Use the symmetric key encipher callable service to encipher data
using one of the supported modes. ICSF supports several processing
rules to encipher data. You choose the type of processing rule that
the Symmetric Key Encipher callable service should use for the block
chaining. See Modes of Operation for more information.
| Processing rule | Purpose |
| --- | --- |
| ANSI X9.23 | For cipher block chaining. The ciphertext must be an exact multiple of the block size for the specified algorithm (8 bytes for DES). The plaintext will be between 1 and 8 bytes shorter than the ciphertext. This processing rule always pads the plaintext during encryption so that the ciphertext produced is an exact multiple of the block size, even if the plaintext was already a multiple of the block size. |
| CBC | For cipher block chaining. The ciphertext must be an exact multiple of the block size for the specified algorithm (8 bytes for DES, 16 bytes for AES). The plaintext will have the same length as the ciphertext. |
| CBC-CS | For cipher block chaining. The ciphertext can be any length. The plaintext will have the same length as the ciphertext. |
| CFB | Performs cipher feedback encryption with the segment size equal to the block size. The ciphertext can be of any length. The plaintext will have the same length as the ciphertext. |
| CFB-LCFB | Performs cipher feedback encryption with the segment size set by the caller. The ciphertext can be of any length. The plaintext will have the same length as the ciphertext. |
| CUSP | For cipher block chaining. The ciphertext can be of any length. The plaintext will have the same length as the ciphertext. |
| ECB | Performs electronic code book encryption. The ciphertext must be an exact multiple of the block size for the specified algorithm (8 bytes for DES, 16 bytes for AES). The plaintext will have the same length as the ciphertext. |
| GCM | Performs Galois/Counter mode decryption, which provides both confidentiality and authentication for the plaintext and authentication for the additional authenticated data (AAD). The ciphertext can be any length. The plaintext will have the same length as the ciphertext. Additionally, the authentication tag will be verified before any data is returned. |
| IPS | For cipher block chaining. The ciphertext can be any length. The plaintext will have the same length as the ciphertext. |
| OFB | Performs output feedback mode encryption. The ciphertext can be any length. The plaintext will have the same length as the ciphertext. |
| PKCS-PAD | For cipher block chaining. The ciphertext must be an exact multiple of the block size (8 bytes for DES, 16 bytes for AES). The plaintext will be between 1 and the block size (8 bytes for DES, 16 bytes for AES) bytes shorter than the ciphertext. This processing rule always pads the plaintext so that the ciphertext produced is an exact multiple of the block size, even if the plaintext was already a multiple of the block size. |
The Advanced Encryption Standard (AES) and Data Encryption Standard
(DES) are supported. AES encryption uses a 128-, 192-, or 256-bit
key. The CBC, CBC-CS, CFB, CFB-LCFB, ECB, GCM, OFB, and XTS-AES modes
are supported.
All modes except ECB and XTS-AES use an initial chaining vector
(ICV) in their processing.
All modes that tolerate chaining produce a resulting chaining value
called the output chaining vector (OCV). The application can pass
the OCV as the ICV in the next encipher call. This results in record
chaining.
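The two length rules in the table that matter most to a caller are the "always pads" behaviour of ANSI X9.23 and PKCS-PAD (an aligned plaintext still grows by a full block) and the OCV-to-ICV record chaining described above. The following Python is an added illustration written for this page; it is not ICSF code and does not call the CSNBSYE service. The padding routines implement the two rules exactly as the table states them, including the unpadding checks a receiver must perform. The CBC routine is generic over a block function; because only the chaining structure is being shown, the block function used here is a keyed SHA-256 stand-in (constructed for the example, not a cipher), and KEY and ICV are constructed sample values.

```python
"""Added example (not ICSF code): X9.23 and PKCS padding rules, and CBC
record chaining by feeding the output chaining vector (OCV) of one call
back in as the initial chaining vector (ICV) of the next."""
import hashlib

BLOCK = 16                      # AES block size in bytes (8 for DES)
KEY = b"\x01" * 16              # constructed sample key, not a real one
ICV = b"\x00" * 16              # constructed sample ICV


def pad_x923(plaintext: bytes, block_size: int) -> bytes:
    """ANSI X9.23: zero fill, last byte holds the pad length.
    n is always 1..block_size, so aligned input still gains a full block."""
    n = block_size - (len(plaintext) % block_size)
    return plaintext + b"\x00" * (n - 1) + bytes([n])


def unpad_x923(padded: bytes, block_size: int) -> bytes:
    """Strip X9.23 padding; reject lengths and pad bytes that do not fit the rule."""
    if not padded or len(padded) % block_size:
        raise ValueError("input is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block_size or any(padded[-n:-1]):
        raise ValueError("bad X9.23 padding")
    return padded[:-n]


def pad_pkcs(plaintext: bytes, block_size: int) -> bytes:
    """PKCS-PAD style: every pad byte equals the pad length. Always pads."""
    n = block_size - (len(plaintext) % block_size)
    return plaintext + bytes([n]) * n


def unpad_pkcs(padded: bytes, block_size: int) -> bytes:
    """Strip PKCS padding; every pad byte must carry the pad length."""
    if not padded or len(padded) % block_size:
        raise ValueError("input is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS padding")
    return padded[:-n]


def _stand_in_block(key: bytes, block: bytes) -> bytes:
    """Keyed stand-in for the block operation (constructed for this example,
    NOT a cipher). Only the chaining structure is demonstrated with it."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encipher(key: bytes, icv: bytes, padded: bytes, block_fn=_stand_in_block):
    """CBC over already-padded data. Returns (ciphertext, ocv), where the OCV
    is the last ciphertext block, i.e. the chaining state after the call."""
    if len(padded) % BLOCK:
        raise ValueError("CBC input must be a multiple of the block size")
    out, chain = bytearray(), icv
    for i in range(0, len(padded), BLOCK):
        chain = block_fn(key, _xor(chain, padded[i:i + BLOCK]))
        out += chain
    return bytes(out), chain


def encipher_records(key: bytes, icv: bytes, records):
    """Record chaining: each call's OCV becomes the next call's ICV, so the
    concatenated output equals one CBC pass over the concatenated records."""
    chain, out = icv, b""
    for rec in records:
        ct, chain = cbc_encipher(key, chain, rec)
        out += ct
    return out, chain


if __name__ == "__main__":
    aligned = b"A" * BLOCK
    print("X9.23 pads aligned input to", len(pad_x923(aligned, BLOCK)), "bytes")
    print("PKCS  pads aligned input to", len(pad_pkcs(aligned, BLOCK)), "bytes")
    one_shot, _ = cbc_encipher(KEY, ICV, b"A" * 16 + b"B" * 32)
    chained, _ = encipher_records(KEY, ICV, [b"A" * 16, b"B" * 32])
    print("record chaining matches one-shot CBC:", one_shot == chained)
```

The unpadding functions show why the decipher side should treat a padding failure as a hard error rather than returning partial data: a pad-length byte outside 1..block size, or filler bytes that do not match the rule, means the record was not produced under that processing rule.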
The selection between single-DES decryption mode and triple-DES
decryption mode is controlled by the length of the key supplied in
the key_identifier parameter. If a single-length key is
supplied, single-DES decryption is performed. If a double-length or
triple-length key is supplied, triple-DES decryption is performed.
The key may be specified as a clear key value, an internal clear
key token, or the label name of a clear key or an encrypted key in
the CKDS.