Encrypt Data Block

Command:

Encrypt a block of data.

Notes:

Use of this command requires the optional Message Encryption licence. Error code 67 is returned if the command is not licensed.

If a ZEK is used as the encryption key, the contents of the plaintext message must comply with the CS “ZEK encryption” setting. This imposes certain restrictions on the contents of the message.

There are no restrictions on the contents of the message when a DEK key is used.

The data to be encrypted by this command may be presented to the HSM in different formats, as indicated by the Input Format Flag field.

Note: When Input Format Flag = 2 (Text) and the HSM is configured to use EBCDIC, the input message is converted from EBCDIC to ASCII before it is encrypted.

Note: No padding is applied by the HSM. The input message must be a whole number of blocks: a multiple of 8 bytes for binary and text input, or a multiple of 16 hex digits (8 bytes) for hex-encoded input. Any padding the application needs must be applied by the host before the message is sent.

Field

Length & Type

Details

COMMAND MESSAGE

Message Header

m A

Will be returned to the Host unchanged.

Command Code

2 A

Value M0.

Mode Flag

2 N

Describes the encryption mode:

00 : ECB
01 : CBC  (requires IV)
02 : CFB8 (requires IV)
03 : CFB64  (requires IV)

Input Format Flag

1 N

Describes the format of the input message:

0 : Binary
1 : Hex-Encoded Binary
2 : Text

Output Format Flag

1 N

Describes the format of the output message:

0 : Binary
1 : Hex-Encoded Binary

Key Type

3 H

Type of Key. The following Key Types are permitted:

00A : ZEK
00B : DEK

Key

16H
or
1A+32H
or
1A+48H

Encryption Key.

Used (in conjunction with the IV if appropriate) to encrypt the supplied Message.

IV

16 H

The input IV, used in conjunction with the Encryption Key.

When encrypting the first of a series of blocks, this initial IV should be set by the caller; a typical initial IV is {00 00 00 00 00 00 00 00}.

For subsequent blocks, this value should be the IV returned from encrypting the previous block.

Only present if the Mode Flag is 01, 02 or 03.

Message Length

4 H

The length of the following field, in bytes.

This must be a multiple of 8 for binary and text formatted messages, or a multiple of 16 for hex-encoded binary messages.

Message


The message to be encrypted. The length & type of the field will depend on the value of the Input Format Flag:

n B

Input Format Flag = 0 (Binary);
n = multiple of 8.

n H

Input Format Flag = 1 (Hex-Encoded Binary);
n = multiple of 16.

n A

Input Format Flag = 2 (Text);
n = multiple of 8.

End Message Delimiter

1 C

Optional. Must be present if a Message Trailer is present. Value X'19'.

Message Trailer

n A

Optional. Maximum length 32 characters.

RESPONSE MESSAGE

Message Header

m A

Will be returned to the Host unchanged.

Response Code

2 A

Value M1.

Error Code

2 N

00 : No error
02 : Invalid Mode Flag field
03 : Invalid Input Format Flag field
04 : Invalid Output Format Flag field
05 : Invalid Key Type field
06 : Invalid Message Length field
10 : Encryption Key Parity Error
35 : Illegal Message Format

Any standard error code.

IV

16 H

The output IV.
When encrypting a series of blocks, this IV should be supplied as input when encrypting the next block.
Only present if the Mode Flag is 01, 02 or 03.

Message Length

4 H

The length of the following field, in bytes.

Encrypted Message


The encrypted message. The length & type of the field will depend on the value of the Output Format Flag:


n B

Output Format Flag = 0 (Binary);
n = multiple of 8.


n H

Output Format Flag = 1 (Hex-Encoded Binary);
n = multiple of 16.

End Message Delimiter

1 C

Will only be present if present in the command message. Value X'19'.

Message Trailer

n A

Will only be present if present in the command message. Maximum length 32 characters.
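As an added worked example (not Thales documentation or product code), the Python below serialises an M0 command from the fields in the two tables above, enforces on the host the rules the HSM would otherwise reject with error codes 02 to 06 and 35 (valid flags, a 16H IV only in modes 01, 02 and 03, unpadded whole-block input, the X'19' delimiter only when a trailer follows), and parses the M1 response so that the returned IV can be chained into the next block's command. The header, key, IV, plaintext and the M1 reply bytes are constructed for illustration and are not real HSM output; the 'U' scheme tag on the 1A+32H key, and the assumption that no data fields follow a non-zero Error Code, are not stated on this page.

```python
"""Build an M0 (Encrypt Data Block) command and parse the M1 response.

Added example, not Thales code. Field layout follows the tables on this page; every
concrete value (header, key, IV, plaintext, HSM reply) is constructed, not real output.
"""
import binascii
from typing import Optional

END_DELIM = b"\x19"             # End Message Delimiter, X'19'
IV_MODES = {"01", "02", "03"}   # CBC, CFB8 and CFB64 carry an IV field; ECB (00) does not
ERROR_CODES = {
    "00": "No error", "02": "Invalid Mode Flag field", "03": "Invalid Input Format Flag field",
    "04": "Invalid Output Format Flag field", "05": "Invalid Key Type field",
    "06": "Invalid Message Length field", "10": "Encryption Key Parity Error",
    "35": "Illegal Message Format", "67": "Command not licensed",
}


def build_m0(header: bytes, mode: str, in_fmt: str, out_fmt: str, key_type: str,
             key: bytes, message: bytes, iv: Optional[bytes] = None,
             trailer: Optional[bytes] = None) -> bytes:
    """Serialise an M0 command, rejecting on the host what the HSM would reject."""
    if mode not in {"00", "01", "02", "03"}:
        raise ValueError("Mode Flag must be 00, 01, 02 or 03")        # HSM error 02
    if in_fmt not in {"0", "1", "2"} or out_fmt not in {"0", "1"}:
        raise ValueError("invalid Input or Output Format Flag")       # 03 / 04
    if key_type not in {"00A", "00B"}:
        raise ValueError("Key Type must be 00A (ZEK) or 00B (DEK)")   # 05
    if len(key) not in (16, 33, 49):
        raise ValueError("key must be 16H, 1A+32H or 1A+48H")
    # The HSM applies no padding, so the host must deliver whole blocks:
    # 8 bytes of binary/text, or 16 hex digits (= 8 bytes) of hex-encoded input.
    block = 16 if in_fmt == "1" else 8
    if not message or len(message) % block or len(message) > 0xFFFF:
        raise ValueError(f"Message Length must be a multiple of {block} and fit in 4H")  # 06
    if in_fmt == "1":
        binascii.unhexlify(message)     # a non-hex digit would draw 35 Illegal Message Format
    if mode in IV_MODES:
        if iv is None or len(iv) != 16:
            raise ValueError("modes 01, 02 and 03 require a 16H IV")
        binascii.unhexlify(iv)
    elif iv is not None:
        raise ValueError("mode 00 (ECB) has no IV field")
    if trailer is not None and len(trailer) > 32:
        raise ValueError("Message Trailer is at most 32 characters")

    cmd = bytearray(header) + b"M0" + mode.encode() + in_fmt.encode() + out_fmt.encode()
    cmd += key_type.encode() + key
    if iv is not None:
        cmd += iv
    cmd += f"{len(message):04X}".encode() + message
    if trailer is not None:
        cmd += END_DELIM + trailer      # the delimiter is mandatory when a trailer follows
    return bytes(cmd)


def parse_m1(resp: bytes, header_len: int, mode: str, out_fmt: str) -> dict:
    """Parse an M1 response. The reply does not echo the Mode Flag or Output
    Format Flag, so the caller passes the values it sent in the M0 command."""
    pos = header_len
    if resp[pos:pos + 2] != b"M1":
        raise ValueError(f"unexpected response code {resp[pos:pos + 2]!r}")
    err = resp[pos + 2:pos + 4].decode("ascii")
    pos += 4
    out = {"header": resp[:header_len], "error_code": err, "iv": None, "ciphertext": None,
           "trailer": None, "error_text": ERROR_CODES.get(err, "standard error code")}
    if err != "00":
        return out      # assumption: no data fields follow a non-zero Error Code
    if mode in IV_MODES:
        out["iv"] = resp[pos:pos + 16]      # becomes the input IV for the next block
        pos += 16
    length = int(resp[pos:pos + 4], 16)
    pos += 4
    if length % (16 if out_fmt == "1" else 8):
        raise ValueError(f"Encrypted Message length {length} is not a whole number of blocks")
    out["ciphertext"] = resp[pos:pos + length]
    pos += length
    if len(out["ciphertext"]) != length:
        raise ValueError("truncated Encrypted Message")
    # Only after the length-delimited ciphertext may X'19' be read as the delimiter:
    # a binary ciphertext byte can itself be 0x19.
    if resp[pos:pos + 1] == END_DELIM:
        out["trailer"] = resp[pos + 1:]
    elif pos != len(resp):
        raise ValueError("unexpected bytes after the Encrypted Message")
    return out


# Constructed sample values: not a real key, IV, plaintext or HSM reply.
HEADER = b"HDR1"
KEY = b"U" + b"0123456789ABCDEF" * 2          # 1A+32H; the 'U' scheme tag is an assumption
BLOCK1 = b"00112233445566778899AABBCCDDEEFF"  # 32 hex digits = 16 plaintext bytes
BLOCK2 = b"FFEEDDCCBBAA99887766554433221100"
SAMPLE_M1 = HEADER + b"M1" + b"00" + b"1122334455667788" + b"0020" + b"A1B2C3D4E5F60718293A4B5C6D7E8F90"


def demo():
    """CBC-encrypt two consecutive blocks: block 2 uses the IV returned for block 1."""
    cmd1 = build_m0(HEADER, "01", "1", "1", "00A", KEY, BLOCK1, iv=b"0000000000000000")
    reply1 = parse_m1(SAMPLE_M1, len(HEADER), "01", "1")
    cmd2 = build_m0(HEADER, "01", "1", "1", "00A", KEY, BLOCK2, iv=reply1["iv"])
    return cmd1, reply1, cmd2
```

Because the M1 response carries neither the Mode Flag nor the Output Format Flag, a reply cannot be parsed in isolation: the host has to keep the request parameters alongside the pending reply. The same reasoning dictates consuming the ciphertext by its Message Length before looking for X'19', since a binary ciphertext byte may legitimately be 0x19.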