Overview of digital signatures and SMF
This topic describes what digital signatures are and how SMF uses them to sign records.
What are digital signatures?
- The signer hashes the data and then encrypts the hash using the signer’s private key. The encrypted hash is the signature.
- A consumer can hash the same data and decrypt the signature using the public key to obtain the signer’s hash. The hashes can then be compared.
- When the consumer’s hash value matches the signer’s decrypted hash value, the data is considered to be verified. If the hashes do not match, it indicates that some form of data corruption or tampering has occurred.
How SMF digitally signs records
- As each record is written to the log stream, it is hashed. SMF maintains a running hash for each unique record type and subtype.
- Periodically, SMF digitally signs the hash by encrypting it with the private key, and writes the signature data to the log stream as a signature record.
- On the global interval, SMF creates a signature for all of the data hashed during the interval (again using the private key) and writes the signature data to the log stream.
The IFASMFDL dump program understands signature records and, optionally, moves them along with the records of an associated SMF record type and subtype.
When signature records are available in the data, the IFASMFDP dump program can verify that a set of SMF records has not been corrupted or tampered with. IFASMFDP uses the public key to perform this operation.
To perform all hash and signature processing, SMF uses the PKCS #11 services provided by Integrated Cryptographic Services Facility (ICSF), specifically, the CSFPOWH function. For information about the requirements for using PKCS #11 services, see z/OS Cryptographic Services ICSF Writing PKCS #11 Applications. For more information about the requirements for using ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide.