©

December 2014

Crypto WrapUpMore Crypto Consumers &

Four Things You Should Be Doing Now In Your Crypto Environment

Greg Boyd

gregboyd@mainframecrypto.com

www.mainframecrypto.com

©

Crypto WrapUp• Crypto Consumers

• Encryption Facility• PKI Services• Java• Electronic Delivery• ISKLM (TKLM & EKM)

• DASD/Tape Encryption• Keystores

• EKMF• Advanced Crypto Service Provider

• Ported Tools

• Four Things• Rotate Your Keys• Secure Your Crypto Resources• Capture Crypto Performance Data• Know Your Users

Page 2December 2014 zExchange – Crypto Wrapup

©

Page 3

Feature:DFSMSdss™ Encryption

Optional Priced Feature

IBM Encryption Facility for z/OS, 1.2Program number: 5655-P97

MSU-based pricing*

Java ClientWeb Download

Feature:

Encryption ServicesOptional Priced Feature

Java technology-based code that

allows client systems (z/OS and

non-z/OS) to decrypt and encrypt

data for exchange with z/OS

systems (zFormat)

z Format

Supports encrypting and

decrypting of data at rest

(tapes, disk)

Supports either Public

Key/Private keys or

passwords to create highly-

secure exchange between

partners

OpenPGP Format

Internet Standard RFC4880

zAAP eligible

X.509 or OpenPGP

Certificates

Allows encryption and

compression of DUMP data

sets created by

DFSMSdss™

Supports decryption and

decompression during

RESTORE

•Variable Workload License Charges (VWLC), Entry Workload License Charges (EWLC), zSeries Entry License Charges™ (zELC), Parallel Sysplex® License Charges (PSLC)

Decryption Client for z/OSWeb Download

Decryption only code designed to run

on z/OS systems. (i.e. zFormat)

December 2014 zExchange – Crypto Wrapup

©

Sharing the Encryption Key

• System z format• Passphrase - Data is protected by a key generated, using

PKCS #12, from that passphrase

• RSA - Data is protected by a random number, and that random number key is protected by a public/private key pair

• OpenPGP format• Data is protected by a random number

• Data key is protected• Passphrase Based Encryption (PBE) – passphrase is used to calculate

a key that is used to encrypt the data key

• OpenPGP Certificates – use a public/private key to protect the data key (does not support Web of Trust)

Page 4December 2014 zExchange – Crypto Wrapup

©

Hardware Usage – Encryption Facility• zFormat

• CLRTDES, CLRAES parms – CPACF• ENCTDES parm – CEX• Passphrase option – CPACF• RSA option – CEX

• OpenPGP – Java based, so the hardware required depends on the security provider you specify

• JCE – software only encryption, does not leverage hardware

• JCECCA – requires Crypto Express cards (even if you only want to use the CPACF)

Page 5December 2014 zExchange – Crypto Wrapup

©

Encryption Facility Resources

• Pubs• SA23-2229 Encryption Facility for z/OS Planning and Customizing• SA23-2230 Encryption Facility for z/OS Using Encryption Facility for

OpenPGP

• Redbooks www.redbooks.ibm.com/• REDP-4334 Encryption Facility R2 for z/OS Performance• SG24-7434 Encryption Facility for z/OS V1.2 OpenPGP Support• SG24-7318 Encryption Facilty for z/OS V1.1

• TechDocs w3.ibm.com/support/techdocs• TD103132 Checklist for Features Required to use the IBM

Encryption Facility• WP100700 Encryption Facility for z/OS – Performance and Sizing

Page 6December 2014 zExchange – Crypto Wrapup

©

Page 7

ƒCA Generates

and distributes

certificate

ƒ Certificate

Expires

Or

ƒ Administrator or

User Revokes

Certificate

ƒ User Requests

Certificate

PKI Services - Certificate Life Cycle Management

ƒ User Renews

Certificate

ƒ Administrator

Approves the

request

ƒ Owner uses the

certificate

December 2014 zExchange – Crypto Wrapup

©

Page 8

End User

Browser

Administrator

Browser

OCSP

Request

SCEP

Request

End User CGI Scripts

Admin CGI Scripts

OCSP CGI program

SCEP CGI program

SMF

z/OS HTTP Server

PC

End User JSPs/Servlets

Admin JSPs/Servlets

Websphere Application

Server

End User

Browser

Administrator

Browser

H

T

T

P

D

CMP CGI program

CMP

Request

RACF Glue Routine

(IRRRPXGL)

SAF Callable Service

(IRRSPX00)

RACF Callable Service

(IRRRPX00 - R_PKIServ)JNI

RACF

Database

Exit

Exit

ICSF

LDAP

Directory

Certificate

Requests

Issued

Certificates

Timer Events thread

CRL processing thread

Service thread Monitor

Service threads

Main thread:

Process Console

Commands

Daily Timer thread

PKI Services Daemon Address Space

VSAM or DB2

VSAM or DB2

Exit Syste

m S

SL A

PIs

PKDS

TKDS

PKI Components

December 2014 zExchange – Crypto Wrapup

©

PKI Services References

• Cryptographic Services• Cryptographic Services PKI Services Guide and

Reference Version 2 Release 1 (SA23-2286)

• PKI Services Website• http://www.ibm.com/servers/eserver/zseries/zos/pki

• PKI Services Redbook – Implementing PKI Services on z/OS

• http://www.redbooks.ibm.com/abstracts/sg246968.html

December 2014 zExchange – Crypto Wrapup Page 9

©

Java – Security Providers (/jre/lib/security/java.security)• IBMJCE – Java Cryptography Extension, does not leverage

hardware

• IBMJCECCA – Java Cryptography Extension, does leverage hardware

• IBMJSSE – Secure Socket Layer (SSL) and Transport Layer Security (TLS), does not leverage hardware

• IBMJSSE2 – Secure Socket Layer and Transport Layer Security, leverages accelerator via JCE and IBMPKCS11 providers

• IBMPKCS11Impl – implements PKCS #11 standards, using IBMJCE and IBMJCA

• IBMJCEFIPS – provides FIPS approved cryptographic operations

• IBMJSSEFIPS – provides FIPS approved TLS ciphers

• IBMJCEHYBRID – this provider does not perform any crypto operations but makes intelligent decisions about where to route work after determining what resources are available

Page 10December 2014 zExchange – Crypto Wrapup

©

Java Keystores#

# Default keystore type.

#

keystore.type=jks

JKS – Java keystore (Sun proprietary)

JCEKS – IBM implementation of Sun keystore

JCERACFKS – uses the RACF database as keystore

JCECCA – use ICSF (PKDS) as keystore

JCECCARACFKS – uses the RACF database for storing the certificates and ICSF for storing the key material

Page 11December 2014 zExchange – Crypto Wrapup

©

Java References

• z/OS Java Security Frequently Asked Questions http://www.ibm.com/systems/z/os/zos/tools/java/faq/javasecurityfaq.html#cca_03

• Redbook• SG24-7610 Java Security and z/OS – The Complete View

• z/OS Unique Considerations for the Java2 SDK, Standard Edition, V7.0 ftp://public.dhe.ibm.com/s390/java/java7/zOSHWCryptoRefGuide.html

• z/OS Unique Considerations for the Java2 SDK, Standard Edition, V6.0 ftp://public.dhe.ibm.com/s390/java/jce4758/java6/zOSHWCryptoRefGuide.html

Page 12December 2014 zExchange – Crypto Wrapup

©

Secure Electronic Delivery

• Secure Delivery relies on System SSL• FTPS - Announcement Letter 212-086

• HTTPS - Announcement Letter 214-311

• SMP/E RECEIVE ORDER performs an additional validation of the data using a Java implementation

• If CPACF and ICSF are available, the hash is performed using the CSNBOWH API to access the CPACF

• If CPACF or ICSF is not available, SMP/E will use the MessageDigest class to perform the hash in software

Page 13December 2014 zExchange – Crypto Wrapup

©

Electronic Delivery - References

• HTTPS Support for Direct-to-Host Download• Announcement Letter 212-086, April 11, 2012• Announcement Letter 214-311, July 29, 2014

• Driver System Software Requirements (z/OS V2R1 Planning for Installation GA32-0890-02)

• http://publibz.boulder.ibm.com/epubs/pdf/e0z3b102.pdf

• Driver System Software Requirements (z/OS V1R13 Planning for Installation GA22-7504-28)

• http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/e0z2b1c3/3.2?SHELF=e0z2inc2&DT=20120919155103

• A (soon to be) practical Guide to TLS secured FTP (FTPS) for z/OS Users of IBM ShopZ

• http://guide.krzn.de/G105_Mar14/Guide%20to%20FTPS%20for%20ShopZ_24.03.2014.pdf

Page 14December 2014 zExchange – Crypto Wrapup

©

IBM Security Key Lifecycle Manager for z/OS• Pre-req for IBM DASD/Tape Encryption

• Serves keys to the drive• Disks at power-up

• Tapes at mount time

• Replaces EKM, TKLM, SKLM• No requirement for DB2, SSRE

December 2014 zExchange – Crypto Wrapup Page 15

EEDK

EAES256(Data)

EAES256(Data)Keystore

ISKLM

Random

Number

EPublic Key

(DataKey)

DataKey

©

Security Key Lifecycle Manager (ISKLM)

• Notification on expiration of certificates and that keys in a key group are running low

• On System z, z/OS can have FIPS 140-2 level 3 hardware key store

• Keystores

Page 16

–JCEKS

–JCECCAKS

–JCERACFKS

–JCECCARACFKS

December 2014 zExchange – Crypto Wrapup

©

ISKLM - References

• Tivoli ISKLM Website• http://www.ibm.com/software/tivoli/products/

security-key-lifecycle-mgr-z/

• Redpaper• REDP-4646 IBM Security Key Lifecycle Manager for z/OS:

Deployment and Migration Considerations• http://www.redbooks.ibm.com/abstracts/redp4646.html

Page 17December 2014 zExchange – Crypto Wrapup

©

IBM Ported Tools - OpenSSH

• OpenSSH provides secure encryption for remote login and file transfer

• OpenSSH will use the Random Number Generator on the Crypto Express card, if available

• With APAR OA37278, OpenSSH will use ICSF to perform TDES, AES (128-, 192- and 256-bit) and Symmetric MAC Verify/Generate using the CPACF

• Requires HCR7770

Page 18December 2014 zExchange – Crypto Wrapup

©

IBM Ported Tools - Ref

• IBM Ported Tools http://www.ibm.com/systems/z/os/zos/features/unix/ported/

• IBM Ported Tools for z/OS: OpenSSH User’s Guide http://www.ibm.com/systems/resources/fotza501.pdf

• Share presentation on OpenSSH https://share.confex.com/share/118/webprogram/Session10865.html

Page 19December 2014 zExchange – Crypto Wrapup

©

Enterprise Key Management Foundation• EKMF – Centralized Key Management Solution

• ACSP – Advanced Crypto Services Provider

• EKMP – Crypto Analytics Tool (CAT)

• IBM Payment Card Industry Hardware Collection

December 2014 zExchange – Crypto Wrapup Page 20

©

21

EKMP – Advanced Crypto Services Provider

The IBM EKMP-ACSP is a client/server solution that enables distributed platforms to use cryptographic hardware on a System z resulting in a cost effective use of available cryptographic capacity; and centralized key storage on System z helping simplify key management

Addresses the growing need for hardware based cryptographic services

on both IBM hardware crypto and on platforms that do not support IBM

hardware crypto or don’t have crypto hardware

Provides applications access to cryptographic services on a remote

System z server

Utilization of the cryptographic capacity – allowing the unused

capacity

Centralization of the operations for key management

DR simplification for business applications

December 2014 zExchange – Crypto Wrapup Page 21

©

22

EKMP-ACSP Components – Crypto as a Service

Business

ApplicationACSP Client ACSP Server

IBM Crypto

Hardware

Distributed Platforms

(System i/p/x or third party)

Server with IBM Crypto Hardware

Secure channel

• Capitalize on an existing scalable infrastructure and add security to new applications and platforms

• Broad platform support with ACSP – One of the pillars of the EKMF Security Solution

• ACSP client platforms• AIX, i5, Linux, Windows

• PureSystems

• (in reality any Java platform)

• ACSP client APIs• CCA in Java and C

• PKCS#11, JCE

Transport network

– IP

– SSL/TLS protected

(client/server auth,)

ACSP server platform

– System z: z/OS (CEX3/4)

– System p: AIX (4765)

– System x: SLES, RHEL (4765)

– PureSystems

December 2014 zExchange – Crypto Wrapup Page 22

©

References - IBM EKMF

Page 23

IBM System z Security: System z Security Page

– http://www.ibm.com/systems/z/solutions/security.html

Crypto Competency Center

– http://www.ibm.com/security/cccc/

– http://www.ibm.com/dk/security/cccc/products/index.html

Announcement Info

– www.ibm.com/systems/zsolutions

– Marketing flyer http://www-01.ibm.com/common/ssi/cgi-

bin/ssialias?subtype=SP&infotype=PM&appname=STGE_ZS_ZS_U

SEN&htmlfid=ZSS03094USEN&attachment=ZSS03094USEN.PDF

December 2014 zExchange – Crypto Wrapup

©

Four Things(you should be doing now)

• Rotate Your Keys• Master Keys

• Yearly/Biyearly/ … Every five years• After a Disaster Recovery Exercise• Document the process

• Application Keys• Frequency depends on the application

• Public/Private Keys• Certificates

December 2014 zExchange – Crypto Wrapup Page 24

©

• Secure Your Crypto Resources• Keystores

• Protect those clear keys

• Keys• Both production and test!

• APIs• Separation of duties

December 2014 zExchange – Crypto Wrapup Page 25

Four Things(you should be doing now)

©

• Capture Your Performance Data• RMF Hardware Activity Report (Type 70, Subtype 2)

• Workload Activity Report (Type 72)

• Type 30s (ICSF Counts in the Common Address Space Work

• CPU Measurement Facility (Type 113)

December 2014 zExchange – Crypto Wrapup Page 26

Four Things(you should be doing now)

©

• Know Your Users

December 2014 zExchange – Crypto Wrapup Page 27

Four Things(you should be doing now)

©

Questions?

Page 28December 2014 zExchange – Crypto Wrapup