crypto hardware on system z - part 1 - new era · ibm americas, ats, washington systems center ©...

IBM Americas, ATS, Washington Systems Center

© 2014 IBM Corporation

Crypto Hardware on System z - Part 1

Greg Boyd ([email protected])

IBM ATS, Washington Systems Center

Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation of 27

Agenda Crypto Hardware - Part 1

– A refresher

– A little bit of history

– Some hardware terminology

– CPACF

Crypto Hardware – Part 2

– A couple of refresher slides

– Crypto Express Cards

– HMC Slides



Crypto Functions

Data Confidentiality

–Symmetric – DES/TDES, AES

–Asymmetric – RSA,Diffie-Hellman, ECC

Data Integrity

–Modification Detection

–Message Authentication

–Non-repudiation

Financial Functions

Key Security & Integrity



System z Crypto History

Cryptographic Coprocessor Facility – Supports “Secure key” cryptographic processing PCICC Feature – Supports “Secure key” cryptographic processing PCICA Feature – Supports “Clear key” SSL acceleration PCIXCC Feature – Supports “Secure key” cryptographic processing CP Assist for Cryptographic Function allows limited “Clear key” crypto functions from any CP/IFL

– NOT equivalent to CCF on older machines in function or Crypto Express2 capability Crypto Express2 – Combines function and performance of PCICA and PCICC Crypto Express3 – PCIe Interface, additional processing capacity with improved RAS Crypto Express4S - IBM Standard PKCS #EP11

2001 2002 2003 2004 2006 2005 2007 2008 2010/11 2009

Crypto Express3 z10 EC/BC z196/z114

z9 EC z9 BC z10 EC/BC Crypto Express2

Cryptographic Coprocessor Facility (CCF)

PCI Cryptographic Coprocessor (PCICC)

PCI Cryptographic Accelerator (PCICA)

PCIX Cryptographic Coprocessor (PCIXCC)

CP Assist for Cryptographic Functions

z990/z890

G3, G4, G5, G6, z900, z800

G5, G6, z900, z800

z800/z900

z9 EC z9 BC z10 EC/BC z990 z890

z990

z990

z890

z890

Crypto Express4S

2012/13

z196/z114 zEC12/ zBC12

zEC12/ zBC12



Clear Key / Secure Key / Protected Key

Clear Key – key may be in the clear, at least briefly, somewhere in the environment

Secure Key – key value does not exist in the clear outside of the HSM (secure, tamper-resistant boundary of the card)

Protected Key – key value does not exist outside of physical hardware, although the hardware may not be tamper-resistant



Visual Representation of Clear Key Processing

Process Encryption Request

Encrypt/Decrypt User Data with User Clear Key

Encryption Request

Data to be Encrypted/Decrypted

Encryption – Decryption Services

Key Repository

User Clear Key Value (ABCDEF)

ABCDEF In-Data

Out-Data

Clear Key User Data

Visible to Intruder



Visual Representation of Secure Key Processing

Process Encryption Request Encrypt/Decrypt User Data with User Secure Key

Encryption Request

Data to be Encrypted/Decrypted

Enciphered Key Value (EFGHJK)

Key Repository

User Secure Key Value (EFGHJK)

ABCDEF In-Data

Out-Data

Clear Key User Data

Not-Visible to Intruder

EFGHJK Master Key Decrypt Secure Key

Secure – Tamper Resistant Device



Protected Key – How it works

Create a key, with the value ‘ABCD’ and store it as a secure key in the CKDS (i.e. encrypted under the Master Key, MK)

–EMK(x’ABCD’) => x’4A!2’ written to the CKDS and stored with a label of MYKEY

Execute CSNBSYE (the clear key API to encrypt data), but pass it the key label of our secure key, MYKEY; and text to be encrypted of ‘MY MSG ’

–CALL CSNBSYE(….,

MYKEY,

‘MY MSG ’ ….)



Protected Key – How it works (cont …) ICSF will read MYKEY from the CKDS and pass the key value

x’4A!2’ to the CEX3

Inside the CEX3, recover the original key value and then wrap it using the wrapping key

–DMK(x’ 4A!2’) => x’ ABCD’

–EWK(x’ABCD’) => x’*94E’

ICSF will pass the wrapped key value of x’*94E’ to the CPACF, along with the message to be encrypted

In the CPACF, we’ll retrieve the wrapping key, WK

–Dwk(x’*94E’) => x’ABCD’

–Ex’ABCD’(‘MY MSG ’) => ciphertext of x’81FF18019717D183’



CPACF Wrapping Key

Pair of wrapping keys, stored in HSA

– AES Wrapping Key – 256 bits

– DES Wrapping Key – 192 bits

Terminology

– CPACF Wrapping Key – CPACF generated key to encrypt clear keys used by the CPACF

– CPACF Wrapped Key – operational key encrypted with CPACF wrapping key

Transient

– Generated each time an LPAR is activated or a clear reset is performed

– A wrapping key verification pattern is used to identify a specific instance



CPACF Machines (z890/z990 & later)

CPACF

CP

CEC Cage Memory

CP

CPACF

CP

I/O Cage or I/O

Drawer

Crypto Expressn

FICON

MBA STI

CP Crypto

Expressn-1P

CP Assist for Cryptographic Function (CPACF)

Peripheral Component Interconnect (PCI Cards)

PCIXCC

CPACF CPACF



CP Assist for Cryptographic Function – CPACF FC #3863 (No charge) is

required to enable some functions and is also required to support Crypto Express4S or Crypto Express3 feature

– DEA (DES, TDES2, TDES3) – SHA-1 (160 bit) – SHA-2 (244, 256, 384, 512 bit) – AES (128, 192, 256 bit)

Coprocessor dedicated to each core – Independent cryptographic engine – Available to any processor type – Owning processor is busy when it’s

coprocessor is busy – Independent compression engine

IB IB OB OB TLB TLB

2nd Level Cache

Cmpr Exp

Cmpr Exp 16K 16K

Crypto Cipher

Crypto Hash

Core 0 Core 1

Crypto Cipher

Crypto Hash

2nd Level Cache

12

zEC12 Cryptographic (and Compression) Engine



Core 0 Core 1

IB IB OB OB TLB TLB

2nd Level Cache

Cmpr Exp

Cmpr Exp 16K 16K

Crypto Cipher

Crypto Hash

Core 0 Core 1

IB IB OB OB TLB TLB

2nd Level Cache

Cmpr Exp

Cmpr Exp 16K 16K

Crypto Cipher

Crypto Hash

Core 0 Core 1

IB IB OB OB TLB TLB

2nd Level Cache

Cmpr Exp

Cmpr Exp 16K 16K

Crypto Cipher

Crypto Hash

Core 0 Core 1

IB IB OB OB TLB TLB

2nd Level Cache

Cmpr Exp

Cmpr Exp 16K 16K

Crypto Cipher

Crypto Hash

z196/z114/z10 Compression and Cryptographic Engine CP Assist for Cryptographic Function

– CPACF FC #3863 (No charge) is required to enable some functions and is also required to support Crypto Express4S or Crypto Express3 feature

– DEA (DES, TDES2, TDES3) – SHA-1 (160 bit) – SHA-2 (244, 256, 384, 512 bit) – AES (128, 192, 256 bit)

Coprocessor dedicated to each core – Independent cryptographic engine – Available to any processor type – Owning processor is busy when it’s

coprocessor is busy – Independent compression engine



zEC12 HMC/SE Screens – Crypto support



MSA – Message Security Assist

MSA

– Cipher Message

– Cipher Message with Chaining

– Compute Intermediate Message Digest

– Compute Last Message Digest

– Compute Message Authentication Code

– Query Functions

MSA Extension 4

– Cipher Message With CFB

– Cipher Message With Counter

– Cipher Message With OFB

– Perform Cryptographic Computation



System z CPACF Hardware – z890/z990

Message-Security Assist

–DES (56-, 112-, 168-bit)

–SHA-1

TechDoc WP100810 – A Synopsis of System z Crypto Hardware



System z CPACF Hardware – z9 EC & BC

Message-Security-Assist Extension 1

–DES (56-, 112-, 168-bit)

–AES-128

–SHA-1, SHA-256

–PRNG




System z CPACF Hardware – z10 EC & BC


–DES (56-, 112-, 168-bit)

–AES-128, AES-192, AES-256

–SHA-1, SHA-256, SHA-512 (SHA-2 Suite)

–PRNG




System z CPACF Hardware – z10 EC (GA3) & BC (GA2)


–DES (56-, 112-, 168-bit)

–AES-128, AES-192, AES-256


–PRNG

–Protected Key




System z CPACF Hardware – z196 (GA2) & z114 & zEC12


–DES (56-, 112-, 168-bit), new chaining options

–AES-128, AES-192, AES-256, new chaining options


–PRNG

–Protected Key




Cipher Block Chaining

New Instructions

–KMF - Cipher Message with CFB

–KMCTR - Cipher Message with Counter

–KMO - Cipher Message with OFB

Images from Wikipedia



CPU Measurement Facility What is CPU MF?

– z10 and later facility that provides cache and memory hierarchy counters – Provides hardware instrumentation data for production systems – CPU MF Counters also useful for performance analysis – Data gathering controlled through z/OS HIS (HW Instrumentation Services)

How can the COUNTERS be used today? – For performance analysis – Supplement current performance data from SMF, RMF, DB2, CICS, etc. – Measure (count) CPACF Usage – Recorded in SMF Type 113

Counter # Counter Counter # Counter

64 PRNG function count 72 DEA function count

65 PRNG cycle count 73 DEA cycle count

66 PRNG blocked function count 74 DEA blocked function count

67 PRNG blocked cycle count 75 DEA blocked cycle count

68 SHA function count 76 AES function count

69 SHA cycle count 77 AES cycle count

70 SHA blocked function count 78 AES blocked function count

71 SHA blocked cycle count 79 AES blocked cycle count



APIs and Hardware

HCR77A1 APIs(from Application Programmer's Guide SC14-7508-00)

8

74

2619

0

10

20

30

40

50

60

70

80

Hardware Required

APIs

CPACF onlyPCI CardICSF only (no hardware)PKCS #11



IBM Resources (on the web)

Redbooks – www.redbooks.ibm.com (search on ‘crypto’)

–IBM zEnterprise EC12 Configuration Setup, SG24-8034

– IBM zEnterprise EC12 Technical Introduction, SG24-8050

– IBM System EC12 Technical Guide, SG24-8049

ATS TechDocs Website – www.ibm.com/support/techdocs (search on ‘crypto’)

–WP100810 – A Synopsis of System z Crypto Hardware

–WP100647 – A Clear Key / Secure Key /Protected Key Primer

–TC000066 – CPU MF - 2012 Update and WSC Experiences



IBM Resources (on the web)

Manuals

–z/Architecture Principles of Operations, SA22-7832

ATS TechDocs Website – www.ibm.com/support/techdocs (search on ‘crypto’)

–PRS2669 – CPACFZ9S – How to Use the z9/z10 CPACF Crypto Functions

–PRS822 – CALCPACF: Callable z/OS Routine to Invoke z9/z10 CPACF Crypto Functions



Agenda Crypto Hardware - Part 1

– A refresher

– A little bit of history

– Some hardware terminology

– CPACF

Crypto Hardware – Part 2

– A couple of refresher slides

– Crypto Express Cards

– HMC Slides



Questions?

crypto hardware on system z - part 1 - new era · ibm americas, ats, washington systems center ©...

Documents