IBM Z Dataset Encryption: How does the encryption mechanism function? IBM Client Center Montpellier – Arnaud MANTE / © 2017 IBM Corporation, November 10, 2017 - http://www.ibm.com/support/techdocs
A video of this presentation is available at: https://www.youtube.com/watch?v=TdGoTNIC-lc
Diagram (data encryption, symmetric keys): Crypto Express Card (Hardware Security Module) with Domain 1, Domain 2 and Domain 3, each domain holding its master keys (master key DES, master key AES, master key RSA, master key ECC); CPACF (CP assist for crypto functions, for the CPU) and HSA (Hardware Storage Area, memory), holding the wrapping key AES and wrapping key DES created at IPL; the ICSF address space; the Cryptographic Key Dataset (CKDS) holding symmetric keys under key labels A (data key DES), B (data key AES), E (data key HMAC) and F (data key AES), each encrypted by a secure key, a secure key with the protected flag, or a clear key; RACF controlling the call of a key label and its associated data key; DFSMS creating dataset DATA.** with the key label given in JCL (DSKeyLbl). For key label F, the data key AES is decrypted under the master key AES inside the Crypto Express card and re-wrapped under the CPACF wrapping key as a "data key in protected mode", which CPACF then uses for data encryption. ICSF is used to generate all types of keys.
Diagram (asymmetric keys): PKA Key Dataset (PKDS) holding key label C (data key RSA), key label D (data key RSA) and key label I (certificate: Name I + public key), each encrypted by a secure or clear key; Token Key Dataset (TKDS) holding PKCS#11 token keys (data key ECC, data key RSA) under key labels G and H.
Abbreviations:
AES: advanced encryption standard
DEA: Data Encryption Algorithm
MSA: message security assist
CPACF: CP assist for crypto functions
DES: data encryption standard
HMAC: hash-based message authentication code
CCA: common cryptographic architecture
SHA: secure hash algorithm
MAC: message authentication code
PRNG: pseudo random number generator
PCKMO: perform cryptographic key management operation
p60: The z10 GA3 microcode introduces wrapping keys, which are created each time that an LPAR undergoes a System z clear/reset operation. This operation is normally performed each time that the z/OS system is IPLed. The wrapping keys are held in the HSA and are specific to each LPAR.
Now, we will explain step by step!
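The protected-key path that the diagram and the wrapping-key note describe, as an added Go model that is not IBM code: AES-GCM stands in for CCA key wrapping and for CPACF record encryption, and the HSM, HSA and CKDS types and the DATA.KEY.F label are constructed for the illustration. It shows why a protected key is only valid until the next IPL while the secure key in the CKDS stays usable.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")

// Toy model of the z/OS dataset-encryption key hierarchy, not IBM code:
// AES-GCM stands in for CCA key wrapping and for CPACF record encryption.
func randomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
func seal(kek, plain []byte) []byte {
	block, _ := aes.NewCipher(kek)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil)
}
func open(kek, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() { return nil, errors.New("short blob") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
type HSM struct{ masterKeyAES []byte }  // Crypto Express domain: the master key never leaves it
type HSA struct{ wrappingKeyAES []byte } // LPAR wrapping key, regenerated at every IPL (clear/reset)
type CKDS map[string][]byte             // key label -> secure key (data key wrapped under the master key)
func (h *HSA) IPL() { h.wrappingKeyAES = randomKey() }
// ICSF step: the HSM unwraps the secure key, which is then re-wrapped under the HSA
// wrapping key (PCKMO) into a "protected mode" key; z/OS never holds the clear data key.
func ProtectedKey(hsm *HSM, hsa *HSA, ckds CKDS, label string) ([]byte, error) {
	clr, err := open(hsm.masterKeyAES, ckds[label])
	if err != nil { return nil, err }
	return seal(hsa.wrappingKeyAES, clr), nil
}
// CPACF step: the protected key is unwrapped only inside the firmware boundary.
func CPACF(hsa *HSA, protected []byte, op func(key []byte) ([]byte, error)) ([]byte, error) {
	clr, err := open(hsa.wrappingKeyAES, protected)
	if err != nil { return nil, errors.New("protected key belongs to an earlier IPL") }
	return op(clr)
}
// Demo: encrypt a record, IPL, show the stale protected key is rejected, re-derive from the CKDS, decrypt.
func Demo() (recovered []byte, staleRejected bool, err error) {
	hsm, hsa, dataKeyF := &HSM{randomKey()}, &HSA{}, randomKey()
	hsa.IPL()
	ckds := CKDS{"DATA.KEY.F": seal(hsm.masterKeyAES, dataKeyF)} // constructed name for key label F
	pk, _ := ProtectedKey(hsm, hsa, ckds, "DATA.KEY.F")
	record := []byte("constructed dataset record")
	ct, _ := CPACF(hsa, pk, func(k []byte) ([]byte, error) { return seal(k, record), nil })
	hsa.IPL() // clear/reset: a new wrapping key, so the old protected key is now useless
	if _, e := CPACF(hsa, pk, func(k []byte) ([]byte, error) { return open(k, ct) }); e != nil { staleRejected = true }
	pk, _ = ProtectedKey(hsm, hsa, ckds, "DATA.KEY.F") // the secure key in the CKDS is still valid
	recovered, err = CPACF(hsa, pk, func(k []byte) ([]byte, error) { return open(k, ct) })
	return
}
```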