One of the fundamental design points for CCA is that keys are protected. Once they are inside the CCA system, they are always encrypted if they are outside the physically secure HSM module. Thus, most crypto functions in the CCA API ("verbs") only accept keys in encrypted form - wrapped with the appropriate CCA master key. They are decrypted on the fly inside the HSM and used for the desired operation. Thus, before you can use a key in the Encipher verb, you need to get the key into such a form - wrapped by the master key. That's the purpose of the import operation in the sequence you posted.
With any cryptographic system today, the biggest exposure is protection of your keys. Hardly anyone actually "breaks" the crypto algorithms themselves - they find ways to get to the keys. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN