Jun 8 ’11
Linux for System z Crypto Breaks New Ground
Thanks to client involvement, the secure key and protected key cryptography on System z continue to expand to meet the needs of the most sophisticated applications.
Customers around the globe have helped guide the future of cryptography for System z. Customer Crypto Councils have become a regular forum for IBM to share information about cryptographic offerings while helping discover and respond to client pain points, individual requirements, regulatory hurdles, and future needs. Crypto Councils in Europe and the Americas have brought together IBM and numerous clients to evaluate what’s available today and what’s needed tomorrow.
This customer-driven approach is working and producing clear results; it’s guiding the future of the host library for Linux on System z, Integrated Cryptographic Service Facility (ICSF) for z/OS, and crypto hardware.
This article explores the list of new cryptographic functions available to applications deployed on Linux on System z; it’s an update to the article, “The New Frontier for Cryptography on Linux on System z,” which appeared in the October/November 2010 issue of z/Journal (www.mainframezone.com/it-management/the-new-frontier-for-cryptography-on-linux-on-system-z). It also highlights the new functionality available to applications that depend on either secure key or protected key cryptographic solutions. (The clear key cryptographic support that’s already available to Linux on System z isn’t addressed here.)
What’s New for Secure Key
The third release of IBM’s Common Cryptographic Architecture (CCA) host library, formally known as the IBM CEX3C Common Cryptographic Architecture Support Program for Linux on System z 4.1.0, is available for download. This host library is commonly known as CCA 4.1. For compatibility, this new host library can be used in place of its predecessors, along with the necessary CryptoExpress2 or CryptoExpress3 PCI card, to provide the same functionality these cards previously provided. It’s the combination of the CCA host library and the crypto card, when configured in co-processor mode, that enables applications to solve complex cryptographic problems. This article examines the new host library with the latest CryptoExpress3 card and expands on the four primary areas affected:
- Personal Identification Number (PIN) security was enhanced to implement the processing restrictions as described in the American National Standards Institute (ANSI) X9.8 standard.
- An additional key wrapping method was added for CCA keys.
- Hash Message Authentication Code (HMAC) was expanded with several new verbs.
- A new Elliptic Curve Cryptography (ECC) algorithm, which can be used for digital signature generation and verification, was added.
For more on what’s new for Linux for System z in the 4.1.0 release of the CCA host library, see the latest version of the Secure Key Solution with the Common Cryptographic Architecture Application Programmer’s Guide (SC33-8294-02). You can access this book by selecting the Library tab at www.ibm.com/security/cryptocards/pciecc/overview.shtml. Here’s a brief description of the new functions and features available to both C and Java programs:
Enhanced PIN security mode: This was added to help block PIN attacks. This new support is needed to implement restrictions required by the ANSI X9.8 PIN standard to help block attacks that might come, for example, from rogue Automated Teller Machine (ATM) transactions. It’s important to protect these kinds of transactions from well-documented attacks. The first step to enforcing these restrictions and thwarting such attacks is to enable three new access control points:
- ANSI X9.8 PIN—Enforce PIN block restrictions
- ANSI X9.8 PIN—Allow modification of PAN
- ANSI X9.8 PIN—Allow only ANSI PIN block.
These new access control points affect the Clear PIN Generate Alternate (CSNBCPA), Encrypted PIN Translate (CSNBPTR), and Secure Messaging for PINs (CSNBSPN) verbs.
CCA key wrapping using a new Cipher-Block Chaining (CBC) mode: Previously, Electronic Code Book (ECB) mode wrapping was the norm. Enhanced key wrapping via the more secure CBC mode helps applications comply with current cryptographic standards that require key bundling. Both ECB and CBC mode key wrapping can coexist, letting existing applications expand to use the new CBC mode without sacrificing legacy data.
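Why chaining matters for key bundling, shown as an added illustration that is not from the article and is not IBM's CCA code: under ECB each half of a double-length key is enciphered on its own, so the wrapped halves can be reordered or compared; under CBC they are tied together. The toy 64-bit Feistel cipher (built from HMAC-SHA-256), the zero IV, the key values and all function names are assumptions; the CCA token format and its actual enhanced wrapping method are not reproduced.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit block, the DES/TDES block size

def _f(kek, i, half):  # toy round function: a stand-in, NOT DES or AES
    return hmac.new(kek, bytes([i]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(kek, blk, decrypt=False):
    # Decryption is the same rounds in reverse order with the halves swapped.
    l, r = (blk[4:], blk[:4]) if decrypt else (blk[:4], blk[4:])
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, _xor(l, _f(kek, i, r))
    return r + l if decrypt else l + r

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def wrap(kek, key, cbc):
    out, prev = [], bytes(BLOCK)              # zero IV (assumption)
    for part in _blocks(key):
        prev = feistel(kek, _xor(part, prev) if cbc else part)
        out.append(prev)
    return b"".join(out)

def unwrap(kek, blob, cbc):
    out, prev = [], bytes(BLOCK)
    for c in _blocks(blob):
        p = feistel(kek, c, decrypt=True)
        out.append(_xor(p, prev) if cbc else p)
        prev = c
    return b"".join(out)

def compare_modes():
    kek = bytes(range(16))                    # constructed key-encrypting key
    left, right = b"LEFTHALF", b"RGHTHALF"    # constructed double-length key halves
    result = {}
    for name, cbc in (("ecb", False), ("cbc", True)):
        blob = wrap(kek, left + right, cbc)
        swapped = blob[BLOCK:] + blob[:BLOCK]  # wrapped halves in reversed order
        result[name + "_round_trip"] = unwrap(kek, blob, cbc) == left + right
        result[name + "_swap_gives_reordered_key"] = unwrap(kek, swapped, cbc) == right + left
        twin = _blocks(wrap(kek, left + left, cbc))
        result[name + "_equal_halves_show"] = twin[0] == twin[1]
    return result
```

With CBC the reordered blob unwraps to unrelated bytes rather than to a usable reordered key; chaining alone does not flag the change, which is a separate integrity check.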
ECC support: As algorithms age and computing power increases, it’s constantly necessary to evaluate the viability of the current state of cryptography and security of cryptographic algorithms. It is clear there soon will be a need for ECC. This support begins with the ability to perform key generation and digital signature generation and verification using the Elliptic Curve Digital Signature Algorithm (ECDSA). Digital signatures are commonly used to verify that a piece of data wasn’t changed between the time it was signed and the time it was used. Financial institutions do this to ensure a banking transaction initiated by a known customer wasn’t tampered with and can be trusted. Ensuring that a customer has chosen to transfer $10 as opposed to $10,000 is critical to the financial institution’s reputation. The addition of this new algorithm also requires a new Public Key Algorithm (PKA) key token for storing the ECC public key cryptographic keys and a new Asymmetric PKA (APKA) master key—a 32-byte key that complies with the Advanced Encryption Standard (AES) for wrapping an ECC key token. Extended support was also needed for the Master Key Process (CSNBMKP) verb.
HMAC expansion: With CCA 4.1, these verbs were added to enhance key generation and processing:
- The HMAC Generate (CSNBHMG) verb generates a keyed HMAC for the text string provided as input to this verb.
- The HMAC Verify (CSNBHMV) verb verifies a keyed HMAC for the text string provided as input to this verb.
- The Key Generate2 (CSNBKGN2) verb is used to generate one or two HMAC keys. These keys are returned encrypted only, never in the clear. This verb returns a CCA key token.
- The Key Part Import2 (CSNBKPI2) verb is used to enter and combine one or more clear key parts and return a complete key value. The key can be in a variable-length internal key token or stored in a key file.
- The Key Test2 (CSNBKYT2) verb is used to generate or verify a secure cryptographic verification pattern for keys contained in a key token.
- The Key Token Build2 (CSNBKTB2) verb can build a variable-length key token for all supported key types, including HMAC keys. The key token can be used as input to the Key Generate2, Key Part Import2, and Key Test2 verbs.
- The Key Token Change2 (CSNBKTC2) verb is needed to re-encipher a variable-length HMAC key from encryption under an old master key to encryption under a current (new) master key. When master keys are changed as part of the enterprise security policy, it’s necessary to re-encipher HMAC keys under the new master key within the boundaries of the physically secure hardware.
- The Key Translate2 (CSNBKTR2) verb is used to move an HMAC key from encryption under one key to encryption under another key. This verb uses one key-encrypting key to decipher an input HMAC key in the secure hardware environment, then enciphers the HMAC key using a different key-encrypting key—producing an output key, never letting the clear HMAC key leave the secure boundary of the hardware. Only the encrypted input and output HMAC keys are available outside the hardware.
- The Restrict Key Attribute (CSNBRKA) verb is used to modify an exportable internal or external variable-length HMAC key token so its key can no longer be exported.
- The Symmetric Key Import2 (CSNDSYI2) verb is used to import an HMAC key that has been previously formatted and enciphered under an RSA public key by the Symmetric Key Export (CSNDSYX) verb and is contained in an external variable-length symmetric key token. The recovered HMAC key is re-enciphered in the physically secure crypto hardware under the AES master key and returned in an internal variable-length symmetric key token.
The Future With ECC
The ECC algorithm is a public key cryptographic approach similar in use to the RSA algorithm. (RSA stands for Rivest, Shamir and Adleman, who first publicly described it.) This new approach uses the algebraic structure of elliptic curves over finite fields. Several protocols were adapted to use elliptic curves, and in this release of the CCA host library, the ECDSA was implemented and can be used for digital signature solutions. From the list of curves available, IBM chose to support the Brainpool and Prime curves.
ECC has been gaining momentum recently and has been recognized internationally by financial institutions as the follow-on to the currently pervasive RSA algorithm. These organizations have been marching toward a timeline when all public key solutions must be switched over to ECC. This process will take years, so it was important that the ECC capability was provided in a timely fashion to ensure a smooth, seamless transition. In the U.S., the National Security Agency (NSA) developed Suite B, which is a group of algorithms they deem worthy to protect our national secrets. Suite B mandates ECC for digital signature generation and key exchange. With that in mind, it’s time to start thinking about ECC and develop a plan for exploiting this new algorithm with new applications. Depending on a client’s security policy or the security requirements for their data and/or process, the client should give consideration to migrating current solutions from their existing RSA implementation to use ECC.
The CCA host library provides several exciting new enhancements. Whether the requirement is for support of sophisticated ECC, extensions to HMAC, or the new CBC mode key wrapping, options are now available to new or existing applications deployed on Linux on System z. With this new support, the host library available to Linux on System z takes another step closer to supporting the robust set of functions available to z/OS applications via ICSF.
The CCA host library can be located by selecting the Software Downloads tab at www.ibm.com/security/cryptocards/pciecc/overview.shtml. There’s no charge for the CCA host library for Linux on System z. The documentation mentioned is an in-depth source of information for getting started and creating both C and Java-based applications to meet the demanding cryptographic needs of today’s secure key solutions.