Getting started with ICSF

If you have ICSF installed, see Software requirements to ensure that you are using the required level for Encryption Facility.

Encryption Facility makes use of ICSF to manage cryptographic keys for encrypted data.

ICSF supports the following cryptographic standards and architectures:
  • IBM® Common Cryptographic Architecture (CCA), which is based on the ANSI Data Encryption Standard (DES)
  • Advanced Encryption Standard (AES)

Cryptographic keys

In the secret key cryptography system based on DES, two parties share secret keys that are used to protect data and keys that are exchanged on the network. Sharing secret keys establishes a secure communications channel. The only way to protect the security of the data in a shared secret key cryptographic system is to protect the secrecy of the secret key.

ICSF also supports triple DES encryption for data privacy. TDES triple-length keys use three single-length keys to encipher and decipher the data. This results in a stronger form of cryptography than that available with single DES encipherment.

With AES, data can be encrypted and decrypted using 128-bit, 192-bit, and 256-bit clear keys. CBC and ECB encryption are also supported.

For public key cryptography, ICSF supports both the Rivest-Shamir-Adleman (RSA) algorithm and the NIST Digital Signature Standard algorithm. RSA is one of the most widely used public key encryption algorithms. In this system, each party establishes a pair of cryptographic keys, which includes a public key and a private key. Both parties publish their public keys in a reliable information source and maintain their private keys in secure storage.

Cryptographic keys and Encryption Facility

Encryption Facility makes use of TDES triple-length keys and 128-bit AES keys for data encryption. On a system with secure cryptographic hardware, you can use Encryption Facility to generate TDES and AES keys and encrypt them for protection through RSA public keys. On systems without secure cryptographic hardware, a password allows the generation of clear TDES and AES keys. The use of these cryptographic keys with Encryption Facility depends on the kind of processor and the type of cryptographic hardware that you have installed.

Generating and placing an RSA key in the PKDS

RSA public and private keys for encryption can be stored in the ICSF public key data set (PKDS). These RSA keys are used by Encryption Facility to protect the symmetric keys that protect the data. You can specify multiple RSA keys as input to Encryption Services or Encryption Facility for z/OS Client and copy and distribute the resulting output file to multiple recipients. You can also use ICSF callable services to generate RSA keys and place them in the PKDS. The required ICSF callable services are CSNDPKB PKA key token build and CSNDPKG PKA key generate.

CSNDPKB builds a skeleton PKA token. The principal parameters are as follows:
  • Rule array
  • Key Value Structure (KVS)
  • Generated Key Token (KeyToken)
For example, the parameters for the generation of a skeleton key token for a 1024 bit RSA private key are as follows:
  • PKB_RULE = "RSA-PRIVKEY-MGMT"
  • PKB_KVS = "0400000000030000010001"
  • PKB_KeyToken = (generated)
CSNDPKG generates key values for the PKA token. The principal parameters are as follows:
  • Rule array
  • Skeleton key identifier (SkelKey)
  • Generated key identifier (GenKey)
For example, the parameters for a 1024 bit RSA private key are as follows:
  • PKG_RULE = "MASTER"
  • PKG_SkelKey = PKB_KeyToken
  • PKG_GenKey = "THIS.CAN.BE.A.PKDS.LABEL"
If you specify a PKDS key label for GenKey, ICSF writes the token to the PKDS.

Using the ICSF utility panels to create or delete PKDS records and import or export RSA keys

You can use ICSF utility panels to create or delete PKDS records and to export RSA keys to, or import them from, an X.509 certificate. You use X.509 certificates to certify the transmission of RSA public keys between senders and receivers of encrypted data. For information about using digital certificates, see Using RACF to store keys, manage PKDS labels, and send digital certificates.

Coprocessor Requirements for using the ICSF utility panels

To use the full function of the ICSF utility panels, you must have a PCICC, PCIXCC, or a CEX2C cryptographic coprocessor. If you do not have one of these coprocessors, you cannot generate key pairs using the panels.

For information about using the ICSF utility panels, see Using ICSF utilities panels for PKDS key management. For complete information about using ICSF utility panels and services, see z/OS Cryptographic Services ICSF Administrator's Guide.

ICSF uses the following callable services to create or delete PKDS records and to export or import RSA keys to or from X.509 certificates:
  • CSNDPKB (builds the skeleton key token)
  • CSNDKRC (creates the PKDS record)
  • CSNDKRD (deletes the PKDS record)
  • CSNDKRR (reads the record from the PKDS)
  • CSNDPKX (extracts only the public key from the record)
  • CSNBOWH (hashes the to-be-signed portion of the generated certificate)
  • CSNDDSG (signs the hash)
If you are using RACF® or a similar security product, ensure that the security administrator authorizes ICSF to use these services and any cryptographic keys that are input. For information about ICSF callable services, see z/OS Cryptographic Services ICSF Application Programmer's Guide.