Integrated Key Controller - IBM z13s Technical Manual


exportable. The applet also creates two Advanced Encryption Standard (AES) symmetric keys. One of these AES keys is known as the key-encrypting key (KEK), which is retained on the smart card. The KEK can also be exported. The other AES key becomes the flash encryption key/authentication key and is encrypted by the KEK.
A buffer is allocated containing the KEK-encrypted flash encryption key/authentication key and the unique serial number of the SE. The buffer is padded per Public-Key Cryptography Standards #1 (PKCS #1) and then encrypted with the smart card's RSA public key. The encrypted content is then written to a file on the SE hard disk.
This design defines a tight coupling of the file on the SE to the smart card. The coupling ensures that no other SE can use the file or the smart card that is associated with a given SE. The encrypted files are therefore unique, and each smart card is uniquely tied to its SE.
All key generation, encryption, and decryption occur on the smart card. Keys are never in the clear. The truly sensitive key, the flash encryption key/authentication key, is only in the file on the SE until it is served to the firmware management of the Flash Express adapter.
Figure H-6 shows the cryptographic keys that are involved in creating this tight-coupling design.

[Figure H-6 Integrated Key Controller. Keys generated in the smart card: RSA public key, RSA private key, AES key-encrypting key, AES flash encryption key/authentication key. Support Element (SE) hard disk: flash encryption key/authentication key, Support Element serial number. Flash (the Flash Express adapter).]
The flash encryption key/authentication key can be served to the firmware management of the Flash Express adapter. This process can be either upon request from the firmware at initial microcode load (IML) time or from the SE as the result of a request to "change" or "roll" the key.
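The envelope described above (flash key wrapped by the KEK, bundled with the SE serial number, PKCS #1 padded and RSA-encrypted to the smart card's public key, then unwrapped on the card only for the SE whose serial it carries), as an added Go example that is not IBM's code. The AES-GCM mode, the `len(serial) || serial || nonce || wrapped key` layout, the use of the serial as GCM associated data, and the names SmartCard, SealForSE and ServeKey are assumptions for illustration; the manual only states that the flash key is encrypted by the KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// SmartCard models the applet's on-card keys: an RSA key pair and an AES
// key-encrypting key (KEK). The private key and the KEK never leave the card.
type SmartCard struct {
	rsaKey *rsa.PrivateKey
	kek    cipher.AEAD // the KEK, held as a ready-to-use AES-GCM instance
}
func NewSmartCard() (*SmartCard, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(raw) // a 32-byte key cannot fail
	kek, err := cipher.NewGCM(block) // GCM is an assumption; the manual only says "encrypted by the KEK"
	return &SmartCard{rsaKey: k, kek: kek}, err
}
// SealForSE builds the SE hard-disk file: len(serial)||serial||nonce||KEK-wrapped key, PKCS #1 v1.5 RSA-encrypted.
func (c *SmartCard) SealForSE(flashKey []byte, serial string) ([]byte, error) {
	nonce := make([]byte, c.kek.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	buf := append(append([]byte{byte(len(serial))}, serial...), c.kek.Seal(nonce, nonce, flashKey, []byte(serial))...)
	return rsa.EncryptPKCS1v15(rand.Reader, &c.rsaKey.PublicKey, buf)
}
// ServeKey runs on the card at IML or on a key roll: RSA-decrypt, check the requesting SE's serial, unwrap the key.
func (c *SmartCard) ServeKey(file []byte, seSerial string) ([]byte, error) {
	buf, err := rsa.DecryptPKCS1v15(rand.Reader, c.rsaKey, file)
	if err != nil {
		return nil, err
	}
	n, ns := 1+len(seSerial), c.kek.NonceSize()
	if len(buf) < n+ns || int(buf[0]) != len(seSerial) || string(buf[1:n]) != seSerial {
		return nil, errors.New("key file is malformed or not bound to this SE")
	}
	return c.kek.Open(nil, buf[n:n+ns], buf[n+ns:], []byte(seSerial))
}
```

A file sealed by one card for one SE is served back only to that SE by that card; a different serial fails the binding check and a different card cannot even complete the RSA decryption.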
IBM z13s Technical Guide, page 536
