IBM Crypto Education Community

Transporting AES Keys 

Mon August 31, 2020 09:48 AM

Multi-step process to wrap/unwrap an existing AES DATA key with AES IMPORTER/EXPORTER keys derived from an ECC key pair.

1. On each LPAR, generate an ECC key pair using CSNDPKB and CSNDPKG (GENECC2.rexx).
2. On each LPAR, use CSNDPKB to build an ECC public key from the other LPAR's public key (IMPRTEC2.rexx).
3. On the sending LPAR, use CSNBKTB2 and CSNDEDH to derive an AES EXPORTER key from the receiver's ECC public key and its own ECC private key (DRVAESXP.rexx).
4. On the receiving LPAR, use CSNBKTB2 and CSNDEDH to derive an AES IMPORTER key from the sender's ECC public key and its own ECC private key (DRVAESMP.rexx).
   a. This ECDH key exchange operation independently produces the same key value as on the sending LPAR.
   b. You now have a shared transporter (EXPORTER/IMPORTER) key on both LPARs.
5. On the sending LPAR, use CSNBKRR to read the existing AES DATA key from the CKDS (or invoke CSNBKGN to generate a new AES DATA key to transport) and call CSNBKTR2 to translate the key to an AES CIPHER key. Then call CSNDSYX to export the AES CIPHER key under the derived AES EXPORTER key (EXPAES32.rexx).
6. On the receiving LPAR, use CSNDSYI to import the AES CIPHER key from under the AES EXPORTER key and call CSNBKTR2 to translate the key back to an AES DATA key and store the key in the CKDS (IMPAES32.rexx).

Detailed Techdoc on Transporting AES Data Keys: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP102736
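The key-agreement and wrap/unwrap flow of the steps above, as an added illustration that is not part of this post or the attached REXX scripts: Go's crypto/ecdh plays the two LPARs, a labelled SHA-256 hash stands in for the CSNDEDH derivation and AES-GCM for the CCA key-block wrap (both are assumptions, not how ICSF does it). What it shows is that each side reaches the same transport key from its own private key plus the peer's public key, and that the DATA key only ever leaves the sender wrapped under that key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewLPARKeyPair models step 1: each LPAR generates its own ECC (P-256) key pair.
// Only PublicKey().Bytes() travels to the other LPAR (step 2); the private half stays home.
func NewLPARKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}
// DeriveTransportKey models steps 3 and 4: ECDH over my private key and the peer's
// public key, then a labelled SHA-256 KDF, so both LPARs independently reach the same
// 256-bit EXPORTER/IMPORTER key. Label and KDF are assumptions standing in for CSNDEDH.
func DeriveTransportKey(mine *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects malformed or off-curve points
	if err != nil { return nil, err }
	z, err := mine.ECDH(pub)
	if err != nil { return nil, err }
	kek := sha256.Sum256(append(z, "AES-EXPORTER-IMPORTER"...))
	return kek[:], nil
}
// aead builds the AES-GCM wrapper used by both sides. AES-GCM stands in for CCA
// key-block wrapping (assumption); its tag makes a tampered blob fail on import.
func aead(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// WrapKey is the EXPORTER side (step 5): the DATA key leaves the sender only under the KEK.
func WrapKey(kek, dataKey []byte) ([]byte, error) {
	g, err := aead(kek)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, dataKey, nil), nil // nonce || ciphertext || tag
}
// UnwrapKey is the IMPORTER side (step 6): recovers the DATA key or fails closed.
func UnwrapKey(kek, blob []byte) ([]byte, error) {
	g, err := aead(kek)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(blob) < n { return nil, errors.New("wrapped key too short") }
	return g.Open(nil, blob[:n], blob[n:], nil)
}
```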

Attachment(s)
zip file
TransportingAESKeys.zip   14 KB   1 version
Uploaded - Mon August 31, 2020