IBM z Systems Security Conference Business Security for today and tomorrow > September Montpellier

1 z/OS TCP/IP Hardware Cryptography Usage, plus a sneak peek at VTAM 3270 Intrusion Detection Services

IBM Systems
IBM z Systems Security Conference: Business Security for today and tomorrow, September, Montpellier
Chris Meyer, CISSP (meyerchr@us.ibm.com), z/OS Communications Server security architect

2 Trademarks, notices and disclaimers The following are trademarks of the International Business Machines Corporation in the United States and/or other countries. CICS* DFSMShsm FlashCopy* IBM logo* RACF* WebSphere* zenterprise* CICS Explorer DFSMSrmm GDPS* Infoprint* REXX z10 BC z Systems DB2* DFSORT HiperSockets Language Environment* RMF z10 EC z/os* DFSMS DS8000* HyperSwap* NetView* System z9* z13 DFSMSdfp Easy Tier* HyperWrite Parallel Sysplex* System z10 z/architecture* DFSMSdss FICON* IBM* PrintWay* Tivoli* * Registered trademarks of IBM Corporation The following are trademarks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. Java and all Java based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. 
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. OpenStack is a trademark of OpenStack LLC. The OpenStack trademark policy is available on the OpenStack website. RSA and SecurID are registered trade-marks of EMC Corporation in the United States and/or other countries. TEALEAF is a registered trademark of Tealeaf, an IBM Company. Windows Server and the Windows logo are trademarks of the Microsoft group of countries. Worklight is a trademark or registered trademark of Worklight, an IBM Company. UNIX is a registered trademark of The Open Group in the United States and other countries. VISA is a registered trademark of Visa, Inc. * Other product and service names might be trademarks of IBM or other companies. Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental cost and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. 
IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-ibm products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography. This information provides only general descriptions of the types and portions of workloads that are eligible for execution on Specialty Engines (e.g, ziips, zaaps, and IFLs) ("SEs"). IBM authorizes customers to use IBM SE only to execute the processing of Eligible Workloads of specific Programs expressly authorized by IBM as specified in the Authorized Use Table for IBM Machines provided at ( AUT ). No other workload processing is authorized for execution on an SE. IBM offers SE at a lower price than General Processors/Central Processors because customers are authorized to use SEs only to process certain types and/or amounts of workloads as specified by IBM in the AUT. 2

3 Agenda

- Review of basic cryptographic operations
- TCP/IP hardware crypto usage
  - Background
    - FIPS 140 and network security protocols
    - Relevant System z and z/OS cryptographic componentry
  - Communications Server usage of hardware crypto facilities
  - OpenSSH usage of hardware crypto facilities
- New: VTAM 3270 Intrusion Detection Services
  - Background
  - Solution

5 Why this presentation?

To answer the questions "What hardware crypto facilities get used when?" and "Who gets charged for the crypto cycles?"

6 z/OS TCP/IP secure networking protocols

Four ways to protect z/OS TCP/IP traffic:

1. TLS/SSL direct usage
   - Application is explicitly coded to use these
   - Per-session protection
   - TCP only
   - JSSE offloaded to zAAP (JSSE not covered here)
2. Application Transparent TLS (AT-TLS)
   - TLS/SSL applied in TCP layer as defined by policy
   - Typically applied transparently to application
   - TCP/IP stack is user of System SSL services
3. Virtual Private Networks using IPSec and IKE
   - Platform to platform encryption
   - IPSec implemented in IP layer as defined by policy
   - Wide variety (any to all) of traffic is protected
   - Completely transparent to application
   - IKE negotiates IPSec tunnels dynamically
   - IPSec can be offloaded to zIIPs
4. Secure Shell using z/OS OpenSSH
   - Mainly used for sftp on z/OS, but also offers secure terminal access and TCP port forwarding
   - TCP only

When do you use one form versus another? Depends on client, application, topology, performance requirements, and so forth. Beyond scope of this presentation.

[Diagram labels: (1) JSSE: WAS, Java applications; System SSL: MQ, CICS, Connect:Direct, ... (2) AT-TLS over System SSL: DB2, CICS, IMS Connect, Guardium, FTP, TN3270, JES/NJE, RACF RRSF, ... (3) Comm Server IKE and IPSec: any application or subsystem. (4) OpenSSH: z/OS sftp, TCP applications (port forwarding).]

7 Establishing TLS/SSL sessions

1. TLS handshake identifies and authenticates SSL client and server and negotiates cipher suite to be used for data protection
   - RSA, DSA, ECDSA signature operations for peer authentication
   - Crypto functions performed under SSL user's context
2. Data flows through protected session using symmetric encryption and message authentication negotiated during handshake
   - RC2, RC4, DES, 3DES or AES encryption of data packets
   - MD5, SHA-1 or SHA-2 for packet authentication

All crypto operations performed under application's security context and charged to the application's address space.

8 AT-TLS sessions

1. A z/OS application issues a connect() or accept() on a socket to establish a new outbound or inbound connection, respectively. Within the transport layer of the stack, AT-TLS policy is consulted to decide if TLS protection is configured for this traffic. If so, the stack's AT-TLS support establishes the TLS connection.
2. AT-TLS directs the SSL handshake. All identities, cipher suites, etc. are defined in AT-TLS policy. Note that sessions established by AT-TLS on z/OS interoperate seamlessly with regular TLS applications on remote nodes.
   - RSA, DSA, ECDSA signature operations for peer authentication
   - Crypto operations performed under the application's security context, but within the transport layer in the stack (so TCP/IP stack is charged for crypto operations)
3. AT-TLS takes outbound cleartext and sends it over the TLS-protected session. Likewise, it receives encrypted data off the session and presents it to the application as cleartext. Many applications never know the TLS session exists, although some may want/need to (AT-TLS aware, AT-TLS controlling).
   - RC2, RC4, DES, 3DES or AES encryption of data packets
   - MD5, SHA-1 or SHA-2 for packet authentication
   - Crypto operations are charged to the TCP/IP stack

[Diagram labels: Application, AT-TLS, System SSL, TCP/IP stack, AT-TLS policy]

9 Creating IPSec Security Associations (SAs)

1. IKE peers negotiate an IKE ("phase 1") tunnel (one bidirectional SA) over an unprotected UDP socket.
   - RSA, ECDSA signature operations for peer authentication
   - Diffie-Hellman based symmetric key generation
   - IKE and (in some cases) NSS daemons charged for crypto operations
2. IKE peers negotiate IPSec ("phase 2") tunnel (two unidirectional SAs) under protection of the IKE tunnel.
   - DES, 3DES or AES encryption of IKE messages
   - MD5, SHA-1, SHA-2 or AES-based MACing for IKE message authentication
   - IKE and (in some cases) NSS daemons charged for crypto operations
3. Data flows through IPSec tunnel using Authentication Header (AH) and/or Encapsulating Security Payload (ESP) protocol.
   - DES, 3DES or AES encryption of ESP packets
   - MD5, SHA-1, SHA-2 or AES-based MACing for AH and ESP packet authentication
   - TCP/IP stack charged for crypto operations

10 Establishing Secure Shell (SSH) sessions

1. SSH client program initiates a TCP connection to the SSH server. Once connected, a handshake occurs to authenticate the server and client to each other, negotiate cryptographic algorithms to use and exchange session keys. Upon successful completion of the handshake, a secure connection exists between the client and the server.
   - Handshake messages: wide variety of peer authentication, key exchange, symmetric encryption, and message authentication algorithms and methods
   - All crypto operations charged to the ssh client or daemon (whichever is running on z/OS)
2. Data channels (e.g., login, sftp, scp, port forwarding etc.) are created and multiplexed under protection of the secure connection using symmetric encryption and message authentication negotiated during handshake.
   - Data flows through channels protected by SSH connection
   - All crypto operations charged to the ssh client or daemon (whichever is running on z/OS)

2016 by SHARE Inc. and IBM

11 What is FIPS 140?

- United States Federal Information Processing Standards (FIPS) are written for a wide variety of information technologies:
  - From punched card codes to COBOL language standards to rules on the use of cryptographic technologies
  - Many of these standards are now focused on cryptography
- FIPS 140: Security Requirements for Cryptographic Modules
  - Applies only to cryptographic modules, not whole systems or even applications
  - Originally written for hardware devices. Later extended to software modules
  - Covers:
    - Clearly defining and documenting the boundaries and interfaces of cryptographic modules
    - Ensuring integrity of crypto algorithms (signed binaries, self-test, environment, and so on)
    - Limits supported algorithms (for example, MD5, DES, 512-bit RSA, some AES modes are not allowed)
    - Ensures security of keys and key management
    - Other things that don't affect this discussion, such as roles, physical characteristics of hardware modules, and so on
  - Current version is FIPS
  - FIPS is out for review
- The US government as well as others expect cryptographic modules to meet the FIPS 140 specifications.

12 z13 and older Hardware Cryptographic components*

- CP Assist for Cryptographic Function (CPACF)
  - Hardware assist for specific System z instructions that perform cryptographic primitives (DES, 3DES, AES encrypt/decrypt and SHA-1, SHA-2 hashing)
  - Available on general processors as well as zIIPs
  - Accessed directly through z series instruction set or through ICSF
  - Clear keys only (unencrypted key is kept in storage)
    - Comm Server, OpenSSH do not use protected key facilities
  - Available since z890/z990
- Cryptographic adapters (Crypto Express5, for example)
  - Accelerators (CEX5A, for example)
    - Performs RSA encrypt/decrypt and RSA signature operations
    - Accessed through ICSF
    - Clear keys only
  - Coprocessors (CEX5C, for example)
    - Focus on secure keys (no unencrypted keys in storage) and tamper detection and countermeasures
    - Provides RSA acceleration as well (slower than accelerators, though)
    - Accessed through ICSF
  - Crypto Express4S and 5S also provide a secure key PKCS#11 mode
- Integrated Information Processor (zIIP) (since z9)
  - Can be tasked to perform some crypto-intensive portions of IPsec processing

* Capabilities are described relative to their usage by z/OS Communications Server, System SSL and OpenSSH only

13 z/OS Software Cryptographic components (1 of 3)

z/OS Cryptographic Services

- Integrated Cryptographic Service Facility (ICSF)
  - z/OS component that provides secure, high-speed cryptographic services
  - Offers a full suite of cryptographic primitives
  - Provides all application access to z/OS hardware crypto features
  - List of algorithms and services offered has grown over time (which continues)
  - Can be configured as a FIPS 140 cryptographic module (FIPS mode provided through its PKCS #11 interface only)
- System SSL
  - z/OS component that provides TLS, SSL implementation
  - Also provides a set of X.509 certificate-related APIs, including RSA and ECDSA signature generation and verification. These APIs are used by other components like IKED, NSSD and OpenSSH
  - Contains own software implementations of most crypto algorithms
  - List of algorithms has grown over time (which continues)
  - Makes use of cryptographic adapters through ICSF
  - Uses CPACF instructions directly
  - Can be configured as a FIPS 140 cryptographic module

14 z/OS Software Cryptographic components (2 of 3)

z/OS Communications Server

- TCP/IP stack implements:
  - Application Transparent TLS
  - IPsec (Authentication Header (AH) and Encapsulating Security Payload (ESP))
- Internet Key Exchange daemon (IKED) implements:
  - IKEv1 and IKEv2 protocols
- TCP/IP stack's IPsec support and IKED both contain software implementations of some older cryptographic algorithms
  - Both use hardware crypto facilities to varying degrees
  - Both offer a FIPS 140 mode under which only FIPS 140 mode crypto modules are used
- Network security services daemon (NSSD) performs certificate-based operations on behalf of IKED
  - Optional for IKEv1, mandatory for IKEv2
  - Also offers a FIPS 140 mode like IKED and the TCP/IP stack

15 z/OS Software Cryptographic components (3 of 3)

- z/OS OpenSSH
  - Implements all of the SSH-related protocols, including sftp
  - Uses a complete set of cryptographic algorithms in software (provided by OpenSSL)
  - Originally shipped as part of z/OS Ported Tools offering, but merged directly into z/OS in V2R2
    - Ported Tools V1.3.0 ~= z/OS V2R2 (V1.3.0 is the last Ported Tools release)
    - Note: In this presentation, V2R2 also implies Ported Tools V1.3.0
    - Previous version: Ported Tools V1.2.0
- z/OS Ported Tools V1.2.0 added:
  - Use RSA and DSA keys in SAF keyring, but does not use X.509 certificates for authentication
  - Hardware random number generation via Crypto Express adapters (through /dev/random)
  - CPACF exploitation for many cryptographic algorithms (via ICSF)
- z/OS V2R2 added:
  - FIPS 140 mode under which only FIPS 140 mode crypto modules are used
  - Use of System SSL for RSA and DSA signature verification and generation (FIPS mode only)
  - ICSF for all other cryptographic algorithms (uses CPACF where possible)

17 z/OS Comm Server TCP/IP Cryptographic Landscape (non-FIPS)

[Diagram. Components shown: NSSD, IKED, System SSL (TLS/SSL), AT-TLS, TCP/IP stack (IPSec), ICSF, CPACF (z instruction set), coprocessors/accelerators. Labels recovered from the diagram:
- NSSD: optional IKEv1 X.509 cert support; all IKEv2 X.509 cert support
- RSA, ECDSA signatures
- IKED: DES, 3DES, MD5, SHA-1
- All AES and SHA-2 ops
- V2R1: all algorithms except ECC-based and AES-GCM ones
- All AES s/w ops, and 3DES and SHA-2 CPACF support
- TCP/IP stack IPSec: DES, 3DES, MD5, SHA-1
- 3DES, AES-CBC, SHA-1, SHA-2
- CPACF (z instruction set): 3DES, AES-CBC, AES-GCM, SHA-1, SHA-2
- Coprocessors / accelerators: RSA operations
- Legend: asymmetric operations, symmetric operations]

18 z/OS Comm Server TCP/IP Cryptographic Landscape (FIPS mode)

[Diagram. Components shown: NSSD, IKED, System SSL (TLS/SSL), AT-TLS, TCP/IP stack (IPSec), ICSF CCA (passthrough only), ICSF PKCS #11 services, CPACF. System SSL and ICSF PKCS #11 services are each drawn inside a FIPS 140 boundary. Labels recovered from the diagram:
- NSSD: optional IKEv1 and mandatory IKEv2 X.509 cert support
- RSA, ECDSA signatures; RSA signatures
- V2R1: all algorithms except ECC-based, AES-GCM, DH and RNG ones
- IKED: all internal crypto algorithms disabled
- 3DES, AES, SHA-1, SHA-2
- AES-GCM; V2R1: RNG, DH; ECDSA signatures
- TCP/IP stack IPSec: direct CPACF usage disabled; all internal crypto algorithms disabled
- All algorithms
- Legend: asymmetric operations, symmetric operations]

19 System SSL (and AT-TLS) hardware crypto usage

| Crypto type | Algorithm | CPACF only | CPACF + Crypto Express card |
|---|---|---|---|
| Asymmetric encrypt/decrypt | RSA signature generation | In software | In coprocessor (non-FIPS) or CEX4/5P (FIPS or non-FIPS), else in software |
| Asymmetric encrypt/decrypt | RSA signature verification | In software | In coprocessor or accelerator, else in software |
| Asymmetric encrypt/decrypt | RSA encrypt for handshake | In software | In coprocessor or accelerator, else in software |
| Asymmetric encrypt/decrypt | RSA decrypt for handshake | In software | In coprocessor, accelerator or CEX4/5P |
| Asymmetric encrypt/decrypt | ECDSA signature generation | In software | In coprocessor on z10, z196/z114, zEC12/zBC12, z13 or CEX4/5P, else in software |
| Asymmetric encrypt/decrypt | ECDSA signature verification | In software | In software |

| Crypto type | Algorithm | Where performed |
|---|---|---|
| Symmetric encrypt/decrypt | DES | CPACF (non-FIPS mode only: DES not allowed in FIPS mode) |
| Symmetric encrypt/decrypt | 3DES | CPACF |
| Symmetric encrypt/decrypt | AES-CBC-128 | CPACF |
| Symmetric encrypt/decrypt | AES-CBC-256 | CPACF on z10, z196/z114, zEC12/zBC12, z13, in software on z9 |
| Symmetric encrypt/decrypt | AES-GCM-128, AES-GCM-256 | CPACF on z196/z114, zEC12/zBC12, z13, in software on z9, z10 |
| Symmetric authentication | MD5 | In software (non-FIPS mode only: MD5 not allowed in FIPS mode) |
| Symmetric authentication | SHA-1 | CPACF |
| Symmetric authentication | SHA-224, SHA-256 | CPACF |
| Symmetric authentication | SHA-384, SHA-512 | CPACF on z10, z196/z114, zEC12/zBC12, z13, in software on z9 |

20 IKED hardware crypto usage

- RSA signature generate, signature verify for peer authentication
  - Prior to V2R2, IKED only used a single Coprocessor or Accelerator
  - In V2R2, IKED uses multiple Coprocessors or Accelerators effectively
- DES, 3DES, AES encryption of IKE payloads
- SHA-1 and MD5 HMACs for IKE message authentication
- SHA-2 HMACs and AES-XCBC MAC for IKE message authentication

| Crypto type | Algorithm | CPACF available only | CPACF + Coprocessor/Accelerator* |
|---|---|---|---|
| Asymmetric enc/dec | Diffie-Hellman (MODP) | In software via System SSL | In software via System SSL |
| Asymmetric enc/dec | EC Diffie-Hellman (requires ICSF) | In software via ICSF | In software via ICSF |
| Asymmetric enc/dec | RSA signature generation (clear key only) | In software via System SSL | In Coprocessor (non-FIPS mode only), else in software via System SSL |
| Asymmetric enc/dec | RSA signature verification | In software via System SSL | In Coprocessor/Accelerator |

| Crypto type | Algorithm | Where performed |
|---|---|---|
| Symmetric enc/dec | DES | In software (non-FIPS mode only: DES not allowed in FIPS mode) |
| Symmetric enc/dec | 3DES | In software (non-FIPS mode), via CPACF via ICSF (FIPS mode) |
| Symmetric enc/dec | AES-CBC-128 (requires ICSF) | In CPACF via ICSF |
| Symmetric enc/dec | AES-CBC-256 (requires ICSF) | In software on z9, CPACF in z10, z196/z114, zEC12/zBC12, z13, all via ICSF |
| Symmetric authentication | SHA-1 | In software (non-FIPS mode), via CPACF via ICSF (FIPS mode) |
| Symmetric authentication | SHA-256 (requires ICSF) | In CPACF via ICSF |
| Symmetric authentication | SHA-384, -512 (requires ICSF) | In software on z9, CPACF in z10, z196/z114, zEC12/zBC12, z13, all via ICSF |
| Symmetric authentication | AES-XCBC (requires ICSF) | In software via ICSF (non-FIPS mode only: FIPS 140 doesn't allow algorithm) |
| Symmetric authentication | MD5 | In software (non-FIPS mode only: FIPS 140 doesn't allow algorithm) |

* IKED does not support PKCS#11 tokens or CEX4/5P

21 NSSD hardware crypto usage (supporting the IKE protocol)

- RSA and ECDSA signature generate, signature verify for peer authentication
  - NSSD uses multiple Coprocessors or Accelerators effectively and can help pre-V2R2 IKED throughput when IKED is acting as an NSS client
- SHA-1 and MD5 HMACs used in digital signature operations
- SHA-2 HMACs and AES-XCBC MAC for IKE message authentication

| Crypto type | Algorithm | CPACF only | CPACF + Coprocessor/Accelerator* |
|---|---|---|---|
| Asymmetric encrypt/decrypt | RSA signature generation (clear key only) | In software via System SSL | In coprocessor (non-FIPS mode only), else in software via System SSL |
| Asymmetric encrypt/decrypt | RSA signature verification | In software via System SSL | In coprocessor/accelerator |
| Asymmetric encrypt/decrypt | ECDSA signature generation | In software via System SSL | In coprocessor on z10, z196/z114, zEC12/zBC12, z13, else in software |
| Asymmetric encrypt/decrypt | ECDSA signature verification | In software via System SSL | In software via System SSL |

| Crypto type | Algorithm | Where performed |
|---|---|---|
| Hashing for digital signatures | SHA-1 | In CPACF via ICSF |
| Hashing for digital signatures | SHA-256 (requires ICSF) | In CPACF via ICSF |
| Hashing for digital signatures | SHA-384, -512 (requires ICSF) | In CPACF in z10, z196/z114, zEC12/zBC12, z13, all via ICSF, in software on z9 |
| Hashing for digital signatures | AES-XCBC (requires ICSF) | In software via ICSF (non-FIPS mode only: FIPS 140 doesn't allow algorithm) |
| Hashing for digital signatures | MD5 | In software via ICSF (non-FIPS mode only: FIPS 140 doesn't allow algorithm) |

* NSSD does not support PKCS#11 tokens or CEX4/5P

22 Stack hardware crypto usage (IPSec: AH, ESP): Non-FIPS 140 mode

- DES, 3DES, AES encryption of data traffic
- SHA-1 and MD5 HMACs for message authentication
- SHA-2 HMACs, AES-XCBC, and AES-GMAC MACs for message authentication
- All SRB-based processing in stack, including these crypto operations, can be offloaded to zIIP to reduce cost of IPSec protection.

| Crypto type | Algorithm | CPACF (stack doesn't use crypto adapters) |
|---|---|---|
| Symmetric enc/dec | DES | In CPACF (via ICSF) |
| Symmetric enc/dec | 3DES | In CPACF |
| Symmetric enc/dec | AES-CBC-128 | In CPACF |
| Symmetric enc/dec | AES-CBC-256 | In software via ICSF on z9, CPACF in z10, z196/z114, zEC12/zBC12 |
| Symmetric enc/dec | AES-GCM-128, -256 | In software via ICSF |
| Symmetric authentication | SHA-1 | In CPACF |
| Symmetric authentication | SHA-256 | In CPACF |
| Symmetric authentication | SHA-384, -512 | In software via ICSF on z9, CPACF in z10, z196/z114, zEC12/zBC12, z13 |
| Symmetric authentication | AES-XCBC MAC and AES-GMAC-128, -256 | In software via ICSF |
| Symmetric authentication | MD5 | In software |

23 Stack hardware crypto usage (IPSec: AH, ESP): FIPS 140 mode

- 3DES, AES encryption of data traffic
- SHA-1 HMACs
- SHA-2 HMACs, AES-GMAC MACs for message authentication
- Note: FIPS 140 does not allow DES, MD5 or AES-XCBC
- All SRB-based processing in stack, including these crypto operations, can be offloaded to zIIP to reduce cost of IPSec protection.

| Crypto type | Algorithm | CPACF (stack doesn't use crypto adapters) |
|---|---|---|
| Symmetric enc/dec | 3DES | In CPACF via ICSF |
| Symmetric enc/dec | AES-CBC-128 | In CPACF via ICSF |
| Symmetric enc/dec | AES-CBC-256 | In software on z9, CPACF in z10, z196/z114, zEC12/zBC12, z13, all via ICSF |
| Symmetric enc/dec | AES-GCM-128, -256 | In software via ICSF |
| Symmetric authentication | SHA-1 | In CPACF via ICSF |
| Symmetric authentication | SHA-256 | In CPACF via ICSF |
| Symmetric authentication | SHA-384, -512 | In software on z9, CPACF in z10, z196/z114, zEC12/zBC12, z13, all via ICSF |
| Symmetric authentication | AES-GMAC-128, -256 | In software via ICSF |

24 IPSec processing using zIIP

[Figure: CPU consumption of application processing, TCP/IP processing and IPSec processing in three cases: "No IPSec", "IPSec and no zIIP", and "IPSec and zIIP". In the third case IPSec (SRB mode) processing is shown on the zIIPs instead of the general CPs.]

- CPACF is exploited in the same manner on both the general CPs and the zIIPs
- Function enabled through a TCP/IP configuration keyword when zIIP hardware and pre-req software is in place

25 What IPSec workload is eligible for zIIP?

- The zIIP assisted IPSec function is designed to move most of the IPSec processing from the general purpose processors to the zIIPs
- z/OS CS TCP/IP recognizes IPSec packets and routes a portion of them to an independent enclave SRB; this workload is eligible for the zIIP
- Inbound operation (not initiated by z/OS)
  - All inbound IPSec processing is dispatched to enclave SRBs and is eligible for zIIP
  - All subsequent outbound IPSec responses from z/OS are dispatched to enclave SRB. This means that all encryption/decryption of message integrity and IPSec header processing is sent to zIIP
- Outbound operation (initiated by z/OS)
  - Operation which starts on a TCB is not zIIP eligible
  - BUT any inbound response or acknowledgement is SRB-based and therefore zIIP eligible
  - AND all subsequent outbound IPSec responses from z/OS are also zIIP eligible

[Diagrams: a source (inbound case) and a sink (outbound case) exchanging IPSec traffic with z/OS and its zIIP]

27 z/OS OpenSSH Cryptographic Landscape (non-FIPS)

NOTE: Some algorithms added to OpenSSH and ICSF via new function APARs. Please refer to the OpenSSH User's Guide for details.

[Diagram. Components shown: OpenSSH, System SSL, ICSF, coprocessors/accelerators, CPACF (z instruction set). Labels recovered from the diagram:
- PT1.2: X.509 cert access for RSA, DSA keys in SAF keyrings
- System SSL: all algorithms except ECC-based and AES-GCM
- OpenSSH: all supported algorithms (OpenSSH and OpenSSL)
- PT1.2: RNG via /dev/random
- Coprocessors / accelerators: RSA operations
- CPACF (z instruction set): 3DES, AES-CBC, rijndael (via AES-CBC-256), SHA-1
- Additional OpenSSH use in V2R2: AES-CTR, SHA2 plus ETM modes of SHA1 and SHA2
- Legend: asymmetric operations, symmetric operations, other operations]

28 z/OS OpenSSH Cryptographic Landscape (FIPS mode V2R2)

[Diagram. Components shown: OpenSSH, System SSL, ICSF CCA (passthrough only), ICSF PKCS #11 services, CPACF. System SSL and ICSF PKCS #11 services are each drawn inside a FIPS 140 boundary. Labels recovered from the diagram:
- RSA, DSA signature validation and generation
- V2R1: all algorithms except ECC-based, DH and RNG ones
- OpenSSH: all internal crypto algorithms disabled
- AES-CTR, AES-CBC, 3DES, rijndael, SHA1, SHA2 including ETM modes
- All algorithms
- Legend: asymmetric operations, symmetric operations, other operations]

29 OpenSSH hardware crypto usage

| Crypto type | Algorithm | CPACF only | CPACF + Crypto Express card |
|---|---|---|---|
| Asymmetric enc/dec | RSA signature generation | In software via OpenSSL (non-FIPS) or System SSL (FIPS mode) | In coprocessor (non-FIPS) or CEX4/5P (FIPS or non-FIPS), else in software |
| Asymmetric enc/dec | RSA signature verification | Same as RSA signature generation | In coprocessor or accelerator, else in software |

| Crypto type | Algorithm | Where performed |
|---|---|---|
| Asymmetric enc/dec | Diffie-Hellman (MODP) | In software via OpenSSL (non-FIPS) or ICSF (FIPS and non-FIPS mode) |
| Asymmetric enc/dec | EC Diffie-Hellman | In software via OpenSSL (non-FIPS) or ICSF (FIPS and non-FIPS mode) |
| Symmetric encrypt/decrypt | DES | In software via OpenSSL (non-FIPS only: DES not allowed in FIPS mode) |
| Symmetric encrypt/decrypt | 3DES-CBC | In software via OpenSSL (non-FIPS only) or CPACF via ICSF (FIPS and non-FIPS mode) |
| Symmetric encrypt/decrypt | AES-CBC-128, AES-CBC-192 | In software via OpenSSL (non-FIPS only) or CPACF via ICSF (FIPS and non-FIPS mode) |
| Symmetric encrypt/decrypt | AES-CBC-256, rijndael-cbc | In software via OpenSSL (non-FIPS only) or CPACF via ICSF on z10, z196/z114, zEC12/zBC12, z13 (FIPS and non-FIPS mode) |
| Symmetric encrypt/decrypt | AES-CTR-128, AES-CTR-192, AES-CTR-256 | In software via OpenSSL (non-FIPS) or CPACF via ICSF (FIPS and non-FIPS mode) |
| Symmetric encrypt/decrypt | AES-GCM-128, AES-GCM-256 | In software via OpenSSL (non-FIPS only; not allowed in FIPS mode) |
| Symmetric encrypt/decrypt | blowfish | In software via OpenSSL or ICSF (non-FIPS only; not allowed in FIPS mode) |
| Symmetric encrypt/decrypt | CAST-128 | In software via OpenSSL (non-FIPS only; not allowed in FIPS mode) |
| Symmetric encrypt/decrypt | arcfour, arcfour-128, arcfour-256 | In software via OpenSSL or ICSF (non-FIPS only; not allowed in FIPS mode) |
| Symmetric authentication | MD5 | In software via OpenSSL or ICSF (non-FIPS only; not allowed in FIPS mode) |
| Symmetric authentication | SHA-1 | In software via OpenSSL (non-FIPS) or CPACF via ICSF (FIPS and non-FIPS mode) |
| Symmetric authentication | SHA-384 (only used in ecdh-sha2-nistp384 key exchange, not for MAC) | In software via OpenSSL (non-FIPS) or CPACF via ICSF (FIPS and non-FIPS mode) |
| Symmetric authentication | SHA-256, SHA-512 | In software via OpenSSL (non-FIPS) or CPACF via ICSF on z10, z196/z114, zEC12/zBC12, z13, in software on z9 (FIPS and non-FIPS mode) |

30 Checking OpenSSH hardware crypto usage

To determine the encrypt/decrypt (cipher), symmetric auth (MAC), and asymmetric encrypt/decrypt (key exchange) algorithm source and FIPS status used by OpenSSH, start ssh in debug mode and look for debug statements like the following examples:

FIPS mode:

    debug1: mac_setup_by_alg: hmac-sha1 from source ICSF, used in FIPS mode
    debug1: cipher_init: aes128-cbc from source ICSF, used in FIPS mode
    debug1: choose_kex: ecdh-sha2-nistp384 from source ICSF, used in FIPS mode

Non-FIPS mode:

    debug1: mac_setup_by_alg: hmac-sha1 from source ICSF
    debug1: cipher_init: aes128-cbc from source ICSF
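
One way to automate the check on slide 30, as an added example that is not part of the original presentation or of z/OS OpenSSH: it parses the three debug1 statements and flags algorithms that are not served by ICSF or that conflict with the FIPS restrictions in the slide 29 table. The finding codes, the algorithm-name prefixes and the `OpenSSL` source value in the constructed sample are assumptions of this example.

```python
import re

# The three debug1 statements quoted on the slide. The ", used in FIPS mode"
# suffix is present only when OpenSSH itself is running in FIPS mode.
DEBUG_RE = re.compile(
    r"^debug1: (?P<fn>mac_setup_by_alg|cipher_init|choose_kex): "
    r"(?P<alg>\S+) from source (?P<source>[^\s,]+)"
    r"(?P<fips>, used in FIPS mode)?$"
)
ROLE = {"mac_setup_by_alg": "mac", "cipher_init": "cipher", "choose_kex": "kex"}

# OpenSSH name prefixes (assumed mapping) for the families the usage table
# marks "not allowed in FIPS mode": MD5, blowfish, CAST-128, arcfour, AES-GCM.
NOT_ALLOWED_IN_FIPS = ("hmac-md5", "blowfish", "cast128", "arcfour",
                       "aes128-gcm", "aes256-gcm")


def parse_debug(text):
    """Extract role, algorithm, source and FIPS flag from ssh debug output."""
    records = []
    for line in text.splitlines():
        m = DEBUG_RE.match(line.strip())
        if m:
            records.append({
                "role": ROLE[m["fn"]],
                "alg": m["alg"],
                "source": m["source"],
                "fips": m["fips"] is not None,
            })
    return records


def audit(records, require_fips=False):
    """Return (role, algorithm, finding) tuples that deserve a closer look."""
    findings = []
    for r in records:
        if r["source"] != "ICSF":
            # Per the usage table, the non-ICSF path is software, so no CPACF.
            findings.append((r["role"], r["alg"], "NOT_FROM_ICSF"))
        if require_fips and not r["fips"]:
            findings.append((r["role"], r["alg"], "NOT_IN_FIPS_MODE"))
        if require_fips and r["alg"].startswith(NOT_ALLOWED_IN_FIPS):
            findings.append((r["role"], r["alg"], "ALG_NOT_ALLOWED_IN_FIPS"))
    return findings


# Lines copied from the slide.
SLIDE_FIPS = """\
debug1: mac_setup_by_alg: hmac-sha1 from source ICSF, used in FIPS mode
debug1: cipher_init: aes128-cbc from source ICSF, used in FIPS mode
debug1: choose_kex: ecdh-sha2-nistp384 from source ICSF, used in FIPS mode
"""

# Constructed sample: the slide's non-FIPS lines, one unrelated debug line,
# and one assumed line whose source is OpenSSL instead of ICSF.
CONSTRUCTED_NON_FIPS = """\
debug1: Connecting to host.example port 22.
debug1: mac_setup_by_alg: hmac-sha1 from source ICSF
debug1: cipher_init: aes128-cbc from source ICSF
debug1: cipher_init: arcfour128 from source OpenSSL
"""

if __name__ == "__main__":
    for name, text in (("FIPS", SLIDE_FIPS), ("non-FIPS", CONSTRUCTED_NON_FIPS)):
        recs = parse_debug(text)
        print(name, audit(recs, require_fips=(name == "FIPS")))
```
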

32 Background: 3270 data streams

- The 3270 data stream protocol is part of SNA (Systems Network Architecture)
  - Set of rules that governs how data is transmitted in an SNA network
  - When communicating with a 3270 display terminal or printer
  - Can also be used between application programs
- Historically, 3270 devices were exactly that: hardware devices that enforced adherence to the 3270 data stream protocol in hardware. As such, they were fairly impenetrable to protocol violations or attack
- 3270-based applications and middleware are still quite pervasive:
  - From IBM: TSO/E, ISPF, CICS, IMS, etc.
  - Many vendor products
  - Even more customer-written applications (compiled languages as well as CLISTs and REXX execs)
- Older software was often written under the assumption that hardware devices would ensure the integrity of the 3270 data streams, so little or no defensive code was included with 3270 protocol processing
- However:
  - Since the 1980s, hardware devices have been almost completely replaced by software emulators. As such, the promise of hardware-enforced protocol adherence has all but disappeared
  - Since the 1990s, native SNA connectivity for 3270 emulators has been largely replaced by TN3270 connections over TCP/IP. As such, the closed nature of SNA networks has been replaced by a more open and accessible network in TCP/IP

33 Background: Potential 3270 data stream protocol manipulation

- A modified 3270 emulator could expose issues for z/OS 3270 applications that do not carefully validate input data streams from their clients
  - Overrun of input fields (similar to buffer overflow)
  - Overlay of protected fields
- Such an emulator has been implemented and discussed at a hacker's conference
- All IBM z/OS software products (OS, middleware, and applications) were assessed and, if necessary, any exposures were closed via the service stream
- However, customers have many home grown and 3rd party 3270 applications and the level of support varies greatly. In some cases, source code may no longer be available.
- IBM wants to help customers protect such applications

34 Solution: 3270 Intrusion Detection Services in key IBM software

3270 protocol validation logic has been or is being developed for three key z/OS components:
- CICS BMS (for CICS applications that use BMS to build their 3270 data streams)
- IMS MFS (for IMS applications that use MFS to build their 3270 data streams)
- VTAM (for any 3270 data streams): focus of this presentation

All of these solutions are purely reactive in detecting protocol violations in real time:
- None of them are designed to search for or identify vulnerabilities in your z/OS 3270 applications
- All solutions are available through the respective product service streams

CICS BMS and IMS MFS solutions:
- Fairly lightweight since they are built into existing 3270 protocol handling logic
- Colin Penfold will be speaking more about this later today

VTAM solution handles any 3270 application data streams:
- Provides protocol violation reporting as well as optional defensive action (session termination)
- Why VTAM? It is the only single point in the overall 3270 network through which all z/OS-related 3270 application traffic passes
- Note that this solution has no relationship to Communications Server's TCP/IP IDS functions

(In addition, a white paper entitled "3270 Emulation: Security Considerations" was published in February, 2015 to recommend best practices for minimizing the 3270 emulation exposure.)
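The kind of check described on this slide, as an added Python example that is not IBM's VTAM, BMS or MFS logic: it records the fields an outbound Write defines and flags inbound data that lands in a protected field or runs past the end of an unprotected one. The 24x80 screen, the handling of only the SBA, SF and IC orders, the violation names and the sample streams are assumptions made for this example.

```python
from bisect import bisect_right

SF, SBA, IC = 0x1D, 0x11, 0x13     # 3270 orders handled by this model
PROTECTED = 0x20                   # "protected" bit of a field attribute byte
ROWS, COLS = 24, 80                # assumed screen size
SIZE = ROWS * COLS

# 6-bit code table used by 12-bit buffer addresses
CODE = bytes([0x40, *range(0xC1, 0xCA), *range(0x4A, 0x50),
              0x50, *range(0xD1, 0xDA), *range(0x5A, 0x60),
              0x60, 0x61, *range(0xE2, 0xEA), *range(0x6A, 0x70),
              *range(0xF0, 0xFA), *range(0x7A, 0x80)])

def enc(row, col):
    """Encode a 1-based row/column as a 12-bit buffer address."""
    a = (row - 1) * COLS + (col - 1)
    return bytes([CODE[a >> 6], CODE[a & 0x3F]])

def dec(b1, b2):
    """Decode a buffer address (14-bit binary if the top two bits are 00)."""
    if b1 & 0xC0 == 0:
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)

def rowcol(addr):
    addr %= SIZE
    return (addr // COLS + 1, addr % COLS + 1)

def field_map(outbound):
    """Return {attribute_address: attribute_byte} for an outbound Write."""
    attrs, addr, i = {}, 0, 2              # skip command byte and WCC
    while i < len(outbound):
        b = outbound[i]
        if b == SBA:
            addr = dec(outbound[i + 1], outbound[i + 2])
            i += 3
        elif b == SF:
            attrs[addr] = outbound[i + 1]
            addr, i = (addr + 1) % SIZE, i + 2
        elif b == IC:
            i += 1
        else:                              # ordinary display character
            addr, i = (addr + 1) % SIZE, i + 1
    return attrs

def check_inbound(attrs, inbound):
    """Return [(kind, (row, col))] for a Read Modified style reply."""
    violations, starts, i = [], sorted(attrs), 3   # skip AID and cursor address
    while i < len(inbound) and starts:
        if inbound[i] != SBA or i + 2 >= len(inbound):
            violations.append(("malformed", None))
            break
        s = dec(inbound[i + 1], inbound[i + 2])
        i += 3
        end = inbound.find(bytes([SBA]), i)
        end = len(inbound) if end < 0 else end
        n, i = end - i, end                # n = data bytes sent for this field
        if s >= SIZE:
            violations.append(("bad-address", None))
            continue
        idx = bisect_right(starts, s) - 1  # field that owns address s (wraps)
        owner, nxt = starts[idx], starts[(idx + 1) % len(starts)]
        room = (nxt - s) % SIZE            # positions left before next attribute
        if owner == s:
            violations.append(("attribute-overlay", rowcol(s)))
        elif attrs[owner] & PROTECTED:
            violations.append(("protected-overlay", rowcol(s)))
        elif n > room:
            violations.append(("field-overrun", rowcol(s + room)))
    return violations

def reply(row, col, text):
    """Constructed inbound reply: Enter AID, cursor, one field of EBCDIC text."""
    return bytes([0x7D]) + enc(row, col) + bytes([SBA]) + enc(row, col) + text.encode("cp037")

# Constructed screen: protected label, 8-byte input field, protected text.
OUTBOUND = (bytes([0xF1, 0xC3])
            + bytes([SBA]) + enc(1, 1) + bytes([SF, 0x60]) + "NAME:".encode("cp037")
            + bytes([SBA]) + enc(1, 7) + bytes([SF, 0x40])
            + bytes([SBA]) + enc(1, 16) + bytes([SF, 0x60]) + "ROLE: USER".encode("cp037"))
ATTRS = field_map(OUTBOUND)
GOOD = reply(1, 8, "ALICE")
OVERRUN = reply(1, 8, "ALICEALICEXX")
OVERLAY = reply(1, 17, "CHANGED")

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("overrun", OVERRUN), ("overlay", OVERLAY)):
        print(name, check_inbound(ATTRS, data))
```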

35 Solution: Architecture

3270 Data Stream Protocol Validation: a real-time detection and prevention system to guard against potential exploitation of 3270 vulnerabilities for CICS BMS, IMS MFS and all other 3270 applications.

[Figure: architecture diagram. On z/OS, the application layer (customer written, ISV, IBM) sits above CICS (BMS API with IDS, non-BMS API), IMS (MFS API with IDS, non-MFS API) and other subsystems/middleware (TSO, IBM, ISV, etc.), all of which sit above VTAM with 3270 IDS. TN3270 clients (laptops and workstations running IBM or ISV TN3270 emulators; distributed servers that programmatically invoke legacy 3270 applications, such as HATS, ISV or customer-written) connect over the TN3270 protocol (TCP/IP). Native 3270 SNA clients (emulators and physical terminals, programmatic invocation; a small and decreasing use case) connect over the 3270 protocol (SNA).]

36 VTAM solution

We are 6 months into a beta test (currently with 8 customers) to identify and remove false positives.

V2R1:
- Will be delivered as APAR OA48802 for z/OS Communications Server V2R1
- Includes rollback of VTAM 64-bit support from V2R2 (relies heavily on 64-bit storage)
- TSO APAR OA49682 is highly recommended

V2R2:
- Will be delivered as APAR OA49911 for z/OS Communications Server
- TN3270E server APAR PI57735 is required before starting the VTAM IDS function

In general:
- NO application changes are required to exploit this function
- Function is disabled by default; it must be explicitly enabled
- PDF documentation is included with APARs

37 VTAM solution: Performance

CPU utilization:
- Early internal benchmarks of modeled 3270 workload to CICS show a CPU increase for the workload
- Most of the CPU increase is seen in the address space that is the target of the 3270 session (for example, a CICS TOR)
- Final benchmarks pending
- The overhead of the solution will depend on many factors in your environment, including:
  - Amount of 3270 traffic/workload on the system and complexity of 3270 screens
  - Overall overhead of your 3270 transactions

Memory consumption:
- You should not experience a significant change in below-the-bar storage usage
- You could experience a significant change in above-the-bar storage usage
- Correlates with the number of monitored sessions

38 VTAM solution: Externals overview

New VTAM start options:
- Global options that allow IDS to be enabled/disabled globally, or to disable by default and allow selective application enablement

New major node APPL and GROUP parameters to override VTAM-wide start options:
- Enable/disable on an application basis

Updated reports from the following commands:
- DISPLAY ID
- DISPLAY SESSION
- DISPLAY STATS,TYPE=VTAM
- DISPLAY VTAMOPTS,FUNCTION=SECURITY

New parameters on the MODIFY CSM and MODIFY VTAMOPTS commands:
- Ability to modify configuration dynamically

New SMF type 119 records (subtype 81 (X'51')) and new GTF trace records (Event Identifier (EID) F90):
- New records that capture each detected IDS event (along with the outbound and inbound data stream)

Serviceability updates

39 VTAM solution: Reporting (1 of 3)

Message group IST2424I - IST2431I: displayed when a 3270 protocol violation is detected

    IST2424I 3270 DATA STREAM ERROR netid.pluname netid.sluname
    IST2425I {PLU SLU} SUBAREA = X'saHex' INDEX = X'indHex' ELEMENT = X'elHex
    IST2441I JOBNAME = jobname SID = sessionid
    [IST2426I IPADDR = ipaddress..port]
    IST2427I DATE = date TIME = time ID = id
    IST2428I ROW = row COLUMN = col
    IST2429I OUTBOUND SEQ = X'seq_num' OFF = offset LEN = len
    IST2431I hex_data1 hex_data2 hex_data3 hex_data4 *EBCDIC_data*
    IST2430I INBOUND - SEQ = X'seq_num' OFF = offset LEN = len
    IST2431I hex_data1 hex_data2 hex_data3 hex_data4 *EBCDIC_data*
    IST314I END

Here is an example:

    IST2424I 3270 DATA STREAM ERROR - NETA.APPL1 NETA.TCPM1001
    IST2425I PLU SUBAREA = X'0001' INDEX = X'0000' ELEMENT = X'0058'
    IST2425I SLU SUBAREA = X'0001' INDEX = X'0001' ELEMENT = X'0009'
    IST2441I JOBNAME = USER1 SID = C2A38D1523D347A
    IST2426I IPADDR =
    IST2427I DATE = 2016/01/21 TIME = 13:33:50 ID = 5
    IST2428I ROW = 6 COLUMN = 37
    IST2429I OUTBOUND - SEQ = X'0010' OFF = 113 LEN = 42
    IST2431I E2D6D540 C9E240C9 D540D7D9 C5D26040 *SON IS IN PREK- *
    IST2430I INBOUND - SEQ = X'0010' OFF = 116 LEN = 42
    IST2431I E2D6D540 C9E240C9 5B40D7D9 C5D26040 *SON IS I$ PREK- *
    IST314I END
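An added example (not part of the presentation or of IBM's tooling) that parses an IST2424I message group into one record for alerting and lists the bytes that differ between the displayed outbound and inbound data. The sample group is constructed from the slide's example with a placeholder SID and a documentation IP address; log lines that begin with the message ID and outbound/inbound data windows that line up byte for byte are assumptions.

```python
import re

# One regex per single-line message in the group (field names are this example's).
FIELDS = {
    "IST2424I": re.compile(r"3270 DATA STREAM ERROR\s*-?\s*(?P<plu>\S+)\s+(?P<slu>\S+)"),
    "IST2441I": re.compile(r"JOBNAME = (?P<jobname>\S+)\s+SID = (?P<sid>\S+)"),
    "IST2426I": re.compile(r"IPADDR = (?P<ipaddr>\S+?)\.\.(?P<port>\d+)"),
    "IST2427I": re.compile(r"DATE = (?P<date>\S+)\s+TIME = (?P<time>\S+)\s+ID = (?P<id>\d+)"),
    "IST2428I": re.compile(r"ROW = (?P<row>\d+)\s+COLUMN = (?P<col>\d+)"),
}
DIRECTION = re.compile(
    r"(OUTBOUND|INBOUND)\s*-?\s*SEQ = X'([0-9A-F]+)'\s+OFF = (\d+)\s+LEN = (\d+)")

def parse_events(lines):
    """Group IST2424I..IST314I lines into one dict per detected violation."""
    events, ev, direction = [], None, None
    for line in lines:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        msgid, rest = parts[0], parts[1] if len(parts) > 1 else ""
        if msgid == "IST2424I":                       # start of a new group
            ev = {"outbound": {"data": b""}, "inbound": {"data": b""}}
            direction = None
        if ev is None:
            continue                                  # unrelated log line
        if msgid in FIELDS:
            m = FIELDS[msgid].search(rest)
            if m:
                ev.update(m.groupdict())
        elif msgid in ("IST2429I", "IST2430I"):       # OUTBOUND / INBOUND header
            m = DIRECTION.search(rest)
            if m:
                direction = m.group(1).lower()
                ev[direction].update(seq=int(m.group(2), 16),
                                     off=int(m.group(3)), len=int(m.group(4)))
        elif msgid == "IST2431I" and direction:       # hex data for that header
            hexpart = "".join(rest.split("*", 1)[0].split())
            try:
                ev[direction]["data"] += bytes.fromhex(hexpart)
            except ValueError:
                pass                                  # damaged line: keep the rest
        elif msgid == "IST314I":                      # END closes the group
            events.append(ev)
            ev, direction = None, None
    return events

def changed_bytes(ev):
    """List (index, outbound_char, inbound_char) where the two windows differ."""
    out, inn = ev["outbound"]["data"], ev["inbound"]["data"]
    return [(i, bytes([o]).decode("cp037"), bytes([n]).decode("cp037"))
            for i, (o, n) in enumerate(zip(out, inn)) if o != n]

# Constructed sample modelled on the slide's example (SID and IPADDR are placeholders).
SAMPLE = """\
IST2424I 3270 DATA STREAM ERROR - NETA.APPL1 NETA.TCPM1001
IST2425I PLU SUBAREA = X'0001' INDEX = X'0000' ELEMENT = X'0058'
IST2425I SLU SUBAREA = X'0001' INDEX = X'0001' ELEMENT = X'0009'
IST2441I JOBNAME = USER1 SID = 0123456789ABCDEF
IST2426I IPADDR = 192.0.2.10..51234
IST2427I DATE = 2016/01/21 TIME = 13:33:50 ID = 5
IST2428I ROW = 6 COLUMN = 37
IST2429I OUTBOUND - SEQ = X'0010' OFF = 113 LEN = 42
IST2431I E2D6D540 C9E240C9 D540D7D9 C5D26040 *SON IS IN PREK- *
IST2430I INBOUND - SEQ = X'0010' OFF = 116 LEN = 42
IST2431I E2D6D540 C9E240C9 5B40D7D9 C5D26040 *SON IS I$ PREK- *
IST314I END
"""

if __name__ == "__main__":
    for event in parse_events(SAMPLE.splitlines()):
        print(event["plu"], event["slu"], event["row"], event["col"],
              changed_bytes(event))
```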

40 VTAM solution: Reporting (2 of 3)

New GTF trace records under a new GTF Event Identifier (EID) F90. Each time an inbound (from the emulator to the application) protocol violation is encountered, the offending inbound PIU as well as the prior DSCOUNT outbound PIUs are written as F90 records.

    USRFD F90 ASCB 00F8EC00 JOBN APPLSIM
    **** 3270 Data Stream Error ****
    3270 NETA.L7201A /NETA.APPL1 LRC(000,000) OUTBOUND COMPLETE SEGMENT
    Time UTC 2016/01/28 15:01: LOC 2016/01/28 10:01:
    Event Token SID EAABEEC Buffer 15 of 15
    Overlap Row 003 Col 072
    OUT SEQ X'002B' Offset Length
    D5D5D5D5 F5F6F7F *NNNN * *... *
    IN SEQ X'0029' Offset Length
    D5D5D5D5 F5F6F7F8 4E4E C6 D2C5C6C7 *NNNN5678++apar.FKEFG*
    C8F5F6F7 F811C7E4 F3F4F5F6 *H5678.GU3456 *
    Buffer UTC 2016/01/28 15:01: LOC 2016/01/28 10:01:
    VTAM TH= A 00B5002B 000A RH= SEQ 002B-002B
    F1C211C3 5E1D21 *1B.C;.. *
    GMT-01/28/ :01: LOC-01/28/ :01:

(continued on next slide)

41 VTAM solution: Reporting (3 of 3)

    USRFD F90 ASCB 00F8EC00 JOBN APPLSIM
    **** 3270 Data Stream Error ****
    3270 NETA.APPL1 /NETA.L7201A LRC(000,000) INBOUND COMPLETE SEGMENT
    Time UTC 2016/01/28 15:01: LOC 2016/01/28 10:01:
    Event Token SID EAABEEC CODE U('E4')
    Overlap Row 003 Col 072
    OUT SEQ X'002B' Offset Length
    D5D5D5D5 F5F6F7F *NNNN * *... *
    IN SEQ X'0029' Offset Length
    D5D5D5D5 F5F6F7F8 4E4E C6 D2C5C6C7 *NNNN5678++apar.FKEFG*
    C8F5F6F7 F811C7E4 F3F4F5F6 *H5678.GU3456 *
    Buffer UTC 2016/01/28 15:01: LOC 2016/01/28 10:01:
    VTAM TH= C0000B5 003A RH= SEQ
    DC36D11 C1D2C1C2 C3C4F1F2 F3F411C3 5D11C35F *'C_.AKABCD1234.C).C^*
    D5D5D5D5 F5F6F7F8 4E4E C6 D2C5C6C7 *NNNN5678++apar.FKEFG*
    C8F5F6F7 F811C7E4 F3F4F5F6 F7F8F9F9 F9F9F9F9 *H5678.GU *

Also providing a new IPCS formatter that displays new VTAM IDS GTF trace records in a more user-friendly fashion:
- Reduces need for detailed 3270 data stream knowledge
- Displays outbound screen fields with position and field attribute information
- Makes it easier to determine the reason for the violation in the inbound data stream

42 Summary

z/OS TCP/IP Hardware Cryptography usage:
- z/OS platform provides a rich set of hardware and software cryptographic functions
- Deep exploitation of these functions for TLS/SSL, IPSec (including IKE) and SSH
- Exploitation of the functions has evolved over many releases and continues to do so
- The tables in this presentation are intended for your reference. Please report any errors or omissions to the author

3270 IDS:
- 3270 protocol vulnerabilities result from evolving 3270 and SNA connectivity technologies
- 3270 data streams are still heavily used on z/OS systems throughout the industry
- IBM 3270-based software products have been vetted and, if necessary, corrected, to defend against 3270 protocol attacks. Many ISV- and customer-written 3270 applications may still be vulnerable
- 3 solutions being delivered by IBM to help customers protect their 3270 applications:
  - CICS BMS for CICS applications that use BMS
  - IMS MFS for IMS applications that use MFS
  - VTAM 3270 IDS as a general solution

43 z/OS Communications Server on the Web

44 IBM Systems IBM z Systems Security Conference September Montpellier 44


More information

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2 Oracle Solaris Kernel Cryptographic Framework with SPARC T4 and T5 Software Version: 1.0 and 1.1; Hardware Version: SPARC T4 (527-1437-01) and T5 (7043165) FIPS 140-2 Non-Proprietary Security Policy Level

More information

CAVMEN Chicago VM (Linux) Enthusiasts Red Hat Enterprise Linux on System z. Filipe Miranda Global Lead for Linux on System z

CAVMEN Chicago VM (Linux) Enthusiasts Red Hat Enterprise Linux on System z. Filipe Miranda Global Lead for Linux on System z CAVMEN Chicago VM (Linux) Enthusiasts Red Hat Enterprise Linux on System z Filipe Miranda fmiranda@redhat.com Global Lead for Linux on System z 1 Trademarks The following are trademarks of the International

More information

IBM Systems and Technology Group

IBM Systems and Technology Group IBM Systems and Technology Group Encryption Facility for z/os Update Steven R. Hart srhart@us.ibm.com 2013 IBM Corporation Topics Encryption Facility for z/os EF OpenPGP Support X.509 vs. OpenPGP Certificates

More information

ZVM20: z/vm PAV and HyperPAV Support

ZVM20: z/vm PAV and HyperPAV Support May 21-25 ZVM20: z/vm PAV and HyperPAV Support Eric Farman, IBM Trademarks The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both.

More information

VPN Overview. VPN Types

VPN Overview. VPN Types VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat

More information

Virtual Private Networks (VPN)

Virtual Private Networks (VPN) CYBR 230 Jeff Shafer University of the Pacific Virtual Private Networks (VPN) 2 Schedule This Week Mon September 4 Labor Day No class! Wed September 6 VPN Project 1 Work Fri September 8 IPv6? Project 1

More information

vfio-ap: The Perils of the Weird

vfio-ap: The Perils of the Weird vfio-ap: The Perils of the Weird Antony Krowiak, Pierre Morel, Halil Pasic IBM Corporation 1 Trademarks The following are trademarks of the International Business Machines Corporation in the United States

More information

The Relatively New LSPR and zec12/zbc12 Performance Brief

The Relatively New LSPR and zec12/zbc12 Performance Brief The Relatively New LSPR and zec12/zbc12 Performance Brief SHARE Anaheim 15204 EWCP Gary King IBM March 12, 2014 Page 1 Trademarks The following are trademarks of the International Business Machines Corporation

More information

z/os Communications Server What is all that Networking Security About?

z/os Communications Server What is all that Networking Security About? z/os Communications Server What is all that Networking Security About? Sam Reynolds IBM z/os Communications Server and ISPF Design 03/11/2015 Session EA Agenda Overview Roles and objectives Deployment

More information

Securing Mainframe File Transfers and TN3270

Securing Mainframe File Transfers and TN3270 Securing Mainframe File Transfers and TN3270 with SSH Tectia Server for IBM z/os White Paper October 2007 SSH Tectia provides a versatile, enterprise-class Secure Shell protocol (SSH2) implementation for

More information

9708: Shaping the Future of IBM Documentation Delivery and Management

9708: Shaping the Future of IBM Documentation Delivery and Management 9708: Shaping the Future of IBM Documentation Delivery and Management Tuesday, August 9, 2011: 6:00 PM-7:00 PM Oceanic 2 (Walt Disney World Dolphin ) Speakers: Geoff Smith (IBM Corporation) and Linda Jorgensen

More information

z/os Communications Server Network Security Overview SHARE Session 11331

z/os Communications Server Network Security Overview SHARE Session 11331 Software Group Enterprise Networking Solutions z/os Communications Server Network Security Overview SHARE Session 11331 Lin Overby overbylh@us.ibm.com August 06, 2012 z/os Communications Server 2012 IBM

More information

z/vm Evaluation Edition

z/vm Evaluation Edition IBM System z Introduction July, 2008 z/vm Evaluation Edition Frequently Asked Questions Worldwide ZSQ03022-USEN-00 Table of Contents Description and capabilities of the z/vm Evaluation Edition... 3 Terms

More information

Crypto Performance: Expectations, Operations & Reporting. Greg Boyd

Crypto Performance: Expectations, Operations & Reporting. Greg Boyd Crypto Performance: Expectations, Operations & Reporting Greg Boyd gregboyd@mainframecrypto.com www.mainframecrypto.com Copyrights and Trademarks Presentation based on material copyrighted by IBM, and

More information

NCP Secure Enterprise macos Client Release Notes

NCP Secure Enterprise macos Client Release Notes Service Release: 3.10 r40218 Date: July 2018 Prerequisites Apple OS X operating systems: The following Apple macos operating systems are supported with this release: macos High Sierra 10.13 macos Sierra

More information

z/vse 5.2 Tapeless Initial Installation

z/vse 5.2 Tapeless Initial Installation z/vse Live Virtual Class 2014 z/vse 5.2 Tapeless Initial Installation Jens Remus http://www.ibm.com/zvse http://twitter.com/ibmzvse 2014 IBM Corporation Trademarks The following are trademarks of the International

More information

IBM Lifecycle Extension for z/os V1.8 FAQ

IBM Lifecycle Extension for z/os V1.8 FAQ IBM System z Introduction June, 2009 IBM Lifecycle Extension for z/os V1.8 FAQ Frequently Asked Questions PartnerWorld for Developers Community IBM Lifecycle Extension for z/os V1.8 This document is a

More information

IEBCOPY Teaching an Old Dog New Tricks

IEBCOPY Teaching an Old Dog New Tricks IEBCOPY Teaching an Old Dog New Tricks Cecilia Carranza Lewis, IBM STSM - z/os DFSMS Architecture, Design and Development August 11, 2011 Session 9940 Disclaimer The information on the new product is intended

More information

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements CONTENTS Preface Acknowledgements xiii xvii Chapter 1 TCP/IP Overview 1 1.1 Some History 2 1.2 TCP/IP Protocol Architecture 4 1.2.1 Data-link Layer 4 1.2.2 Network Layer 5 1.2.2.1 Internet Protocol 5 IPv4

More information

Virtual Private Network

Virtual Private Network VPN and IPsec Virtual Private Network Creates a secure tunnel over a public network Client to firewall Router to router Firewall to firewall Uses the Internet as the public backbone to access a secure

More information

Computing as a Service

Computing as a Service IBM System & Technology Group Computing as a Service General Session Thursday, June 19, 2008 1:00 p.m. - 2:15 p.m. Conrad Room B/C (2nd Floor) Dave Gimpl, gimpl@us.ibm.com June 19, 08 Computing as a Service

More information

IBM z/os Early Support Program (ESP)

IBM z/os Early Support Program (ESP) IBM zenterprise - Freedom by Design IBM z/os Early Support Program (ESP) Gerard Laumay System z IT Specialist, zchampion System z New Technology Introduction (NTI) Team gerard.laumay@fr.ibm.com November

More information

z/vm Live Guest Relocation Planning and Use

z/vm Live Guest Relocation Planning and Use SHARE San Francisco February 2013 z/vm Live Guest Relocation Planning and Use Session 12482 John Franciscovich francisj@us.ibm.com Emily Kate Hugenbruch ekhugen@us.ibm.com Trademarks The following are

More information

Linux on System z Performance Update - Part 2 Networking and Crypto

Linux on System z Performance Update - Part 2 Networking and Crypto Linux on System z Performance Update - Part 2 Networking and Crypto Mario Held IBM Research & Development, Germany August 28, 2009 Session Number 2192 Trademarks The following are trademarks of the International

More information