Post on 19-May-2018
©
December 2014
Crypto WrapUpMore Crypto Consumers &
Four Things You Should Be Doing Now In Your Crypto Environment
Greg Boyd
gregboyd@mainframecrypto.com
www.mainframecrypto.com
©
Crypto WrapUp• Crypto Consumers
• Encryption Facility• PKI Services• Java• Electronic Delivery• ISKLM (TKLM & EKM)
• DASD/Tape Encryption• Keystores
• EKMF• Advanced Crypto Service Provider
• Ported Tools
• Four Things• Rotate Your Keys• Secure Your Crypto Resources• Capture Crypto Performance Data• Know Your Users
Page 2December 2014 zExchange – Crypto Wrapup
©
Page 3
Feature:DFSMSdss™ Encryption
Optional Priced Feature
IBM Encryption Facility for z/OS, 1.2Program number: 5655-P97
MSU-based pricing*
Java ClientWeb Download
Feature:
Encryption ServicesOptional Priced Feature
Java technology-based code that
allows client systems (z/OS and
non-z/OS) to decrypt and encrypt
data for exchange with z/OS
systems (zFormat)
z Format
Supports encrypting and
decrypting of data at rest
(tapes, disk)
Supports either Public
Key/Private keys or
passwords to create highly-
secure exchange between
partners
OpenPGP Format
Internet Standard RFC4880
zAAP eligible
X.509 or OpenPGP
Certificates
Allows encryption and
compression of DUMP data
sets created by
DFSMSdss™
Supports decryption and
decompression during
RESTORE
•Variable Workload License Charges (VWLC), Entry Workload License Charges (EWLC), zSeries Entry License Charges™ (zELC), Parallel Sysplex® License Charges (PSLC)
Decryption Client for z/OSWeb Download
Decryption only code designed to run
on z/OS systems. (i.e. zFormat)
December 2014 zExchange – Crypto Wrapup
©
Sharing the Encryption Key
• System z format• Passphrase - Data is protected by a key generated, using
PKCS #12, from that passphrase
• RSA - Data is protected by a random number, and that random number key is protected by a public/private key pair
• OpenPGP format• Data is protected by a random number
• Data key is protected• Passphrase Based Encryption (PBE) – passphrase is used to calculate
a key that is used to encrypt the data key
• OpenPGP Certificates – use a public/private key to protect the data key (does not support Web of Trust)
Page 4December 2014 zExchange – Crypto Wrapup
©
Hardware Usage – Encryption Facility• zFormat
• CLRTDES, CLRAES parms – CPACF• ENCTDES parm – CEX• Passphrase option – CPACF• RSA option – CEX
• OpenPGP – Java based, so the hardware required depends on the security provider you specify
• JCE – software only encryption, does not leverage hardware
• JCECCA – requires Crypto Express cards (even if you only want to use the CPACF)
Page 5December 2014 zExchange – Crypto Wrapup
©
Encryption Facility Resources
• Pubs• SA23-2229 Encryption Facility for z/OS Planning and Customizing• SA23-2230 Encryption Facility for z/OS Using Encryption Facility for
OpenPGP
• Redbooks www.redbooks.ibm.com/• REDP-4334 Encryption Facility R2 for z/OS Performance• SG24-7434 Encryption Facility for z/OS V1.2 OpenPGP Support• SG24-7318 Encryption Facilty for z/OS V1.1
• TechDocs w3.ibm.com/support/techdocs• TD103132 Checklist for Features Required to use the IBM
Encryption Facility• WP100700 Encryption Facility for z/OS – Performance and Sizing
Page 6December 2014 zExchange – Crypto Wrapup
©
Page 7
ƒCA Generates
and distributes
certificate
ƒ Certificate
Expires
Or
ƒ Administrator or
User Revokes
Certificate
ƒ User Requests
Certificate
PKI Services - Certificate Life Cycle Management
ƒ User Renews
Certificate
ƒ Administrator
Approves the
request
ƒ Owner uses the
certificate
December 2014 zExchange – Crypto Wrapup
©
Page 8
End User
Browser
Administrator
Browser
OCSP
Request
SCEP
Request
End User CGI Scripts
Admin CGI Scripts
OCSP CGI program
SCEP CGI program
SMF
z/OS HTTP Server
PC
End User JSPs/Servlets
Admin JSPs/Servlets
Websphere Application
Server
End User
Browser
Administrator
Browser
H
T
T
P
D
CMP CGI program
CMP
Request
RACF Glue Routine
(IRRRPXGL)
SAF Callable Service
(IRRSPX00)
RACF Callable Service
(IRRRPX00 - R_PKIServ)JNI
RACF
Database
Exit
Exit
ICSF
LDAP
Directory
Certificate
Requests
Issued
Certificates
Timer Events thread
CRL processing thread
Service thread Monitor
Service threads
Main thread:
Process Console
Commands
Daily Timer thread
PKI Services Daemon Address Space
VSAM or DB2
VSAM or DB2
Exit Syste
m S
SL A
PIs
PKDS
TKDS
PKI Components
December 2014 zExchange – Crypto Wrapup
©
PKI Services References
• Cryptographic Services• Cryptographic Services PKI Services Guide and
Reference Version 2 Release 1 (SA23-2286)
• PKI Services Website• http://www.ibm.com/servers/eserver/zseries/zos/pki
• PKI Services Redbook – Implementing PKI Services on z/OS
• http://www.redbooks.ibm.com/abstracts/sg246968.html
December 2014 zExchange – Crypto Wrapup Page 9
©
Java – Security Providers (/jre/lib/security/java.security)• IBMJCE – Java Cryptography Extension, does not leverage
hardware
• IBMJCECCA – Java Cryptography Extension, does leverage hardware
• IBMJSSE – Secure Socket Layer (SSL) and Transport Layer Security (TLS), does not leverage hardware
• IBMJSSE2 – Secure Socket Layer and Transport Layer Security, leverages accelerator via JCE and IBMPKCS11 providers
• IBMPKCS11Impl – implements PKCS #11 standards, using IBMJCE and IBMJCA
• IBMJCEFIPS – provides FIPS approved cryptographic operations
• IBMJSSEFIPS – provides FIPS approved TLS ciphers
• IBMJCEHYBRID – this provider does not perform any crypto operations but makes intelligent decisions about where to route work after determining what resources are available
Page 10December 2014 zExchange – Crypto Wrapup
©
Java Keystores#
# Default keystore type.
#
keystore.type=jks
JKS – Java keystore (Sun proprietary)
JCEKS – IBM implementation of Sun keystore
JCERACFKS – uses the RACF database as keystore
JCECCA – use ICSF (PKDS) as keystore
JCECCARACFKS – uses the RACF database for storing the certificates and ICSF for storing the key material
Page 11December 2014 zExchange – Crypto Wrapup
©
Java References
• z/OS Java Security Frequently Asked Questions http://www.ibm.com/systems/z/os/zos/tools/java/faq/javasecurityfaq.html#cca_03
• Redbook• SG24-7610 Java Security and z/OS – The Complete View
• z/OS Unique Considerations for the Java2 SDK, Standard Edition, V7.0 ftp://public.dhe.ibm.com/s390/java/java7/zOSHWCryptoRefGuide.html
• z/OS Unique Considerations for the Java2 SDK, Standard Edition, V6.0 ftp://public.dhe.ibm.com/s390/java/jce4758/java6/zOSHWCryptoRefGuide.html
Page 12December 2014 zExchange – Crypto Wrapup
©
Secure Electronic Delivery
• Secure Delivery relies on System SSL• FTPS - Announcement Letter 212-086
• HTTPS - Announcement Letter 214-311
• SMP/E RECEIVE ORDER performs an additional validation of the data using a Java implementation
• If CPACF and ICSF are available, the hash is performed using the CSNBOWH API to access the CPACF
• If CPACF or ICSF is not available, SMP/E will use the MessageDigest class to perform the hash in software
Page 13December 2014 zExchange – Crypto Wrapup
©
Electronic Delivery - References
• HTTPS Support for Direct-to-Host Download• Announcement Letter 212-086, April 11, 2012• Announcement Letter 214-311, July 29, 2014
• Driver System Software Requirements (z/OS V2R1 Planning for Installation GA32-0890-02)
• http://publibz.boulder.ibm.com/epubs/pdf/e0z3b102.pdf
• Driver System Software Requirements (z/OS V1R13 Planning for Installation GA22-7504-28)
• http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/e0z2b1c3/3.2?SHELF=e0z2inc2&DT=20120919155103
• A (soon to be) practical Guide to TLS secured FTP (FTPS) for z/OS Users of IBM ShopZ
• http://guide.krzn.de/G105_Mar14/Guide%20to%20FTPS%20for%20ShopZ_24.03.2014.pdf
Page 14December 2014 zExchange – Crypto Wrapup
©
IBM Security Key Lifecycle Manager for z/OS• Pre-req for IBM DASD/Tape Encryption
• Serves keys to the drive• Disks at power-up
• Tapes at mount time
• Replaces EKM, TKLM, SKLM• No requirement for DB2, SSRE
December 2014 zExchange – Crypto Wrapup Page 15
EEDK
EAES256(Data)
EAES256(Data)Keystore
ISKLM
Random
Number
EPublic Key
(DataKey)
DataKey
©
Security Key Lifecycle Manager (ISKLM)
• Notification on expiration of certificates and that keys in a key group are running low
• On System z, z/OS can have FIPS 140-2 level 3 hardware key store
• Keystores
Page 16
–JCEKS
–JCECCAKS
–JCERACFKS
–JCECCARACFKS
December 2014 zExchange – Crypto Wrapup
©
ISKLM - References
• Tivoli ISKLM Website• http://www.ibm.com/software/tivoli/products/
security-key-lifecycle-mgr-z/
• Redpaper• REDP-4646 IBM Security Key Lifecycle Manager for z/OS:
Deployment and Migration Considerations• http://www.redbooks.ibm.com/abstracts/redp4646.html
Page 17December 2014 zExchange – Crypto Wrapup
©
IBM Ported Tools - OpenSSH
• OpenSSH provides secure encryption for remote login and file transfer
• OpenSSH will use the Random Number Generator on the Crypto Express card, if available
• With APAR OA37278, OpenSSH will use ICSF to perform TDES, AES (128-, 192- and 256-bit) and Symmetric MAC Verify/Generate using the CPACF
• Requires HCR7770
Page 18December 2014 zExchange – Crypto Wrapup
©
IBM Ported Tools - Ref
• IBM Ported Tools http://www.ibm.com/systems/z/os/zos/features/unix/ported/
• IBM Ported Tools for z/OS: OpenSSH User’s Guide http://www.ibm.com/systems/resources/fotza501.pdf
• Share presentation on OpenSSH https://share.confex.com/share/118/webprogram/Session10865.html
Page 19December 2014 zExchange – Crypto Wrapup
©
Enterprise Key Management Foundation• EKMF – Centralized Key Management Solution
• ACSP – Advanced Crypto Services Provider
• EKMP – Crypto Analytics Tool (CAT)
• IBM Payment Card Industry Hardware Collection
December 2014 zExchange – Crypto Wrapup Page 20
©
21
EKMP – Advanced Crypto Services Provider
The IBM EKMP-ACSP is a client/server solution that enables distributed platforms to use cryptographic hardware on a System z resulting in a cost effective use of available cryptographic capacity; and centralized key storage on System z helping simplify key management
Addresses the growing need for hardware based cryptographic services
on both IBM hardware crypto and on platforms that do not support IBM
hardware crypto or don’t have crypto hardware
Provides applications access to cryptographic services on a remote
System z server
Utilization of the cryptographic capacity – allowing the unused
capacity
Centralization of the operations for key management
DR simplification for business applications
December 2014 zExchange – Crypto Wrapup Page 21
©
22
EKMP-ACSP Components – Crypto as a Service
Business
ApplicationACSP Client ACSP Server
IBM Crypto
Hardware
Distributed Platforms
(System i/p/x or third party)
Server with IBM Crypto Hardware
Secure channel
• Capitalize on an existing scalable infrastructure and add security to new applications and platforms
• Broad platform support with ACSP – One of the pillars of the EKMF Security Solution
• ACSP client platforms• AIX, i5, Linux, Windows
• PureSystems
• (in reality any Java platform)
• ACSP client APIs• CCA in Java and C
• PKCS#11, JCE
Transport network
– IP
– SSL/TLS protected
(client/server auth,)
ACSP server platform
– System z: z/OS (CEX3/4)
– System p: AIX (4765)
– System x: SLES, RHEL (4765)
– PureSystems
December 2014 zExchange – Crypto Wrapup Page 22
©
References - IBM EKMF
Page 23
IBM System z Security: System z Security Page
– http://www.ibm.com/systems/z/solutions/security.html
Crypto Competency Center
– http://www.ibm.com/security/cccc/
– http://www.ibm.com/dk/security/cccc/products/index.html
Announcement Info
– www.ibm.com/systems/zsolutions
– Marketing flyer http://www-01.ibm.com/common/ssi/cgi-
bin/ssialias?subtype=SP&infotype=PM&appname=STGE_ZS_ZS_U
SEN&htmlfid=ZSS03094USEN&attachment=ZSS03094USEN.PDF
December 2014 zExchange – Crypto Wrapup
©
Four Things(you should be doing now)
• Rotate Your Keys• Master Keys
• Yearly/Biyearly/ … Every five years• After a Disaster Recovery Exercise• Document the process
• Application Keys• Frequency depends on the application
• Public/Private Keys• Certificates
December 2014 zExchange – Crypto Wrapup Page 24
©
• Secure Your Crypto Resources• Keystores
• Protect those clear keys
• Keys• Both production and test!
• APIs• Separation of duties
December 2014 zExchange – Crypto Wrapup Page 25
Four Things(you should be doing now)
©
• Capture Your Performance Data• RMF Hardware Activity Report (Type 70, Subtype 2)
• Workload Activity Report (Type 72)
• Type 30s (ICSF Counts in the Common Address Space Work
• CPU Measurement Facility (Type 113)
December 2014 zExchange – Crypto Wrapup Page 26
Four Things(you should be doing now)
©
• Know Your Users
December 2014 zExchange – Crypto Wrapup Page 27
Four Things(you should be doing now)