GENKEY
Parameter Descriptions:
This service call generates a secret key of odd parity of
length LEN and stores it under the name of KEYID in SKEYDB. If
OUTPUTCLEAR is set, the plaintext key (PTKEY) and STATUS are
returned to the host; otherwise, PTKEY contains a null pointer and
only STATUS is returned. The key may be initialized with a key
counter using the SETCOUNT service call. Allowable operations for
the key are set according to what is specified in ATTRIB, the
key attributes.
DELETEKEY
Parameter Descriptions:
This service call deletes the key identified by KEYID of user
UID from SKEYDB, and returns the resulting STATUS to the host.
A user can only delete his/her own keys, however, a CO may
delete a user's keys before closing a user's account.
LOADKEY
Parameter Descriptions:
This service call loads a clear KEY of length LEN to SKEYDB
under the identity of KEYID. If PARITY is set, the key is set to
odd parity; otherwise, the parity of the key is not checked.
The resulting STATUS is returned to the host.
EXPORTKEY
Parameter Descriptions:
This service call encrypts a plaintext key before exporting
the key outside the CM. If notarization (NOS) is desired, a
notarizing key is formed inside the CM before it is used to
encrypt the key value of KEYID. A notarizing key is formed by
XORing the plaintext key value of KKID with a notary seal
formed from the transmit count (CTT) of KKID and the
identities of the message originator (ORI) and the intended
recipient (RCV). (See ANSI X9.17 Standard for reference.) If key
offset is desired, the plaintext value of KKID is XORed with the
transmit count (CTT) of KKID before the result is used to encrypt
the key value of KEYID (See ANSI X9.17 Standard for reference).
The notarization flag (NOS) and the key offset flag (KOFFSET)
are mutually exclusive, i.e., both flags can not be set to 1 in
the same call. If neither key offset nor notarization is desired,
the key value of KEYID is simply encrypted by the key value of
KKID, and the ORI and RCV fields are ignored. The length of the
encrypted key (LEN), the encrypted key (ENCRYPTEDKEY) itself, and
the resulting STATUS are returned to the host. If notarization
or key offset is used, CTT is also returned to the host; otherwise,
a null pointer is returned.
IMPORTKEY
Parameter Descriptions:
This service call decrypts an imported key and stores it in
SKEYDB. If notarization (NOS) was used, a notarizing key was
formed by XORing the key value of the key encrypting key (KKID)
with a notary seal formed from the receive count (CTR) of KKID
and the identities of the message originator (ORI) and the
recipient (RCV). The notarizing key is then used to decrypt the
encrypted key (ENCRYPTEDKEY). (For the processing of key
counters and the notarization procedure, see the ANSI X9.17
Standard for reference.) If key offset was used, the key value of
KKID is XORed with the receive count (CTR) of KKID before the
result is used to decrypt the ENCRYPTEDKEY. The CTR is always
compared with the stored receive count and processed according to
the ANSI X9.17 standard. The notarization flag (NOS) and the key
offset flag (KOFFSET) are mutually exclusive, i.e., both can not
be set to 1 in the same call. If neither notarization nor key
offset was used, the ORI, RCV, and COUNT fields are ignored and
the ENCRYPTEDKEY of length LEN is simply decrypted by KKID.
The deciphered key is checked for odd parity and stored in SKEYDB
under the identity of KEYID. The result of the parity check
and the STATUS of processing the call are returned to the host.
SETATTRIB
Parameter Descriptions:
This service call sets the operations that a key is allowed to
perform, referred to as a key's attributes, according to what
is specified in ENCRYPTEDATTRIB. Currently six operations are
defined. The key attributes are represented in a byte with the
assigned bit positions:
A set bit (i.e., bit set to 1) within the byte enables the
specific operation for the key. For example, if Bit 4 is set,
KEYID can be exported outside the CM using the EXPORTKEY service
call. If enabled, the lock bit (Bit 5) locks the key's attributes
and makes it impossible to change the attributes afterwards.
Before calling SETATTRIB, the plaintext key attribute should
have been padded on the right with seven zero bytes and
DES-encrypted under the key value of KEYID. Upon receiving the
SETATTRIB call, the CM decrypts ENCRYPTEDATTRIB (with the key
value of KEYID) and sets the attributes for KEYID. It is the
responsibility of the CM to check the key attributes before a
key is used for any operation. The service call returns the STATUS
of the call to the host.
READATTRIB
Parameter Descriptions:
This service call reads the attributes associated with KEYID,
stores the retrieved attributes in ATTRIB and returns the STATUS
to the host. Refer to the SETATTRIB service call for the format of
key attributes.
XORKEYS
Parameter Descriptions:
This service call exclusive-ors two keys in the SKEYDB
identified by KEYID1 and KEYID2 to form a new key identified
by NEWKEYID. The service call facilitates the use of dual
control in forming a working key. The attributes for the new key
are set equal to the intersection of the attributes possessed by
KEYID1 and KEYID2.
SETCOUNT
Parameter Descriptions:
This service call lets the host set the transmit count (CTT)
and the receive count (CTR) associated with KEKID in the SKEYDB.
The resulting STATUS is returned to the host. The SETCOUNT and
READCOUNT service calls are added for compatibility with the
ANSI X9.17 Key Management (Wholesale) Standard. The initial
values of key counters should be selected according to
specifications in the X9.17 Standard.
READCOUNT
Parameter Descriptions:
This service call lets the host read the transmit count (CTT) and the receive count (CTR) associated with KEKID in the SKEYDB. The counters and the resulting STATUS are returned to the host. SETCOUNT and READCOUNT service calls are added for compatibility with the ANSI X9.17 Key Management (Wholesale) Standard.