Access control points and callable services
For information about PKCS #11 access control points, see 'PKCS #11 Coprocessor Access Control Points' in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
Access to callable services that are executed on a coprocessor is through access control points in the domain role. To execute services on the coprocessor, access control points must be enabled for each service in the domain role. The access control points available depend on the coprocessor you are using.
A new or a zeroized coprocessor (or domain) comes with an initial set of access control points (ACPs) that are enabled by default. The table of access control points lists the default setting of each access control point.
- If a TKE workstation has been used to manage a cryptographic coprocessor, the firmware upgrade does not retroactively enable the new ACPs. These ACPs must be enabled via the TKE (or subsequent zeroize) in order to utilize the new support they govern.
- If a TKE workstation has not been used to manage a cryptographic coprocessor, the firmware upgrade retroactively updates the new ACPs that would be enabled by default.
If an access control point is disabled, the corresponding ICSF callable service will fail during execution with an access denied error.
The Usage column of the tables uses these codes:
- AE: Always enabled, cannot be disabled.
- ED: Enabled by default.
- DD: Disabled by default.
- SC: Usage of this access control point requires special consideration.
This table lists access control points that affect multiple services or require special consideration when enabling the access control point. The Value (hex) column is the hexadecimal offset, or access-control-point code, of the control in the domain role in the coprocessor.
Name | Callable services | Notes | Value (hex) | Usage |
---|---|---|---|---|
Allow weak DES wrap of RSA | CSNDPKG / CSNFPKG, CSNDPKI / CSNFPKI, CSNDPKT / CSNFPKT | A weaker DES key-encrypting key is allowed to wrap an RSA private key token. The Prohibit weak wrapping – Transport keys access control must be enabled and this access control will override the restriction. | 0331 | DD, SC |
Allow weak wrapping of compliance-tagged keys by DES MK | All callable services that use compliant-tagged DES key tokens. | | 02EB | DD, SC |
ANSI X9.8 PIN - Allow modification of PAN | CSNBPTR / CSNEPTR, CSNBPTR2 / CSNEPTR2, CSNBPTRE / CSNEPTRE, CSNBSPN / CSNESPN | See ANSI X9.8 PIN restrictions for a description of this control. | 0351 | DD, SC |
ANSI X9.8 PIN - Allow only ANSI PIN blocks | CSNBPTR / CSNEPTR, CSNBPTR2 / CSNEPTR2, CSNBPTRE / CSNEPTRE, CSNBSPN / CSNESPN | See ANSI X9.8 PIN restrictions for a description of this control. | 0352 | DD, SC |
ANSI X9.8 PIN - Enforce PIN block restrictions | CSNBCPA / CSNECPA, CSNBPTR / CSNEPTR, CSNBPTR2 / CSNEPTR2, CSNBPTRE / CSNEPTRE, CSNBPFO / CSNEPFO, CSNBSPN / CSNESPN | See ANSI X9.8 PIN restrictions for a description of this control. | 0350 | DD, SC |
ANSI X9.8 PIN – Use stored decimalization tables only | CSNBCPA / CSNECPA, CSNBEPG / CSNEEPG, CSNBPFO / CSNEPFO, CSNBPGN / CSNEPGN, CSNBPVR / CSNEPVR | See ANSI X9.8 PIN restrictions for a description of this control. | 0356 | DD, SC |
Authenticated Key Export - DRVTXKEY | CSNBSYD / CSFNESYD, CSNBSYD1 / CSNESYD1, CSNBSYE / CSNESYE, CSNBSYE1 / CSNESYE1, CSNBFLD / CSNEFLD, CSNBFLE / CSNEFLE, CSNBKRR2 / CSNEKRR2 | Required in order to establish a secure communication channel between the coprocessor and CPACF. | 02F6 | AE |
Authenticated Key Export - EXPTSK | CSNBSYD / CSFNESYD, CSNBSYD1 / CSNESYD1, CSNBSYE / CSNESYE, CSNBSYE1 / CSNESYE1, CSNBFLD / CSNEFLD, CSNBFLE / CSNEFLE, CSNBKRR2 / CSNEKRR2 | Required in order to export secure key tokens to CPACF protected key format. | 02F7 | AE |
Authenticated Key Export - SETSNKEY | CSNBSYD / CSFNESYD, CSNBSYD1 / CSNESYD1, CSNBSYE / CSNESYE, CSNBSYE1 / CSNESYE1, CSNBFLD / CSNEFLD, CSNBFLE / CSNEFLE, CSNBKRR2 / CSNEKRR2 | Required in order to establish a secure communication channel between the coprocessor and CPACF. | 02F5 | AE |
DATAM Key Management Control | CSNBKGN / CSNEKGN, CSNBKIM / CSNEKIM, CSNBKEX / CSNEKEX, CSNBDKG / CSNEDKG | When enabled, the DATAM and DATAMV key types can be used. When disabled, the key types are not allowed. | 0275 | ED |
Disable 56-bit length DES keys | All CCA callable services that accept or generate 56-bit length DES keys. | When enabled, all requests to CCA callable services with 56-bit length DES keys will fail. | 0026 | DD, SC |
Disable 56-bit effective length DES keys | All CCA callable services that accept or generate 56-bit effective length DES keys including loading master keys. | When enabled, all requests to CCA callable services with 56-bit effective length DES keys (112-bit or 168-bit keys with repeated 56-bit sections) will fail. This will also disallow loading a master key that has a 56-bit effective length. | 0027 | DD, SC |
Disable RSA keys with less than 1024-bit modulus length | All CCA callable services that accept or generate RSA keys with less than 1024-bit modulus length. | When enabled, all requests to CCA callable services with RSA keys with a modulus length less than 1024-bit will fail. | 002B | DD, SC |
Disable RSA keys with less than 2048-bit modulus length | All CCA callable services that accept or generate RSA keys with less than 2048-bit modulus length. | When enabled, all requests to CCA callable services with RSA keys with a modulus length less than 2048-bit will fail. | 002C | DD, SC |
Disable ECC keys weaker than 224-bit | All CCA callable services that accept or generate ECC keys weaker than 224-bit. | When enabled, all requests to CCA callable services with ECC keys weaker than 224-bit (P192, BP160, BP192) will fail. | 004D | DD, SC |
Disallow 24-byte DATA wrapped with 16-byte Key | All callable services that wrap a key under an exporter or importer KEK or a 16-byte DES master key | When enabled, triple-length 0 CV DATA keys cannot be wrapped by a 16-byte DES key, either the master key or a key-encrypting key. See Key strength and wrapping of key for more information. | 032D | DD, SC |
Disallow PIN block format ISO-1 | CSNBCPE / CSNECPE, CSNBCPA / CSNECPA, CSNBEPG / CSNEEPG, CSNBPTR / CSNEPTR, CSNBPTR2 / CSNEPTR2, CSNBPTRE / CSNEPTRE, CSNBPVR / CSNEPVR, CSNBPCU / CSNEPCU, CSNBPFO / CSNEPFO, CSNBSPN / CSNESPN, CSNBDMP / CSNEDMP, CSNBDPMT / CSNEDPMT, CSNBDPC / CSNEDPC, CSNBDPV / CSNEDPV | When the format in the input or output PIN block profile is ISO-1, the request will fail. | 032F | DD, SC |
Disallow translation from AES wrapping to DES wrapping | CSNBKTR2 / CSNEKTR2, CSNBPTR2 / CSNEPTR2, CSNDPKT / CSNFPKT | Disallows a key, PIN block, or PIN from being unwrapped or generated by an AES key and then wrapped by a DES key. | 01C5 | DD |
Disallow translation from AES wrapping to weaker AES wrapping | CSNBKTR2 / CSNEKTR2, CSNBPTR2 / CSNEPTR2, CSNDPKT / CSNFPKT | Disallows a key, PIN block, or PIN from being unwrapped or generated by an AES key and then wrapped by a weaker AES key. | 01C6 | DD |
Disallow translation from DES wrapping to weaker DES wrapping | CSNBAPG / CSNEAPG, CSNBEPG / CSNEEPG, CSNBKTR / CSNEKTR, CSNBKTR2 / CSNEKTR2, CSNBPFO / CSNEPFO, CSNBPTR / CSNEPTR, CSNBPTRE / CSNEPTRE, CSNBPTR2 / CSNEPTR2, CSNBSKY / CSNESKY, CSNDPKT / CSNFPKT | Disallows a key, PIN block, or PIN from being unwrapped or generated by a DES key and then wrapped by a weaker DES key. | 01C7 | DD |
DUKPT - PIN Verify, PIN Translate | CSNBFPED / CSNEFPED, CSNBFPEE / CSNEFPEE, CSNBFPET / CSNEFPET, CSNBPVR / CSNEPVR, CSNBPTR / CSNEPTR, CSNBPTR2 / CSNEPTR2, CSNBPTRE / CSNEPTRE | When enabled, the listed services can use DUKPT key derivation. | 00E1 | ED |
Enhanced PIN Security | CSNBCPE / CSNECPE, CSNBCPA / CSNECPA, CSNBEPG / CSNEEPG, CSNBPTR / CSNEPTR, CSNBPTR2 / CSNEPTR2, CSNBPTRE / CSNEPTRE, CSNBPVR / CSNEPVR, CSNBPCU / CSNEPCU, CSNBPFO / CSNEPFO | See Enhanced PIN security mode for a description of this control. | 0313 | DD, SC |
High-performance secure AES keys | CSNBSYD / CSFNESYD, CSNBSYD1 / CSNESYD1, CSNBSYE / CSNESYE, CSNBSYE1 / CSNESYE1, CSNBFLD / CSNEFLD, CSNBFLE / CSNEFLE, CSNBKRR2 / CSNEKRR2, CSFWRP / CSFWRP6 | When enabled, encrypted AES DATA key tokens in the CKDS can be used for the CPACF instructions. Required for CSFWRP/CSFWRP6. | 0296 | ED |
High-performance secure DES keys | CSNBSYD / CSFNESYD, CSNBSYD1 / CSNESYD1, CSNBSYE / CSNESYE, CSNBSYE1 / CSNESYE1, CSNBFLD / CSNEFLD, CSNBFLE / CSNEFLE, CSNBKRR2 / CSNEKRR2 | When enabled, encrypted DES DATA key tokens in the CKDS can be used for the CPACF instructions. | 0295 | ED |
NOCV KEK usage for export-related functions | CSNBGIM / CSNEGIM, CSNBKEX / CSNEKEX, CSNBSKM / CSNESKM, CSNBKGN / CSNEKGN | When enabled, NOCV key-encrypting keys can be used by the listed services. | 0300 | ED, SC |
NOCV KEK usage for import-related functions | CSNBKIM / CSNEKIM, CSNBSKI / CSNESKI, CSNBSKM / CSNESKM, CSNBKGN / CSNEKGN | When enabled, NOCV key-encrypting keys can be used by the listed services. | 030A | ED, SC |
Prohibit weak wrapping – Master keys | All services that wrap or import keys. Both symmetric and asymmetric keys are affected. | When enabled, an error return code will be returned when attempting to wrap a stronger key with a weaker master key. Also, an error return code will be returned when the last part is loaded into the DES or RSA new master key register, if the complete master key is weak. See Key strength and wrapping of key for more information. | 0333 | DD, SC |
Prohibit weak wrapping – Transport keys | All services that wrap or import keys. Both symmetric and asymmetric keys are affected. | When enabled, an error return code will be returned when attempting to wrap a stronger key with a weaker key-encrypting key. See Key strength and wrapping of key for more information. | 0328 | DD, SC |
Symmetric Key Token Change – RTCMK | Services that use symmetric key tokens | When enabled, this control allows symmetric key tokens under the old master key to be reenciphered under the current master key. These reenciphered tokens are returned from all callable services that use symmetric tokens. | 0090 | AE |
Symmetric Key Token Change2 – RTCMK | Services that use the variable-length symmetric key tokens | When enabled, this control allows symmetric key tokens under the old master key to be reenciphered under the current master key. These reenciphered tokens are returned from all callable services that use symmetric tokens. | 00F1 | AE |
Symmetric token wrapping - internal enhanced method | Services that wrap internal symmetric key tokens | When enabled, this control allows ICSF to change the default wrapping setting for all generated or imported keys to be the enhanced method. The default wrapping can be overridden by rule array keywords for certain services. See Key strength and wrapping of key for more information. | 0139 | AE |
Symmetric token wrapping - internal original method | Services that wrap internal symmetric key tokens | When enabled, this control allows ICSF to change the default wrapping setting for all generated or imported keys to be the original method. The default wrapping can be overridden by rule array keywords for certain services. See Key strength and wrapping of key for more information. | 013A | AE |
Symmetric token wrapping - external enhanced method | Services that wrap external symmetric key tokens | When enabled, this control allows ICSF to change the default wrapping setting for all generated or exported keys to be the enhanced method. The default wrapping can be overridden by rule array keywords for certain services. See Key strength and wrapping of key for more information. | 013B | AE |
Symmetric token wrapping - external original method | Services that wrap external symmetric key tokens | When enabled, this control allows ICSF to change the default wrapping setting for all generated or exported keys to be the original method. The default wrapping can be overridden by rule array keywords for certain services. See Key strength and wrapping of key for more information. | 013C | AE |
Warn when weak wrap – Master keys | All services that wrap or import keys. Both symmetric and asymmetric keys are affected. | When enabled, an informational return code will be returned when attempting to wrap a stronger key with a master key that is weaker. Also, a warning return code will be returned when the last part is loaded into the DES or RSA new master key register, if the master key is weak. See Key strength and wrapping of key for more information. | 0332 | DD, SC |
Warn when weak wrap – Transport keys | All services that wrap or import keys. Both symmetric and asymmetric keys are affected. | When enabled, an informational return code will be returned when attempting to wrap a stronger key with a weaker key or when attempting to import a key token that has previously been wrapped with a weaker key, as indicated by its security history field. See Key strength and wrapping of key for more information. | 032C | DD, SC |
- The Allow weak DES wrap of RSA access control point is only checked if the Prohibit weak wrapping – Transport keys access control point is enabled.
- The ANSI X9.8 PIN - Allow modification of PAN and ANSI X9.8 PIN - Allow only ANSI PIN blocks access control points can only be enabled when the ANSI X9.8 PIN - Enforce PIN block restrictions access control point is enabled.
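The defaults in the Usage column and the two notes above can be checked mechanically. The following is an added example, not IBM or ICSF code: it audits a snapshot of a domain role against a few rows copied from the table. The snapshot format (hex offset mapped to enabled or disabled), the finding labels and all function names are assumptions made for illustration.

```python
# Added example: audit a domain-role snapshot against the ACP table above.
# Rows are copied from that table as "name | value (hex) | usage".
ACP_ROWS = """\
Allow weak DES wrap of RSA | 0331 | DD, SC
ANSI X9.8 PIN - Allow modification of PAN | 0351 | DD, SC
ANSI X9.8 PIN - Allow only ANSI PIN blocks | 0352 | DD, SC
ANSI X9.8 PIN - Enforce PIN block restrictions | 0350 | DD, SC
Authenticated Key Export - DRVTXKEY | 02F6 | AE
DATAM Key Management Control | 0275 | ED
NOCV KEK usage for export-related functions | 0300 | ED, SC
Prohibit weak wrapping – Transport keys | 0328 | DD, SC
"""

# From the notes under the table: dependent ACP -> ACP that must be enabled.
REQUIRES = {"0351": "0350", "0352": "0350"}
# 0331 is only checked when 0328 is enabled, and then overrides it.
WEAK_RSA_WRAP, PROHIBIT_WEAK_TRANSPORT = "0331", "0328"


def parse_rows(text):
    """Return {offset: (name, usage_flags)} from 'name | hex | usage' rows."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, offset, usage = (field.strip() for field in line.split("|"))
        int(offset, 16)  # raises ValueError on a malformed offset
        table[offset.upper()] = (name, {f.strip() for f in usage.split(",")})
    return table


def default_role(table):
    """State of a new or zeroized domain: AE and ED enabled, DD disabled."""
    return {off: bool(flags & {"AE", "ED"}) for off, (_, flags) in table.items()}


def audit(role, table):
    """Compare a role snapshot (hypothetical format: offset -> bool) to the table."""
    findings = []
    defaults = default_role(table)
    for offset in sorted(table):
        name, flags = table[offset]
        if offset not in role:
            # e.g. an ACP added by firmware that was never enabled through TKE
            findings.append(("MISSING", offset, f"{name}: not in snapshot"))
        elif "AE" in flags and not role[offset]:
            findings.append(("INVALID", offset, f"{name}: AE cannot be disabled"))
        elif role[offset] != defaults[offset]:
            kind = "REVIEW" if "SC" in flags else "CHANGED"
            state = "enabled" if role[offset] else "disabled"
            findings.append((kind, offset, f"{name}: {state}, not the default"))
    for dependent, prereq in sorted(REQUIRES.items()):
        if role.get(dependent) and not role.get(prereq):
            findings.append(("DEPENDENCY", dependent,
                             f"{table[dependent][0]} needs {prereq} enabled"))
    if role.get(WEAK_RSA_WRAP):
        if role.get(PROHIBIT_WEAK_TRANSPORT):
            findings.append(("OVERRIDE", WEAK_RSA_WRAP,
                             "weak DES wrap of RSA overrides 0328"))
        else:
            findings.append(("NO_EFFECT", WEAK_RSA_WRAP,
                             "0331 is only checked when 0328 is enabled"))
    return findings


TABLE = parse_rows(ACP_ROWS)

# Constructed snapshot for illustration; 0275 is deliberately absent.
SAMPLE_ROLE = {
    "0331": True, "0328": True,      # override of the weak-wrap prohibition
    "0351": True, "0350": False,     # dependent enabled without its prerequisite
    "0352": False, "02F6": True,
    "0300": False,                   # ED, SC control switched off
}

if __name__ == "__main__":
    for kind, offset, message in audit(SAMPLE_ROLE, TABLE):
        print(f"{kind:<10} {offset}  {message}")
```

A snapshot that matches the defaults of a new or zeroized domain produces no findings, so every line of output is a deliberate change, a gap, or an inconsistency to explain.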
The following table lists access control points that affect the specific services indicated in the access control point name. The usage of each access control point is described in the Usage Notes section of the callable service description.
Name | Callable service | Value (Hex) | Usage |
---|---|---|---|
Authentication Parameter Generate | CSNBAPG / CSNEAPG | 02B1 | ED |
Authentication Parameter Generate - Clear | CSNBAPG / CSNEAPG | 02B2 | DD |
Cipher Text Translate2 | CSNBCTT2 / CSNECTT2, CSNBCTT3 / CSNECTT3 | 01C0 | ED |
Cipher Text Translate2 – Allow only cipher text translate types | CSNBCTT2 / CSNECTT2, CSNBCTT3 / CSNECTT3 | 01C4 | DD |
Cipher Text Translate2 – Allow translate from AES to TDES | CSNBCTT2 / CSNECTT2, CSNBCTT3 / CSNECTT3 | 01C1 | ED |
Cipher Text Translate2 – Allow translate to weaker AES | CSNBCTT2 / CSNECTT2, CSNBCTT3 / CSNECTT3 | 01C2 | ED |
Cipher Text Translate2 – Allow translate to weaker DES | CSNBCTT2 / CSNECTT2, CSNBCTT3 / CSNECTT3 | 01C3 | ED |
Clear Key Import / Multiple Clear Key Import - DES | CSNBCKI / CSNECKI, CSNBCKM / CSNECKM | 00C3 | ED |
Clear PIN Encrypt | CSNBCPE / CSNECPE | 00AF | ED |
Clear PIN Generate - 3624 | CSNBPGN / CSNEPGN | 00A0 | ED |
Clear Pin Generate Alternate - 3624 Offset | CSNBCPA / CSNECPA | 00A4 | ED |
Clear PIN Generate Alternate - VISA PVV | CSNBCPA / CSNECPA | 00BB | ED |
Clear PIN Generate - GBP | CSNBPGN / CSNEPGN | 00A1 | ED |
Clear PIN Generate - Interbank | CSNBPGN / CSNEPGN | 00A3 | ED |
Clear PIN Generate - VISA PVV | CSNBPGN / CSNEPGN | 00A2 | ED |
Control Vector Translate | CSNBCVT / CSNECVT | 00D6 | ED |
Cryptographic Variable Encipher | CSNBCVE / CSNECVE | 00DA | ED |
CVV Key Combine | CSNBCKC / CSNECKC | 0155 | ED |
CVV Key Combine - Allow wrapping override keywords | CSNBCKC / CSNECKC | 0156 | ED |
CVV Key Combine - Permit mixed key types | CSNBCKC / CSNECKC | 0157 | ED |
Data Key Export | CSNBDKX / CSNEDKX | 010A | ED |
Data Key Export - Unrestricted | CSNBDKX / CSNEDKX | 0277 | ED |
Data Key Import | CSNBDKM / CSNEDKM | 0109 | ED |
Data Key Import - Unrestricted | CSNBDKM / CSNEDKM | 027C | ED |
Decipher - DES | CSNBDEC / CSNEDEC, CSNBEVF / CSNEEVF | 000F | ED |
Digital Signature Generate | CSNDDSG / CSNFDSG | 0100 | ED |
Digital Signature Generate – PKCS-PSS allow small salt | CSNDDSG / CSNFDSG | 033C | DD |
Digital Signature Generate - ZERO-PAD restriction lifted | CSNDDSG / CSNFDSG | 030C | DD |
Digital Signature Verify | CSNDDSV / CSNFDSV | 0101 | ED |
Digital Signature Verify – PKCS-PSS allow not exact salt length | CSNDDSV / CSNFDSV | 033B | DD |
Diversified Key Generate2 - Allow length option with KDFFM-DK | CSNBDKG2 / CSNEDKG2 | 02D4 | DD |
Diversified Key Generate2 - DALL | CSNBDKG2 / CSNEDKG2 | 02CD | DD, SC |
Diversified Key Generate2 – KDFFM-DK | CSNBDKG2 / CSNEDKG2 | 02D3 | ED |
Diversified Key Generate2 - MK-OPTC | CSNBDKG2 / CSNEDKG2 | 02D2 | ED |
Diversified Key Generate2 – SESS-ENC | CSNBDKG2 / CSNEDKG2 | 02CC | ED |
Diversified Key Generate - Allow wrapping override keywords | CSNBDKG / CSNEDKG | 013D | ED |
Diversified Key Generate - CLR8–ENC | CSNBDKG / CSNEDKG | 0040 | ED |
Diversified Key Generate - DKYGENKY - DALL | CSNBDKG / CSNEDKG, CSNBPCU / CSNEPCU | 0290 | DD, SC |
Diversified Key Generate - SESS-XOR | CSNBDKG / CSNEDKG, CSNBESC / CSNEESC, CSNBEVF / CSNEEVF | 0043 | ED |
Diversified Key Generate - single length or same halves | CSNBDKG / CSNEDKG | 0044 | ED |
Diversified Key Generate - TDES-CBC | CSNBDKG / CSNEDKG | 02B8 | ED |
Diversified Key Generate - TDES-DEC | CSNBDKG / CSNEDKG | 0042 | ED |
Diversified Key Generate - TDESEMV2/TDESEMV4 | CSNBDCM / CSNEDCM, CSNBDKG / CSNEDKG, CSNBDSK / CSNEDSK, CSNBEAC / CSNEEAC, CSNBESC / CSNEESC, CSNBEVF / CSNEEVF | 0046 | ED |
Diversified Key Generate - TDES-ENC | CSNBDCM / CSNEDCM, CSNBDKG / CSNEDKG, CSNBDSK / CSNEDSK, CSNBEAC / CSNEEAC, CSNBESC / CSNEESC, CSNBEVF / CSNEEVF | 0041 | ED |
Diversified Key Generate - TDES-XOR | CSNBDCM / CSNEDCM, CSNBDKG / CSNEDKG, CSNBDSK / CSNEDSK, CSNBEAC / CSNEEAC, CSNBESC / CSNEESC | 0045 | ED |
Diversify Directed Key | CSNBDDK / CSNEDDK | 0080 | DD |
Diversify Directed Key – Allow KDFFM DERIVE | CSNBDDK / CSNEDDK | 0081 | DD |
Diversify Directed Key – Allow KDFFM GENERATE | CSNBDDK / CSNEDDK | 0082 | DD |
DK Deterministic PIN Generate | CSNBDDPG / CSNEDDPG | 02C6 | DD |
DK Migrate PIN | CSNBDMP / CSNEDMP | 02CE | DD |
DK PAN Modify in Transaction | CSNBDPMT / CSNEDPMT | 02C5 | DD |
DK PAN Translate | CSNBDPT / CSNEDPT | 02C7 | DD |
DK PIN Change | CSNBDPC / CSNEDPC | 02C2 | DD |
DK PIN Verify | CSNBDPV / CSNEDPV | 02C1 | DD |
DK PRW Card Number Update | CSNBDPNU / CSNEDPNU | 02C3 | DD |
DK PRW Card Number Update2 | CSNBDCU2 / CSNEDCU2 | 0025 | DD |
DK PRW CMAC Generate | CSNBDPCG / CSNBPCG | 02C4 | DD |
DK Random PIN Generate | CSNBDRPG / CSNEDRPG | 02C0 | DD |
DK Random PIN Generate2 | CSNBDRG2 / CSNEDRG2 | 0024 | DD |
DK Regenerate PRW | CSNBDRP / CSNEDRP | 02C8 | DD |
ECC Diffie-Hellman | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0360 | ED |
ECC Diffie-Hellman – Allow BP Curve 160 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0368 | ED |
ECC Diffie-Hellman – Allow BP Curve 192 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0369 | ED |
ECC Diffie-Hellman – Allow BP Curve 224 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 036A | ED |
ECC Diffie-Hellman – Allow BP Curve 256 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 036B | ED |
ECC Diffie-Hellman – Allow BP Curve 320 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 036C | ED |
ECC Diffie-Hellman – Allow BP Curve 384 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 036D | ED |
ECC Diffie-Hellman – Allow BP Curve 512 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 036E | ED |
ECC Diffie-Hellman – Allow DERIV02 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 035F | ED |
ECC Diffie-Hellman – Allow key wrap override | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0362 | ED |
ECC Diffie-Hellman – Allow PASSTHRU | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0361 | ED |
ECC Diffie-Hellman – Allow Prime Curve 192 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0363 | ED |
ECC Diffie-Hellman – Allow Prime Curve 224 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0364 | ED |
ECC Diffie-Hellman – Allow Prime Curve 256 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0365 | ED |
ECC Diffie-Hellman – Allow Prime Curve 384 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0366 | ED |
ECC Diffie-Hellman – Allow Prime Curve 521 | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 0367 | ED |
ECC Diffie-Hellman – Prohibit weak key generate | CSFPDVK / CSFPDVK6, CSNDEDH / CSNFEDH | 036F | DD, SC |
Encipher - DES | CSNBENC / CSNEENC, CSNBESC / CSNEESC, CSNBEVF / CSNEEVF | 000E | ED |
Encrypted PIN Generate - 3624 | CSNBEPG / CSNEEPG | 00B0 | ED |
Encrypted PIN Generate - GBP | CSNBEPG / CSNEEPG | 00B1 | ED |
Encrypted PIN Generate - Interbank | CSNBEPG / CSNEEPG | 00B2 | ED |
Encrypted PIN Translate2 – Permit ISO-0 to ISO-4 Reformat | CSNBPTR2 / CSNEPTR2 | 038E | ED |
Encrypted PIN Translate2 – Permit ISO-1 to ISO-4 Reformat | CSNBPTR2 / CSNEPTR2 | 038C | ED |
Encrypted PIN Translate2 – Permit ISO-1 to ISO-4 RFMT1TO4 | CSNBPTR2 / CSNEPTR2 | 0393 | DD |
Encrypted PIN Translate2 – Permit ISO-4 Reformat w/ PAN Chg | CSNBPTR2 / CSNEPTR2 | 038B | DD |
Encrypted PIN Translate2 – Permit ISO-4 to ISO-0 Reformat | CSNBPTR2 / CSNEPTR2 | 038F | ED |
Encrypted PIN Translate2 – Permit ISO-4 to ISO-1 Reformat | CSNBPTR2 / CSNEPTR2 | 038D | ED |
Encrypted PIN Translate2 – Permit ISO-4 to ISO-1 RFMT4TO1 | CSNBPTR2 / CSNEPTR2 | 0394 | DD |
Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 PTR2AUTH | CSNBPTR2 / CSNEPTR2 | 0395 | DD |
Encrypted PIN Translate2 – Permit ISO-4 to ISO-4 Translate | CSNBPTR2 / CSNEPTR2 | 038A | ED |
Encrypted PIN Translate2 – REFORMAT | CSNBPTR2 / CSNEPTR2 | 0391 | ED |
Encrypted PIN Translate2 – TRANSLAT | CSNBPTR2 / CSNEPTR2 | 0392 | ED |
Encrypted PIN Translate Enhanced | CSNBPTRE / CSNEPTRE | 02D5 | ED |
Encrypted PIN Translate - Reformat | CSNBPTR / CSNEPTR, CSNBPTRE / CSNEPTRE, CSNBPTR2 / CSNEPTR2 | 00B7 | ED |
Encrypted PIN Translate - Translate | CSNBPTR / CSNEPTR | 00B3 | ED |
Encrypted PIN Verify - 3624 | CSNBPVR / CSNEPVR | 00AB | ED |
Encrypted PIN Verify - GBP | CSNBPVR / CSNEPVR | 00AC | ED |
Encrypted PIN Verify - Interbank | CSNBPVR / CSNEPVR | 00AE | ED |
Encrypted PIN Verify - VISA PVV | CSNBPVR / CSNEPVR | 00AD | ED |
FPE Decrypt | CSNBFPED / CSNEFPED | 02D0 | ED |
FPE Encrypt | CSNBFPEE / CSNEFPEE | 02CF | ED |
FPE Translate | CSNBFPET / CSNEFPET | 02D1 | ED |
HMAC Generate – SHA-1 | CSNBHMG / CSNEHMG, CSNBHMG1 / CSNEHMG1, CSNBMGN2 / CSNEMGN2, CSNBMGN3 / CSNEMGN3 | 00E4 | ED |
HMAC Generate – SHA-224 | CSNBHMG / CSNEHMG, CSNBHMG1 / CSNEHMG1, CSNBMGN2 / CSNEMGN2, CSNBMGN3 / CSNEMGN3 | 00E5 | ED |
HMAC Generate – SHA-256 | CSNBHMG / CSNEHMG, CSNBHMG1 / CSNEHMG1, CSNBMGN2 / CSNEMGN2, CSNBMGN3 / CSNEMGN3 | 00E6 | ED |
HMAC Generate – SHA-384 | CSNBHMG / CSNEHMG, CSNBHMG1 / CSNEHMG1, CSNBMGN2 / CSNEMGN2, CSNBMGN3 / CSNEMGN3 | 00E7 | ED |
HMAC Generate – SHA-512 | CSNBHMG / CSNEHMG, CSNBHMG1 / CSNEHMG1, CSNBMGN2 / CSNEMGN2, CSNBMGN3 / CSNEMGN3 | 00E8 | ED |
HMAC Verify – SHA-1 | CSNBHMV / CSNEHMV, CSNBHMV1 / CSNEHMV1, CSNBMVR2 / CSNEMVR2, CSNBMVR3 / CSNEMVR3 | 00F7 | ED |
HMAC Verify – SHA-224 | CSNBHMV / CSNEHMV, CSNBHMV1 / CSNEHMV1, CSNBMVR2 / CSNEMVR2, CSNBMVR3 / CSNEMVR3 | 00F8 | ED |
HMAC Verify – SHA-256 | CSNBHMV / CSNEHMV, CSNBHMV1 / CSNEHMV1, CSNBMVR2 / CSNEMVR2, CSNBMVR3 / CSNEMVR3 | 00F9 | ED |
HMAC Verify – SHA-384 | CSNBHMV / CSNEHMV, CSNBHMV1 / CSNEHMV1, CSNBMVR2 / CSNEMVR2, CSNBMVR3 / CSNEMVR3 | 00FA | ED |
HMAC Verify – SHA-512 | CSNBHMV / CSNEHMV, CSNBHMV1 / CSNEHMV1, CSNBMVR2 / CSNEMVR2, CSNBMVR3 / CSNEMVR3 | 00FB | ED |
Key Encryption Translate – CBC to ECB | CSNBKET / CSNEKET | 030D | DD, ED - March 2016 or later licensed internal code (LIC) on z13 and above processors. |
Key Encryption Translate – ECB to CBC | CSNBKET / CSNEKET | 030E | DD, ED - March 2016 or later licensed internal code (LIC) on z13 and above processors. |
Key Export | CSNBKEX / CSNEKEX | 0013 | ED |
Key Export - Unrestricted | CSNBKEX / CSNEKEX | 0276 | ED |
Key Generate2 – DK PIN admin1 key MAC | CSNBKGN2 / CSNEKGN2 | 02BE | DD |
Key Generate2 – DK PIN admin1 key PINPROT | CSNBKGN2 / CSNEKGN2 | 02BD | DD |
Key Generate2 – DK PIN admin2 key MAC | CSNBKGN2 / CSNEKGN2 | 02BF | DD |
Key Generate2 – DK PIN key set | CSNBKGN2 / CSNEKGN2 | 02BB | DD |
Key Generate2 – DK PIN print key | CSNBKGN2 / CSNEKGN2 | 02BC | DD |
Key Generate2 – Key set | CSNBKGN2 / CSNEKGN2 | 00EB | ED |
Key Generate2 – Key set extended | CSNBKGN2 / CSNEKGN2 | 00EC | ED |
Key Generate2 – OP | CSNBKGN2 / CSNEKGN2 | 00EA | ED |
Key Generate – Key set | CSNBKGN / CSNEKGN | 008C | ED |
Key Generate – Key set extended | CSNBKGN / CSNEKGN | 00D7 | ED |
Key Generate – OP | CSNBGIM / CSNEGIM, CSNBKGN / CSNEKGN, CSNBRNG / CSNERNG | 008E | ED |
Key Generate - SINGLE-R | CSNBKGN / CSNEKGN, CSNDRKX / CSNFRKX | 00DB | ED |
Key Import | CSNBKIM / CSNEKIM | 0012 | ED |
Key Import - Unrestricted | CSNBKIM / CSNEKIM | 027B | ED |
Key Part Import2 - Add last required key part | CSNBKPI2 / CSNEKPI2 | 029B | ED |
Key Part Import2 - Add optional key part | CSNBKPI2 / CSNEKPI2 | 029C | ED |
Key Part Import2 - Add second of 3 or more key parts | CSNBKPI2 / CSNEKPI2 | 029A | ED |
Key Part Import2 – Complete key | CSNBKPI2 / CSNEKPI2 | 029D | ED |
Key Part Import2 - Load first key part, require 1 key parts | CSNBKPI2 / CSNEKPI2 | 0299 | ED |
Key Part Import2 – Load first key part, require 2 key parts | CSNBKPI2 / CSNEKPI2 | 0298 | ED |
Key Part Import2 – Load first key part, require 3 key parts | CSNBKPI2 / CSNEKPI2 | 0297 | ED |
Key Part Import - ADD-PART | CSNBKPI / CSNEKPI | 0278 | ED |
Key Part Import - Allow wrapping override keywords | CSNBKPI / CSNEKPI | 0140 | ED |
Key Part Import - COMPLETE | CSNBKPI / CSNEKPI | 0279 | ED |
Key Part Import - First key part | CSNBKPI / CSNEKPI | 001B | ED |
Key Part Import - Middle and Final | CSNBKPI / CSNEKPI | 001C | ED |
Key Part Import - Unrestricted | CSNBKPI / CSNEKPI | 027A | ED |
Key Test2 – AES, ENC-ZERO | CSNBKYT2 / CSNEKYT2 | 0021 | ED |
Key Test2 – AES, CMACZERO | CSNBKYT2 / CSNEKYT2 | 0022 | ED |
Key Test2 – DES, CMACZERO | CSNBKYT2 / CSNEKYT2 | 0023 | ED |
Key Test and Key Test2 | CSNBKYT / CSNEKYT, CSNBKYT2 / CSNEKYT2, CSNBKYTX / CSNEKYTX | 001D | AE |
Key Test - For encrypted DES keys, warn when keyword inconsistent with DES key length | CSNBKYT / CSNEKYT, CSNBKYTX / CSNEKYTX | 01CB | DD |
Key Translate | CSNBKTR / CSNEKTR | 001F | ED |
Key Translate2 | CSNBKTR2 / CSNEKTR2 | 0149 | ED |
Key Translate2 - Allow use of REFORMAT | CSNBKTR2 / CSNEKTR2 | 014B | ED |
Key Translate2 - Allow wrapping override keywords | CSNBKTR2 / CSNEKTR2 | 014A | ED |
Key Translate2 - COMP-CHK | CSNBKTR2/CSNEKTR2 | 02F8 | ED |
Key Translate2 - COMP-TAG | CSNBKTR2/CSNEKTR2 | 02F9 | ED |
Key Translate2 - Disallow AES ver 5 to ver 4 conversion | CSNBKTR2 / CSNEKTR2 | 032A | DD |
Key Translate2 – Translate fixed to variable payload | CSNBKTR2 / CSNEKTR2 | 0334 | DD, SC |
MAC Generate | CSNBEAC / CSNEEAC, CSNBESC / CSNEESC, CSNBMGN / CSNEMGN | 0010 | ED |
MAC Generate2 – AES CMAC | CSNBMGN2 / CSNEMGN2 / CSNBMGN3 / CSNEMGN3 | 0336 | ED |
MAC Verify | CSNBEAC / CSNEEAC, CSNBMVR / CSNEMVR | 0011 | ED |
MAC Verify2 – AES CMAC | CSNBMVR2 / CSNEMVR2 / CSNBMVR3 / CSNEMVR3 | 0337 | ED |
Multiple Clear Key Import / Multiple Secure Key Import - AES | CSNBCKM / CSNECKM, CSNBSKM / CSNESKM | 0129 | ED |
Multiple Clear Key Import - Allow wrapping override keywords | CSNBCKM / CSNECKM | 0141 | ED |
Multiple Secure Key Import - Allow wrapping override keywords | CSNBSKM / CSNESKM | 0142 | ED |
Operational Key Load | CSNBOKL / CSNEOKL | 0309 | ED |
Operational Key Load - Variable-Length Tokens | CSNBOKL / CSNEOKL | 029E | ED |
Permit X.509 without PKI root validation | CSNDDSV / CSNFDSV, CSNDPKE / CSNFPKE, CSNDSYX / CSNFSYX, CSNDSYG / CSNFSYG, CSNDT34B / CSNFT34B, CSNDT34C / CSNFT34C, CSNDT34D / CSNFT34D, CSNDT34R / CSNFT34R | 01FF | ED |
PIN Change/Unblock - change EMV PIN with IPINENC | CSNBESC / CSNEESC, CSNBPCU / CSNEPCU | 00BD | ED |
PIN Change/Unblock - change EMV PIN with OPINENC | CSNBESC / CSNEESC, CSNBPCU / CSNEPCU | 00BC | ED |
PKA Decrypt | CSNDPKD / CSNFPKD | 011F | ED |
PKA Decrypt – Disallow PKCS-1.2 | CSNDPKD / CSNFPKD | 020A | DD |
PKA Decrypt – Disallow PKCSOAEP | CSNDPKD / CSNFPKD | 020C | DD |
PKA Decrypt - Disallow ZEROPAD | CSNDPKD / CSNFPKD | 020B | DD |
PKA Encrypt | CSNDPKE / CSNFPKE | 011E | ED |
PKA Encrypt – Disallow MRP | CSNDPKE / CSNFPKE | 0208 | DD |
PKA Encrypt – Disallow PKCS-1.2 | CSNDPKE / CSNFPKE | 0206 | DD |
PKA Encrypt – Disallow PKCSOAEP | CSNDPKE / CSNFPKE | 0209 | DD |
PKA Encrypt – Disallow ZEROPAD | CSNDPKE / CSNFPKE | 0207 | DD |
PKA Key Generate | CSNDPKG / CSNFPKG | 0103 | ED |
PKA Key Generate – Clear ECC keys | CSNDPKG / CSNFPKG | 0326 | ED |
PKA Key Generate – Clear RSA keys | CSNDPKG / CSNFPKG | 0205 | ED |
PKA Key Generate - Clone | CSNDPKG / CSNFPKG | 0204 | ED |
PKA Key Generate - Permit Regeneration Data | CSNDPKG / CSNFPKG | 027D | ED |
PKA Key Generate - Permit Regeneration Data Retain | CSNDPKG / CSNFPKG | 027E | ED |
PKA Key Import | CSNDPKI / CSNFPKI | 0104 | ED |
PKA Key Import – Disallow clear key import | CSNDPKI / CSNFPKI | 003A | DD, SC |
PKA Key Import - Import an external trusted block | CSNDPKI / CSNFPKI | 0311 | ED |
PKA Key Token Change RTCMK | CSNDKTC / CSNFKTC | 0102 | ED |
PKA Key Translate – allow COMP-CHK | CSNDPKT / CSNFPKT | 01EF | ED |
PKA Key Translate – allow COMP-TAG | CSNDPKT / CSNFPKT | 01EE | ED |
PKA Key Translate – allow INTUSCHG | CSNDPKT / CSNFPKT | 02EE | ED |
PKA Key Translate - from CCA RSA CRT to EMVCRT format | CSNDPKT / CSNFPKT | 033A | ED |
PKA Key Translate - from CCA RSA CRT to EMVDDAE format | CSNDPKT / CSNFPKT | 0339 | ED |
PKA Key Translate - from CCA RSA CRT to EMVDDA format | CSNDPKT / CSNFPKT | 0338 | ED |
PKA Key Translate - from CCA RSA to SC CRT format | CSNDPKT / CSNFPKT | 031A | ED |
PKA Key Translate - from CCA RSA to SC ME format | CSNDPKT / CSNFPKT | 0319 | ED |
PKA Key Translate - from CCA RSA to SC Visa format | CSNDPKT / CSNFPKT | 0318 | ED |
PKA Key Translate - from source EXP KEK to target EXP KEK | CSNDPKT / CSNFPKT | 031B | ED |
PKA Key Translate - from source IMP KEK to target EXP KEK | CSNDPKT / CSNFPKT | 031C | ED |
PKA Key Translate - from source IMP KEK to target IMP KEK | CSNDPKT / CSNFPKT | 031D | ED |
PKA Key Translate – Translate external key token | CSNDPKT / CSNFPKT | 00FF | ED |
PKA Key Translate – Translate internal key token | CSNDPKT / CSNFPKT | 00FE | ED |
Prohibit Export | CSNBPEX / CSNEPEX | 00CD | ED |
Prohibit Export Extended | CSNBPEXX /CSNEPEXX | 0301 | ED |
Public Infrastructure Certificate | CSNDPIC/CSNFPIC | 0070 | ED |
Public Infrastructure Certificate - PK10SNRQ | CSNDPIC/CSNFPIC | 007C | ED |
Recover PIN From Offset | CSNBPFO / CSNEPFO | 02B0 | ED |
Remote Key Export - Allow wrapping override keywords | CSNDRKX / CSNFRKX | 02BA | DD |
Remote Key Export - Gen or export a non-CCA node key | CSNDRKX / CSNFRKX | 0312 | ED |
Remote Key Export - include RKX in default wrap config | CSNDRKX / CSNFRKX | 013F | DD |
Restrict Key Attribute – Export Control | CSNBRKA / CSNERKA | 00E9 | ED |
Restrict Key Attribute - Permit setting the TR-31 export bit | CSNBRKA / CSNERKA | 0154 | ED |
Retained Key Delete | CSNDRKD / CSNFRKD | 0203 | ED |
Retained Key List | CSNDRKL / CSNFRKL | 0230 | ED |
Secure Key Import2 - IM | CSNBSKI2 / CSNESKI2 | 00F3 | ED |
Secure Key Import2 - OP | CSNBSKI2 / CSNESKI2 | 00F2 | ED |
Secure Key Import – DES, IM | CSNBSKI / CSNESKI, CSNBSKM / CSNESKM | 00DC | ED |
Secure Key Import – DES, OP | CSNBSKI / CSNESKI, CSNBSKM / CSNESKM | 00C4 | ED |
Secure Messaging for Keys | CSNBSKY / CSNESKY | 0273 | ED |
Secure Messaging for PINs | CSNBESC / CSNEESC, CSNBSPN / CSNESPN | 0274 | ED |
SET Block Compose | CSNDSBC / CSNFSBC | 010B | ED |
SET Block Decompose | CSNDSBD / CSNFSBD | 010C | ED |
SET Block Decompose - PIN ext IPINENC | CSNDSBD / CSNFSBD | 0121 | ED |
SET Block Decompose - PIN ext OPINENC | CSNDSBD / CSNFSBD | 0122 | ED |
Symmetric Algorithm Decipher – GCM/Counter mode AES | CSNBSAD / CSNESAD, CSNBSAD1 / CSNESAD1 | 01CE | ED |
Symmetric Algorithm Decipher - Secure AES keys | CSNBSAD / CSNESAD, CSNBSAD1 / CSNESAD1 | 012B | ED |
Symmetric Algorithm Encipher – GCM/Counter mode AES | CSNBSAE / CSNESAE, CSNBSAE1 / CSNESAE1 | 01CD | ED |
Symmetric Algorithm Encipher - Secure AES keys | CSNBSAE / CSNESAE, CSNBSAE1 / CSNESAE1 | 012A | ED |
Symmetric Key Export - AES, PKCSOAEP, PKCS-1.2 | CSNDSYX / CSNFSYX, CSNDSXD / CSNFSXD | 0130 | ED |
Symmetric Key Export - AES, PKOAEP2 | CSNDSYX / CSNFSYX | 00FC | ED |
Symmetric Key Export - AES, ZERO-PAD | CSNDSYX / CSNFSYX | 0131 | ED |
Symmetric Key Export - AESKW | CSNDSYX / CSNFSYX | 0327 | ED |
Symmetric Key Export - AESKWCV | CSNDSYX / CSNFSYX | 02B3 | ED |
Symmetric Key Export - DES, PKCS-1.2 | CSNDSYX / CSNFSYX, CSNDSXD / CSNFSXD | 0105 | ED |
Symmetric Key Export - DES, ZERO-PAD | CSNDSYX / CSNFSYX | 023E | ED |
Symmetric Key Export – HMAC,PKOAEP2 | CSNDSYX / CSNFSYX | 00F5 | ED |
Symmetric Key Export with Data | CSNDSXD / CSNFSXD | 02B5 | DD |
Symmetric Key Export with Data - Special | CSNDSXD / CSNFSXD | 02B6 | DD |
Symmetric Key Generate - AES, PKCSOAEP, PKCS-1.2 | CSNDSYG / CSNFSYG | 012C | ED |
Symmetric Key Generate - AES, ZERO-PAD | CSNDSYG / CSNFSYG | 012D | ED |
Symmetric Key Generate - Allow wrapping override keywords | CSNDSYG / CSNFSYG | 013E | ED |
Symmetric Key Generate - DES, PKA92 | CSNDSYG / CSNFSYG | 010D | ED |
Symmetric Key Generate - DES, PKCS-1.2 | CSNDSYG / CSNFSYG | 023F | ED |
Symmetric Key Generate - DES, ZERO-PAD | CSNDSYG / CSNFSYG | 023C | ED |
Symmetric Key Import2 – AES,PKOAEP2 | CSNDSYI2 / CSNFSYI2 | 00FD | ED |
Symmetric Key Import2 - AESKW | CSNDSYI2 / CSNFSYI2 | 0329 | ED |
Symmetric Key Import2 - AESKWCV | CSNDSYI2 / CSNFSYI2 | 02B4 | ED |
Symmetric Key Import2 - Allow wrapping override keywords | CSNDSYI2 / CSNFSYI2 | 02B9 | ED |
Symmetric Key Import2 - disallow weak import | CSNDSYI / CSNFSYI, CSNDSYI2 / CSNFSYI2, CSNBUKD / CSNEUKD | 032B | DD, SC |
Symmetric Key Import2 – HMAC,PKOAEP2 | CSNDSYI2 / CSNFSYI2 | 00F4 | ED |
Symmetric Key Import - AES, PKCSOAEP, PKCS-1.2 | CSNDSYI / CSNFSYI | 012E | ED |
Symmetric Key Import - AES, ZERO-PAD | CSNDSYI / CSNFSYI | 012F | ED |
Symmetric Key Import - Allow wrapping override keywords | CSNDSYI / CSNFSYI | 0144 | ED |
Symmetric Key Import - DES, PKA92 KEK | CSNDSYI / CSNFSYI | 0235 | ED |
Symmetric Key Import - DES, PKCS-1.2 | CSNDSYI / CSNFSYI | 0106 | ED |
Symmetric Key Import - DES, ZERO-PAD | CSNDSYI / CSNFSYI | 023D | ED |
T31I - Permit AES K1/K4:D to AES IMPORTER:IMPTT31D+ VARDRV-D | CSNBT31I / CSNET31I | 01E6 | ED |
T31I – Permit C0:G/C/V to MAC/MACVER:AMEX-CSC | CSNBT31I / CSNET31I | 015B | DD |
T31I – Permit C0:G/C/V to MAC/MACVER:CVVKEY-A | CSNBT31I / CSNET31I | 015A | DD |
T31I - Permit D0:E/D/B to AES CIPHER:ENC/DEC/ENC+DEC | CSNBT31I / CSNET31I | 01E0 | ED |
T31I – Permit E0:N/X to DKYGENKY:DKYL0+DMAC | CSNBT31I / CSNET31I | 016D | DD |
T31I – Permit E0:N/X to DKYGENKY:DKYL0+DMV | CSNBT31I / CSNET31I | 016E | DD |
T31I – Permit E0:N/X to DKYGENKY:DKYL1+DMAC | CSNBT31I / CSNET31I | 016F | DD |
T31I – Permit E0:N/X to DKYGENKY:DKYL1+DMV | CSNBT31I / CSNET31I | 0170 | DD |
T31I - Permit E0:X to AES DKYGENKY:DKYL0/L1/L2+D-MAC+GEN+CMAC | CSNBT31I / CSNET31I | 01E7 | ED |
T31I – Permit E1:N/E/D/B/X to DKYGENKY:DKYL0+DDATA | CSNBT31I / CSNET31I | 0172 | DD |
T31I – Permit E1:N/E/D/B/X to DKYGENKY:DKYL0+DMPIN | CSNBT31I / CSNET31I | 0171 | DD |
T31I – Permit E1:N/E/D/B/X to DKYGENKY:DKYL1+DDATA | CSNBT31I / CSNET31I | 0174 | DD |
T31I – Permit E1:N/E/D/B/X to DKYGENKY:DKYL1+DMPIN | CSNBT31I / CSNET31I | 0173 | DD |
T31I - Permit E1:X to AES DKYGENKY:DKYL0/L1/L2+D-SECMSG+SMPIN | CSNBT31I / CSNET31I | 01E8 | ED |
T31I – Permit E2:N/X to DKYGENKY:DKYL0+DMAC | CSNBT31I / CSNET31I | 0175 | DD |
T31I – Permit E2:N/X to DKYGENKY:DKYL1+DMAC | CSNBT31I / CSNET31I | 0176 | DD |
T31I - Permit E2:X to AES DKYGENKY:DKYL0/L1/L2+D-MAC+GEN+CMAC | CSNBT31I / CSNET31I | 01E9 | ED |
T31I - Permit E3:E/B to AES CIPHER:ENCRYPT/ENC+DEC | CSNBT31I / CSNET31I | 01EB | ED |
T31I – Permit E3:N/E/D/B/G/X to ENCIPHER | CSNBT31I / CSNET31I | 0177 | DD |
T31I - Permit E3:X to AES DKYGENKY:D-CIPHER+ENC+DEC+CBC | CSNBT31I / CSNET31I | 01EA | ED |
T31I – Permit E4:N/B/X to DKYGENKY:DKYL0+DDATA | CSNBT31I / CSNET31I | 0178 | ED |
T31I - Permit E4:X to AES DKYGENKY:DKYL0/L1/L2+D-CIPHER+ENC+DEC | CSNBT31I / CSNET31I | 01EC | ED |
T31I – Permit E5:N/G/C/V/E/D/G/X to DKYGENKY:DKYL0+DDATA | CSNBT31I / CSNET31I | 017A | DD |
T31I – Permit E5:N/G/C/V/E/D/G/X to DKYGENKY:DKYL0+DEXP | CSNBT31I / CSNET31I | 017B | DD |
T31I – Permit E5:N/G/C/V/E/D/G/X to DKYGENKY:DKYL0+DMAC | CSNBT31I / CSNET31I | 0179 | DD |
T31I - Permit E5:X to AES DKYGENKY:DKYL0/L1/L2/D-MAC+GEN+CMAC | CSNBT31I / CSNET31I | 01ED | ED |
T31I – Permit K0:B to EXPORTER/OKEYXLAT | CSNBT31I / CSNET31I | 015D | DD |
T31I – Permit K0:B to IMPORTER/IKEYXLAT | CSNBT31I / CSNET31I | 015F | DD |
T31I - Permit K0:D to AES IMPORTER | CSNBT31I / CSNET31I | 01E4 | ED |
T31I – Permit K0:D to IMPORTER/IKEYXLAT | CSNBT31I / CSNET31I | 015E | DD |
T31I - Permit K0:E to AES EXPORTER | CSNBT31I / CSNET31I | 01E3 | ED |
T31I – Permit K0:E to EXPORTER/OKEYXLAT | CSNBT31I / CSNET31I | 015C | DD |
T31I – Permit K1/K4:B to EXPORTER/OKEYXLAT | CSNBT31I / CSNET31I | 0162 | DD |
T31I – Permit K1/K4:B to IMPORTER/IKEYXLAT | CSNBT31I / CSNET31I | 0163 | DD |
T31I – Permit K1/K4:D to IMPORTER/IKEYXLAT | CSNBT31I / CSNET31I | 0161 | DD |
T31I - Permit K1/K4:E to AES EXPORTER:EXPTT31D+ VARDRV-D | CSNBT31I / CSNET31I | 01E5 | ED |
T31I – Permit K1/K4:E to EXPORTER/OKEYXLAT | CSNBT31I / CSNET31I | 0160 | DD |
T31I – Permit M0/M1/M3:G/C/V to MAC/MACVER:ANY-MAC | CSNBT31I / CSNET31I | 0164 | ED |
T31I - Permit M6:G/C/V to AES MAC:CMAC+GENONLY/GEN/VER | CSNBT31I / CSNET31I | 01E1 | ED |
T31I – Permit override of default wrapping method | CSNBT31I / CSNET31I | 0153 | ED |
T31I – Permit P0:D to IPINENC | CSNBT31I / CSNET31I | 0166 | ED |
T31I - Permit P0:E/D to AES PINPROT:ENC/DEC+CBC+ISO-4 | CSNBT31I / CSNET31I | 01E2 | ED |
T31I – Permit P0:E to OPINENC | CSNBT31I / CSNET31I | 0165 | ED |
T31I – Permit V0:N/G/C to PINGEN:NO-SPEC | CSNBT31I / CSNET31I | 0167 | DD |
T31I – Permit V0:N/V to PINVER:NO-SPEC | CSNBT31I / CSNET31I | 0168 | DD |
T31I – Permit V0/V1/V2:N to PINGEN/PINVER | CSNBT31I / CSNET31I | 017C | DD |
T31I – Permit V1:N/G/C to PINGEN:IBM-PIN/IBM-PINO | CSNBT31I / CSNET31I | 0169 | ED |
T31I – Permit V1:N/V to PINVER:IBM-PIN/IBM-PINO | CSNBT31I / CSNET31I | 016A | ED |
T31I – Permit V2:N/G/C to PINGEN:VISA-PVV | CSNBT31I / CSNET31I | 016B | ED |
T31I – Permit V2:N/V to PINVER:VISA-PVV | CSNBT31I / CSNET31I | 016C | ED |
T31I – Permit version A TR-31 key blocks | CSNBT31I / CSNET31I | 0150 | ED |
T31I – Permit version B TR-31 key blocks | CSNBT31I / CSNET31I | 0151 | ED |
T31I – Permit version C TR-31 key blocks | CSNBT31I / CSNET31I | 0152 | ED |
T31I - Permit version D TR-31 key blocks | CSNBT31I / CSNET31I | 0386 | ED |
T31X - Permit AES CIPHER to D0:E/D/B | CSNBT31X / CSNET31X | 01D0 | ED |
T31X - Permit AES CIPHER to E3/E/B,DKYGENKY:D-ALL/DCIP to E3:X | CSNBT31X / CSNET31X | 01DC | ED |
T31X - Permit AES DKYGENKY:D-ALL/D-SECMSG to E1:X | CSNBT31X / CSNET31X | 01DA | ED |
T31X - Permit AES DKYGENKY:D-ALL/D-CIPHER to E4:X | CSNBT31X / CSNET31X | 01DD | ED |
T31X - Permit AES DKYGENKY:D-ALL/DMAC to E0:X | CSNBT31X / CSNET31X | 01D9 | ED |
T31X - Permit AES DKYGENKY:D-ALL/D-MAC to E2:X | CSNBT31X / CSNET31X | 01DB | ED |
T31X - Permit AES DKYGENKY:D-MAC to E5:X | CSNBT31X / CSNET31X | 01DE | ED |
T31X - Permit AES EXPORTER to K0:E | CSNBT31X / CSNET31X | 01D3 | ED |
T31X - Permit AES EXPORTER to K1:E | CSNBT31X / CSNET31X | 01D4 | ED |
T31X - Permit AES EXPORTER to K4:E | CSNBT31X / CSNET31X | 01D5 | ED |
T31X - Permit AES IMPORTER to K0:D | CSNBT31X / CSNET31X | 01D6 | ED |
T31X - Permit AES IMPORTER to K1:D | CSNBT31X / CSNET31X | 01D7 | ED |
T31X - Permit AES IMPORTER to K4:D | CSNBT31X / CSNET31X | 01D8 | ED |
T31X - Permit AES KDKGENKY: KDKTYPEA to 11:X | CSNBT31X / CSNET31X | 0383 | DD |
T31X - Permit AES KDKGENKY: KDKTYPEB to 10:X | CSNBT31X / CSNET31X | 0384 | DD |
T31X - Permit AES MAC: CMAC to M6:G/C/V | CSNBT31X / CSNET31X | 01D1 | ED |
T31X - Permit AES PINPROT to P0:E/D | CSNBT31X / CSNET31X | 01D2 | ED |
T31X – Permit any CCA key if INCL-CV is specified | CSNBT31X / CSNET31X | 0158 | ED |
T31X – Permit DES DATA/DATAM/DATAMV to C0:G/C/V | CSNBT31X / CSNET31X | 0184 | ED |
T31X – Permit DES DATA/MAC/CIPHER/ENCIPHER to E3:N/G/E/X | CSNBT31X / CSNET31X | 01A9 | DD |
T31X – Permit DES DATA to D0:E/D/B | CSNBT31X / CSNET31X | 0186 | ED |
T31X - Permit DES DKYGENKY: DKYL0:DMPIN to 12:X | CSNBT31X / CSNET31X | 0385 | DD |
T31X – Permit DES DKYGENKY:DKYL0+DALL to E0:N/X | CSNBT31X / CSNET31X | 019B | DD |
T31X – Permit DES DKYGENKY:DKYL0+DALL to E1:N/X | CSNBT31X / CSNET31X | 01A1 | DD |
T31X – Permit DES DKYGENKY:DKYL0+DALL to E2:N/X | CSNBT31X / CSNET31X | 01A6 | DD |
T31X – Permit DES DKYGENKY:DKYL0+DALL to E4:N/X | CSNBT31X / CSNET31X | 01AB | ED |
T31X – Permit DES DKYGENKY:DKYL0+DALL to E5:N/X | CSNBT31X / CSNET31X | 01AF | ED |
T31X – Permit DES DKYGENKY:DKYL0+DDATA to E1:N/X | CSNBT31X / CSNET31X | 019F | DD |
T31X – Permit DES DKYGENKY:DKYL0+DDATA to E4:N/X | CSNBT31X / CSNET31X | 01AA | ED |
T31X – Permit DES DKYGENKY:DKYL0+DDATA to E5:N/X | CSNBT31X / CSNET31X | 01AE | DD |
T31X – Permit DES DKYGENKY:DKYL0+DEXP to E5:N/X | CSNBT31X / CSNET31X | 01AC | DD |
T31X – Permit DES DKYGENKY:DKYL0+DMAC to E0:N/X | CSNBT31X / CSNET31X | 0199 | DD |
T31X – Permit DES DKYGENKY:DKYL0+DMAC to E2:N/X | CSNBT31X / CSNET31X | 01A5 | DD |
T31X – Permit DES DKYGENKY:DKYL0+DMAC to E5:N/X | CSNBT31X / CSNET31X | 01AD | DD |
T31X – Permit DES DKYGENKY:DKYL0+DMPIN to E1:N/X | CSNBT31X / CSNET31X | 01A0 | DD |
T31X – Permit DES DKYGENKY:DKYL0+DMV to E0:N/X | CSNBT31X / CSNET31X | 019A | DD |
T31X – Permit DES DKYGENKY:DKYL1+DALL to E0:N/X | CSNBT31X / CSNET31X | 019E | DD |
T31X – Permit DES DKYGENKY:DKYL1+DALL to E1:N/X | CSNBT31X / CSNET31X | 01A4 | DD |
T31X – Permit DES DKYGENKY:DKYL1+DALL to E2:N/X | CSNBT31X / CSNET31X | 01A8 | DD |
T31X – Permit DES DKYGENKY:DKYL1+DDATA to E1:N/X | CSNBT31X / CSNET31X | 01A2 | DD |
T31X – Permit DES DKYGENKY:DKYL1+DMAC to E0:N/X | CSNBT31X / CSNET31X | 019C | DD |
T31X – Permit DES DKYGENKY:DKYL1+DMAC to E2:N/X | CSNBT31X / CSNET31X | 01A7 | DD |
T31X – Permit DES DKYGENKY:DKYL1+DMPIN to E1:N/X | CSNBT31X / CSNET31X | 01A3 | DD |
T31X – Permit DES DKYGENKY:DKYL1+DMV to E0:N/X | CSNBT31X / CSNET31X | 019D | DD |
T31X – Permit DES ENCIPHER/DECIPHER/CIPHER to D0:E/D/B | CSNBT31X / CSNET31X | 0185 | ED |
T31X – Permit DES EXPORTER/OKEYXLAT to K0:E | CSNBT31X / CSNET31X | 0187 | DD |
T31X – Permit DES EXPORTER/OKEYXLAT to K1/K4:E | CSNBT31X / CSNET31X | 0189 | DD |
T31X – Permit DES IMPORTER/IKEYXLAT to K0:D | CSNBT31X / CSNET31X | 0188 | DD |
T31X – Permit DES IMPORTER/IKEYXLAT to K1/K4:D | CSNBT31X / CSNET31X | 018A | DD |
T31X – Permit DES IPINENC to P0/D | CSNBT31X / CSNET31X | 0192 | ED |
T31X - Permit DES KEYGENKY: DUKPT to B0:N/X | CSNBT31X / CSNET31X | 0180 | ED |
T31X – Permit DES MAC/DATA/DATAM to M0:G/C | CSNBT31X / CSNET31X | 018B | DD |
T31X – Permit DES MAC/DATA/DATAM to M1:G/C | CSNBT31X / CSNET31X | 018D | ED |
T31X – Permit DES MAC/DATA/DATAM to M3:G/C | CSNBT31X / CSNET31X | 018F | ED |
T31X – Permit DES MAC/MACVER:AMEX-CSC to C0:G/C/V | CSNBT31X / CSNET31X | 0181 | DD |
T31X – Permit DES MAC/MACVER:ANYMAC to C0:G/C/V | CSNBT31X / CSNET31X | 0183 | ED |
T31X – Permit DES MAC/MACVER: CVV-KEYA to C0:G/C/V | CSNBT31X / CSNET31X | 0182 | DD |
T31X – Permit DES MACVER/DATA/DATAMV to M0:V | CSNBT31X / CSNET31X | 018C | ED |
T31X – Permit DES MACVER/DATAMV to M1:V | CSNBT31X / CSNET31X | 018E | ED |
T31X – Permit DES MACVER/DATAMV to M3:V | CSNBT31X / CSNET31X | 0190 | ED |
T31X – Permit DES OPINENC to P0/E | CSNBT31X / CSNET31X | 0191 | ED |
T31X – Permit DES PINGEN:NO-SPEC/IBM-PIN/IBM-PINO to V1:N/V | CSNBT31X / CSNET31X | 0196 | ED |
T31X – Permit DES PINGEN:NO-SPEC/VISA-PVV to V2:N/C | CSNBT31X / CSNET31X | 0198 | ED |
T31X – Permit DES PINGEN:NO-SPEC to V0:N/C | CSNBT31X / CSNET31X | 0194 | DD |
T31X – Permit DES PINGEN to V0:N and DES PINVER to V1/V2:N | CSNBT31X / CSNET31X | 01B0 | DD |
T31X – Permit DES PINVER:NO-SPEC/IBM-PIN/IBM-PINO to V1:N/V | CSNBT31X / CSNET31X | 0195 | ED |
T31X – Permit DES PINVER:NO-SPEC/VISA-PVV to V2:N/V | CSNBT31X / CSNET31X | 0197 | ED |
T31X – Permit DES PINVER:NO-SPEC to V0:N/V | CSNBT31X / CSNET31X | 0193 | DD |
T31X – Permit version A TR-31 key blocks | CSNBT31X / CSNET31X | 014D | ED |
T31X – Permit version B TR-31 key blocks | CSNBT31X / CSNET31X | 014E | ED |
T31X – Permit version C TR-31 key blocks | CSNBT31X / CSNET31X | 014F | ED |
T31X - Permit version D TR-31 key blocks | CSNBT31X / CSNET31X | 0382 | ED |
TR-34 Bind-Begin | CSNDT34B / CSNFT34B | 01F0 | ED |
TR-34 Bind-Begin - allow BINDCR | CSNDT34B / CSNFT34B | 01F1 | ED |
TR-34 Bind-Begin - allow REBINDCR | CSNDT34B / CSNFT34B | 01F3 | ED |
TR-34 Bind-Begin - allow UNBINDCR | CSNDT34B / CSNFT34B | 01F2 | ED |
TR-34 Bind-Complete | CSNDT34C / CSNFT34C | 01F4 | ED |
TR-34 Bind-Complete - allow BINDKRDC | CSNDT34C / CSNFT34C | 01F5 | ED |
TR-34 Bind-Complete - allow BINDRV | CSNDT34C / CSNFT34C | 01F6 | ED |
TR-34 Bind-Complete - allow REBINDRV | CSNDT34C / CSNFT34C | 01F8 | ED |
TR-34 Bind-Complete - allow UNBINDRV | CSNDT34C / CSNFT34C | 01F7 | ED |
TR-34 Key Distribution | CSNDT34D / CSNFT34D | 01F9 | ED |
TR-34 Key Distribution – Allow 1PASSCRE | CSNDT34D / CSNFT34D | 01FB | ED |
TR-34 Key Distribution – Allow 2PASSCRE | CSNDT34D / CSNFT34D | 01FA | ED |
TR-34 Key Distribution - Permit AES EXPORTER to K0 | CSNDT34D / CSNFT34D | 0244 | ED |
TR-34 Key Distribution - Permit AES EXPORTER to K1 | CSNDT34D / CSNFT34D | 0245 | ED |
TR-34 Key Distribution - Permit AES IMPORTER to K0 | CSNDT34D / CSNFT34D | 0246 | ED |
TR-34 Key Distribution - Permit AES IMPORTER to K1 | CSNDT34D / CSNFT34D | 0247 | ED |
TR-34 Key Distribution - Permit DES EXPORTER to K0 or K1 | CSNDT34D / CSNFT34D | 0242 | ED |
TR-34 Key Distribution - Permit DES IMPORTER to K0 or K1 | CSNDT34D / CSNFT34D | 0243 | ED |
TR-34 Key Receive | CSNDT34R / CSNFT34R | 01FC | ED |
TR-34 Key Receive – Allow 1PASSRCV | CSNDT34R / CSNFT34R | 01FE | ED |
TR-34 Key Receive – Allow 2PASSRCV | CSNDT34R / CSNFT34R | 01FD | ED |
TR-34 Key Receive – Allow wrapping override keywords | CSNDT34R / CSNFT34R | 01DF | ED |
TR-34 Key Receive – Permit AES EXPORTER | CSNDT34R / CSNFT34R | 024A | ED |
TR-34 Key Receive – Permit AES EXPORTER with EXPTT31D | CSNDT34R / CSNFT34R | 024C | ED |
TR-34 Key Receive – Permit AES IMPORTER | CSNDT34R / CSNFT34R | 024B | ED |
TR-34 Key Receive – Permit AES IMPORTER with IMPTT31D | CSNDT34R / CSNFT34R | 024D | ED |
TR-34 Key Receive – Permit DES EXPORTER | CSNDT34R / CSNFT34R | 0248 | ED |
TR-34 Key Receive – Permit DES IMPORTER | CSNDT34R / CSNFT34R | 0249 | ED |
Transaction Validation – Generate | CSNBTRV / CSNETRV | 0291 | ED |
Transaction Validation - Verify CSC-3 | CSNBTRV / CSNETRV | 0292 | ED |
Transaction Validation - Verify CSC-4 | CSNBTRV / CSNETRV | 0293 | ED |
Transaction Validation - Verify CSC-5 | CSNBTRV / CSNETRV | 0294 | ED |
Trusted Block Create - Activate an inactive block | CSNDTBC / CSNFTBC | 0310 | ED |
Trusted Block Create - Create Block in inactive form | CSNDTBC / CSNFTBC | 030F | ED |
Trusted Block Create - Disallow triple-length MAC key | CSNDTBC / CSNFTBC | 032E | DD, SC |
Unique Key Derive | CSNBUKD / CSNEUKD | 01C8 | ED |
Unique Key Derive - Allow PIN-DATA processing | CSNBUKD / CSNEUKD | 01C9 | DD |
Unique Key Derive - K3IPEK | CSNBUKD / CSNEUKD | 0335 | DD |
Unique Key Derive - Override default wrapping | CSNBUKD / CSNEUKD | 01CA | ED |
VISA CVV Generate | CSNBCSG / CSNECSG | 00DF | ED |
VISA CVV Verify | CSNBCSV / CSNECSV | 00E0 | ED |
- To use Data Key Export - Unrestricted, the Data Key Export access control point must be enabled.
- To use Data Key Import - Unrestricted, the Data Key Import access control point must be enabled.
- To use Diversified Key Generate - single length or same halves, either the Diversified Key Generate - TDES-ENC or the Diversified Key Generate - TDES-DEC access control point must be enabled.
- To use Key Export - Unrestricted, the Key Export access control point must be enabled.
- To use Key Import - Unrestricted, the Key Import access control point must be enabled.
- To use Key Part Import – Unrestricted, the Key Part Import - First key part and Key Part Import - Middle and Final access control points must be enabled.
- To use T31X - Permit PINGEN/PINVER to V0/V1/V2:N, the TR31 Export - Permit version A TR-31 key blocks access control point must be enabled.
- To use the Unique Key Derive - Allow PIN-DATA processing or Unique Key Derive - Override default wrapping access control points, the Unique Key Derive access control point must be enabled.
- To use SET Block Decompose - PIN ext IPINENC or PIN ext OPINENC, the SET Block Decompose access control point must be enabled.
- To use PKA Key Generate - Permit Regeneration Data, the PKA Key Generate access control point must be enabled.
- To use PKA Key Generate - Permit Regeneration Data Retain, the PKA Key Generate and PKA Key Generate – Clone access control points must be enabled.
- To use PKA Key Generate - Clear or PKA Key Generate - Clone, the PKA Key Generate access control point must be enabled.
- To use any of the following access control points, the ECC Diffie-Hellman access control point must be enabled:
  - ECC Diffie-Hellman - Allow PASSTHRU
  - ECC Diffie-Hellman - Allow key wrap override
  - ECC Diffie-Hellman - Allow Prime Curve 192
  - ECC Diffie-Hellman - Allow Prime Curve 224
  - ECC Diffie-Hellman - Allow Prime Curve 256
  - ECC Diffie-Hellman - Allow Prime Curve 384
  - ECC Diffie-Hellman - Allow Prime Curve 521
  - ECC Diffie-Hellman - Allow BP Curve 160
  - ECC Diffie-Hellman - Allow BP Curve 192
  - ECC Diffie-Hellman - Allow BP Curve 224
  - ECC Diffie-Hellman - Allow BP Curve 256
  - ECC Diffie-Hellman - Allow BP Curve 320
  - ECC Diffie-Hellman - Allow BP Curve 384
  - ECC Diffie-Hellman - Allow BP Curve 512
  - ECC Diffie-Hellman - Prohibit weak key generate