With the incidence of cyber hacks increasing on a regular basis, data security becomes more important than ever to IT professionals and CTOs. Recently, the z/OS Integrated Cryptographic Service Facility (ICSF ) team released their sixteenth downloadable web deliverable, FMID HCR77C0. The updates contained in this release are designed to enhance security, from improvements in ICSF administration to increased audit capabilities in support of compliance requirements. Let’s take a look at how the new features and functionality in the z/OS Integrated Cryptographic Service Facility (ICSF ) can help enhance the security of data, keys and digital signatures.
Ensuring Keys & Digital Signatures: Common Cryptographic Architecture (CCA) release 5.3 support
In conjunction with the release of ICSF WD#16, a new version of IBM’s Common Cryptographic Architecture was released, CCA Release 5.3. Improvements include:
- When generating RSA public keys, an application can now specify any one of the first five Fermat numbers (3, 5, 17, 257, 65537) for the public key exponent, providing the performance improvements associated with using Fermat prime numbers while allowing for additional options other than 3 and 65537.
- The Digital Signature Generate (CSNDDSG) and Digital Signature Verify (CSNDDSV) callable services have been updated to support RSASSA-PSS signature algorithm, which is becoming the preferred signature scheme for RSA keys (See RFC 4055 Additional RSA Algorithms and Identifiers). In addition, a “signature restriction” field has been added to certain RSA key tokens so that it is possible to restrict the use of a key to a single signature algorithm.
Unsupported key detection
In the HCR77A1 release from several iterations ago, ICSF deprecated support for Cryptographic Coprocessor Facility (CCF) hardware platforms. Along with the HW restriction came a deprecation of algorithms that were specific to CCF hardware. Since it is possible that algorithm specific CCF-only keys could remain in a Key Data Set (or KDS, either the CKDS for symmetric keys or PKDS for asymmetric keys), ICSF provided the means for customers to easily identify and remove those unsupported keys.
- A new health check has been created: IBMICSF,ICSF_UNSUPPORTED_CCA_KEYS. This health check will scan the CKDS and PKDS and list the labels of any records that contain unsupported keys.
- The CSFKDSL (Key Data Set List) callable service will accept a new search criteria that can be used to return a list of KDS records that contain unsupported key types. This list of labels can then be used with the appropriate Key Record Delete (CSNBKRD or CSNDKRD) service to delete the records permanently.
Simplifying dynamic options dataset refresh and avoiding downtime
ICSF supports many configuration options in what is referred to as the “Installation Options Dataset”. Prior to HCR77C0, in order to change most of these options (a small subset of ICSF configuration options already had other dynamic controls), it was necessary to stop and restart ICSF so that the options dataset would be read again during ICSF initialization. With this release, it is now possible to use an operator command (SETICSF OPTIONS,REFRESH) to cause the options dataset to be read again without stopping ICSF. Not all options can be “refreshed” with this technique, but many are supported which can help customers avoid downtime associated with changing ICSF options.
Enhanced audit capabilities help meet industry regulations
Along with the ever growing threat of security incidents comes an increased emphasis on standards compliance. Any business that handles sensitive data (e.g. financial, medical, personnel) will be required to meet industry specific regulations. To help, ICSF is continuing to refine its abilities to generate audit records for specific events. In HCR77C0, this includes:
- Key Lifecycle: Key material has a defined life cycle – keys are generated, updated, activated/deactivated, imported/exported, archived/restored, and perhaps eventually destroyed. ICSF now has the ability to generate SMF audit data for each of these key transitions. Also, for the first time, it is possible to audit the ICSF relevant life cycle of keys that are not stored in a KDS.
- Key Usage: ICSF now has the capability of generating audit data related to how a key is used, connecting the key to the application or user of that key.
- Old Master Key: When a master key is changed on a CCA coprocessor, knowledge of the previous master key is retained as the “old master key”. Key tokens that were enciphered under this key are still usable in services, but their use generates a warning reason code that indicates that the key should be reenciphered under the current master key. ICSF now has the ability to audit the use of “old master key” tokens.
- FIPSMODE adherence: ICSF supports a FIPS 140-2 compliant mode of operation. With HCR77C0, ICSF can generate audit data that verifies that cryptographic resources are used in a FIPS compliant manner.
Regional crypto enablement
Cryptographic technology is typically subject to a variety of import and export regulations strictly enforced by host governments. Businesses find themselves in a difficult situation where they are required to adhere to these regulations, which often mandate specific algorithms or product development standards, but have no support for this technology within their current IT infrastructure. z/OS and ICSF have addressed this situation with the concept of “regional crypto enablement” where ICSF can communicate with network attached cryptographic hardware as long as that hardware adheres to IBM’s Enterprise PKCS#11 (EP11) interface specification and can be authenticated by an IBM supplied certificate.
With HCR77C0, ICSF added support for Chinese specific encryption and hashing algorithms SM2, SM3, and SM4. The benefit is that now customers can deploy z/OS applications and make use of Chinese developed and supplied cryptography providers.
Note: Support for ICSF Regional Crypto Enablement was delivered via APAR OA49069.
As we’ve already discussed, the need to comply with security and cryptography related regulations is rampant in the industry. With that in mind, ICSF continues to renew and refresh its FIPS 140-2 certification in conjunction with z/OS System SSL. With HCR77C0, ICSF added four new callable services which allow SSL to exploit ICSF’s FIPS compliant PKCS#11 services for RSA operations. Rather than specifying a handle to an existing PKCS#11 key object, these services accept ASN.1 clear key structures.
The new services are:
- CSFPPPS2 PKCS#11 Private Key Structure Sign
- CSFPPPV2 PKCS#11 Public Key Structure Verify
- CSFPPPE2 PKCS#11 Public Key Structure Encrypt
- CSFPPPD2 PKCS#11 Private Key Structure Decrypt
Note: Support for the new callable services was delivered via APAR OA50113.
As an element of z/OS, ICSF is constantly striving to improve its usability in terms of basic administration, user interfaces, and RAS (Reliability, Availability, and Serviceability) characteristics. For HCR77C0, the following enhancements are available:
- Serviceability – Return and reason codes associated with SAF requests for ICSF resources are now logged in internal component trace records, to improve system configuration problem debug.
- Serviceability – The ICSF started task will terminate if one of the security or mainline installation exists fail. With HCR77C0, a message will be written to the console indicating which exit caused the problem.
- Usability – ICSF has long required a CKDS or PKDS even if the system is not using them to store keys. HCR77C0 lifts this restriction and allows ICSF to start without a CKDS or PKDS for CPACF or Accelerator functions.
- Serviceability – When performing a “Master Key Set” operation from the ICSF panel interface, a new long explanation message has been added to provide more information when the set fails.
- Usability – Scrolling on the coprocessor status panel has been improved.
Additional algorithm support
The PKCS#11 Secret Key Encrypt (CSFPSKE) and PKCS#11 Secret Key Decrypt (CSFPSKD) services have been added to support CS1 ciphertext stealing algorithm via new keyword CBC-CS.
For more information on IBM’s Integrated Cryptographic Service Facility (ICSF)
The IBM download page has additional information on the ICSF release as well as links to the product publications.
About the Author
Bob Petti is a Senior IBM z/OS Security ICSF Development and Test Engineer. Bob holds a degree in Electrical Engineering from the Rochester Institute of Technology.