For encrypting "data at rest", the CPACF is really all he needs. The
Crypto Express is intended to speed up key negotiations between sites,
something not needed for his intended plans.

Tony Thigpen
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

CPACF is best for bulk encryption. Thousands of times faster than Crypto Express (for bulk and Clear Key). If security of encryption keys is an issue, consider using Protected Key (secure keys running on CPACF - requires RACF/SAF definition).

There are several things intertwined here.


* CPACF is the "crypto on the chip" - z Systems instructions that do AES et al.

* CEX is the z HSM.

* ICSF is, of course, the z/OS service that talks to both (though you can do CPACF operations directly as well).

With just CPACF, you're forced to use what's called Clear Key operation: keys are stored (somewhere, somehow-perhaps in CKDS), are fetched, and are passed to CPACF to do operations.

With CEX in the mix, you add two more options: Secure Key and Protected Key.

Secure Key means that keys are generated by the CEX, wrapped (encrypted) using keys known only to the CEX, and then passed to z/OS, which stores them (usually in CKDS). When an operation is performed, that wrapped key and the data are passed to the CEX, which unwraps the key, does the operation, and returns the result. Very secure, if relatively slow.

Protected Key means that keys are generated by the CEX, wrapped, and stored in CKDS, like Secure Key. BUT when an operation is needed, an ICSF call takes that wrapped key and passes it to the CEX, where it is unwrapped, rewrapped using an ephemeral key generated just for the current IPL, and that key is returned. That ephemeral key is also passed to the firmware, so it's available to CPACF. Then the actual operation is performed by passing the rewrapped key: CPACF unwraps it using that ephemeral key, does the operation, returns the result. And ICSF remembers that it's done this, so the next operation using that key doesn't talk to the HSM at all. This gets you almost all of the performance and pretty well all of the security of Secure Key (arguably the firmware is slightly less secure than the tamper-resistant HSM, but the memory used in the firmware to hold that key is protected-it's apparently not even visible in HMC dumps).

So your customer can switch to using Protected Key, at least in theory. How hard this is will depend on how keys are generated and managed now, as well as whether they're using ICSF or 'raw' CPACF now, as well as whether they're up for reprotecting all of their existing data with the new key.

Does this help?
--
...phsiii

Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
Distinguished Technologist
HPE Data Security

***@hpe.com<mailto:***@hpe.com>
T 703-476-4511
M 703-568-6662
Hewlett Packard Enterprise
Herndon, VA


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

Since I design some of this stuff, I can help clarify - but others have already done a pretty good job of explaining the various alternatives.

What I'd like to ask is what you are actually trying to do? What is the reason for installing the Crypto Express and trying to use it instead of or in addition to the CPACF? The reason I'd expect is that you want additional security for your keys, but I don't think you've confirmed that.

If you use ICSF as the interface, it automatically selects the most appropriate crypto to use - for example, if you are doing clear-key encryption, it will automatically use CPACF because it knows that will be faster than the CEX, but if you want to do PIN block translation it knows it has to use the CEX because the relevant standards mandate that keys can't be in the clear and that the entire translation operation has to be done atomically.

Most people find that CEX performance is not good enough for disk encryption applications, so they either use clear-key CPACF or protected-key CPACF, depending on their security requirements on the keys. Performance for protected-key operations is only slightly less than for clear-key ones with CPACF - you can see some performance information in this paper: https://public.dhe.ibm.com/common/ssi/ecm/zs/en/zsw03283usen/ZSW03283USEN.PDF

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

That is correct. The memory where the key is held is associated with the CPACF hardware and its operation. That memory is part of the internal z hardware and is completely separate from any memory that the applications or operating system can see or use.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

For SSL, yes; for basic encryption, no. It will almost certainly be slower. If the blocks are big enough it's possible it might be faster, but I wouldn't bet on it (well, I guess it depends how bad their software encryption implementation is).
Again, if this is for basic AES/DES and the existing implementation isn't too horrible, don't bet on better performance.
Um. OK. Not sure what that means, but I guess that's the point!
--

...phsiii

Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
Distinguished Technologist
HPE Data Security

***@hpe.com<mailto:***@hpe.com>
T 703-476-4511
M 703-568-6662
Hewlett Packard Enterprise
Herndon, VA


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

I'm a little late chiming in and I must confess I don't have as much experience with crypto on z/VSE. z/VSE may have changed, but in the past it has not provided a facility like ICSF which provides the interface to the CEX cards.

Going back to the original post, I suspect that the customer is using locally written assembler code to invoke the crypto instructions on the CPACF to encrypt the data before writing it to disk.

How does the customer expect to drive work to the CEX card? Is there a product that they plan on using?

z/VSE can use Total Storage devices which can provide encryption, but the encryption is done on the device, not on the CPACF hardware. In this case, the Crypto Express card can be used to protect (encrypt) the symmetric key, using public key APIs, and then that symmetric key is used in the device to encrypt or decrypt the data depending on whether it's a write or read operation.

In addition, z/VSE supports the Encryption Facility for z/VSE (a z/VSE implementation of the Encryption Facility for z/OS). It can also provide similar support, using a public key to wrap the symmetric key that is then used to protect the data within the file. As with the TotalStorage hardware, the CEX can
perform these public key operations, but the encryption of the data is done elsewhere (not on the card).

But to use the CEX card to actually encrypt/decrypt the data a rest, would a) probably not provide acceptable performance and b) require another product to invoke the APIs that would be executed on the cards.

So, why is the customer considering installing the CEX card? Is it to provide more security for their data at rest? If so, what product do they expect to use to perform the encryption. Bottom line, the CPACF and CEX are compatible, and in fact you must have the CPACF enabled to use the CEX cards, but using
the cards requires software that will leverage the cards.

Or is it for SSL operations? The card can provide a significant performance boost for SSL operations and the real benefit is for authenticating the network communication sessions. In this case, these public key operations are done on the CEX card instead of using software routines (MVC, SLL, Multiple instructions, etc.).

Along those lines, I want to clarify Todd Arnold's comments:
"If you use ICSF as the interface, it automatically selects the most appropriate crypto to use - for example, if you are doing clear-key encryption, it will automatically use CPACF because it knows that will be faster than the CEX ..."

Actually, the specific API that you implement in your code, not ICSF, determines which device will perform the work. For example, CSNBSAE is the Symmetric Algorithm Encipher API and is a secure key API. When you invoke that API, ICSF will always route the work to a CEX card (and there better be a
card available to service that request or the API will fail). On the other hand, if you invoke CSNBSYE, the Symmetric Key Encipher API, then ICSF will use the assembler instructions on the CPACF to perform that operation. So ICSF is not deciding where the operation is performed, your choice of APIs is.

I hope that helps.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

So, the discussion about ICSF is not meaningful - ICSF runs on z/OS, and you're not using z/OS in this case.

In general, the choice between CPACF and CEX is fairly straightforward.

- If the function(s) you need can be done with CPACF, then use CPACF.
It is faster than CEX for everything it does, but it can only do a small
number of things.

- If you need "secure keys" - keys that are protected by hardware that
cannot be subverted, even by the highest-technology methods - then
use CEX. (but if you need a lower level of security, consider CPACF
Protected Key mode.)

- If you need the functions that are available only on CEX, then use CEX.
Some typical examples are public-key cryptography (CPACF only does
symmetric key crypto and hashing) and the wide array of specialized
functions required in banking and payment card systems.

Sometimes, this means using both CEX and CPACF. SSL/TLS is a good example - this is typically done by using CEX for the public-key operations involved in setting up the session, then using CPACF for the symmetric-key operations used to encrypt/decrypt the session traffic. Often, the SSL/TLS software is designed to do this automatically.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

Todd pointed me to this topic, because it's a z/VSE related question, not z/OS.
From my point of view Tony and Todd explained everything correctly.
Just one additional info:
There is an optional feature "Encryption Facility for z/VSE" that allows encrypting
data at rest (Librarian members, VSAM files, backup tapes, real tapes and vtapes).
It's functionality and usage is described in the z/VSE Administration Guide:
https://www.ibm.com/systems/z/os/zvse/documentation/#vse
It uses CPACF and crypto cards transparently. CPACF is used for encrypting the
data. A crypto card is needed only when using public-key encryption (refer to the book)
with an RSA key greater than 1024 bits. The other option is "password-based"
encryption, where the symmetric key gets derived from a password/passphrase.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

Right - the CPACF Protected Keys are *very* secure and we were very happy with our ability to add that feature. Unfortunately, for some applications (such as payment card systems), the standards require a "Secure Cryptographic Device" (SCD) like an HSM that has advanced active tamper detection and response - so you have no choice in those cases.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN