Data cryptography operations using control vectors

Abstract

Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.

Claims

What is claimed is:

1. In a data processing system which processes cryptographic service requests for performing data cryptography functions on data using cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, an apparatus for validating that the data cryptography functions requested for a cryptographic key have been authorized by the originator of the key, comprising:

a cryptographic facility characterized by a secure boundary through which passes an input path for receiving said cryptographic service requests, data, cryptographic keys and their associated control vectors, and an output path for providing responses thereto, there being included within said boundary a cryptographic control means coupled to said input path, a control vector checking means and a cryptographic processing means coupled to said control means, and a master key storage coupled to said processing means, for providing a secure location for executing data cryptography functions in response to said received service requests;

said cryptographic control means receiving over said input path a cryptographic service request for performing a data cryptography function with a cryptographic key;

said control vector checking means having an input coupled to said input path for receiving a control vector associated with said cryptographic key and an input coupled to said cryptographic control means, for receiving control signals to initiate checking that said control vector authorizes the data cryptographic function which is requested by said cryptographic service request;

said control vector checking means having an authorization output coupled to an input of said cryptographic processing means, for signalling that said data cryptography function is authorized, the receipt of which by said cryptographic processing means initiates the performance of the requested data cryptography function with said cryptographic key.

2. The apparatus of claim 1, which further comprises:

a cryptographic key storage means coupled to said cryptographic facility over said input and output paths, for storing said cryptographic key in an encrypted form in which said cryptographic key is encrypted under a storage key which is a logical product of said associated control vector and a master key stored in said master key storage;

said cryptographic control means receiving over said input path a cryptographic service request for performing a data cryptographic function which includes recovering said cryptographic key from said cryptographic key storage means and said control vector checking means outputting in response thereto, an authorization signal to said cryptographic processing means that the requested data cryptographic function is authorized;

said cryptographic processing means operating in response to said authorization signal, to receive said encrypted form of said cryptographic key from said cryptographic key storage means and to decrypt said encrypted form under said storage key whichis a logical product of said associated control vector and said master key stored in said master key storage;

said cryptographic processing means further operating in response to said authorization signal, to receive said data from said input path and to complete performing the requested data cryptography function on said data with said cryptographic key.

3. The apparatus of claim 2, wherein said storage key is the exclusive-OR product of said associated control vector and said master key stored in said master key storage.

4. The apparatus of claim 2, wherein said associated control vector is stored with said encrypted form of said cryptographic key in said cryptographic key storage means.

5. The apparatus of claim 1, wherein said associated control vector includes fields defining authorized types of cryptographic functions including key management functions, data cryptography functions and PIN processing functions, and the data cryptography functions type is designated.

6. The apparatus of claim 5, wherein said associated control vector includes fields defining export control and usage.

7. The apparatus of claim 2, wherein said associated control vector includes a type field designating that said cryptographic key can perform data cryptography functions and further includes an export control field which designates whether said local data processing system is allowed to export said cryptographic key and further designates whether a remote data processing system to which said local data processing system is connected, is allowed to reexport said cryptographic key.

8. The apparatus of claim 1, wherein said associated control vector includes a type field designating that said cryptographic key can perform data cryptography functions and further includes a subtype field designating that said cryptographic key can perform data privacy functions.

9. The apparatus of claim 8, wherein said associated control vector further includes a usage field designating that said cryptographic key can perform encryption of said data.

10. The apparatus of claim 8, wherein said associated control vector further includes a usage field designating that said cryptographic key cannot perform encryption of said data.

11. The apparatus of claim 8, wherein said associated control vector further includes a usage field designating that said cryptographic key can perform decryption of said data.

12. The apparatus of claim 8, wherein said associated control vector further includes a usage field designating that said cryptographic key cannot perform decryption of said data.

13. The apparatus of claim 1, wherein said associated control vector includes a type field designating that said cryptographic key can perform data cryptography functions and further includes a subtype field designating that said cryptographic key can perform message authentication functions.

14. The apparatus of claim 13, wherein said associated control vector further includes a usage field designating that said cryptographic key can be used to generate a message authentication code on said data.

15. The apparatus of claim 13, wherein said associated control vector further includes a usage field designating that said cryptographic key cannot be used to generate a message authentication code on said data.

16. The apparatus of claim 13, wherein said associated control vector further includes a usage field designating that said cryptographic key can be used to verify a message authentication code on said data.

17. The apparatus of claim 13, wherein said associated control vector further includes a usage field designating that said cryptographic key cannot be used to verify a message authentication code on said data.

18. The apparatus of claim 1, wherein said associated control vector includes a type field designating that said cryptographic key can perform data cryptography functions and further includes a subtype field designating that a translate ciphertext function can be performed by said cryptographic key.

19. The apparatus of claim 18, wherein said associated control vector further includes a usage field designating that said cryptographic key can be used as the output data key in a translate ciphertext function.

20. The apparatus of claim 18, wherein said associated control vector further includes a usage field designating that said cryptographic key cannot be used as the output data key in a translate ciphertext function.

21. The apparatus of claim 18, wherein said associated control vector further includes a usage field designating that said cryptographic key can be used as the input data key in a translate ciphertext function.

22. The apparatus of claim 18, wherein said associated control vector further includes a usage field designating that said cryptographic key cannot be used as the input data key in a translate ciphertext function.

23. The apparatus of claim 1, wherein said associated control vector includes a type field designating that said cryptographic key can perform data cryptography functions and further includes a subtype field designating that said cryptographic key is an ANSI data key.

24. In a data processing system which processes cryptographic service requests for the performance of data cryptography functions on data using cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, a method for validating that data cryptography functions requested for a cryptographic key have been authorized by the originator of the key, comprising the steps of:

receiving a cryptographic service request for performing a data cryptography function on data using a cryptographic key in a cryptographic facility characterized by a source boundary through which passes an input path and an output path;

receiving a control vector associated with said cryptographic key and checking that said control vector authorizes the data cryptography function which is requested by said cryptographic service request;

signalling that said data cryptography function is authorized and initiating the performance of the requested data cryptography function with said cryptographic key.

25. The method of claim 24, which further comprises the steps of:

storing in a storage means said cryptographic key in an encrypted form in which said cryptographic key is encrypted under a storage key which is a logical product of said associated control vector and a master key.

26. The method of claim 24, wherein said associated control vector includes fields defining authorized types of cryptographic functions including key management functions, data cryptography functions and PIN processing functions, and the data cryptography functions type is designated.

27. The method of claim 24, wherein said data cryptography function is session protection to protect the confidentiality of data transmissions between two communicating devices in said system which share a common data encrypting/decrypting key, permitting each said device to both send and receive encrypted data, further comprising the steps of:

sharing a data privacy key between said devices;

storing said data privacy key in operational form encrypted under a master key at each respective device;

providing usage attributes for the control vector of each data privacy key for enciphering and deciphering, respectively, which enables each key to be used to both encipher and decipher data.

28. The method of claim 24, wherein said data cryptography function is file protection to protect the confidentiality of data files, wherein a single end user of said system possesses a data encrypting/decrypting key permitting data to be encrypted for storage and to be decrypted for purposes of recovery of the file, further comprising the steps of:

providing a data privacy key to said single end user;

storing an encrypted form of said data privacy key with data which has been encrypted thereby;

said data privacy key being stored in import form encrypted under a key encrypting key, with its associated control vector;

providing usage attributes for the control vector of said data privacy key for enciphering and deciphering, thereby permitting the data file to be both encrypted and decrypted with the same key.

29. The method of claim 24, wherein said data cryptography function is an encrypted mail box in which each of a plurality of users of said system has a data privacy key in two forms, a first form permitting data encryption and a second form permitting data decryption, the first form of the key being placed in the public directory accessible to all said users of the mail box so that each registered key is recorded under a user identifier belonging to one of said users who registers the key, the second form of the key being private to said one of said users to which it belongs, so that mail deposited in the mail box directed to said one of said users in its encrypted form, can be decrypted only by said one of said users who is the intended recipient, further comprising the steps of:

providing a data privacy key which has been generated in two forms, a first form permitting enciphering only and a second form permitting deciphering;

providing control vector usage attributes for the control vector associated with said data privacy key, which has for the first form of the data privacy key encipher only features and which has for the second form of the data privacy key decipher features.

30. The method of claim 24, wherein said data cryptography function is a ciphertext translation function to be performed at a ciphertext translation center in a network in said system capable of securely translating encrypted data from encryption under a first data key to encryption under a second data key, further comprising the steps of:

generating a data key in two forms at a plurality of devices in a communications network in said system, a first form being a data privacy key in operational form having an associated control vector which has encipher and decipher attributes, and a second form of the data key being a data translate key in the export form, suitable for export to a ciphertext translation center in the network;

receiving the data translate key at the ciphertext translation center and converting the received data translation key to an operational form, the control vector associated with said data translation key having both translate-in and translate-out attributes;

enciphering data at a first device in said network which is transmitted to said ciphertext translation center where it is translated to encipherment under said second data key known to a second device in the network connected to said ciphertext translation center;

transmitting said translated data from said center to said second device where it is deciphered under said second data key.

31. The method of claim 30, wherein said ciphertext translation center cannot decrypt received inbound encrypted data nor can it encrypt data in a form comparable to outbound encrypted data.

32. The method of claim 24, wherein said data cryptography function is a peer-to-peer ciphertext translation for a communications network chain in said system which includes a first device which originates a communication, connected to a first ciphertext translation center which in turn is connected to a second ciphertext translation center which in turn is connected to a second network device, for a transmission of encrypted data from said first device through said first and second ciphertext translation centers to said second device, further comprising the steps of:

generating a first data key in said first network device in two forms, a first form being a data privacy key in operational form having an associated control vector which has encipher attributes, and a second form of said first data key being a data translate-in key in the export form, suitable for export to said first ciphertext translation center;

generating a second data key in said second network device in two forms, a first form being a data privacy key in operational form having an associated control vector which has decipher attributes, and a second form of said second data key being a data translate-out key in export form, suitable for export to said second ciphertext translation center;

generating a third data key in said first ciphertext translation center in two forms, a first form being a data translate-out key and a second form being a data translate-in key, suitable for export to said second ciphertext translation center;

said first network device transmitting said first data key in its second form as a translate-in key to said first ciphertext translation center;

said second network device transmitting said second data key in its second form as a translate-out key to said second ciphertext translation center;

said first ciphertext translation center transmitting said third data key in its second form as a translate-in key to said second ciphertext translation center;

said first network device encrypting data under said first data key in said first form and transmitting the encrypted data to said first ciphertext translation center where the data is translated under said first data key in said second form to be encrypted under said third data key in said first form to be translated out and transmitted to said second ciphertext translation center where the data is translated under said third data key in its second form into a form encrypted under said second data key in its second form where it is translated out and transmitted to said second network device where the data is then decrypted under said second data key in its first form.

33. The method of claim 24, wherein said data cryptography function is applied to an encrypted file under a first key so that a portion of the file can be re-encrypted under a second key for transmission to an intended receiver, without revealing the entire encrypted file, further comprising the steps of:

generating a first data key in two forms at a first device in said system, a first form being a data privacy key stored in operational form and a second form being a data translate-in key;

encrypting a data file using said data privacy key and storing said file in its encrypted form in a data storage device;

said first device generating a second data key in two forms, a translate-out key and a data decryption key;

transmitting said data decryption key to a second device in said system connected to said first device;

accessing said data file from said data storage device and re-enciphering a portion of said file from encipherment under said first data key to encipherment under said second data key via a translate ciphertext instruction using said first data key in said translate-in form and said second data key in said translate-out form, and transmitting said re-enciphered portion of said data file from said first device to said second device;

decrypting said transmitted portion of said data file by means of said decryption key form of said second key for use at said second device.

34. The method of claim 24, wherein said data cryptography function is message integrity, wherein the contents of a message is protected from unauthorized modification, further comprising the steps of:

providing a data/MAC key and an associated control vector having MAC generation and MAC verification attributes at both a sending station and a receiving station in a communications network in said system;

computing an MAC value for a message to be sent from the sending station to the receiving station, employing said data/MAC key and said control vector at said sending station;

transmitting said message and said computed MAC value from said sending station to said receiving station;

computing a second MAC value on said received message at said receiving station, employing said data/MAC key and said control vector and comparing said second computed MAC value with said transmitted MAC value;

verifying the integrity of the message received at said receiving station when said two computed MAC values are equal.

35. The method of claim 24, wherein said data cryptography function is message authentication with non-repudiation, further comprising the steps of:

providing a data/MAC key with a first associated control vector having an MAC generation attribute at a sending station in a communications network in said system;

providing said data/MAC key with a second control vector having an MAC verification attribute but not having an MAC generation attribute, at a receiving station in said communications network in said system;

computing a first value for the MAC on a message to be sent by said sending station over said communications network to said receiving station, using the said data/MAC key and said first control vector at said sending station;

transmitting said message and said first MAC value from said sending station over said communications network to said receiving station;

computing a second value for said MAC on said message received at said receiving station, using said data/MAC key and said second control vector, at said receiving station;

verifying that said message has integrity and that it was sent by said sending station, when said first value for said MAC equals said second value for said MAC.

36. The apparatus of claim 1, which further comprises:

a working key storage within said cryptographic facility coupled to said cryptographic processing means, for providing a secure location for the storage of working keys.

37. The apparatus of claim 36, which further comprises:

said working key storage storing a plurality of working keys and their associated control vectors in clear text form.

38. The apparatus of claim 37, which further comprises:

said cryptographic facility receiving over said input path a cryptographic service request for performing a data cryptography function;

said control vector checking means checking the associated control vector accessed from said working key storage and outputting an authorization signal to said cryptographic processing means that said cryptographic service request is authorized using the respective key accessed from said working key storage.

39. The apparatus of claim 37, which further comprises:

said working keys being stored in said working key storage as the exclusive-OR product of each key with its respective control vector.

40. The apparatus of claim 39, which further comprises:

said cryptographic facility receiving over said input path a cryptographic service request for performing a data cryptography function and also receiving the corresponding associated control vector which undergoes control vector checking in said control vector checking means;

said control vector checking means outputting an authorization signal to said cryptographic processing means that said cryptographic service request is authorized, said corresponding exclusive-OR product of the control vector and its respective key then being exclusive-ORed with said control vector in order to recover the key for the requested cryptographic operation.

41. The apparatus of claim 1, which further comprises:

a working key storage within said cryptographic facility, for storing working keys in clear text form and for storing their respective associated control vectors;

said cryptographic control means receiving over said input path a cryptographic service request for performing a data cryptography function which includes accessing said cryptographic key and said associated control vector from said working key storage and said control vector checking means outputting in response thereto, an authorization signal to said cryptographic processing means that the requested data cryptography function is authorized;

said cryptographic processing means operating in response to said authorization signal, to complete performing the requested data cryptography function on said data with said cryptographic key.

42. The apparatus of claim 1, which further comprises:

a working key storage within said cryptographic facility coupled to said cryptographic processing means, for storing the exclusive-OR product of working keys and their associated control vectors;

said cryptographic control means receiving over said input path a cryptographic service request and the corresponding associated control vector, for performing a data cryptography function;

said control vector checking means checking said control vector and outputting in response thereto, an authorization signal to said cryptographic processing means that the requested data cryptography function is authorized;

said cryptographic processing means operating in response to said authorization signal, to perform an exclusive-OR operation between said control vector and said product which has been accessed from said working key storage, yielding said working key in clear text form;

said cryptographic processing means further operating in response to said authorization signal, to complete performing the requested data cryptography function with said cryptographic key.

43. The method of claim 24, wherein said data cryptography function is a peer-to-peer ciphertext translation for a communications network in said system chain which includes a key issuing device in the network, a first device which originates a communication, connected to a first ciphertext translation center which in turn is connected to a second ciphertext translation center which in turn is connected to a second network device, for a transmission of encrypted data from said first device through said first and second ciphertext translation centers to said second device, further comprising the steps of:

generating a first data key in said first network device in two forms, a first form being a data privacy key in operational form having an associated control vector which has encipher attributes, and a second form of said first data key being a data translate-in key in the export form, suitable for export to said first ciphertext translation center;

generating a second data key in said second network device in two forms, a first form being a data privacy key in operational form having an associated control vector which has decipher attributes, and a second form of said second data key being a data translate-out key in export form, suitable for export to said second ciphertext translation center;

generating a third data key in said key issuing device in two forms, a first form being a data translate-out key suitable for export to said first ciphertext translation center and the second form being a data translate-in key, suitable for export to said second ciphertext translation center;

said first network device transmitting said first data key in its second form as a translate-in key to said first ciphertext translation center;

said second network device transmitting said second data key in its second form as a translate-out key to said second ciphertext translation center;

said first key issuing device transmitting said third data key in its first form as a translate-out key to said first ciphertext translation center and transmitting said third data key in its second form as a translate-in key to said second ciphertext translation center;

said first network device encrypting data under said first data key in its first form and transmitting the encrypted data to said first ciphertext translation center where the data is translated under said first data key in its second form to be encrypted under said third data key in its first form to be translated out and transmitted to said second ciphertext translation center where the data is translated under said third data key in its second form into a form encrypted under said second data key in its second form where it is translated out and transmitted to said second network device where the data is then decrypted under said second data key in its first form.

Description

DESCRIPTION

BACKGROUND OF THE INVENTION

1. Technical Field

The invention disclosed broadly relates to data processing technology and more particularly relates to cryptographic applications in data processing.

2. Background Art

The following two copending patent applications are related to this invention and are incorporated herein by reference: B. Brachtl, et al., "Controlled Use of Cryptographic Keys via Generating Stations Established Control Values", Ser. No. 55,502, filed March 1987 now U.S. Pat. No. 4,850,017 and assigned to IBM Corporation; S. M. Matyas, et al., "Secure Management of Keys Using Control Vectors," filed August 1988, and assigned to IBM Corporation.

Various methods exist in support of electronic data security. Cryptography is the transformation of intelligible information into apparently unintelligible form in order to conceal the information from unauthorized parties. Cryptography is the only known practical method to protect information transmitted through communications networks that use land line, communications satellities, and microwave facilities. It can also be the most economical way to protect stored data. Cryptographic procedures can be used not only to protect the privacy of data, but also the integrity of data.

The cryptographic transformation of data is ordinarily defined by a selected algorithm, or procedure, under the control of a key. Since the algorithm is normally public knowledge, protection of the transformed, or enciphered, data depends on secrecy of the key. Thus the key must be kept secret to prevent an opponent from simply using the known algorithm and key to recover the enciphered data. The protection of the data therefore hinges on the protection of secret keys.

A new approach to key management is described in the above-mentioned copending application by S. M. Matyas, et al. which also provides a good background for this invention. The invention disclosed herein deals with data cryptography which has as its objective the application of cryptographic keys and methods to protecting the confidentiality and integrity of data via cryptography whereas the S. M. Matyas, et al. copending patent application deals with the generation, distribution, and management of the keys themselves.

Prior art methods for encryption and decryption of data have evolved into complex sequences of key and data manipulations to thwart the attacks of an eavesdropper. These sequences have become so convoluted that security management of the secure system is difficult. Changing the security features of a processor or a system of processors is costly. What is needed is a better way to control usage of keys and the data encrypted by those keys. It is important for the system administrator to be able to specify the security features of the system, including the ability to maintain the separation of certain types of data and the corresponding keys. To maximize the security of the system, the administrator should be able to do this on a dynamic, unannounced basis with ease. The system administrator must be able to enforce a security policy for the system which imposes restrictions on the users, the data, the keys and the crytographic operations which can be performed. That enforcement should be easily implemented by the administrator and yet should be secure from subversion by an attacker. The features of flexibility and security have been difficult to achieve in the prior art.

OBJECTS OF THE INVENTION

It is therefore an object of the invention to provide an improved method of data crytography.

It is another object of the invention to provide an improved method of data crytography which is more flexible than in the prior art.

It is another object of the invention to provide an improved data crytography method which controls the authorization of users to encrypt, decrypt or authenticate data in accordance with a security policy established by the system manager.

It is another object of the invention to provide a data cryptographic method which builds into the storage of a key the authority to use that key in a manner which has been authorized by its originator.

It is an object of the invention to improve file security by providing the ability to encrypt a data filem so that one portion is fully encrypted and another portion can be decrypted by authorized recipients.

SUMMARY OF THE INVENTION

These and other objects, features and advantages are accomplished by the invention disclosed herein. Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the users of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, and translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention.

Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects, features and advantages of the invention will be more fully appreciated with reference to the accompanying figures:

FIG. 1 is a system diagram showing the major components of the Cryptographic Facility (CF).

FIG. 2 is a system diagram showing the components of the CF, software driver CFAP and cryptographic application programs.

FIG. 3 illustrates the fundamental crytographic key separation.

FIG. 4 illustrates data key separation.

FIG. 5 shows the general format for Control Vectors (CV).

FIG. 6 shows the CV format for privacy keys.

FIG. 7 shows the CV format for MAC keys.

FIG. 8 shows the CV format for data compatibility keys.

FIG. 9 shows the CV format for data translate (XLATE) keys.

FIG. 10 shows the CV format for ANSI Data keys.

FIG. 11 shows the CV format for intermediate ICVs.

FIG. 12 shows the CV format for tokens.

FIG. 13 is a block diagram of the encode instruction.

FIG. 14 is a block diagram of the decode instruction.

FIG. 15 is a block diagram of the encipher instruction.

FIG. 16 is a block diagram of the decipher instruction.

FIG. 17 is a block diagram of the generate message authentication code (Genmac) instruction.

FIG. 18 is a block diagram of the verify message authentication code (Vermac) instruction.

FIG. 19 is a block diagram of the translate cipher text instruction.

FIG. 20 shows the electronic code book (ECB) mode of DES encryption.

FIG. 21 shows the cipher block containing (CBC) mode of DES encipherment.

FIG. 22 shows the CBC mode of DES decipherment.

FIG. 23 shows the message authentication (MAC) algorithm.

FIG. 24 summarizes the equations for each of the data instructions.

FIG. 25 shows the operation of session protection.

FIG. 26 shows the operation of file protection.

FIG. 27 shows the operation of encrypted mail box.

FIG. 28 shows the operation of ciphertext translation center.

FIG. 29 shows the operation of peer-to-peer ciphertext translation.

FIG. 30 shows translating part of an encrypted file.

FIG. 31 shows message integrity using control vectors.

FIG. 32 shows message integrity with non-repudiation using control vectors.

FIG. 33 shows a message format.

DESCRIPTION OF THE BEST MODE FOR CARRYING OUT THE INVENTION

The reader should refer to the copending patent application by S. M. Matyas, et al. referred to above for an overall description of the principles of the Cryptographic Architecture (CA) underlying the invention disclosed herein. The Cryptographic Architecture enforces strict key separation within the local cryptographic facility and between systems by employing control vectors which force the recipient or user of a key to use the key in a manner consistent with the intentions of the originator of the key.

The following cryptographic data management functions are provided by the invention disclosed herein:

1. Data Confidentiality. Data confidentiality protects the contents of a message or file form unauthorized disclosure.

Applications of data confidentiality include the following:

a. Session Protection. Data encryption to protect the confidentiality or session level data transmission between two communicating devices. Each end user (device or application) shares a common data encrypting/decrypting key, thus permitting each end user to both send and receive encrypted data.

b. File Protection. Data encryption to protect the confidentiality of data files. A single end user (device or application) possesses a data encrypting/decrypting key permitting data to be encrypted for storage and to be decrypted, at a later time, for purposes of recovery or access to the file.

c. Encrypted Mail Box. The encrypted mail box describes a multi-user environment in which each user has a data/privacy key in two forms. The first form permits data encryption; the second form permits data decryption. The first form of the key is placed in a public directory or central registry accessible to all users of the system. Each so registered key is recorded under a user identifier belonging to the user who registers the key. The second form of the key is kept private by the user to which it belongs. Thus, a user i who wishes to send encrypted messages to user j, first requests user i's encryption from the public directory. Data encrypted with this key is then sent to user i and placed in user i's mail box. User i can read received mail by decrypting first with his/her private decryption key. But since no other user has access to user i's decryption key, the environment is such that users can encrypt mail for each other user but only the authorized designated receiving user can decrypt and read his/her mail.

d. Ciphertext Translation Center (CTC). The ciphertext translation center is a network node or device capable of securely translating encrypted data from encryption under a first data key to encryption under a second data key. In effect, the CTC possesses one or more data keys under which encrypted data may be received and one or more data keys under which received encrypted data may be re-encrypted. These data keys thus establish a secure channel permitting the CTC to translate ciphertext from one key to another but not to decrypt ciphertext. The CTC may be further restricted from encrypting data with one or more of these data/privacy keys for the purpose of introducing data into the secure channel.

e. Peer-to-Peer Ciphertext Translation. This environment consists of a chain of two or more CTCs which establish a secure channel from one set of network devices to another set of network devices. The first CTC in the chain possesses one or more data keys under which encrypted data may be received from the first set of network devices. Each CTC in the chain possesses one or more data keys under which encrypted data may be re-encrypted, but not decrypted. The CTCs may be further restricted from encrypting data with one or more of these keys for the purpose of introducing data into the secure channel. The last CTC in the chain re-encrypts the encrypted data under one or more data keys shared with members of the second set of network devices.

f. Translate Part of an Encrypted File. This is an application wherein part of an encrypted file can be translated to a key which can be conveniently shared with an intended receiver. The method avoids sharing the original data/privacy key used to encrypt the file, since doing so may jeopardize the confidentiality of data not intended to be shared.

2. Data Integrity. Data Integrity protects the contents of message or file from unauthorized modification. This includes changes, additions, and deletions to the data. Cryptography provides only methods for detecting unauthorized changes to data. It cannot prevent unauthorized changes to data.

3. Message Authentication. Message authentication is a procedure established between two communicants which allows each communicant to verify that received messages are genuine. Communicants can be people, devices, or processing functions. Message authentication allows the receiver of a message to determine that:

a. The message originated with the alleged sender.

b. The contents of the message have not been accidentally or intentionally changed.

c. The message has been received in the same sequence that it was transmitted.

d. The message was devliered to the intended receiver.

In other words, message authentication permits the receiver to validate a message's origin, contents, timeliness, and intended destination. Applications of message authentication include the following:

a. Straight message authentication.

b. Non-repudiation via MACGEN and MACVER.

FIG. 1 gives a block diagram representation of the data processing system with the cryptographic facility therein. In FIG. 1, the data processing system 2 executes a program such as the crypto facility access programs and the application programs illustrated in FIG. 2. These programs output cryptographic service requests for data cryptography operations using keys which are associated with control vectors. The general format for a control vector is shown in FIG. 5. Control vectors define the function which the associated key is allowed by its originator to perform. The invention herein is an apparatus and a method for validating that data cryptography functions requested for a data set by the program, have been authorized by the originator of the key.

As is shown in FIG. 1, contained within or associated with the data processing system 2 is a cryptographic facility 4 which is characterized by a secure boundary 6. An input/output path 8 passes through the secure boundary 6 for receiving the cryptographic service request, data, cryptographic keys and their associated control vectors from the program. The input/out path 8 outputs responses to those cryptographic requests from the cryptograpic facility. Included within the secure boundary 6 is a cryptographic instruction storage 10 which is coupled by units of the bus 12 to the input/output path 8. A control vector checking units 14 is coupled to the instruction in storage 10 and a cryptographic processing units 16 is also coupled to the instruction storage 10. A master key storage 18 is coupled to the cryptographic processing unit 16. The cryptographic facility 4 provides a secure location for executing data cryptography functions in response to the received service request.

The cryptographic instruction storage 10 receives over the input/output path 8 a cryptographic service request for performing a data cryptography function with a cryptographic key. The control vector checking unit 14 has an input coupled to the input/output path 8, for receiving a control vector associated with the cryptographic key. The control vector checking unit 14 also has an input connected to the cryptographic instruction storage 10, for receiving control signals to initiate checking that the control vector authorizes the data cryptography function which is requested by the cryptographic service request.

The control vector checking unit 14 has an authorization output 20 which is connected to an input of the cryptographic processing unit 16, for signalling that data cryptography function is authorized, the receipt of the authorization signal by the cryptographic processing unit 16 initiates the performance of the requested data cryptography function with the cryptographic key. A cryptographic key storage unit 22 is coupled to the cryptographic facility 14 over the input/output path 8. The cryptographic key storage unit 22 stores the cryptographic key in an encrypted form in which the cryptographic key is encrypted under a storage key which is a logical product of the associated control vector and the master key stored in the master key storage 18.

An example of recovering an encrypted key from the cryptographic key storage 22 occurs when the cryptographic instruction storage 10 receives over the input/output path 8 a cryptographic service request for recovering the cryptographic key from the cryptographic key storage units 22. The control vector checking unit 14 will then output in response thereto, an authorization signal on line 20 to the cryptographic processing unit 16 that the function of recovering the cryptographic key is authorized. The cryptographic processing unit 16 will then operate in response to the authorization signal on line 20, to receive the encrypted form of the cryptographic key from the cryptographic key storage 22 and to decrypt the encrypted form under the storage key which is a logical product of the associated control vector and the master key stored in the master key storage 18.

The storage key is the exclusive-OR product of the associated control vector and the master key stored in the master key storage 18. Although the logical product is an exclusive OR operation in the preferred embodiment, it can also be other types of logical operations.

The associated control vector, whose general format is shown in FIG. 5, is stored with the encrypted form of its associated cryptographic key in the cryptographic key storage 22. Since all keys stored on a cryptographic storage are encrypted under the master key, a uniform method for encryption and decryption of encrypted keys thereon can be performed.

The associated control vector, whose general format is shown in FIG. 5, includes fields defining the authorized types of cryptographic functions, including data cryptography functions, data encryption/decryption functions and personal identification numbers (PIN) processing functions. In the data cryptography applications, the data cryptography functions type is designated for the type field. The associated control vector also includes additional fields which can define export control for the keys and associated encrypted information and the usage of the keys and associated encrypted information.

The following provides a more detailed descrption of the components and operations of the invention.

FIG. 2 shows the major components of a crypto subsystem. The cryptographic subsystem consists of a Crypto Facility (CF), Crypto Facility Access Program (CFAP), and Application Program (AP). Normally, the CF is implemented in hardware, inside a physically secure box. Depending upon the implementation, the CF, CFAP, and AP could all be in a physically secure box.

The Cryptographic Facility 4 consists of:

Key Registers

The registers and their usages are described below:

Master Key Register 18 The master key register is 128 bits wide, containing the master key.

New Master Key (NMK) register: The new master key register is 128 bits wide, containing the new master key that is going to become the current master key. The New Master Key will become the current master key only after a special instruction, the SMK instruction is ussed to load the value of new master key into the master key register.

Old Master Key Register The old master key register is 128 bits wide, containing the master key that was replaced by the current master key. The master key update mechanism is such that the current master key becomes the old master key prior to the new master key becoming the current master key.

Key Part Register The key part register is 128 bits wide, containing the value of a key part (component), or a complete key that is being installed via a key loading device such as a key pad or key board attached to the CF via an optional secured physical interface.

Working Key Register(s) For performance reasons, the system has working register(s), 128 bits wide each, to contain immediate working key(s) for fast accesses. For example, a key that is used to encrypt data is brought into the CF is encrypted form on the first use. It then is decrypted and the clear value can be stored in one of the working key registers. In subsequent uses to encrypt or decrypt the data, this clear key can be quickly accessed from a specific working key register, thus eliminating the repeated steps of decrypting the key prior to using it.

Program MDC Register (PMDC Reg) The program MDC register is 64 bits wide, containing the MDC of the program to be loaded in the program memory inside the CF.

Dataset MDC register (DMDC Reg) The dataset MDC register is 64 bits wide, containing the MDC of the datasets whose integrity is validated by CFAP. This normally is, at least, the key storage datasets.

Cryptographic instructions and control vector checking algorithms.

The instruction set and control vector checking algorithms are implemented in the secured cryptographic facility and are stored in the cryptographic instruction storage 10 which is a random access memory. They are executed in a microprocessor such as an Intel 80286 which can serve as the cryptographic processing unit 16. The control vector checking unit 14 can also be implemented in the cryptographic processing unit 16 or it can be implemented by a second microprocessor such as an Intel 80286 serving as the control vector checking unit 14.

Program Memory and Processing Engine

The system can also employ a memory inside the CF to store user's programs and a processing engine to execute the programs. An example of this is a program or macro for performing new algorithms for PIN verifications on new PIN formats.

Random Number Generator 26

The random number generator is an algorithmic procedure for producing 64 bit pseudo random numbers. The algorithm itself is nonsecret, but makes use of two 128 bit secret keys and a 64 bit nonsecret incrementing counter. Although nonsecret, the integrity and proper management of the counter are essential to security.

The Crypto Facility (CF) is a secure implementation containing the Data Encryption Algorithm and storage for a small number of key and data parameters in the cryptographic instruction storage 10. It can be accessed only through inviolate interfaces (secure against intrusion, circumvention, and deception) which allow processing requests, key, and data parameters to be presented, and transformed output(s) to be received.

The ANSI Data Encryption Algorithm (DEA) is a standard cryptographic algorithm for commercial data security products. The DEA is a symmetric block cipher algorithm that uses a 56-bit secret key to encipher 64 bits of plaintext to form 64 bits of cipher text. DEA keys are normally stored with 1 parity bit per byte, forming a 64-bit key. DEA forms the basis for the National Bureau of Standards approved Federal Data Encryption Standard, so it is also called DES.

The cryptographic facility must resist probing by an insider adversary who has limited access to the cryptographic hardware. "Limited" is measured in minutes or hours as opposed to days and weeks, and the adversary is constrained to a probing attack at the location where the system is installed, using limited electronic devices as opposed to a laboratory attack launched at a site under the conrol of the adversary using sophisticated electronic and mechanical equipment.

The cryptographic facility must detect attempts at physical probing or intrusion. This may be accomplished using a variety of electro-mechanical sensing devices.

The cryptographic facility must provide for the automatic zeroization of all internally stored clear keys. Such zeroization must be performed automatically whenever an attempted probing or intrusion has been detected. The cryptographic facility must also provide a manual capability to zeroize key storage via the front panel interface.

The crypto facility contains one master key KM. All other keys can reside on mass storage encrypted under a key formed by Exlusive ORing the master key with a valid control vector. Refer to U.S. Pat. No. 4,386,234 entitled "Cryptographic Communications and File Security Using Terminals" by Ehrsam, et al., assigned to IBM Corporation, and incorporated herein by reference, for a description of an example Cryptographic Facility.

The CFAP is the programming interface between the CF and the application program. Since users do not have direct access to the cryptographic facility, the CFAP is the programming interface through which the users can request the CF to perform specific operations.

Associated with the CFAP is the Key Storage outside the CF where encrypted keys are stored. No clear keys are stored outside the CF. The Key Storage 22 is also referred to herein as the "Cryptographic Key Data Set" (CKDS).

The CFAP typically consists of the following:

Key Storage Manager to manage keys stored in the key storage mentioned above.

CFAP Macros through which users access to the CF to perform cryptographic functions.

Application programs include user's application programs, some utilities such as a key installation utility, and communication programs such as IBM VTAM.

User's application programs consist of statements that will invoke certain CFAP macros to perform a specific task. As mentioned, the CFAP is the only interface through which application programs can request CF to execute a cryptographic operation. For example, a user might want to encipher a file prior to shipping it to another node on the network. His application program might have one statement that calls a CFAP macro to generate a key, and another statement that invokes another CFAP macro to encipher the data of the file with the given key.

Another example of a user's application program is one that allows the manual installation of keys on the system, similar to the installation program mentioned above.

    __________________________________________________________________________
    Notation - The following notation is used herein:
    __________________________________________________________________________
    ECB        Electronic code book
    CBC        Cipher block chaining
    KM         128 bit Master key
    KEK        128 bit Key encrypting key
    K          64 bit key
    *K         128 bit key
    (*)K       64 or 128 bit key
    KD         64 bit data encrypting key
    KK         64 bit Key encrypting key
    *KK        128 bit Key encrypting key
    KKo        offset 64 bit Key encrypting key
    *KKo       offset 128 bit Key encrypting key
    (*)KKo     offset 64 or 128 bit Key encrypting key
    *KKNI      128 bit partial notarizing Key encrypting
               key
    *KN        128 bit notarizing key, equivalent to
               *KKNIo
    cx         64 bit control vector
    CxL        64 bit left control vector
    CxR        64 bit right control vector
    XOR or xor exclusive or operation
    or         logical or operation
    X `0`      Hex notation
    11         concatenation operation
    [x]        optional parameter x
    not =      not equal
    E or e     single encryption
    D or d     single decryption
    EDE or ede triple encryption
    DED or ded triple decryption
    Equations  The function of each instruction is
               mathematically denoted in the form:
               I1, I2, I3, I4, . . . --- 01, 02, 03, . . .
               where I1, I2, I3, . . . are the inputs to the
               function and 01, 02, 03, . . . are the outputs
               from the function.
    KM.Cx      (KML XOR Cx) 11 (KMR XOR Cx) = KMY 11 KMX
               where, KML = Left 64 bits of the master key
               KM,
               KMR = right 64 bits of the master key
               KM,
               KMY = KML XOR Cx
               KMX = KMR XOR Cx
    e*KM.Cx(key)
               e*KM.Cx(key) = eKMY(dKMX(eKMY(key)))
               where, KMY = KML XOR Cx
               KMX = KMR XOR Cx
               key = 64 bit key
    e*KEKn.CX(key)
               e*KEKn.Cx(key) = eKEKY(dKEKX(eKEKY(key)))
               where, KEKY = KEKnL XOR CxL
               KEKX = KEKnR XOR CxR
               key = 64 bit key
    e*KM.CxL(KEKnL)
               e*KM.CxL(KEKL) = eKMY)dKMX(eKMY(KEKnL)))
               where, KEKL = left 64 bits of KEK
               KMY = KML XOR CxL
               KMX = KMR XOR CxL
    e*KM.CxR(KEKnR)
               e*KM.CxR(KEKR) = eKMY(dKMX(eKMY(KEKnR)))
               where, KEKR = right 64 bits of KEK
               KMY = KML XOR CxR
               KMX = KMR XOR CxR
    e*KEKo(key)
               e*KEKo(key) = eKEKLo(dKEKRo(eKEKLo(key)
               where, KEKLo = KEKL XOR cntr
               KEKRo = KEKR XOR cntr
               cntr = implicit 64-bit key-message
               counter for KEK
               key = 64 bit key
    __________________________________________________________________________

    ______________________________________
    Encode (ENC)
    ______________________________________
    Equation
    KD, A -- eKD(A)
    Inputs:
    KD               64 bit clear key
    A                64 bit plain text
    Outputs:
    eKD(A)           64 bit encrypted data
    ______________________________________

    ______________________________________
    CC:
         1. successful operation
         2. unsuccessful operation (error)
         NOTE: Unsuccessful operation can be any hardware error
         specific to a given implementation. The condition
         codes (CC described here merely represent suggested
         condition codes for the instruction, however, there
         may be more condition codes implemented in a given
         system. Furthermore, the CC codes do not represent
         the actual condition codes that have to be passed by
         the function in a given implementation, the numbering
         used here is for a convenient description of crypto
         architecture.
    Control Vector Checking: None.
    Decode (DEC)
    Equation:        KD, eKD(A) -- A
    Inputs:
    KD               64 bit clear key
    eKD(A)           64 bit encrypted data
    Outputs:
    A                64 bit encrypted data
    ______________________________________

    ______________________________________
    CC:
          1. successful operation
          2. unsuccessful operation (error)
    Control Vector Checking: None
    Encipher (ENCI)
    Equation:  e*KM.C1(KD1), ICV, A, n,
               C1 --- eKD1(ICV,A)
    Inputs:
    e*KM.C1(KD1)
               64 bit data key (KD1) triple encrypted
               under the master key (KM) with a
               control vector C1.
    ICV        64 bit plain input chaining value
               NOTE: Encrypted ICVs are managed by
               CFAP as described in the "ICV/OCV
               Management" and "Software Interface."
               If output chaining value (OCV) is
               required, the last 8 byte output (En)
               must be used as OCV, however, this is
               not a standard approach. Each system
               implementation treats the encryption
               and decryption of the last block
               differently. Refer to "Software
               Interface" for more details on the
               last block treatment and OCV
               generation techniques. CFAP handles
               all the possible last block
               encipherment and decipherment and also
               OCV management.
    A          Data to be encrypted, in multiples of
               8 byte blocks. The 8 byte blocks are
               A1, A2, . . . An. If the last block An is
               not a multiples of 8 bytes, padding
               should be performed by CFAP before
               calling this instruction. CF
               instructions always assume multiples
               of 8 bytes data as inputs and outputs.
    n          number of 8 byte blocks to be
               encrypted. n should be as large as
               possible, however, this may be system
               dependent. CA does not define any
               maximum limit on n.
               For example: If number of 8 byte
               blocks = 10,000 and n max = 4,000,
               then Encipher instruction will be
               invoked as follows:
    Encipher n = 4000
    Encipher n = 4000
    Encipher n = 2000
               Note: After each call of Encipher,
               the last 8 bytes enciphered data En
               (OCV) has to be fed back as ICV input
               to the next Encipher call.
    c1         64 bit control vector for data key (KD1).
    Outputs:
    ekD1(ICV,A encrypted data, n blocks, each block
               is 8 bytes (E1, E2 . . . En).
    ______________________________________

    ______________________________________
    CC:
         1. successful operation
         2. C1 is invalid
         3. unsuccessful operation (error)
    Control Vector Checking:
    1.  Checking on C1
    cv type =
        "data/compatibility" or
                         "data/privacy" or
                         "data/ANSI`
    E usage bit =
        1
    reserved (48:63) =
        X`0`
    NOTE: For all the instructions described here, control
    vector checking implies that if the check is not passed
    then the instruction must be aborted and the corresponding
    control vector invalid condition code (CC) be turned on.
    If there are one or more checks to be performed on the
    control vectors, all the checks are performed and all the
    checks have to be passed to perform the operation. If any
    of the checks fail, the operation must be aborted.
    Decipher (DECI)
    Equation:
    e*KM.C1(KD1), ICV, eKD1(ICV,A), n, C1 -- A
    Inputs:
    e*KM.C1(Kd1)
              64 bit data key (KD1) triple encrypted
              under the master key (KM) with a control
              vector C1.
    ICV       64 bit plain input chaining value.
              Note: Encrypted ICVs are managed by CFAP
              as described in the "ICV/OCV Management"
              and "Software Interface."
              If output chaining value (OCV) is required,
              the last 8 byte input (En) must be used as
              OCV, however, this is not a standard
              approach. Each system implementation
              treats the encryption and decryption of the
              last block differently. Refer to "Software
              Interface" for more details on the last
              block treatment and OCV generation
              techniques. CFAP handles all the possible
              last block encipherment and decipherment
              and also OCV management.
    eKd1(ICV,A)
              encrypted data, n blocks, each block is 8
              bytes (E1, E2 . . . En).
    n         number of 8 byte blocks to be decrypted. n
              should be as large as possible, however,
              this may be system dependent. CA does not
              define any maximum limit on n.
              Note: After each call of Decipher, the
              last 8 bytes enciphered data En (OCV) has
              to be fed as input ICV to the next Decipher
              call. This is being managed by CFAP.
              For example:
              If number of 8 byte blocks = 10,000 and n
              max = 4000, then Decipher instruction will
              be invoked as follows:
              Decipher n = 4000
              Decipher n = 4000
              Decipher n = 2000
    C1        64 bit control vector for data key (KD1).
    Outputs:
    A         Plain data, in a multiples of 8 byte
              blocks. The 8 byte blocks are A1,
              A2, . . . An.
    ______________________________________

    ______________________________________
    CC:
         1. successful operation
         2. C1 is invalid
         3. unsuccessful operation (error)
    Control Vector Checking
    1.  Checking on C1
    cv type =
        "data/compatibility" or
                         "data/privacy" or
                         "data/ANSI"
    D usage bit =
        1
    reserved (48:63) =
        X`0`
    GENMAC (GMAC)
    Equation:
    e*KM.C1(KD2=1),[e*KM.C2(KD2)],
    ICV[e*KM.C3(OCV)],
    A, n, icv-type,output-type, mac-enc, C1,[C2],[C3]
    MAC (64 bit)
    or
    e*KM.C3(OCV)
    Inputs:
    e*KM.C1(KD1)
               KD1 is a MAC generation key for single
               encrypting MAC, triple encrypted under KM
               with a control vector C1.
    e*KM.C2(KD2)
               KD2 is an optional MAC generation key for
               triple encrypting MAC, triple encrypted under
               KM with a control vector C2. This is an optional
               input required for triple encrypting mac output
               if mac-enc = 1.
    ICV        ICV equal to zero is the default Initial
               Chaining Value, and is standard to CA
               architecture, ANSI X9.9 and ANSI X9.19.
               Non-zero plain ICV can also be used to be com-
               patible with systems which require plain ICV
               input. Encrypted ICV input is not supported by
               CA as it was found that it does not provide any
               more security for the function. Encrypted
               intermediate ICVs are supported by CA.
               Note: Encrypted ICVs if required are managed
               by CFAP as described in the ICV/OCV
               Management" and "Software Interface."
    e*KM.C3(OCV)
               This is a 64 bit intermediate ICV encrypted
               under the master key with a special control
               vector C3. This is an optional input which must
               be provided if large blocks of data (/n) are
               used to generate MAC. Decrypting the ICV is
               done internal to the function. Intermediate OCV
               can not be shipped from the local node, as it is
               stored under the master key with a control
               vector in the form for local use only.
    A          Data to be MAC'd, in multiples of 8 byte blocks
               (A1, A2 . . . An).
    n          number of 8 byte blocks to be MAC'd. n should
               be as large as possible, however, this may be
               system dependent. CCA does not define any
               maximum limit on n. If large number of blocks
               have to be MAC'd then GMAC is invoked
               multiple number of times until all blocks are
               complete.
               For example:
               If n max is 4000 for the system, and the data to
               be MAC's are 10,000 8 byte blocks, then GMAC
               is invoked as follows:
               GMAC n=4000,output-type=1,icv-type=0
               GMAC n=4000,output-type=1,icv-type=2
               GMAC n=2000,output-type=1,icv-type=2
               Note: After each call of GMAC, the
               intermediate ICV e*KM.C3(OCV) must be
               fed back to next GMAC
               call as ICV input. The decryption of this
               intermediate ICV must be done internally in the
               CF
    icv-type   icv-type indicates whether the ICV passed to the
               function is zero, plain, or intermediate.
               Intermediate ICV is triple encrypted under the
               master key with a control vector C3. Zero ICV
               is a default value.
               0: zero ICV (default)
               1: plain ICV
               2: intermediate ICV (OCV)
    output-type
               indicates the stage of the mac generation
               process to the instruction.
               0: MAC output
               1: Intermediate ICV output (OCV)
    mac-enc    mac-enc indicates a single or triple encryption
               mac output
               0: single encrypting mac output
               1: triple encrypting mac output(ANSI 9.19
               requirement)
    C1,C2,C3   64 bit control vectors for KD1, KD2, and OCV
               respectively. C2 and C3 are optional inputs to
               the instruction, C2 must be input if mac-enc=1,
               and C3 must be input if icv-type = 2 or
               output-type=1.
    Outputs:
    MAC        is a 64 bit output, resulted from the single
               encryption or triple encryption of the final
               input block of data, depending upon mac-enc
               parameter. This output is valid only if
               output-type=0.
    e*KM.C3(OCV)
               OCV is a 64 bit intermediate ICV triple
               encrypted under KM with control vector C3.
               This output is valid only if output-type=1.
               MAC output and Intermediate OCV outputs
               both must not be output at the same time
               for security reasons.
    ______________________________________

    ______________________________________
    CC:
    1.   successful operation
    2.   C1 is invalid
    3.   C2 or C3 is invalid
    4.   unsuccessful operation (error).
    Control Vector Checking:
    1.   Checking on C1
    CV type = "data/compatibility" or "data/mac"
         or "data/ANSI"
    MG usage bit = 1
    reserved (48:63)=X`0`
    2.   Checking on C2 if (mac-enc = 1).
    cv type = "data/compatibility" or "data/mac"
         or "data/ANSI"
    MG usage bit = 1
    reserved 48:63) = X`0`
    3.   Checking on C3 if (icv-type=2 OR output-type = 1).
    CV type = "Intermediate ICV"
    Verify MAC (VMAC)
    Equation:
    e*KM.C1(KD1), [e*KM.C2(KD2)]
    ICV[e*KM.C3(OCV)],
    A,MAC, n, icv-type,output-type,mac-enc,mac-len, C1, [C2],[C3]
    yes/no
    OR
    e*KM.C3(OCV)
    Inputs:
    e*KM.C1(KD1)
               KD1 is a mac verification key for single
               encrypting mac, triple encrypted under KM
               with a control vector C1.
    e*KM.C2(KD2)
               KD2 is a mac verification key for triple
               encrypting mac, triple encrypted under KM
               with a control vector C2. This is an optional
               input required for triple encrypting mac output
               if mac-enc=1.
    ICV        ICV equal to zero is the default Initial
               Chaining Value, and is standard to CA
               architecture,ANSI X9.9 and ANSI X9.19.
               Non-zero plain ICV can also be used
               to be compatible with
               systems which require plain ICV input.
               Encrypted ICV input is not supported by CA
               as it was found that it does not provide any
               more security for the function. Encrypted
               intermediate ICVs are supported by CA.
               NOTE: Encrypted ICVs if required are
               managed by CFAP as described in the
               "ICV/OCV Management"
               and "Software Interface."
    e*KM.C3(OCV)
               This is a 64 bit intermediate ICV encrypted
               under the master key with a special control
               vector C3. This is an optional input must be
               provided if large blocks of data (] n) are used
               to verify MAC. Decrypting the ICV is done
               internal to the function. Intermediate OCV can
               not be shipped from the local node, as it is
               stored under the master key with a control
               vector in the form for local use only. The
               intermediate ICV's must be secret in the MAC
               verification process to protect from attacks.
    A          Data used in MAC, in multiples of 8 byte blocks
               (A1,A2 . . . An).
    MAC        64 bit MAC input to the instruction either
               single or triple encrypted. By default, only
               left most 32 bits of this MAC are used for MAC
               comparison. mac-len may be used to explicitly
               specify other comparison lengths.
    n          number of 8 byte blocks MAC'ed. n should
               be as large as possible, however,
               this may be system
               dependent. If large number of blocks have to be
               mac verified then VMAC is invoked multiple
               number of times until all blocks are complete.
               For example:
               if n max is 4000 for the system, and the data
               to be verified are 10,000 8 byte blocks,
               then VMAC is invoked as follows:
               NOTE: After each call of VMAC,
               the intermediate ICV e*KM.C3(OCV) must
               be fed back to next VMAC
               call as ICV input.
               The decryption of this intermediate ICV must
               be done internally in the CF.
               VMAC n=4000,output-type=1,icv-type=0
               VMAC n=4000,output-type=1,icv-type=2
               VMAC n=2000,output-type=0,icv-type=2
    icv-type   icv-type indicates whether the ICV passed to
               the function is zero, plain, or intermediate.
               Intermediate ICV is triple encrypted under the
               master key with a control vector C3.
               0: zero ICV (default)
               1: plain ICV
               2: intermediate ICV (OCV)
    output-type
               indicates the stage of the mac verification
               process to the instruction
               0: MAC Verification output
               1: Intermediate ICV output (OCV)
    mac-enc    mac-enc indicates a single or triple encryption
               mac input.
               0: single encrypting mac input
               1: triple encrypting mac input (ANSI 9.19
               requirement)
    mac-len    mac-len specifies the number of bytes of the mac
               to be compared. 4 left most bytes are compared
               as a default.
               0: 4 left most bytes
               1: 5 left most bytes
               2: 6 left most bytes
               3: 7 left most bytes
               4: 8 bytes
               NOTE: provision of 4, 5, 6, 7, 8 byte MAC
               verification may subvert MAC
               generation process for 8 byte MAC.
               We do not have any solution to
               solve this problem in crypto facility, but CFAP
               may consider some checking for different length
               MAC verification. Further investigation is
               needed for this problem.
    C1,C2,C3   64 bit control vectors for KD1, KD2, and OCV
               respectively. C2 and C3 are optional inputs to
               the instruction, C2 is required if mac-enc=1,
               and C3 is required if icv-type=2 or
               output-type=1.
    Outputs:
    yes/no     mac is verified or not.
    e*KM.C3(OCV)
               OCV is a 64 bit intermediate ICV triple
               encrypted under KM with control vector C3.
               This is an optional output valid for
               output-type=1.
    Description:
               The input data is encrypted with CBC
               mode of DEA encryption using data key
               KD1 and 32 left most
               bits of the final encrypted block are compared
               for equality with the supplied MAC.32 bit
               MAC compare is a default value, and other
               comparisons must be made as specified by the
               mac-len parameter. CC = 1 is set for macs
               equal and CC=2 is set if macs are
               not equal. There
               are two encryption modes: single encryption
               mode, a single key KD1 is used to create the
               MAC. In the triple encryption mode, the single
               encryption mode is employed with KD1
               to create a MAC, except the MAC is
               then decrypted with KD2,
               and reencrypted again with KD1 to produce the
               final 64 bit MAC. The MAC is generated as
               specified by mac-enc input and then compared
               with the supplied mac to the function.
               The first ICV is zero as a standard and
               optionally can be plain. Intermediate ICV must
               be used if the mac'd data is greater than n
               blocks in length.
               If the data block is not multiples of 8 byte
               blocks, padding must be done. The padding has
               to be performed by the CFAP before invoking
               this instruction.
               FIG. 18 is a block diagram of this instruction.
    cc:
    1.   MACs equal
    2.   MACs not equal
    3.   C1 is invalid
    4.   C2 or C3 is invalid
    5.   unsuccessful operation (error).
    Control Vector Checking:
    1.   Checking on C1
    cv type = "data/compatibility" or "data/mac"
         or "data/ANSI"
    MV usage bit = 1
    reserved (48:63)=X`0`
    2.   Checking on C2 if (mac-enc = 1).
    cv type = "data/compatibility" or "data/mac"
         or "data/ANSI"
    MG usage bit = 1
    reserved 48:63) = X`0`
    3.   Checking on C3 if (icv-type=2 OR output-type=1).
    CV type = "Intermediate ICV"
    Translate Cipher Text (TCTXT)
    Equation: e*KM.C1(KD1),ICV1,eKD1(ICV1,A),
    e*KM.C2(KD2),ICV2, n, C1, C2
    eKD2(ICV2,A)
    Inputs:
    e*KM.C1(KD1)
               KD1 is an input data key, triple encrypted
               under KM with a control vector C1.
    ICV1       64 bit clear ICV.
    eKD1(ICV1,A)
               KD2 is an output data key, triple encrypted
               under KM with a control vector C2
    ICV2       64 bit clear ICV.
    n          Number of 8 byte blocks of data to be
    translated.
    C1, C2     Control vectors for KD1, KD2 respectively.
    Outputs:
    eKD2(ICV2,A)
               outputs Data A encrypted with data key KD2
               using ICV2.
    Description:
               Translate cipher text instruction translates
               data from one data key and ICV to another data
               key and ICV. This instruction operates with
               data/xlt keys, and data/compatibility keys. CV
               keys or CV=0 keys can be used to translate
               data, no mix and match of these key types are
               permitted by this instruction. The data can be
               up to n 8 byte blocks, the translation is done
               in the crypto facility without exposing the
               clear data outside the crypt facility.
               The ICV inputs ICV1 and ICV2 can only
               be plain - ICV inputs to the instruction.
               No intermediate



               ICV is provided by the instruction. If more
               than n blocks of data have to be translated, and
               the data has to be chained then
               CFAP has to pass the last 8
               byte encrypted block(En) as input to
               ICV. If encrypted ICVs are used then CFAP
               must decipher the ICVs before passing ICVs
               to the instruction.
               NOTE: The xlate Ciphertext instruction is
               specifically designed to operate with CV-only
               keys (i.e., xlate data keys). There is no
               compatibility mode xlate ciphertext option
               offered. To get around this, the xlate
               ciphertext instruction will accept data keys
               with the D and E attributes as well as the XDin
               and XDout attributes. But this is provided as a
               service to reduce the accidental exposure of
               clear data, since an insider adversary could
               recover data unclear using the decipher
               instruction. It is not possible to isolate the
               xlate ciphertext keys in the compatibility mode,
               and to architect a control vector for this would
               give an illusion of security, when in fact, an
               attack could be perpetrated with the RTMK
               instruction by importing an intended xlate key
               (sent over CV=0 channel) as a decipher key.
               Thus, the xlate ciphertext data channel could be
               subverted by deciphering data sent over that
               channel.
               FIG. 19 is a block diagram of this instruction.
    CC:
    1.   successful operation
    2.   C1 or C2 is invalid
    3.   unsuccessful operation (error)
    Control Vector Checking:
    1.   Checking on C1
    cvy type = "data/xlt" or "data/compatability"
    If (cv type = "data/xlt") then XDin = 1
    reserved (48:63)=X`0`
    2.   Checking on C2 if (mac-enc=1).
    cv type = " data/lxt" or "data/compatability"
    If (cv type = "data/xlt") then XDout = 1.
    reserved 48:63) =X`0`
    3.   Checking on C1 and C2
    CV type(C1) = "cv type (C2)
    ______________________________________