Key Management Service Calls



next up previous contents
Next: Public Key Cryptography Up: Secret Key Cryptography Previous: Encryption and Data

Key Management Service Calls

GENKEY

Parameter Descriptions:

KEYID:
Specifies the address that points to the character string containing the name of the key to be generated.

LEN:
Specifies the length of key in bits. DES keys are 64 bits for a single key, 128 bits for a key pair.

OUTPUTCLEAR:
Specifies if the generated plaintext key should be returned to the host.

ATTRIB:
Represented in a byte, this parameter specifies the operations that the generated key can be used for (See SETATTRIB service call for reference). Each bit within the byte corresponds to an operation, a one in the bit enables the operation whereas a zero disables the operation. The assigned bit positions for the basic key operations are as follows:

PTKEY:
Specifies the address that points to the string of bytes containing the generated plaintext key if OUTPUTCLEAR is set; null otherwise.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call generates a secret key of odd parity of length LEN and stores it under the name of KEYID in SKEYDB. If OUTPUTCLEAR is set, the plaintext key (PTKEY) and STATUS are returned to the host; otherwise, PTKEY contains a null pointer and only STATUS is returned. The key may be initialized with a key counter using the SETCOUNT service call. Allowable operations for the key are set according to what is specified in ATTRIB, the key attributes.
DELETEKEY

Parameter Descriptions:

UID:
Specifies the address that points to the character string containing the user's identity whose key is to be deleted from SKEYDB.

KEYID:
Specifies the address that points to the character string containing the name of the key to be deleted.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call deletes the key identified by KEYID of user UID from SKEYDB, and returns the resulting STATUS to the host. A user can only delete his/her own keys, however, a CO may delete a user's keys before closing a user's account.
LOADKEY

Parameter Descriptions:

KEYID:
Specifies the address that points to the character string containing the name of the key to be loaded.

LEN:
Specifies the length of key in bits. DES keys are 64 bits for a single key, 128 bits for a key pair.

KEY:
Specifies the address that points to the string of bytes containing the clear key value to be loaded.

PARITY:
Specifies if odd parity is to be used for the key to be loaded.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call loads a clear KEY of length LEN to SKEYDB under the identity of KEYID. If PARITY is set, the key is set to odd parity; otherwise, the parity of the key is not checked. The resulting STATUS is returned to the host.
EXPORTKEY

Parameter Descriptions:

KEYID:
Specifies the address that points to the character string containing the name of the key to be exported.

KKID:
Specifies the address that points to the character string containing the name of the key encrypting key.

NOS:
Specifies if notarization is desired or not.

KOFFSET:
Specifies if key offset is to be used.

ORI:
Specifies the address that points to the character string containing the identity of the message originator.

RCV:
Specifies the address that points to the character string containing the identity of the message recipient.

LEN:
Specifies the address that points to the data storage that will receive the length of the encrypted key (ENCRYPTEDKEY) in bits. DES keys are 64 bits for a single- length key, 128 bits for a key pair.

ENCRYPTEDKEY:
Specifies the address that points to the string of bytes containing the encrypted key value of KEYID.

CTT:
Specifies the address that points to a string of 7 bytes containing the transmit count if NOS or KOFFSET is used; null otherwise.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call encrypts a plaintext key before exporting the key outside the CM. If notarization (NOS) is desired, a notarizing key is formed inside the CM before it is used to encrypt the key value of KEYID. A notarizing key is formed by XORing the plaintext key value of KKID with a notary seal formed from the transmit count (CTT) of KKID and the identities of the message originator (ORI) and the intended recipient (RCV). (See ANSI X9.17 Standard for reference.) If key offset is desired, the plaintext value of KKID is XORed with the transmit count (CTT) of KKID before the result is used to encrypt the key value of KEYID (See ANSI X9.17 Standard for reference). The notarization flag (NOS) and the key offset flag (KOFFSET) are mutually exclusive, i.e., both flags can not be set to 1 in the same call. If neither key offset nor notarization is desired, the key value of KEYID is simply encrypted by the key value of KKID, and the ORI and RCV fields are ignored. The length of the encrypted key (LEN), the encrypted key (ENCRYPTEDKEY) itself, and the resulting STATUS are returned to the host. If notarization or key offset is used, CTT is also returned to the host; otherwise, a null pointer is returned.
IMPORTKEY

Parameter Descriptions:

KEYID:
Specifies the address that points to the character string containing the name of the key to be imported.

KKID:
Specifies the address that points to the character string containing the name of the key used to encrypt KEYID.

LEN:
Specifies the length of the key to be imported in bits. DES keys are 64 bits for a single key, 128 bits for a key pair.

ENCRYPTEDKEY:
Specifies the address that points to the string of bytes containing the encrypted key value of KEYID.

NOS:
Specifies if notarization is to be used.

KOFFSET:
Specifies if key offset is to be used.

ORI:
Specifies the address that points to the character string containing the identity of the message originator.

RCV:
Specifies the address that points to the character string containing the identity of the message recipient.

CTR:
Specifies the address that points to a string of 7 bytes containing the receive count used in key notarization.

PARITY:
Specifies if the imported key conformed to odd parity.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call decrypts an imported key and stores it in SKEYDB. If notarization (NOS) was used, a notarizing key was formed by XORing the key value of the key encrypting key (KKID) with a notary seal formed from the receive count (CTR) of KKID and the identities of the message originator (ORI) and the recipient (RCV). The notarizing key is then used to decrypt the encrypted key (ENCRYPTEDKEY). (For the processing of key counters and the notarization procedure, see the ANSI X9.17 Standard for reference.) If key offset was used, the key value of KKID is XORed with the receive count (CTR) of KKID before the result is used to decrypt the ENCRYPTEDKEY. The CTR is always compared with the stored receive count and processed according to the ANSI X9.17 standard. The notarization flag (NOS) and the key offset flag (KOFFSET) are mutually exclusive, i.e., both can not be set to 1 in the same call. If neither notarization nor key offset was used, the ORI, RCV, and COUNT fields are ignored and the ENCRYPTEDKEY of length LEN is simply decrypted by KKID. The deciphered key is checked for odd parity and stored in SKEYDB under the identity of KEYID. The result of the parity check and the STATUS of processing the call are returned to the host.
SETATTRIB

Parameter Descriptions:

KEYID:
Specifies the address that points to the character string containing the name of the key whose attributes are to be set.

ENCRYPTEDATTRIB:
Specifies the address that points to a string of 8 bytes containing the encrypted attributes of KEYID. ENCRYPTEDATTRIB is encrypted under the key value of KEYID.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call sets the operations that a key is allowed to perform, referred to as a key's attributes, according to what is specified in ENCRYPTEDATTRIB. Currently six operations are defined. The key attributes are represented in a byte with the assigned bit positions:


A set bit (i.e., bit set to 1) within the byte enables the specific operation for the key. For example, if Bit 4 is set, KEYID can be exported outside the CM using the EXPORTKEY service call. If enabled, the lock bit (Bit 5) locks the key's attributes and makes it impossible to change the attributes afterwards. Before calling SETATTRIB, the plaintext key attribute should have been padded on the right with seven zero bytes and DES-encrypted under the key value of KEYID. Upon receiving the SETATTRIB call, the CM decrypts ENCRYPTEDATTRIB (with the key value of KEYID) and sets the attributes for KEYID. It is the responsibility of the CM to check the key attributes before a key is used for any operation. The service call returns the STATUS of the call to the host.
READATTRIB

Parameter Descriptions:

KEYID:
Specifies the address that points to the character string containing the name of the key whose attributes are to be retrieved.

ATTRIB:
Specifies the address that points to the one-byte data storage that will receive the attributes of KEYID.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call reads the attributes associated with KEYID, stores the retrieved attributes in ATTRIB and returns the STATUS to the host. Refer to the SETATTRIB service call for the format of key attributes.
XORKEYS

Parameter Descriptions:

NEWKEYID:
Specifies the address that points to the character string containing the name of the new key formed by XORing the keys of KEYID1 and KEYID2.

KEYID1:
Specifies the address of the character string containing the name of the key to be XORed with the key of KEYID2.

KEYID2:
Specifies the address of the character string containing the name of the key to be XORed with the key of KEYID1.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call exclusive-ors two keys in the SKEYDB identified by KEYID1 and KEYID2 to form a new key identified by NEWKEYID. The service call facilitates the use of dual control in forming a working key. The attributes for the new key are set equal to the intersection of the attributes possessed by KEYID1 and KEYID2.
SETCOUNT

Parameter Descriptions:

KEKID:
Specifies the address that points to the character string containing the name of the key encrypting key whose counters are to be reset.

CTT:
Specifies the address that points to a string of 7 bytes containing the transmit count to be set for KEKID.

CTR:
Specifies the address that points to a string of 7 bytes containing the receive count to be set for KEKID.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call lets the host set the transmit count (CTT) and the receive count (CTR) associated with KEKID in the SKEYDB. The resulting STATUS is returned to the host. The SETCOUNT and READCOUNT service calls are added for compatibility with the ANSI X9.17 Key Management (Wholesale) Standard. The initial values of key counters should be selected according to specifications in the X9.17 Standard.
READCOUNT

Parameter Descriptions:

KEKID:
Specifies the address that points to the character string containing the name of the key encrypting key whose counters are to be retrieved.

CTT:
Specifies the address that points to a string of 7 bytes containing the transmit count of KEKID.

CTR:
Specifies the address that points to a string of 7 bytes containing the receive count of KEKID.

STATUS:
Specifies the address that points to the data storage that will receive the status of processing the service call.

This service call lets the host read the transmit count (CTT) and the receive count (CTR) associated with KEKID in the SKEYDB. The counters and the resulting STATUS are returned to the host. SETCOUNT and READCOUNT service calls are added for compatibility with the ANSI X9.17 Key Management (Wholesale) Standard.



next up previous contents
Next: Public Key Cryptography Up: Secret Key Cryptography Previous: Encryption and Data



John Barkley
Fri Oct 7 16:17:21 EDT 1994