Security

• A Java layer, the JCA
• A PKCS#11 layer provided by openCryptoki on Linux
• Platform-specific libraries that exploit hardware-specific functions.

The JCA is a plug-in framework that supports registration of multiple providers of cryptographic functions. This lets a program use a cryptographic function from any of the installed providers that support the required function. The provider to be used can either be selected explicitly by the program or automatically, according to a priority assigned to the providers when configured. The JCE is an API for such a JCA provider. The IBMJCE provider is a software implementation of the JCE. Alternatively, the IBMPKCS11Impl provider is an implementation of JCE that calls a function from a library implementing the PKCS#11 standard.

The PKCS#11 standard describes a plug-in framework to address cryptographic functions implemented in hardware; it's designed to provide a set of slots into which different tokens can be inserted. (To learn more about PKCS#11, the cryptographic token interface standard, see www.rsa.com/rsalabs/node.asp?id=2133.) The terminology was initially developed for smart cards: the cards are the tokens and the smart card readers are the slots. Implementation-wise, a slot is just an identifier (i.e., a small number) and a token is a library providing access to specific cryptographic hardware.

OpenCryptoki is an open source implementation of the PKCS#11 standard. OpenCryptoki comes with two System z-specific tokens, the icatoken for clear key cryptography, which calls the libica library, and the ccatoken for secure key cryptography, which calls the libcsulcca library. In addition, there’s a softtoken that provides software implementations of cryptographic functions and is mainly intended for testing openCryptoki.

The libica library provides an API to access the hash and clear key cryptographic functions available via the CPACF and the clear key RSA functions available from the Crypto Express adapters. The libcsulcca library implements an API for CCA and accommodates secure key cryptography functions provided by Crypto Express coprocessors. To access the Crypto Express adapters, you must install the z90crypt Linux kernel module.

A Simple Java Program
The simple Java program, Encrypt0.java (see Figure 2), can be used to demonstrate how to configure the software stack to exploit System z crypto hardware. This program generates a random AES key and AES cipher object. The AES cipher object is initialized for encryption with the generated key and is used to encrypt a plain text message constant. The AES cipher object is then reinitialized for decryption with the generated key and used to decrypt the cipher text that resulted from the previous encryption. The program outputs the initial plain text, the encrypted plain text and the result of decrypting the encrypted plain text as integer encoded bytes.

The program uses the JCE API to access cryptographic functions and runs on every system because all the needed cryptographic functions are implemented in the IBM JCE provider. To run the program, the source code must first be compiled with:

# javac Encrypt0.java

Then the program can be started with the code shown in Figure 3. The second line of the output, which shows the encrypted message, should look different for every call of the program because it depends on the key that's randomly generated. The first line, the initial plain text, and the last line, the decrypted cipher text, will look the same.
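The following added example is not the article's Encrypt0.java; it is a separate sketch of the same encrypt/decrypt round trip that also shows the two JCA provider selection modes described earlier and reports which provider actually served the cipher. The class name ProviderDemo, the sample message and the choice of AES-GCM with a random nonce are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (hypothetical class name), not the article's Encrypt0.java.
public class ProviderDemo {
    // Assumption: explicit AES-GCM; a bare "AES" transformation would default to ECB mode.
    static final String TRANSFORMATION = "AES/GCM/NoPadding";

    public static void main(String[] args) throws Exception {
        // Optional first argument: name of the provider to select explicitly.
        String provider = args.length > 0 ? args[0] : null;
        // Installed providers in priority order (position 1 is tried first).
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.println((i + 1) + ": " + installed[i].getName());
        }

        // Without a provider name, the JCA picks by configured priority.
        KeyGenerator keyGen = provider == null
                ? KeyGenerator.getInstance("AES")
                : KeyGenerator.getInstance("AES", provider);
        keyGen.init(128);
        SecretKey key = keyGen.generateKey();

        Cipher cipher = provider == null
                ? Cipher.getInstance(TRANSFORMATION)
                : Cipher.getInstance(TRANSFORMATION, provider);
        byte[] iv = new byte[12];                 // fresh 96-bit nonce per encryption
        new SecureRandom().nextBytes(iv);
        byte[] plain = "Constructed sample message".getBytes(StandardCharsets.UTF_8);

        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] encrypted = cipher.doFinal(plain);
        // With automatic selection the provider is bound at init(), so report it afterwards.
        System.out.println("Cipher served by: " + cipher.getProvider().getName());
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] decrypted = cipher.doFinal(encrypted);

        // Plain text, cipher text and decrypted text as integer-encoded bytes.
        System.out.println(Arrays.toString(plain));
        System.out.println(Arrays.toString(encrypted));
        System.out.println(Arrays.toString(decrypted));
    }
}
```

Run it without arguments to see priority-based selection, or pass one of the listed provider names to select that provider explicitly; a provider that does not implement the requested transformation fails at getInstance with NoSuchAlgorithmException.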

 

 
