IBM Crypto Education Community

Issue with CSNBSYE (AES Encryption, CBC processing rule) returning 11000 reason code

  • 1.  Issue with CSNBSYE (AES Encryption, CBC processing rule) returning 11000 reason code

    Posted Mon July 23, 2018 04:30 AM

    Hello Folks,

    I have been trying to create a COBOL program which does symmetric key encryption using AES. I created a test program (attached as a file) which calls CSNBSYE to encrypt the data. I have created a clear 128 bit AES key of TYPE(DATA) and LENGTH(16).

    In the program, I have been testing various processing rules like CBC, CBC-CS and PKCS-PAD.

    Currently I am only able to get CBC-CS working with ICV selection as ONLY. When I try to switch to CBC and ICV selection as INITIAL, I get a RC of 8 with reason code of 11000 (Explanation: The value specified for length parameter for a key token, key, or text field is not valid.).

    I have kept all lengths (clear text & initialization vector/ICV) as multiples of 16 which is the block size for AES but still I get the above error. I am wondering if I am missing something.

     

    Could one of you please have a look at my program and let me know what I might be doing wrong?

     

    Regards

    Deepak

    Deepak.Paul.John


  • 2.  Re: Issue with CSNBSYE (AES Encryption, CBC processing rule) returning 11000 reason code

    Posted Mon July 23, 2018 06:00 AM

    Hello,

     

    Just figured out what I was doing wrong. It seems we need to specify the length of the CHAIN-DATA field in the CHAIN-DATA-LENGTH variable. It was not quite clear to me from the ICSF Application Programmer's Guide.

    Here is how it's described:

    chain_data_length

    The length of the chain_data parameter. On output, the actual length of the
    chaining vector will be stored in the parameter. This parameter is ignored if
    the ICV selection keyword is ONLY.

     

    Now, see how the cipher_text_length is described:

    On input, this parameter specifies the size of the storage pointed to by the
    cipher_text parameter. On output, this parameter has the actual length of the
    text stored in the buffer addressed by the cipher_text parameter.

     

    chain_data_length is an input parameter when calling CSNBSYE, but the manual does not explain that as clearly as it does for cipher_text_length.

     

    Regards

    Deepak

    Deepak.Paul.John


  • 3.  Re: Issue with CSNBSYE (AES Encryption, CBC processing rule) returning 11000 reason code

    Posted Tue July 24, 2018 11:04 AM

    Deepak,

    The chain_data_length is described under chain_data.

     

    chain_data

    This field is used as a system work area for the chaining vector. Your
    application program must not change the data in this string. The chaining
    vector holds the output chaining vector from the caller.

    The direction is output if the ICV selection keyword is INITIAL. This
    parameter is ignored if the ICV selection keyword is ONLY.

    The mapping of the chain_data depends on the algorithm specified. For AES,
    the chain_data field must be at least 32 bytes in length. The OCV is in the first
    16 bytes in the chain_data. For DES, the chain_data field must be at least 16
    bytes in length.

     

    I will move this information to chain_data_length at the next refresh of the APG.

    EChan_pok


  • 4.  Re: Issue with CSNBSYE (AES Encryption, CBC processing rule) returning 11000 reason code

    Posted Wed July 25, 2018 06:27 AM

    Hello Eleanor,

    Yes, reading through the chain_data description, I had a hint on what I might be doing wrong, though it was not as obvious as the descriptions of other length fields. Thank you for getting the manuals updated.

    Regards
    Deepak

    Deepak.Paul.John
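
The fix discussed in this thread, as an added example (it is not the poster's attached program): a minimal CSNBSYE call with the CBC and INITIAL keywords in which CHAIN-DATA-LENGTH is set on input to the size of a 32-byte CHAIN-DATA area. Assumptions: the key is passed in the clear with the KEY-CLR keyword, the key, ICV and text values are constructed test data, and every data name other than CHAIN-DATA and CHAIN-DATA-LENGTH is hypothetical.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SYECBC.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * Lengths and counts are passed as 4-byte binary integers.
       01  WS-RC                PIC S9(9) COMP VALUE 0.
       01  WS-RSN               PIC S9(9) COMP VALUE 0.
       01  EXIT-DATA-LENGTH     PIC S9(9) COMP VALUE 0.
       01  EXIT-DATA            PIC X(4).
       01  RULE-ARRAY-COUNT     PIC S9(9) COMP VALUE 4.
       01  RULE-ARRAY.
           05  FILLER           PIC X(8) VALUE 'AES     '.
           05  FILLER           PIC X(8) VALUE 'CBC     '.
           05  FILLER           PIC X(8) VALUE 'KEY-CLR '.
           05  FILLER           PIC X(8) VALUE 'INITIAL '.
      * Constructed test key and data, for illustration only.
       01  CLEAR-KEY-LENGTH     PIC S9(9) COMP VALUE 16.
       01  CLEAR-KEY            PIC X(16) VALUE 'CONSTRUCTEDKEY01'.
       01  KEY-PARMS-LENGTH     PIC S9(9) COMP VALUE 0.
       01  KEY-PARMS            PIC X(4).
       01  AES-BLOCK-SIZE       PIC S9(9) COMP VALUE 16.
       01  ICV-LENGTH           PIC S9(9) COMP VALUE 16.
       01  ICV                  PIC X(16) VALUE LOW-VALUES.
      * Fix from the thread: with INITIAL, CHAIN-DATA-LENGTH must be
      * set on input to the size of CHAIN-DATA (32 or more for AES).
      * Leaving it unset is what the thread reports as RC 8 / 11000.
       01  CHAIN-DATA-LENGTH    PIC S9(9) COMP VALUE 32.
       01  CHAIN-DATA           PIC X(32) VALUE LOW-VALUES.
       01  CLEAR-TEXT-LENGTH    PIC S9(9) COMP VALUE 32.
       01  CLEAR-TEXT           PIC X(32) VALUE ALL 'A'.
      * On input, the size of the CIPHER-TEXT buffer.
       01  CIPHER-TEXT-LENGTH   PIC S9(9) COMP VALUE 32.
       01  CIPHER-TEXT          PIC X(32).
       01  OPT-DATA-LENGTH      PIC S9(9) COMP VALUE 0.
       01  OPT-DATA             PIC X(4).
       PROCEDURE DIVISION.
           CALL 'CSNBSYE' USING WS-RC WS-RSN
               EXIT-DATA-LENGTH EXIT-DATA
               RULE-ARRAY-COUNT RULE-ARRAY
               CLEAR-KEY-LENGTH CLEAR-KEY
               KEY-PARMS-LENGTH KEY-PARMS
               AES-BLOCK-SIZE ICV-LENGTH ICV
               CHAIN-DATA-LENGTH CHAIN-DATA
               CLEAR-TEXT-LENGTH CLEAR-TEXT
               CIPHER-TEXT-LENGTH CIPHER-TEXT
               OPT-DATA-LENGTH OPT-DATA
           DISPLAY 'RC=' WS-RC ' RSN=' WS-RSN
               ' CHAIN-DATA-LENGTH=' CHAIN-DATA-LENGTH
           GOBACK.
```

Because the length fields are updated on output, reset CHAIN-DATA-LENGTH and CIPHER-TEXT-LENGTH before reusing the same working storage for another call.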