IBM Americas, ATS, Washington Systems Center Crypto Hardware on System z - Part 1 Greg Boyd (boydg@us.ibm.com) 2014 IBM Corporation
Agenda Crypto Hardware - Part 1 A refresher A little bit of history Some hardware terminology CPACF Crypto Hardware Part 2 A couple of refresher slides Crypto Express Cards HMC Slides Page 2 of 27
Crypto Functions Data Confidentiality Symmetric DES/TDES, AES Asymmetric RSA,Diffie-Hellman, ECC Data Integrity Modification Detection Message Authentication Non-repudiation Financial Functions Key Security & Integrity Page 3 of 27
System z Crypto History 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010/11 2012/13 Cryptographic Coprocessor Facility (CCF) G3, G4, G5, G6, z900, z800 PCI Cryptographic Coprocessor (PCICC) G5, G6, z900, z800 PCI Cryptographic Accelerator (PCICA) z800/z900 z990 z890 PCIX Cryptographic Coprocessor z990 (PCIXCC) CP Assist for Cryptographic Functions z990 z890 z890 z9 EC z9 BC z10 EC/BC z196/z114 zec12/ zbc12 Crypto Express2 Crypto Express3 Crypto Express4S z990/z890 z9 EC z9 BC z10 EC/BC z10 EC/BC z196/z114 zec12/ zbc12 Cryptographic Coprocessor Facility Supports Secure key cryptographic processing PCICC Feature Supports Secure key cryptographic processing PCICA Feature Supports Clear key SSL acceleration PCIXCC Feature Supports Secure key cryptographic processing CP Assist for Cryptographic Function allows limited Clear key crypto functions from any CP/IFL NOT equivalent to CCF on older machines in function or Crypto Express2 capability Crypto Express2 Combines function and performance of PCICA and PCICC Crypto Express3 PCIe Interface, additional processing capacity with improved RAS Crypto Express4S - IBM Standard PKCS #EP11 Page 4 of 27
Clear Key / Secure Key / Protected Key Clear Key key may be in the clear, at least briefly, somewhere in the environment Secure Key key value does not exist in the clear outside of the HSM (secure, tamper-resistant boundary of the card) Protected Key key value does not exist outside of physical hardware, although the hardware may not be tamper-resistant Page 5 of 27
Visual Representation of Clear Key Processing Encryption Request User Clear Key Value (ABCDEF) Data to be Encrypted/Decrypted Encryption Decryption Services Process Encryption Request Key Repository Encrypt/Decrypt User Data with User Clear Key Clear Key ABCDEF User Data In-Data Visible to Intruder Out-Data Page 6 of 27
Visual Representation of Secure Key Processing Encryption Request User Secure Key Value (EFGHJK) Data to be Encrypted/Decrypted Secure Tamper Resistant Device Key Repository Enciphered Key Value (EFGHJK) EFGHJK Process Encryption Request Encrypt/Decrypt User Data with User Secure Key Clear Key ABCDEF Master Key Decrypt Secure Key User Data In-Data Not-Visible to Intruder Out-Data Page 7 of 27
Protected Key How it works Create a key, with the value ABCD and store it as a secure key in the CKDS (i.e. encrypted under the Master Key, MK) E MK (x ABCD ) => x 4A!2 written to the CKDS and stored with a label of MYKEY Execute CSNBSYE (the clear key API to encrypt data), but pass it the key label of our secure key, MYKEY; and text to be encrypted of MY MSG CALL CSNBSYE(., MYKEY, Page 8 of 27 MY MSG.)
Protected Key How it works (cont ) ICSF will read MYKEY from the CKDS and pass the key value x 4A!2 to the CEX3 Inside the CEX3, recover the original key value and then wrap it using the wrapping key D MK (x 4A!2 ) => x ABCD E WK (x ABCD ) => x *94E ICSF will pass the wrapped key value of x *94E to the CPACF, along with the message to be encrypted In the CPACF, we ll retrieve the wrapping key, WK D wk (x *94E ) => x ABCD E x ABCD ( MY MSG ) => ciphertext of x 81FF18019717D183 Page 9 of 27
CPACF Wrapping Key Pair of wrapping keys, stored in HSA AES Wrapping Key 256 bits DES Wrapping Key 192 bits Terminology CPACF Wrapping Key CPACF generated key to encrypt clear keys used by the CPACF CPACF Wrapped Key operational key encrypted with CPACF wrapping key Transient Generated each time an LPAR is activated or a clear reset is performed A wrapping key verification pattern is used to identify a specific instance Page 10 of 27
CPACF Machines (z890/z990 & later) CP Assist for Cryptographic Function (CPACF) Peripheral Component Interconnect (PCI Cards) I/O Cage or I/O Drawer CEC Cage CP CP Memory CP CP MBA STI PCIXCC Crypto Expressn Crypto Expressn- 1P CPACF CPACF CPACF CPACF FICON Page 11 of 27
zec12 Cryptographic (and Compression) Engine CP Assist for Cryptographic Function CPACF FC #3863 (No charge) is required to enable some functions and is also required to support Crypto Express4S or Crypto Express3 feature DEA (DES, TDES2, TDES3) SHA-1 (160 bit) SHA-2 (244, 256, 384, 512 bit) AES (128, 192, 256 bit) Coprocessor dedicated to each core Independent cryptographic engine Available to any processor type Owning processor is busy when it s coprocessor is busy Independent compression engine IB Core 0 Core 1 OB Cmpr Exp Crypto Cipher TLB 2 nd Level Cache 16K Crypto Hash 2 nd Level Cache 16K Crypto Hash TLB OB Cmpr Exp Crypto Cipher IB Page 12 of 27 12
z196/z114/z10 Compression and Cryptographic Engine CP Assist for Cryptographic Function CPACF FC #3863 (No charge) is required to enable some functions and is also required to support Crypto Express4S or Crypto Express3 feature DEA (DES, TDES2, TDES3) SHA-1 (160 bit) SHA-2 (244, 256, 384, 512 bit) AES (128, 192, 256 bit) Coprocessor dedicated to each core Independent cryptographic engine Available to any processor type Owning processor is busy when it s coprocessor is busy Independent compression engine IB Core 0 Core 1 OB Cmpr Exp TLB Crypto Cipher 2 nd Level Cache 16K 16K TLB OB Cmpr Exp Crypto Hash IB Page 13 of 27
zec12 HMC/SE Screens Crypto support Page 14 of 27
MSA Message Security Assist MSA Cipher Message Cipher Message with Chaining Compute Intermediate Message Digest Compute Last Message Digest Compute Message Authentication Code Query Functions MSA Extension 4 Cipher Message With CFB Cipher Message With Counter Cipher Message With OFB Perform Cryptographic Computation Page 15 of 27
System z CPACF Hardware z890/z990 Message-Security Assist DES (56-, 112-, 168-bit) SHA-1 TechDoc WP100810 A Synopsis of System z Crypto Hardware Page 16 of 27
System z CPACF Hardware z9 EC & BC Message-Security-Assist Extension 1 DES (56-, 112-, 168-bit) AES-128 SHA-1, SHA-256 PRNG TechDoc WP100810 A Synopsis of System z Crypto Hardware Page 17 of 27
System z CPACF Hardware z10 EC & BC Message-Security-Assist Extension 2 DES (56-, 112-, 168-bit) AES-128, AES-192, AES-256 SHA-1, SHA-256, SHA-512 (SHA-2 Suite) PRNG TechDoc WP100810 A Synopsis of System z Crypto Hardware Page 18 of 27
System z CPACF Hardware z10 EC (GA3) & BC (GA2) Message-Security-Assist Extension 3 DES (56-, 112-, 168-bit) AES-128, AES-192, AES-256 SHA-1, SHA-256, SHA-512 (SHA-2 Suite) PRNG Protected Key TechDoc WP100810 A Synopsis of System z Crypto Hardware Page 19 of 27
System z CPACF Hardware z196 (GA2) & z114 & zec12 Message-Security-Assist Extension 4 DES (56-, 112-, 168-bit), new chaining options AES-128, AES-192, AES-256, new chaining options SHA-1, SHA-256, SHA-512 (SHA-2 Suite) PRNG Protected Key TechDoc WP100810 A Synopsis of System z Crypto Hardware Page 20 of 27
Cipher Block Chaining New Instructions KMF - Cipher Message with CFB KMCTR - Cipher Message with Counter KMO - Cipher Message with OFB Images from Wikipedia Page 21 of 27
CPU Measurement Facility What is CPU MF? z10 and later facility that provides cache and memory hierarchy counters Provides hardware instrumentation data for production systems CPU MF Counters also useful for performance analysis Data gathering controlled through z/os HIS (HW Instrumentation Services) How can the COUNTERS be used today? For performance analysis Supplement current performance data from SMF, RMF, DB2, CICS, etc. Measure (count) CPACF Usage Recorded in SMF Type 113 Counter # Counter Counter # Counter 64 PRNG function count 72 DEA function count 65 PRNG cycle count 73 DEA cycle count 66 PRNG blocked function count 74 DEA blocked function count 67 PRNG blocked cycle count 75 DEA blocked cycle count 68 SHA function count 76 AES function count 69 SHA cycle count 77 AES cycle count 70 SHA blocked function count 78 AES blocked function count 71 SHA blocked cycle count 79 AES blocked cycle count Page 22 of 27
APIs and Hardware HCR77A1 APIs (from Application Programmer's Guide SC14-7508-00) 80 74 70 60 APIs 50 40 30 20 10 8 26 19 CPACF only PCI Card ICSF only (no hardware) PKCS #11 0 Hardware Required Page 23 of 27
IBM Resources (on the web) Redbooks www.redbooks.ibm.com (search on crypto ) IBM zenterprise EC12 Configuration Setup, SG24-8034 IBM zenterprise EC12 Technical Introduction, SG24-8050 IBM System EC12 Technical Guide, SG24-8049 ATS TechDocs Website www.ibm.com/support/techdocs (search on crypto ) WP100810 A Synopsis of System z Crypto Hardware WP100647 A Clear Key / Secure Key /Protected Key Primer TC000066 CPU MF - 2012 Update and WSC Experiences Page 24 of 27
IBM Resources (on the web) Manuals z/architecture Principles of Operations, SA22-7832 ATS TechDocs Website www.ibm.com/support/techdocs (search on crypto ) PRS2669 CPACFZ9S How to Use the z9/z10 CPACF Crypto Functions PRS822 CALCPACF: Callable z/os Routine to Invoke z9/z10 CPACF Crypto Functions Page 25 of 27
Agenda Crypto Hardware - Part 1 A refresher A little bit of history Some hardware terminology CPACF Crypto Hardware Part 2 A couple of refresher slides Crypto Express Cards HMC Slides Page 26 of 27
Questions? Page 27 of 27