Abstract: A facility for making dynamic changes to a system master key without stopping the system, and without loss of integrity to ongoing cryptographic operations. A version number is generated and associated with the current master key. A dynamic change is made to the master key, resulting in the then current master key becoming the old master key, and a "new" current master key (with a new version number) being placed into operation. Subsequent cryptographic requests using a supplied key enciphered under the old master key are identified by means of a supplied version number associated with the supplied key. This identification triggers a reencipher operation, reenciphering the supplied key under the now current master key--after which the cryptographic operation proceeds. Unique patterns are generated to verify the contents of the master key registers, and to authorize normal use of the cryptographic facility, and issuers of key-change operations.

Abstract: A method and apparatus is provided to translate the contents of access registers into information for use in performing addressing functions for multiple virtual address spaces. The access registers represent the full addressing capability of the system but do not directly contain the addressing information. The system has a plurality of general purpose registers, a plurality of access registers associated with the general registers, an access list having access list entries which is addressed by the contents of the access register, memory storage for holding address space number second table entries (ASTE), where the contents of the access list entry locate the ASTE and where the ASTE contains the addressing information needed to translate a virtual address when combined with the contents of a general purpose register. Access register translation (ART) consists of the process of determining addressing information by using the access list entry and the ASTE.

Abstract: The invention is an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key. The invention includes a cryptographic facility characterized by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key.

Abstract: Cryptographic PIN processing is achieved in an improved manner by associating control vectors with the PIN generating (verification) keys and PIN encrypting keys which provide authorization for the uses of the keys intended by the originator of the keys. The originator may be the local cryptographic facility (CF) and a utility program under the control of a security administrator, or the originator may be another network node which uses the key management methods described in the above-referenced copending patent applications to distribute said keys.Among the uses specified by the control vector are limitations on the authority to use the associated key with certain PIN processing instructions, such as PIN generation, verification, translation and PIN block creation. Furthermore, the control vector may limit the authority of certain instructions to process clear PIN inputs (such as in PIN verification).

Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention.