ICSF HCR77C1, the z14 and Pervasive Encryption
ICSF is a component of z/OS and IBM is touting HCR77C1 and the z14 to deliver pervasive encryption.
The new IBM z14 server and Crypto Express6S card, which provides new cryptographic functionality, became generally available from IBM in September 2017. To exploit that new hardware, IBM introduced the latest level of Integrated Cryptographic Services Facility (ICSF), which provides additional functionality for managing your crypto environment and securing your data. ICSF is a component of z/OS and IBM is touting HCR77C1 and the z14 to deliver pervasive encryption.
This level of ICSF is formally called ”Cryptographic Support for z/OS V2R1 – z/OS V2R3” by IBM, but is often referred to by its FMID, HCR77C1. When the ICSF FMID ends in 0, that level of code will be incorporated into a base OS. z/OS 2.3 comes with HCR77C0 already installed. When the FMID ends in 1, as with HCR77C1, this is an orphan level of ICSF that will be replaced by another level before the next release of z/OS. This orphan will not be shipped as part of an OS release but can be downloaded from http://www.ibm.com/systems/z/os/zos/downloads/.
SHA-3 and SHAKE Hashing
The z14 server provides new functionality both in the CP Assist for Cryptographic Function (CPACF) hardware and the Crypto Express6S card. The CPACF hardware provides symmetric encryption and hashing functionality. New with the z14, the CPACF supports SHA-3 and SHAKE hashing. SHA-3 is the newest approved standard for the Secure Hashing Algorithm. When weaknesses were identified with the SHA-1 hash, there was a fear that SHA-2 might have similar issues, so the cryptographic experts started looking for a replacement algorithm. SHA-3 was selected by the National Institutes of Standards and Technology in the United States in 2015. It’s likely that current protocols will be updated to allow for the use of SHA-3, but no pressing requirement exists to replace SHA-2, which has proven to be resilient and has no current issues with the algorithm.
SHA-3 also includes two new variable-length hash functions, SHAKE128 and SHAKE256. These extendable-output functions (XOF) are also called sponge functions because they take an input message and ”squeeze” out bits, so the length of the output hash can be variable, as specified by the user.
The CPACF provides a true random number generator as well, via an instruction. Earlier generations of hardware provided a pseudo random number generator. Random numbers are valuable as key material or for one-time passwords.
Crypto Express 6S and PCI HSM
A new hardware security module (HSM) for the z14, called the Crypto Express6S or CEX6S, is also available. The CEX6S relies on the new 4768 Cryptographic Coprocessor Security Module. While your CEX5S can be brought forward from your z13, when ordering a new crypto card from IBM, the CEX6S is the only option for the z14. The crypto express cards are designed to meet stringent security standards, specifically FIPS 140-2. The new CEX6S is also designed to meet Payment Card Industry Hardware Security Module (PCI HSM) as well as several other industry standards. PCI HSM is a relatively new requirement, created by the PCI Security Standards Council. It defines a set of logical and physical security compliance standards for hardware that deals with credit card data. Note that a Trusted Key Entry workstation (TKE), running TKE 9.0 LIC, is required to enable PCI HSM mode.
Finally, both cryptographic devices are substantially faster than previous generations of the hardware. Those metrics are documented in the IBM z14 Performance of Cryptographic Operations document. This speed improvement, especially on the CPACF hardware, is critical to the success of pervasive encryption.
The new level of ICSF is required to exploit the new functionality in the CEX6S hardware. In addition, HCR77C1 introduces two new facilities that customers will find valuable.
CDKS Keys Utility and Pervasive Encryption
HCR77C1 provides a new Cryptographic Key Data Set (CKDS) Keys Utility that will be valuable for clients that want to kick the tires of pervasive encryption. The CKDS is the ICSF key repository for symmetric keys. To support data set encryption, the utility can generate an AES secure key, including AES-256 bit keys that are required for encrypting data sets under the pervasive encryption banner. The user simply provides the key label and length, and the utility will create a key and insert that key into the keystore. This utility is really for generating a low-volume of keys such as for prototyping data set encryption. For larger key volumes or for creating other key types, clients should consider a key management tool like the Key Generation Utility Program (KGUP) that comes with ICSF and is valuable for a moderate volume of keys. For larger volumes, Enterprise Key Management Foundation (EKMF) is IBM’s solution. EKMF can also help automate the process of managing keys especially for key rotation.
In addition to inserting key material, the CKDS Keys Utility can also be used to manage keys in the CKDS, not just the AES secure keys. Managing keys includes deleting and changing the archive status. And probably most valuable, the utility can simply list the keys in the keystore. The information displayed includes the key label and attributes (e.g., key type, key length and key check value). The CKDS Keys Utility will also display metadata (e.g., validity dates, date last used, date last updated) associated with the key. And some of this metadata can be modified using the panel interface. Note that the user of the utility needs the appropriate System Authorization Facility (SAF) authority to view or change this data.
HCR77C1 Performance Metrics
Also new with HCR77C1 are additional performance metrics. Prior to this new SMF record, crypto metrics were woefully lacking and the data that was available had to be interpreted carefully. By specifying the STATS parameter, in the ICSF Options, ICSF can capture one or more new counters:
- ENG–usage tracking of crypto engines including CPACF, crypto express cards, regional cryptographic servers and even software engines
- SERV–usage tracking of crypto services (i.e., ICSF APIs and UDXes)
- ALG–usage tracking of crypto algorithms including limited support for key generation, key derivation and key import
In addition to counting calls to the CPACF engine or the Crypto Express cards, these metrics could identify the use of weak algorithms or keys, such as single- or double-length DES keys. These counters are reported in the new SMF Cryptographic Usage Statistics record (Type 82, Subtype 31).
A new STATSFILTERS parm specified in the ICSF Options, which will cause this data to be aggregated in high volume environments, such as with CICS, was also introduced.
Finally, consistent with IBM’s recommendation that ICSF be ”always up,” the ICSF manuals now document that ICSF can be started even before JES is active by specifying SUB=MSTR. Once pervasive encryption is enabled, ICSF must be active to service requests to encrypt an decrypt all of those data sets. ICSF has also been updated to be better behaved in terms of cross memory usage and it can now be started with REUSASID=YES.
Simplifying Key Generation
Going back to my systems programming roots, now that HCR77C1 has been aged for over six months, it’s probably safe to consider downloading and installing this new level of ICSF. If you are upgrading your OS, instead of simply upgrading to the level of ICSF that’s packaged with z/OS, you should consider laying HCR77C1 down on top of that before going into production. With the new Cryptographic Usage Stats record you can get a better idea of what your typical ICSF workload looks like and then watch for impacts as you implement new cryptographic functions like pervasive encryption. And the CKDS Keys Utility will certainly simplify key generation for testing pervasive encryption.