z/OS Cryptographic Services ICSF System Programmer's Guide


ICSF Features

SA22-7520-17

ICSF protects data from unauthorized disclosure or modification. It protects data that is stored within a system, stored in a file on magnetic tape off a system, and sent between systems. It can also be used to authenticate identities of senders and receivers and to ensure the integrity of messages transmitted over a network. It uses cryptography to accomplish these functions.

Cryptography enciphers data, using an algorithm and a cryptographic key, so the data is in an unintelligible form. Deciphering data involves reproducing the intelligible data from the unintelligible data. To encipher and decipher data, ICSF uses either the U.S. National Institute of Science and Technology Data Encryption Standard (DES) algorithm, Advanced Encryption Standard (AES), Elliptic Curve Cryptography (ECC), or the Commercial Data Masking Facility (CDMF).

Restrictions:

  • The CDMF defines a scrambling technique for data confidentiality. It is a weakened form of DES and is only supported on IBM eServer zSeries 900 servers.
  • ECC is supported only on the z196 with a CEX3C.

ICSF supports several Public Key Algorithms (PKA), which do not require exchanging a secret key. You can use these algorithms to exchange AES, DES, or CDMF secret keys securely and to compute digital signatures for authenticating messages and users. For digital signatures, you use a pair of keys: a private (secret) key to sign a message and a corresponding public key to verify the signature. ICSF supports the RSA, ECC, and DSS algorithms. (Refer to the Federal Information Processing Standard (FIPS) Publication 186 for DSS standards.)

Restrictions:

  • DSS is only supported on IBM eServer zSeries 900 servers.
  • ECC is supported only on the z196 with a CEX3C.

A key can be any combination of hexadecimal characters. A key determines how ICSF uses the algorithm to uniquely encipher data.

You can call an ICSF callable service from an application program to perform a cryptographic function. ICSF uses keys in cryptographic functions to:

  • Protect data
  • Protect other keys
  • Verify that messages were not altered between sender and receiver
  • Generate, protect, and verify personal identification numbers (PINs)
  • Distribute AES, DES and CDMF keys
  • Generate and verify digital signatures

You use ICSF callable services and programs to generate, maintain, and manage keys that are used in the cryptographic functions. A unique key performs each type of cryptographic function on ICSF.

AES keys, except the AES master key, are enciphered under another key. The AES master key (AES-MK) enciphers each AES key that is used on the system. It is 256 bits long and is available only on the Crypto Express2 Coprocessor or Crypto Express3 Coprocessor with the Nov. 2008 or later licensed internal code (LIC).

All DES keys, except the DES master key, are enciphered under another key: the DES master key or a DES key-encrypting key. The DES master key (DES-MK or SYM-MK) is a double-length key that is used only to encrypt other DES keys.

The AES and DES master keys are physically secure.

On CCF systems, the DES-MK must be the same as the DES master key on the Cryptographic Coprocessor Feature. On systems with PCI X Cryptographic Coprocessors, Crypto Express2 Coprocessors, or Crypto Express3 Coprocessors, the DES-MK verification pattern must match the hash pattern of the CKDS.

On Crypto Express2 Coprocessors and Crypto Express3 Coprocessors, the AES master key verification pattern must match the AES master key verification pattern stored in the CKDS. The AES master key (AES-MK) is a 32-byte key that is used only to encrypt AES keys.

There are two public key master keys available — the RSA master key (RSA-MK) and the ECC master key (ECC-MK). ICSF handles each master key independently. Either, both, or neither of the master keys can be set.

  • RSA master keys protect RSA private keys. There are two RSA master keys on the Cryptographic Coprocessor Feature. One RSA master key, the signature master key (SMK), protects private keys that are intended for creating digital signatures. The other RSA master key, the key management master key (KMMK), protects private keys that are used in DES key distribution. Private keys that are protected by the KMMK can also be used to generate digital signatures.

    The RSA master key (RSA-MK) on the PCICC, PCIXCC, CEX2C, or CEX3C is a triple-length key used to encipher and decipher RSA keys. In order for the PCI Cryptographic Coprocessor to function, the value of the RSA-MK must have the same value as the SMK on the Cryptographic Coprocessor Feature. If the PCICC master key values are different, then the PCICC will not be made active. On systems with a PCIXCC, CEX2C, or CEX3C, the RSA-MK hash pattern must match the hash pattern of the PKDS.

  • ECC master keys protect ECC keys. The ECC master key is a 256-bit AES key used to protect ECC private keys. ECC keys are supported only on the z196 with a CEX3C coprocessor. Although a CEX3C card is not necessary to load a PKDS with ECC keys, those keys will not be usable without a CEX3C.
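The master key checks described above can be modelled as follows. This is an added example, not IBM code and not an ICSF interface: the pattern function is a stand-in hash rather than ICSF's algorithm, the byte lengths for "double-length" and "triple-length" assume 8 bytes per length unit, recording the ECC-MK pattern in the PKDS is an assumption, and all names, status strings and sample values are constructed.

```python
import hashlib
import hmac

# Master key lengths in bytes, from the sizes stated above. "Double-length"
# and "triple-length" are read as 2 x 8 and 3 x 8 bytes (assumption).
MK_LENGTH = {"DES-MK": 16, "AES-MK": 32, "RSA-MK": 24, "ECC-MK": 32}

# Key data set that records each pattern. Placing ECC-MK in the PKDS is an
# assumption drawn from the text saying ECC keys are loaded into a PKDS.
MK_DATA_SET = {"DES-MK": "CKDS", "AES-MK": "CKDS",
               "RSA-MK": "PKDS", "ECC-MK": "PKDS"}


def verification_pattern(mk_name: str, key: bytes) -> bytes:
    """Stand-in pattern: truncated SHA-256 of name and key (not ICSF's algorithm)."""
    return hashlib.sha256(mk_name.encode() + b"\x00" + key).digest()[:8]


def check_master_keys(registers: dict, data_sets: dict) -> dict:
    """Judge each master key independently; any subset may be set."""
    status = {}
    for name, length in MK_LENGTH.items():
        key = registers.get(name)
        if key is None:
            status[name] = "not set"
            continue
        if len(key) != length:
            status[name] = "bad length"
            continue
        stored = data_sets.get(MK_DATA_SET[name], {}).get(name)
        if stored is None:
            status[name] = "no pattern on file"
        elif hmac.compare_digest(stored, verification_pattern(name, key)):
            status[name] = "active"   # register matches the data set
        else:
            status[name] = "mismatch"  # data set was built under another key
    return status


# Constructed sample: the CKDS pattern for DES-MK comes from a different key.
AES_MK, DES_MK, RSA_MK = bytes(range(32)), bytes(range(16)), bytes(range(24))
SAMPLE_REGISTERS = {"AES-MK": AES_MK, "DES-MK": DES_MK, "RSA-MK": RSA_MK}
SAMPLE_DATA_SETS = {
    "CKDS": {"AES-MK": verification_pattern("AES-MK", AES_MK),
             "DES-MK": verification_pattern("DES-MK", bytes(16))},
    "PKDS": {"RSA-MK": verification_pattern("RSA-MK", RSA_MK)},
}

if __name__ == "__main__":
    for mk, state in check_master_keys(SAMPLE_REGISTERS, SAMPLE_DATA_SETS).items():
        print(f"{mk}: {state}")
```

The comparison uses `hmac.compare_digest` so that the check itself does not leak how many leading bytes of the pattern matched.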





Copyright IBM Corporation 1990, 2014