One of the fundamental design points for CCA is that keys are protected. Once
they are inside the CCA system, they are always encrypted if they are outside
the physically secure HSM module. Thus, most crypto functions in the CCA API
("verbs") only accept keys in encrypted form - wrapped with the appropriate CCA
master key. They are decrypted on the fly inside the HSM and used for the
desired operation. Thus, before you can use a key in the Encipher verb, you
need to get the key into such a form - wrapped by the master key. That's the
purpose of the import operation in the sequence you posted.

With any cryptographic system today, the biggest exposure is protection of your
keys. Hardly anyone actually "breaks" the crypto algorithms themselves - they
find ways to get to the keys.