look at the part about exporting keys in standard TR-31 key block format, but here you can find ATMs that handle RKL, and for those it is necessary to look at the TR-32 standard.
It will be quite a challenge for those of us who manage crypto using CCA/ICSF to implement these changes; however, the Crypto team has provided us with many things to get it up and running.
------------------------------
Gustavo Ramirez
------------------------------
Original Message:
Sent: Wed September 14, 2022 03:23 PM
From: Mark Vollmer
Subject: TR-31 keyblock ICSF capabilities exploration questions
Everyone,
My current environment is using CCA external keys for my general encryption needs. I get to convert most if not all of these keys to TR-31 format as part of PCI PIN security requirements.
Part 1: I'm starting with external CCA keys stored on my own application files. I currently pass those keys into various CCA functions to encrypt and decrypt my data. I now get to convert all those keys to external TR-31 keyblock format for my encrypt and decrypt ICSF calls. For a conversion process, I can export those external CCA keys into TR-31 keyblock format, but I'm fairly sure I cannot use those resulting keyblocks for encrypt and decrypt operations.
Part 2: Today, I get a partner key that I import with a KEK (CCA internal key) into a CCA external key. This resulting key is also used to encrypt and decrypt my data. In the future I will get a TR-31 block that I must import, save the resulting imported key in external TR-31 keyblock format, and use that resulting TR-31 keyblock for encrypt and decrypt ICSF calls.
My current (and limited) understanding of ICSF API suggests I can import and export TR-31 keyblocks, but I cannot use them in ICSF API calls to encrypt and decrypt data.
Can ICSF do what I want or am I forced to import all my TR-31 keys into CCA keys before calling encrypt and decrypt ICSF API operations?
Sincerely,
Mark Vollmer
------------------------------
Mark Vollmer
------------------------------
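Both posts above turn on what a TR-31 key block carries in its header (key usage, mode of use, exportability) when it is imported or exported. The following is an added example, not code from either poster or from IBM ICSF: it decodes the published 16-byte ASCII header and optional blocks of a TR-31 / X9.143 key block so the key's declared restrictions can be inspected before an import. The key block, its encrypted-key field and its MAC are constructed dummy values; nothing here verifies the MAC or unwraps the key, which requires the KBPK inside the HSM.

```python
from dataclasses import dataclass, field

# Code tables from the TR-31 / X9.143 header definition (subset).
KEY_USAGE = {"B0": "BDK", "D0": "data encryption", "K0": "KEK",
             "P0": "PIN encryption", "M1": "ISO 9797-1 MAC"}
ALGORITHM = {"A": "AES", "D": "DES", "T": "TDES", "R": "RSA", "H": "HMAC"}
MODE_OF_USE = {"B": "encrypt and decrypt", "D": "decrypt only",
               "E": "encrypt only", "N": "no special restriction", "X": "derive"}
EXPORTABILITY = {"E": "exportable under a trusted KEK", "N": "non-exportable",
                 "S": "sensitive; exportable under any KEK"}
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}  # MAC size in hex chars per version ID

@dataclass
class Tr31Header:
    version: str
    length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: dict = field(default_factory=dict)
    mac: str = ""

def parse_tr31(block: str) -> Tr31Header:
    """Decode the header and optional blocks only; no MAC check, no decryption."""
    if len(block) < 16 or block[0] not in MAC_HEX_LEN:
        raise ValueError("not a TR-31 key block")
    hdr = Tr31Header(block[0], int(block[1:5]), block[5:7], block[7], block[8],
                     block[9:11], block[11])
    if hdr.length != len(block) or block[14:16] != "00":
        raise ValueError("length field or reserved bytes are inconsistent")
    pos = 16
    for _ in range(int(block[12:14])):              # number of optional blocks
        opt_len = int(block[pos + 2:pos + 4], 16)    # total length (hex), incl. id+len
        if opt_len == 0:
            raise ValueError("extended-length optional blocks not handled here")
        hdr.optional_blocks[block[pos:pos + 2]] = block[pos + 4:pos + opt_len]
        pos += opt_len
    hdr.mac = block[-MAC_HEX_LEN[hdr.version]:]
    return hdr

def permits(hdr: Tr31Header, op: str) -> bool:
    """True if the mode-of-use byte allows op ('encrypt' or 'decrypt')."""
    return hdr.mode_of_use in ("B", "N") or hdr.mode_of_use == op[0].upper()

def describe(hdr: Tr31Header) -> dict:
    return {"key_usage": KEY_USAGE.get(hdr.key_usage, hdr.key_usage),
            "algorithm": ALGORITHM.get(hdr.algorithm, hdr.algorithm),
            "mode_of_use": MODE_OF_USE.get(hdr.mode_of_use, hdr.mode_of_use),
            "exportability": EXPORTABILITY.get(hdr.exportability, hdr.exportability)}

# Constructed sample: version B, TDES data key, encrypt+decrypt, exportable,
# one key-set-id (KS) optional block; key and MAC fields are dummy hex.
SAMPLE_BLOCK = ("B0104D0TB00E0100" + "KS1800604B120F9292800000"
                + "FEDCBA9876543210" * 3 + "0123456789ABCDEF")
```

Running `describe(parse_tr31(SAMPLE_BLOCK))` shows the key as a TDES data-encryption key usable in both directions; a block whose mode of use is `E` or `D` would be rejected by `permits` for the other direction before any import call is made.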