If you intend to use the key entry panels to enter master keys,
you need to generate and record these values when you begin:
- Key parts
- Checksums
- Verification patterns (optional)
- Hash patterns (optional)
Note:
If you are reentering master keys when they have been
cleared, use the same master key part values as when you originally
entered the keys. You should have saved the key part values in a secure
place when you entered the master keys previously.
A DES master key is 16 bytes long. A symmetric-keys master key
(SYM-MK) is 24 bytes long. ICSF enforces the SYM-MK to be 16 bytes
long. ICSF defines these master keys by exclusive ORing two or more
key parts. Each of the master key parts is also 16 bytes long. To
enter either a DES master key or a SYM-MK, you must enter a first
key part and a final key part. If you choose to, you can also enter
one or more intermediate key parts when entering the first key part
and when entering the final key part.
Note:
The combined DES master key is forced to have odd
parity, but the parity of the individual key parts can be odd, even
or mixed. We refer to even or mixed parity keys as non-odd parity
keys.
Attention: The PCICC will not allow certain 'weak' keys as
master keys. The list of weak keys are documented in Appendix F. Questionable (Weak) Keys.
If you have an existing CCF installed with a weak master key, you
can not install that master key in the PCICC. You must change the
CCF master keys and load those same master keys in the PCICCs.
PKA master keys and the ASYM-MKs are each 24 bytes long. ICSF defines
these master keys by exclusive ORing two or more key parts. Each of
the PKA master key parts is also 24 bytes long.
If you are using ICSF to generate random numbers, generate a
random number for each key part that you need to enter to create the
master key.
Note:
It is recommended that you enter the same
key value for the SMK and KMMK of the Cryptographic Coprocessor Feature and the ASYM-MK of the
PCI Cryptographic Coprocessor Feature. This will allow ICSF flexibility in workload balancing.
A 16-byte key part consists of 32 hexadecimal digits. A 24-byte
key part consists of 48 hexadecimal digits. To make this process easier,
each part is broken into segments of 16 digits each.
When you are manually entering
the master key parts, you also enter a checksum that verifies whether
you entered the key part correctly. A checksum is a two-digit result
of putting a key part value through a series of calculations. The
coprocessors calculate the checksum with the key part you enter and
compare the one they calculated with the one you entered. The checksum
verifies that you did not transpose any digits when entering the key
part. If the checksums are equal, you have successfully entered the
key.
When you enter a key part and its checksum for a DES master
key or SYM-MK, the coprocessor calculates an eight-byte verification
pattern and sixteen byte hash pattern. When you enter a key part and
its checksum for a PKA master key (SMK, KMMK or ASYM-MK), the coprocessor
calculates a sixteen-byte hash pattern.
When the verification and hash patterns can be calculated, the
DES master key must have been set.
The ICSF Master Key Entry panel displays the verification pattern
or hash pattern. Check the displayed verification pattern against
the optional verification pattern you may have generated at the time
you generated the DES or SYM-MK master key parts and the checksum.
Check the displayed hash pattern against the optional hash pattern
that you may have generated at the same time you generated the PKA
master key part and the checksum. The verification pattern or hash
pattern checks whether you entered the key part correctly, and whether
you entered the correct key type.
ICSF displays a verification and hash pattern for each DES master
key part. It also displays a verification and hash pattern for the
DES master key when you enter all the key parts. If the verification
and hash patterns are the same, you have entered the key part correctly.
Likewise, in addition to displaying a hash pattern for each PKA master
key part, ICSF also displays a hash pattern for the PKA master key
when you enter all the key parts. If the hash patterns are the same,
you have entered the key part correctly.
Note:
Keys stored in the CKDS are enciphered under the DES
master key. The master key verification pattern is stored in the CKDS
header record. Checking the verification pattern is optional; it is
not required for key entry.
To generate the value for a key part, you can use one of these
methods:
- Choose a random number yourself.
- Access the ICSF utility panels to generate a random number.
- Call the random number generate callable service. For more information,
see z/OS Cryptographic Services ICSF Application Programmer’s Guide.
Note:
ICSF must
be initialized with a DES master key to use the random number generate
callable service or the Random Number Generator panel.
These topics describe using the ICSF utilities to generate key
parts, checksums, verification patterns, and hash patterns.
Steps for generating key parts using ICSF utilities
- Access ICSF utilities by choosing option 5, UTILITY, on the
Primary Menu panel, as shown in Figure 30.
Figure 30. Selecting the Utility Option on the ICSF Primary Menu Panel
CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
OPTION ===> 5
Enter the number of the desired option.
1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
2 MASTER KEY MGMT - Master key set or change, CKDS/PKDS processing
3 OPSTAT - Installation options
4 ADMINCNTL - Administrative Control Functions
5 UTILITY - ICSF Utilities
6 PPINIT - Pass Phrase Master Key/KDS Initialization
7 TKE - TKE Master and Operational key processing
8 KGUP - Key Generator Utility processes
9 UDX MGMT - Management of User Defined Extensions
Licensed Materials - Property of IBM
5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
The Utilities panel appears. See Figure 31. You
use the RANDOM and CHECKSUM options to generate random numbers, checksums,
and verification patterns for master key management.
Figure 31. ICSF Utilities Panel
CSFUTL00 ---------------- ICSF - Utilities --------------------------
OPTION ===> 3
Enter the number of the desired option.
1 ENCODE - Encode data
2 DECODE - Decode data
3 RANDOM - Generate a random number
4 CHECKSUM - Generate a checksum and verification and
hash pattern
5 PPKEYS - Generate master key values from a pass phrase
6 PKDSKEYS - Manage keys in the PKDS
- Choose option 3, RANDOM, to access the Random Number Generator
panel, shown in Figure 32.
Figure 32. ICSF Random Number Generator Panel
CSFRNG00 ---------------- ICSF - Random Number Generator -------------
COMMAND ===>
Enter data below:
Parity Option ===> RANDOM ODD, EVEN, RANDOM
Random Number1 : 0000000000000000 Random Number 1
Random Number2 : 0000000000000000 Random Number 2
Random Number3 : 0000000000000000 Random Number 3
Random Number4 : 0000000000000000 Random Number 4
- To select the parity of the random numbers, enter ODD, EVEN, or
RANDOM next to Parity Option and press ENTER.
The DES master key
is forced to have odd parity, regardless of the parity option you
select for each key part. Parity is not checked for PKA master
keys.
A random 16-digit number appears in each of the
Random Number fields. You can use each of these random numbers for
a segment of a key part.
Note:
The third random number
is only for PKA master keys. It is not used for DES master keys or
operational keys.
Figure 33. ICSF Random Number Generator Panel with Generated Numbers
CSFRNG00 ---------------- ICSF - Random Number Generator -------------
COMMAND ===>
Enter data below:
Parity Option ===> RANDOM ODD, EVEN, RANDOM
Random Number1 : 51ED9CFA90716CFB Random Number 1
Random Number2 : 58403BFA02BD13E8 Random Number 2
Random Number3 : 9B28AEFA8C47760F Random Number 3
Random Number4 : 0000000000000000 Random Number 4
- When you end the utility panels and access the Master Key Part
Entry panel, the key parts you generated are transferred automatically
to the Master Key Part Entry panels. For this reason, you will not
need to enter the key parts on the Master Key Part Entry panels.
Important:
Although the key parts are automatically
transferred to the Master Key Entry panels, make sure you record the random numbers and store them in a safe place.
You must have these numbers in case you ever need to reenter the master
key values. If you ever need to restore a master key that has been
cleared for any reason, you will need the key part values.
- Press END to return to the Utilities panel.
- Continue with Steps for generating a checksum, verification pattern, or hash
pattern for a key part.
Steps for generating a checksum, verification pattern, or hash
pattern for a key part
You can use the ICSF utilities panel to generate a checksum and
either an optional verification pattern or an optional hash pattern
for a key part. You can use this panel to generate a checksum for
a key part even if ICSF has not been initialized. The random number
generator and the hash and verification pattern, however, do not work
until ICSF has been initialized with a valid master key.
Note:
The use of these utility panels to generate the key
part, the checksum, and the verification pattern exposes the key part
in storage for the duration of the dialogs. For this reason, you can
choose to calculate both the checksum, the verification pattern or
the hash pattern values manually or by using a PC program. See Checksum Algorithm for a description of the checksum algorithm. See Algorithm for calculating a verification pattern for a description of the algorithm for the verification
pattern. See The MDC–4 Algorithm for Generating Hash Patterns for a description of the MDC-4 algorithm
that is used to calculate a hash pattern for a key part. The use of
the verification pattern or hash pattern is optional.
Follow these steps to generate a checksum and the optional verification
pattern or hash pattern for a key part.
- Select option 4, CHECKSUM, on the ICSF Utilities panel as shown
in Figure 34.
Figure 34. Selecting the Checksum Option on the ICSF Utilities Panel
CSFUTL00 ---------------- ICSF - Utilities -------------------------
OPTION ===> 4
Enter the number of the desired option above.
1 ENCODE - Encode data
2 DECODE - Decode data
3 RANDOM - Generate a random number
4 CHECKSUM - Generate a checksum and verification and
hash patterns
5 PPKEYS - Generate master key values from a pass phrase
6 PKDSKEYS - Manage keys in the PKDS
The Checksum and Verification and Hash Pattern panel appears.
See Figure 35.
Figure 35. ICSF Checksum and Verification and Hash Pattern Panel
CSFMKV00 ------------ ICSF - Checksum and Verification and Hash Pattern -----
COMMAND ===>
Enter data below:
Key Type ===> (Selection panel displayed if blank)
Key Value ===> 51ED9CFA90716CFB Input key value 1
===> 58403BFA02BD13E8 Input key value 2
===> 9B28AEFA8C47760F Input key value 3 (AES & ECC & RSA Keys)
===> 0000000000000000 Input key value 4 (AES & ECC Keys only)
Checksum : 00 Check digit for key value
Key Part VP : 0000000000000000 Verification Pattern
Key Part HP : 0000000000000000 Hash Pattern
: 0000000000000000
If you accessed the Random Number Generator panel before
this panel, the random numbers that are generated appear automatically
in the Key Value fields.
- If you did not use the Random Number Generator panel to generate
random numbers, enter the numbers for which you want to create checksum,
verification pattern, or hash patterns into the key value fields.
Because these will be the key part values you will later specify in
the Master Key Entry panels, make sure you record the numbers.
- In the Key Type field, specify either:
- MASTER to generate a checksum and hash and verification pattern
for a DES master key part.
- PKAMSTR to generate a checksum and hash pattern for a PKA master
key part.
If you leave the Key Type field blank and press ENTER, the
Key Type Selection panel appears. See Figure 36.
Figure 36. Key Type Selection Panel Displayed During Hardware Key Entry
CSFMKV10 ------------- ICSF - Key Type Selection Panel ---- ROW 1 to 12 OF 12
COMMAND ===> SCROLL ===> PAGE
Select one key type only
KEY TYPE DESCRIPTION
AES-MK AES Master Key
ASYM-MK Asymmetric Master key
DES-MK DES Master key
ECC-MK ECC Master key
EXPORTER Export key encrypting key
IMP-PKA Limited authority importer key
IMPORTER Import key encrypting key
IPINENC Input PIN encrypting key
s MASTER DES master key
OPINENC Output PIN encrypting key
PINGEN PIN generation key
PINVER PIN verification key
PKAMSTR PKA/Asymmetric Master key
RSA-MK RSA Master key
***************************** BOTTOM OF DATA *****************************
- Type 'S' to the left of the MASTER key type, and press
ENTER to return to the Checksum and Verification Pattern panel as
shown in Figure 37.
In this example, we have selected
the DES master key.
Figure 37. ICSF Checksum and Verification Pattern Panel
CSFMKV00 ------ ICSF - Checksum and Verification and Hash Pattern ---
COMMAND ===>
Enter data below:
Key Type ===> MASTER (Selection panel displayed if blank)
Key Value ===> 51ED9CFA90716CFB Input key value 1
===> 58403BFA02BD13E8 Input key value 2
===> 9B28AEFA8C47760F Input key value 3 (AES & ECC & RSA Keys)
===> 0000000000000000 Input key value 4 (AES & ECC Keys only)
Checksum : 00 Check digit for key part
Key Part VP : 0000000000000000 Verification Pattern
Key Part HP : 0000000000000000 Hash Pattern
: 0000000000000000
- On the Checksum and Verification Pattern panel, press ENTER.
ICSF calculates
the checksum, verification pattern, and hash pattern for the key
part segments and displays them on the panel as shown in Figure 38. Since a DES master key was selected for this example,
the key part last segment was not used in the calculations. The key
part last field is zeroed out on the panel. For a PKA master key,
ICSF uses all three key part segments to calculate the checksum and
hash pattern.
Figure 38. Checksum, Verification Pattern, and Hash Pattern Calculated for a DES Master Key Part
CSFMKV00 ------ ICSF - Checksum and Verification and Hash Pattern ---
COMMAND ===>
Enter data below:
Key Type ===> MASTER (Selection panel displayed if blank)
Key Value ===> 51ED9CFA90716CFB Input key value 1
===> 58403BFA02BD13E8 Input key value 2
===> 0000000000000000 Input key value 3 (AES & ECC & RSA Keys)
===> 0000000000000000 Input key value 4 (AES & ECC Keys only)
Checksum : 40 Check digit for key part
Key Part VP : 0CCE190A635A6C89 Verification Pattern
Key Part HP : EA58E51179754FB7 Hash Pattern
: C102957465CE479E
- Record the checksum, verification pattern,
and hash pattern.
Save these values in a secure place along
with the key part values in case of a tamper. If the Cryptographic Coprocessor Feature detects
tampering, it clears the master key, and you have to reenter the same
master key again.
- Press END to return to the Utilities panel.
- Press END again to return to the ICSF Primary menu.
Continue with the appropriate topic for steps to enter the master
key part you have just generated.
|