Decrypt Data Block

Command:

Decrypt a block of data.

Notes:

Use of this command requires the optional Message Encryption licence. Error code 67 will be returned if a command is not licenced.

If a ZEK is used as the encryption key, the contents of the plaintext message must comply with the CS “ZEK encryption” setting. This imposes certain restrictions on the contents of the message.

There are no restrictions on the contents of the message when a DEK key is used.

The data to be decrypted by this command may be presented to the HSM in different formats, as indicated by the Input Format Flag field.

The decrypted data block may be returned to the host in different formats, as indicated by the Output Format Flag field.

Note: When Input Format Flag = 2, the input message goes through a conversion process (from EBCDIC to ASCII) when the HSM is configured as using EBCDIC.

Note: No padding is applied – the input message must be a multiple of 8 (or 16 for hex-encoded messages).

Field	Length & Type	Details
COMMAND MESSAGE
Message Header	m A	Will be returned to the Host unchanged.
Command Code	2 A	Value M2.
Mode Flag	2 N	Describes the decryption mode: 00 : ECB 01 : CBC (requires IV) 02 : CFB8 (requires IV) 03 : CFB64 (requires IV)
Input Format Flag	1 N	Describes the format of the input message: 0 : Binary 1 : Hex-Encoded Binary
Output Format Flag	1 N	Describes the format of the output message: 0 : Binary 1 : Hex-Encoded Binary 2 : Text
Key Type	3 H	Type of Key. The following Key Types are permitted: 00A : ZEK 00B : DEK
Key	16H or 1A+32H or 1A+48H	Decryption Key. Used (in conjunction with the IV if appropriate) to decrypt the supplied Message.
IV	16 H	The input IV, to be used in conjunction with the Decryption Key. When decrypting the first of a series of blocks, this initial IV should match the initial IV used to encrypt the original message. For subsequent blocks, this value should be the IV returned from decrypting the previous block. Only present if the Mode Flag is 01, 02 or 03.
Message Length	4 H	The length of the following field, in bytes. This must be a multiple of 8 for binary formatted messages, or a multiple of 16 for hex-encoded binary messages.
Encrypted Message		The encrypted message. The type of the message will depend on the value of the Format Flag field:
	n B	Input Format Flag = 0 (Binary); n = multiple of 8.
	n H	Input Format Flag = 1 (Hex-Encoded Binary); n = multiple of 16.
End Message Delimiter	1 C	Optional. Must be present if a message trailer is present. Value X'19.
Message Trailer	n A	Optional. Maximum length 32 characters.
RESPONSE MESSAGE
Message Header	m A	Will be returned to the Host unchanged.
Response Code	2 A	Value M3.
Error Code	2 N	00 : No error 02 : Invalid Mode Flag field 03 : Invalid Input Format Flag field 04 : Invalid Output Format Flag field 05 : Invalid Key Type field 06 : Invalid Message Length field 10 : Encryption Key Parity Error 35 : Illegal Message Format Any standard error code.
IV	16 H	The output IV. When decrypting a series of blocks, this IV should be supplied as input when encrypting the next block. Only present if the Mode Flag is 01, 02 or 03.
Message Length	4 H	The length of the following field, in bytes.
Decrypted Message		The decrypted message. The type of the message will depend on the value of the Format Flag field.
	n B	Output Format Flag = 0 (Binary); n = multiple of 8.
	n H	Output Format Flag = 1 (Hex-Encoded Binary); n = multiple of 16.
	n A	Output Format Flag = 2 (Text) n = multiple of 8.
End Message Delimiter	1 C	Will only be present if present in the command message. Value X'19.
Message Trailer	n A	Will only be present if present in the command message. Maximum length 32 characters.