IBM Crypto Education Community

IBM Crypto Education Community

IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

 View Only
Expand all | Collapse all

Key Generate parms question

  • 1.  Key Generate parms question

    Posted Mon September 19, 2022 06:00 PM

    I'm trying to create a brand new internal DES key type IM using CSNBKGN.

    One of the parameters is KEK_key_identifier_1.  And according to the documentation, I need to provide a token or label for a KEK.

     For some reason I'm thinking I want the call to create a new key of type IM encrypted under the master key and stored internally CKDS with a label.

    I am under the impression, that I can give that new key a name using the generated key identifier 1 field.

    What do I need the KEK identifier for?  Wouldn't the system just encrypt under the master key?

    What have I missed?

    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------


  • 2.  RE: Key Generate parms question

    Posted Tue September 20, 2022 12:37 PM
    I think I've figured out that I need to build a token first, and pass that into our KEK identifier 1 field.

    I built a token DES/DOUBLE-O/INTERNAL of type EXPORTER.

    I'm trying to gen a key IM/DOUBLE-O/IKEYXLAT and get a 8/47 ret/rsn (decimal) source key token is unusable.

    I've tried a key gen with EX/DOUBLE-O/OKEYXLAT and get the same error.

    How does one debug such a problem?  How do we know what part of the source token it does not like?

    I'm trying to build an internal key that I can use to export other keys.

    Any helpful insights on debugging this problem would be appreciated.

    Sincerely,

    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 3.  RE: Key Generate parms question

    Posted Wed September 21, 2022 07:35 AM
    Edited by Bob Petti Wed September 21, 2022 07:45 AM
    Hi Mark. Certain key types are required to be created in pairs - and the IMPORTER/EXPORTER key types are such keys. When calling CSNBKGN for those key types, you would specify a key form of "OPEX" (key 1 is "operational" and key 2 is "exportable") for example, with "key1" being an IMPORTER key type and key2 being an "EXPORTER" key type. You would need to specify a valid internal key encrypting key for KEK_Key_Identifier_2 parameter. This would result in an internal IMPORTER key (enciphered under the coprocessor master key) and an external EXPORTER key that is encrypted using your supplied key encrypting key and can be sent to another system where it can be imported and thus you can exchange keys with that system. The only way I know to create a single standalone keytype that is normally created in pairs is to use a service like CSNBSKM, but you would have to supply the key value vs having the coprocessor generate one for you (you can call CSNBRNGL to get random bytes of data for the key value). Hope this helps.

    ------------------------------
    Bob Petti
    ------------------------------



  • 4.  RE: Key Generate parms question

    Posted Thu September 22, 2022 02:23 PM
    Edited by Mark Vollmer Thu September 22, 2022 02:23 PM
    Bob,

    This would seem to be the chicken and the egg problem.  I need a KEK to create the KEK (key 2).   How do people do this?

    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 5.  RE: Key Generate parms question

    Posted Fri September 23, 2022 08:35 AM
    Well yes - there has to be a beginning somewhere - lol.

    It normally would have happened some time ago where a user or a set of users would enter key parts into a service like CSNBKPI to create that first key. Users on two systems would enter the same key parts - one creating an exporter key, one creating an importer key - and then they could begin to exchange other keys. Key exchange of course requires both sides of the exchange have peer keys - an importer and an exporter - that have the same clear key value. That is why they are generated in pairs - and that is why one of the pairs is made external so that it can be shipped to another system where the other side of the key exchange will happen. An importer key by itself - with a random value - doesn't have much use without an exporter key with the same clear key value that can be used to create an external token that can be imported by your importer key. I'm not sure what you plan to do with the IM key you want KGN to generate, but if all you want to do is create one IM key, I would suggest using CSNBPKI instead of KGN.

    ------------------------------
    Bob Petti
    ------------------------------



  • 6.  RE: Key Generate parms question

    Posted Fri September 23, 2022 10:32 AM

    From the looks of the Import Part Key API...

    • I'd need to use token build first.
    • And I'd need to do this again with the same key to create an importer key that corresponds to this one if I want to import any exporter keys I create with this KEK.

    Am I on the right track now?

    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 7.  RE: Key Generate parms question

    Posted Fri September 23, 2022 10:53 AM
    Yep - call CSNBKTB making sure you include the rule KEY-PART. The output skeleton can then be used as the key_identifier parm for your first call with KPI.

    ------------------------------
    Bob Petti
    ------------------------------



  • 8.  RE: Key Generate parms question

    Posted Fri September 23, 2022 03:31 PM
    Edited by Mark Vollmer Fri September 23, 2022 04:53 PM
    Got the token build successful.  The import key part first & last are also successful.  (RC 0/0)

    Now I try to gen a new key with the new ID value.  (BKGN)
    OPEX
    IMPORTER/EXPORTER
    KEK Identifier 2 using the new ID value from the prior import part call.
    I get a 8/39 return  - control  vector violation

    I have no idea what that means.  I believe control vectors are generally internal to ICSF.    Anyone know what should I be looking at to solve this error?
    I've not used any CV related rule array values in any of my calls.
    Perhaps this is a RACF permission problem?
    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 9.  RE: Key Generate parms question

    Posted Fri September 23, 2022 05:19 PM
    Hi Mark -
    8/39 indicates that a key_identifier is the wrong key type. 
    For key form OPEX, an EXPORTER key-encrypting key must be passed in the KEK_identifier_2 field.

    ------------------------------
    Eleanor Chan
    ------------------------------



  • 10.  RE: Key Generate parms question

    Posted Mon September 26, 2022 11:11 AM
    Eleanor, thanks for your help.

    I thought I had created a proper KEK.  Here is how I did it.  Perhaps someone can see the flaw in my efforts and share that/them with me?

    BKTB call with EXPORTER key type.  Rule array with DES, INTERNAL, KEYLN16, KEY & KEY-PART.

    Then a BKPI call with Rule array FIRST, KEYBUF16, USECONFG, passing the TOKEN from the TB call above.  And the first part of the key.

    A second BKPI call passing all the above except replacing FIRST with LAST.    And then the last part of the key.

    Finally a BKGN call using OPEX as key form, KEYLN16 as key length, IMPORTER as key type 1 and EXPORTER as key type 2.  And then passing the Key ID from the second BKPI call above in as the KEK TYPE ID 2 value.

    I think I've got everything right.  Does anyone see something I got wrong?

    Feedback would be very much appreciated.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 11.  RE: Key Generate parms question

    Posted Mon September 26, 2022 02:32 PM
    Hi Mark - take a look at this sample and see if it helps. I did what you described and it worked - so you're definitely on the right track. Probably something minor in your code that's not obvious to your eye (welcome to crypto, lol). This runs and gives RC=0 for KGN.

    /* rexx */                                                                      
    
    KTB_RC = 'FFFFFFFF'x                                      
    KTB_RS = 'FFFFFFFF'x                                      
    KTB_exit_data_length = '00000000'x                        
    KTB_exit_data = ''                                        
    KTB_key_token = COPIES('00'x,64)                          
    KTB_key_type = LEFT("EXPORTER",8,' ')                        
    rules = "DES INTERNAL KEYLN16 KEY KEY-PART"
    numrules = WORDS(rules)                                   
    KTB_rule_array = ''                                       
    Do r = 1 to numrules                                      
       rule = WORD(rules,r)                                   
       KTB_rule_array = KTB_rule_array || LEFT(rule,8)        
    End                                                       
    KTB_rule_array_count = D2C(numrules,4)                    
    KTB_key_value = ''x                                       
    KTB_master_key_version_number = '00000000'x               
    KTB_key_register_number = 'FFFFFFFF'x                     
    KTB_token_data_1 = 'FFFFFFFF'x                            
    KTB_control_vector = COPIES('00'x,16)                     
    KTB_initialization_vector = ''                            
    KTB_pad_character = '00000000'x                           
    KTB_cryptographic_period_start = ''                       
    KTB_master_key_verification_pattern = '0000000000000000'x 
    KTB_master_key_verification_pattern = '0000000000000000'x
    Address LINKPGM 'CSNBKTB',                               
       'KTB_RC' 'KTB_RS',                                    
       'KTB_exit_data_length' 'KTB_exit_data',               
       'KTB_key_token',                                      
       'KTB_key_type',                                       
       'KTB_rule_array_count' 'KTB_rule_array',              
       'KTB_key_value',                                      
       'KTB_master_key_version_number',                      
       'KTB_key_register_number',                            
       'KTB_token_data_1',                                   
       'KTB_control_vector',                                 
       'KTB_initialization_vector',                          
       'KTB_pad_character',                                  
       'KTB_cryptographic_period_start',                     
       'KTB_master_key_verification_pattern'                 
    Say "KTB_RC="C2X(KTB_RC) "KTB_RS="C2X(KTB_RS),        
       rs2text(KTB_RC,KTB_RS)                             
    If KTB_RC<>'00000000'x | KTB_RS<>'00000000'x Then Exit
    
    Keypart='54493E34C134E3040E51C87501D34A38'x                           
    Skeleton = KTB_key_token
    KPI_RC = 'FFFFFFFF'x                                                   
    KPI_RS = 'FFFFFFFF'x                                                   
    KPI_exit_data_length = '00000000'x                                     
    KPI_exit_data = ''                                                     
    KPI_rule_array_count = '00000001'x                                     
    KPI_rule_array = "FIRST   "                                            
    KPI_key_part = Keypart                                                
    KPI_key_identifier = Skeleton                                          
    Address LINKPGM 'CSNBKPI',                   
       'KPI_RC' 'KPI_RS',                        
       'KPI_exit_data_length' 'KPI_exit_data',   
       'KPI_rule_array_count' 'KPI_rule_array',  
       'KPI_key_part',                           
       'KPI_key_identifier'                      
    Say "KPI_RC="C2X(KPI_RC) "KPI_RS="C2X(KPI_RS),        
       rs2text(KPI_RC,KPI_RS)                    
    If KPI_RC<>'00000000'x Then Exit
    
    Keypart1='00000000000000000000000000000000'x                           
    KPI_RC = 'FFFFFFFF'x                                                   
    KPI_RS = 'FFFFFFFF'x                                                   
    KPI_exit_data_length = '00000000'x                                     
    KPI_exit_data = ''                                                     
    KPI_rule_array_count = '00000001'x                                     
    KPI_rule_array = "LAST    "                                            
    KPI_key_part = Keypart                                                
    Address LINKPGM 'CSNBKPI',                   
       'KPI_RC' 'KPI_RS',                        
       'KPI_exit_data_length' 'KPI_exit_data',   
       'KPI_rule_array_count' 'KPI_rule_array',  
       'KPI_key_part',                           
       'KPI_key_identifier'                      
    Say "KPI_RC="C2X(KPI_RC) "KPI_RS="C2X(KPI_RS),        
       rs2text(KPI_RC,KPI_RS)        
    If KPI_RC<>'00000000'x Then Exit
    
    KGN_RC = 'FFFFFFFF'x                                                
    KGN_RS = 'FFFFFFFF'x                                                
    KGN_exit_data_length = '00000000'x                                  
    KGN_exit_data = ''                                                  
    KGN_key_length = ''                                                 
    KGN_key_form = LEFT("OPEX",8)                                         
    KGN_key_type_1 = LEFT("IMPORTER",8)                                    
    KGN_key_type_2 = LEFT("EXPORTER",8)                                    
    KGN_KEK_key_identifier_1 = COPIES('00'x,64)
    KGN_KEK_key_identifier_2 = KPI_key_identifier
    KGN_generated_key_identifier_1 = COPIES('00'x,64)                         
    KGN_generated_key_identifier_2 = COPIES('00'x,64)
    Address LINKPGM 'CSNBKGN',                                          
       'KGN_RC' 'KGN_RS',                                               
       'KGN_exit_data_length' 'KGN_exit_data',                          
       'KGN_key_form',                                                  
       'KGN_key_length',                                                
       'KGN_key_type_1' 'KGN_key_type_2',                               
       'KGN_KEK_key_identifier_1' 'KGN_KEK_key_identifier_2',           
       'KGN_generated_key_identifier_1' 'KGN_generated_key_identifier_2'
    Say "KGN_RC="C2X(KGN_RC) "KGN_RS="C2X(KGN_RS),                    
       RS2TEXT(KGN_RC,KGN_RS)                                         
    if KGN_RC <> '00000000'x Then Exit
    
    
    Exit
    


    ------------------------------
    Bob Petti
    ------------------------------



  • 12.  RE: Key Generate parms question

    Posted Mon September 26, 2022 02:52 PM
    Bob,

    Thanks very much for the example.  I'll be digging through it with a fine tooth comb for a while.

    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 13.  RE: Key Generate parms question

    Posted Mon September 26, 2022 03:56 PM
    I've made some progress.  It seems that by import key part calls work better of I use just the first and last rule values, and not the other two values KEYBUF16 & USECONFG.

    Now I get to work on the TR-31 export.

    Thanks for everyone's help.  It is making a difference.

    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 14.  RE: Key Generate parms question

    Posted Wed September 28, 2022 05:13 PM
    Everyone,

    I've made it successfully to a TR-31 export of a key.

    I replaced my key gen call with a couple of random number calls and a couple of key import calls.  The random numbers helped me get a double clear key value.   The two imports allowed me to create operational IMPORTER and EXPORTER  keys for use with my TR-31 export & import calls.

    I've not coded up any tests for the import side of things. But that is next.

    I want to thank all that helped me get to this point.  I am so grateful.

    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------