If you intend to use the key entry panels to enter master keys,
you need to generate and record these values when you begin:
- Key parts
- Checksums
- Verification patterns (optional)
- Hash patterns (optional)
Note:
If you are reentering master keys when they have been
cleared, use the same master key part values as when you originally
entered the keys. You should have saved the key part values in a secure
place when you entered the master keys previously.
The DES master key (DES-MK) is 16 bytes long. ICSF defines
these master keys by exclusive ORing two or more key parts. Each of
the master key parts is also 16 bytes long. To enter a DES-MK,
you must enter a first key part and a final key part. If you choose
to, you can also enter one or more intermediate key parts when entering
the first key part and the final key part.
Note:
The combined DES-MK master key is forced
to have odd parity, but the parity of the individual key parts can
be odd, even or mixed. We refer to even or mixed parity keys as non-odd
parity keys.
Attention: The PCIXCC, CEX2C, or CEX3C will not allow certain 'weak'
keys as DES and asymmetric master keys. The list of weak
keys is documented in Appendix F. Questionable (Weak) Keys.
The AES master key (AES-MK) is 32 bytes long. ICSF defines these
master keys by exclusive ORing two or more key parts.
The RSA master key (RSA-MK) is 24 bytes long. ICSF defines
these master keys by exclusive ORing two or more key parts.
The ECC master key (ECC-MK) is 32 bytes long. ICSF
defines these master keys by exclusive ORing two or more key parts.
ECC master key support is available on the CEX3C.
If you are using ICSF to generate random numbers, generate a
random number for each key part that you need to enter to create the
master key.
A 16-byte key part consists of 32 hexadecimal digits. A 24-byte
key part consists of 48 hexadecimal digits. A 32-byte
key part consists of 64 hexadecimal digits. To make this process easier,
each part is broken into segments of 16 digits each.
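The following Python sketch is an added example, not IBM code: it joins 16-digit segments into a key part, exclusive ORs the parts, and forces odd parity on the combined DES-MK only. The function names are hypothetical, the first key part reuses random numbers 1 and 2 from Figure 80, the final key part is constructed, and the parity adjustment assumes the standard DES convention (low-order bit of each byte is the parity bit).

```python
# Added example: combine master key parts the way the text describes.
# Key types and lengths are from the page; function names are hypothetical.
KEY_PART_BYTES = {"DES-MK": 16, "RSA-MK": 24, "AES-MK": 32, "ECC-MK": 32}


def parse_key_part(key_type, segments):
    """Join 16-digit hexadecimal segments into one key part of the right length."""
    if any(len(seg) != 16 for seg in segments):
        raise ValueError("each segment must be 16 hexadecimal digits")
    part = bytes.fromhex("".join(segments))
    if len(part) != KEY_PART_BYTES[key_type]:
        raise ValueError(f"{key_type} key part must be {KEY_PART_BYTES[key_type]} bytes")
    return part


def has_odd_parity(data):
    """True when every byte has an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in data)


def force_odd_parity(data):
    # Assumption: standard DES convention, the low-order bit of each byte
    # is the parity bit and is flipped when the byte has even parity.
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in data)


def combine_key_parts(key_type, parts):
    """Exclusive-OR a first, optional intermediate, and final key part."""
    if len(parts) < 2:
        raise ValueError("a first and a final key part are required")
    combined = bytes(KEY_PART_BYTES[key_type])
    for part in parts:
        if len(part) != len(combined):
            raise ValueError("key part length does not match key type")
        combined = bytes(a ^ b for a, b in zip(combined, part))
    # Only the combined DES-MK is forced to odd parity.
    return force_odd_parity(combined) if key_type == "DES-MK" else combined


# First part: random numbers 1 and 2 from Figure 80. Final part: constructed.
FIRST = parse_key_part("DES-MK", ["51ED9CFA90716CFB", "58403BFA02BD13E8"])
FINAL = parse_key_part("DES-MK", ["0123456789ABCDEF", "FEDCBA9876543210"])

if __name__ == "__main__":
    master = combine_key_parts("DES-MK", [FIRST, FINAL])
    print("first part odd parity:", has_odd_parity(FIRST))
    print("combined DES-MK:", master.hex().upper())
```

The first key part here has mixed parity, yet the combined DES-MK comes out with odd parity in every byte, which is the behaviour the note on non-odd parity key parts describes.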
When you are manually entering
the master key parts, you also enter a checksum that verifies whether
you entered the key part correctly. A checksum is a two-digit result
of putting a key part value through a series of calculations. The
coprocessors calculate the checksum with the key part you enter and
compare the one they calculated with the one you entered. The checksum
verifies that you did not transpose any digits when entering the key
part. If the checksums are equal, you have successfully entered the
key.
When you enter a key part and its checksum for a DES-MK,
the coprocessor calculates an eight-byte verification pattern and
sixteen-byte hash pattern. When you enter a key part and its checksum
for an AES-MK, the coprocessor calculates an eight-byte verification
pattern. When you enter a key part and its checksum for the RSA-MK,
the coprocessor calculates a sixteen-byte verification pattern. When
you enter a key part and its checksum for an ECC-MK, the coprocessor
calculates an eight-byte verification pattern.
Before the verification and hash patterns can be calculated, the DES-MK master
key must have been set.
The ICSF Master Key Entry panel displays the verification
pattern. Check the displayed verification pattern against the
optional verification pattern you may have generated at the time you
generated the AES, DES, ECC, or RSA master key parts. The verification
pattern checks whether you entered the key part correctly, and whether
you entered the correct key type.
ICSF displays a verification and/or hash pattern for each master
key part. It also displays a verification and/or hash pattern for
the master key when you enter all the key parts. If the displayed verification
and hash patterns are the same as the ones you generated, you have entered
the key parts correctly.
To generate the value for a key part, you can use one of these
methods:
- Choose a random number yourself.
- Access the ICSF utility panels to generate a random number.
- Call the random number generate callable service. For more information,
see z/OS Cryptographic Services ICSF Application Programmer’s Guide.
Note:
ICSF must be initialized with a DES-MK or AES-MK master
key to use the random number generate callable service or the Random
Number Generator panel.
Steps for generating key parts using ICSF utilities
- Access ICSF utilities by choosing option 5, UTILITY, on the
Primary Menu panel, as shown in Figure 77.
Figure 77. Selecting the Utility Option on the ICSF Primary Menu Panel
CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
OPTION ===> 5
Enter the number of the desired option.
1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
2 MASTER KEY MGMT - Master key set or change, CKDS/PKDS processing
3 OPSTAT - Installation options
4 ADMINCNTL - Administrative Control Functions
5 UTILITY - ICSF Utilities
6 PPINIT - Pass Phrase Master Key/KDS Initialization
7 TKE - TKE Master and Operational key processing
8 KGUP - Key Generator Utility processes
9 UDX MGMT - Management of User Defined Extensions
Licensed Materials - Property of IBM
5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
The Utilities panel appears. See Figure 78. You
use the RANDOM and CHECKSUM options to generate random numbers, checksums,
and verification patterns for master key management.
Figure 78. ICSF Utilities Panel
CSFUTL00 ---------------- ICSF - Utilities --------------------------
OPTION ===> 3
Enter the number of the desired option.
1 ENCODE - Encode data
2 DECODE - Decode data
3 RANDOM - Generate a random number
4 CHECKSUM - Generate a checksum and verification and
hash pattern
5 PPKEYS - Generate master key values from a pass phrase
6 PKDSKEYS - Manage keys in the PKDS
- Choose option 3, RANDOM, to access the Random Number Generator
panel, shown in Figure 79.
Figure 79. ICSF Random Number Generator Panel
CSFRNG00 ---------------- ICSF - Random Number Generator -------------
COMMAND ===>
Enter data below:
Parity Option ===> RANDOM ODD, EVEN, RANDOM
Random Number1 : 0000000000000000 Random Number 1
Random Number2 : 0000000000000000 Random Number 2
Random Number3 : 0000000000000000 Random Number 3
Random Number4 : 0000000000000000 Random Number 4
- To select the parity of the random numbers, enter ODD, EVEN, or
RANDOM next to Parity Option and press ENTER.
The DES-MK master
key is forced to have odd parity, regardless of the parity option
you select for each key part. Parity is not checked for AES, ECC, or PKA master keys.
A random 16-digit
number appears in each of the Random Number fields. You can use each
of these random numbers for a segment of a key part.
The DES
master key uses random numbers 1 and 2. The PKA master key uses random
numbers 1 through 3. The AES and ECC master keys
use random numbers 1 through 4.
Figure 80. ICSF Random Number Generator Panel with Generated Numbers
CSFRNG00 ---------------- ICSF - Random Number Generator -------------
COMMAND ===>
Enter data below:
Parity Option ===> RANDOM ODD, EVEN, RANDOM
Random Number1 : 51ED9CFA90716CFB Random Number 1
Random Number2 : 58403BFA02BD13E8 Random Number 2
Random Number3 : 9B28AEFA8C47760F Random Number 3
Random Number4 : 8453313235ABF69C Random Number 4
- When you end the utility panels and access the Master Key Part
Entry panel, the key parts you generated are transferred automatically
to the Master Key Part Entry panels. For this reason, you will not
need to enter the key parts on the Master Key Part Entry panels.
Although
the key parts are automatically transferred to the Master Key Entry
panels, make sure you record the random numbers and
store them in a safe place. You must have these numbers in case
you ever need to reenter the master key values. If you ever need to
restore a master key that has been cleared for any reason, you will
need the key part values.
- Press END to return to the Utilities panel.
- Continue with Steps for generating a checksum, verification pattern, or hash
pattern for a key part.
Steps for generating a checksum, verification pattern, or hash
pattern for a key part
You can use the Utilities panel to generate a checksum and either
an optional verification pattern or an optional hash pattern for a
key part. You can use this panel to generate a checksum for a key
part even if ICSF has not been initialized.
Note:
The use of the Utilities panel to generate the key
part, the checksum, and the verification pattern exposes the key part
in storage for the duration of the dialogs. For this reason, you can
choose to calculate the checksum, the verification pattern, or
the hash pattern values manually or by using a PC program. See Checksum
Algorithm for a description of the checksum algorithm. See Algorithm for
calculating a verification pattern for a description of the algorithm for
the verification pattern. See The MDC-4 Algorithm for Generating Hash
Patterns for a description of the MDC-4 algorithm
that is used to calculate a hash pattern for a key part. The use of
the verification pattern or hash pattern is optional.
Follow these steps to generate the checksum and the optional verification
pattern or hash pattern for a key part.
- Select option 4, CHECKSUM, on the ICSF Utilities panel as shown
in Figure 81.
Figure 81. Selecting the Checksum Option on the ICSF Utilities Panel
CSFUTL00 ---------------- ICSF - Utilities -------------------------
OPTION ===> 4
Enter the number of the desired option above.
1 ENCODE - Encode data
2 DECODE - Decode data
3 RANDOM - Generate a random number
4 CHECKSUM - Generate a checksum and verification and
hash patterns
5 PPKEYS - Generate master key values from a pass phrase
6 PKDSKEYS - Manage keys in the PKDS
The Checksum and Verification and Hash Pattern panel appears.
See Figure 82.
Figure 82. ICSF Checksum and Verification and Hash Pattern Panel
CSFMKV00 ------------ ICSF - Checksum and Verification and Hash Pattern -----
COMMAND ===>
Enter data below:
Key Type ===> (Selection panel displayed if blank)
Key Value ===> 51ED9CFA90716CFB Input key value 1
===> 58403BFA02BD13E8 Input key value 2
===> 9B28AEFA8C47760F Input key value 3 (AES & ECC & RSA Keys)
===> 8453313235ABF69C Input key value 4 (AES & ECC Keys only)
Checksum : 00 Check digit for key value
Key Part VP : 0000000000000000 Verification Pattern
Key Part HP : 0000000000000000 Hash Pattern
: 0000000000000000
If you accessed the Random Number Generator panel prior
to this panel, the random numbers that are generated appear automatically
in the Key Value fields.
- If you did not use the Random Number Generator panel to generate
random numbers, enter the numbers for which you want to create a checksum,
verification pattern, or hash pattern into the key value fields.
Because these will be the key part values you will specify in the
Master Key Entry panels, make sure you record the numbers.
- In the Key Type field, specify either:
- MASTER or DES-MK to generate a checksum and
hash and verification pattern for a DES master key part
- AES-MK to generate a checksum and verification pattern for an
AES master key part
- RSA-MK or PKAMSTR to generate a checksum and verification
pattern for an RSA master key part
- ECC-MK to generate a checksum and verification pattern
for an ECC master key part.
If you leave the Key Type field blank and press ENTER, the
Key Type Selection panel appears. See Figure 83.
Figure 83. Key Type Selection Panel Displayed During Hardware Key Entry
CSFMKV10 ------------- ICSF - Key Type Selection Panel ---- ROW 1 to 9 OF 9
COMMAND ===> SCROLL ===> PAGE
Select one key type only
KEY TYPE DESCRIPTION
AES-MK AES Master key
DES-MK DES Master key
ECC-MK ECC Master key
EXPORTER Export key encrypting key
IMP-PKA Limited authority importer key
IMPORTER Import key encrypting key
IPINENC Input PIN encrypting key
s MASTER DES Master key
OPINENC Output PIN encrypting key
PINGEN PIN generation key
PINVER PIN verification key
PKAMSTR PKA/Asymmetric Master key
RSA-MK RSA Master key
***************************** BOTTOM OF DATA *****************************
- Type 'S' to the left of the MASTER key type, and press
ENTER to return to the Checksum and Verification Pattern panel as
shown in Figure 84.
In this example, we have selected
the DES-MK master key.
Figure 84. ICSF Checksum and Verification Pattern Panel
CSFMKV00 ------ ICSF - Checksum and Verification and Hash Pattern ---
COMMAND ===>
Enter data below:
Key Type ===> MASTER (Selection panel displayed if blank)
Key Value ===> 51ED9CFA90716CFB Input key value 1
===> 58403BFA02BD13E8 Input key value 2
===> 0000000000000000 Input key value 3 (AES & ECC & RSA Keys)
===> 0000000000000000 Input key value 4 (AES & ECC Keys only)
Checksum : 40 Check digit for key part
Key Part VP : 0CCE190A635A6C89 Verification Pattern
Key Part HP : EA58E51179754FB7 Hash Pattern
: C102957465CE479E
- Record the checksum, verification pattern,
and hash pattern.
Save these values in a secure place along
with the key part values in case of tampering. If the PCIXCC, CEX2C,
or CEX3C detects tampering, it clears the master key, and you
have to reenter the same master key again.
- Press END to return to the Utilities panel.
- Press END again to return to the ICSF Primary menu.
Continue with the appropriate topic for steps to enter the master
key part you have just generated.