Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
IBM Americas, ATS, Washington Systems Center
© 2014 IBM Corporation
Crypto Hardware on System z - Part 1
Greg Boyd ([email protected])
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 2 of 27
Agenda Crypto Hardware - Part 1
– A refresher
– A little bit of history
– Some hardware terminology
– CPACF
Crypto Hardware – Part 2
– A couple of refresher slides
– Crypto Express Cards
– HMC Slides
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 3 of 27
Crypto Functions
Data Confidentiality
–Symmetric – DES/TDES, AES
–Asymmetric – RSA,Diffie-Hellman, ECC
Data Integrity
–Modification Detection
–Message Authentication
–Non-repudiation
Financial Functions
Key Security & Integrity
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 4 of 27
System z Crypto History
Cryptographic Coprocessor Facility – Supports “Secure key” cryptographic processing PCICC Feature – Supports “Secure key” cryptographic processing PCICA Feature – Supports “Clear key” SSL acceleration PCIXCC Feature – Supports “Secure key” cryptographic processing CP Assist for Cryptographic Function allows limited “Clear key” crypto functions from any CP/IFL
– NOT equivalent to CCF on older machines in function or Crypto Express2 capability Crypto Express2 – Combines function and performance of PCICA and PCICC Crypto Express3 – PCIe Interface, additional processing capacity with improved RAS Crypto Express4S - IBM Standard PKCS #EP11
2001 2002 2003 2004 2006 2005 2007 2008 2010/11 2009
Crypto Express3 z10 EC/BC z196/z114
z9 EC z9 BC z10 EC/BC Crypto Express2
Cryptographic Coprocessor Facility (CCF)
PCI Cryptographic Coprocessor (PCICC)
PCI Cryptographic Accelerator (PCICA)
PCIX Cryptographic Coprocessor (PCIXCC)
CP Assist for Cryptographic Functions
z990/z890
G3, G4, G5, G6, z900, z800
G5, G6, z900, z800
z800/z900
z9 EC z9 BC z10 EC/BC z990 z890
z990
z990
z890
z890
Crypto Express4S
2012/13
z196/z114 zEC12/ zBC12
zEC12/ zBC12
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 5 of 27
Clear Key / Secure Key / Protected Key
Clear Key – key may be in the clear, at least briefly, somewhere in the environment
Secure Key – key value does not exist in the clear outside of the HSM (secure, tamper-resistant boundary of the card)
Protected Key – key value does not exist outside of physical hardware, although the hardware may not be tamper-resistant
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 6 of 27
Visual Representation of Clear Key Processing
Process Encryption Request
Encrypt/Decrypt User Data with User Clear Key
Encryption Request
Data to be Encrypted/Decrypted
Encryption – Decryption Services
Key Repository
User Clear Key Value (ABCDEF)
ABCDEF In-Data
Out-Data
Clear Key User Data
Visible to Intruder
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 7 of 27
Visual Representation of Secure Key Processing
Process Encryption Request Encrypt/Decrypt User Data with User Secure Key
Encryption Request
Data to be Encrypted/Decrypted
Enciphered Key Value (EFGHJK)
Key Repository
User Secure Key Value (EFGHJK)
ABCDEF In-Data
Out-Data
Clear Key User Data
Not-Visible to Intruder
EFGHJK Master Key Decrypt Secure Key
Secure – Tamper Resistant Device
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 8 of 27
Protected Key – How it works
Create a key, with the value ‘ABCD’ and store it as a secure key in the CKDS (i.e. encrypted under the Master Key, MK)
–EMK(x’ABCD’) => x’4A!2’ written to the CKDS and stored with a label of MYKEY
Execute CSNBSYE (the clear key API to encrypt data), but pass it the key label of our secure key, MYKEY; and text to be encrypted of ‘MY MSG ’
–CALL CSNBSYE(….,
MYKEY,
‘MY MSG ’ ….)
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 9 of 27
Protected Key – How it works (cont …) ICSF will read MYKEY from the CKDS and pass the key value
x’4A!2’ to the CEX3
Inside the CEX3, recover the original key value and then wrap it using the wrapping key
–DMK(x’ 4A!2’) => x’ ABCD’
–EWK(x’ABCD’) => x’*94E’
ICSF will pass the wrapped key value of x’*94E’ to the CPACF, along with the message to be encrypted
In the CPACF, we’ll retrieve the wrapping key, WK
–Dwk(x’*94E’) => x’ABCD’
–Ex’ABCD’(‘MY MSG ’) => ciphertext of x’81FF18019717D183’
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 10 of 27
CPACF Wrapping Key
Pair of wrapping keys, stored in HSA
– AES Wrapping Key – 256 bits
– DES Wrapping Key – 192 bits
Terminology
– CPACF Wrapping Key – CPACF generated key to encrypt clear keys used by the CPACF
– CPACF Wrapped Key – operational key encrypted with CPACF wrapping key
Transient
– Generated each time an LPAR is activated or a clear reset is performed
– A wrapping key verification pattern is used to identify a specific instance
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 11 of 27
CPACF Machines (z890/z990 & later)
CPACF
CP
CEC Cage Memory
CP
CPACF
CP
I/O Cage or I/O
Drawer
Crypto Expressn
FICON
MBA STI
CP Crypto
Expressn-1P
CP Assist for Cryptographic Function (CPACF)
Peripheral Component Interconnect (PCI Cards)
PCIXCC
CPACF CPACF
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 12 of 27
CP Assist for Cryptographic Function – CPACF FC #3863 (No charge) is
required to enable some functions and is also required to support Crypto Express4S or Crypto Express3 feature
– DEA (DES, TDES2, TDES3) – SHA-1 (160 bit) – SHA-2 (244, 256, 384, 512 bit) – AES (128, 192, 256 bit)
Coprocessor dedicated to each core – Independent cryptographic engine – Available to any processor type – Owning processor is busy when it’s
coprocessor is busy – Independent compression engine
IB IB OB OB TLB TLB
2nd Level Cache
Cmpr Exp
Cmpr Exp 16K 16K
Crypto Cipher
Crypto Hash
Core 0 Core 1
Crypto Cipher
Crypto Hash
2nd Level Cache
12
zEC12 Cryptographic (and Compression) Engine
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 13 of 27
Core 0 Core 1
IB IB OB OB TLB TLB
2nd Level Cache
Cmpr Exp
Cmpr Exp 16K 16K
Crypto Cipher
Crypto Hash
Core 0 Core 1
IB IB OB OB TLB TLB
2nd Level Cache
Cmpr Exp
Cmpr Exp 16K 16K
Crypto Cipher
Crypto Hash
Core 0 Core 1
IB IB OB OB TLB TLB
2nd Level Cache
Cmpr Exp
Cmpr Exp 16K 16K
Crypto Cipher
Crypto Hash
Core 0 Core 1
IB IB OB OB TLB TLB
2nd Level Cache
Cmpr Exp
Cmpr Exp 16K 16K
Crypto Cipher
Crypto Hash
z196/z114/z10 Compression and Cryptographic Engine CP Assist for Cryptographic Function
– CPACF FC #3863 (No charge) is required to enable some functions and is also required to support Crypto Express4S or Crypto Express3 feature
– DEA (DES, TDES2, TDES3) – SHA-1 (160 bit) – SHA-2 (244, 256, 384, 512 bit) – AES (128, 192, 256 bit)
Coprocessor dedicated to each core – Independent cryptographic engine – Available to any processor type – Owning processor is busy when it’s
coprocessor is busy – Independent compression engine
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 14 of 27
zEC12 HMC/SE Screens – Crypto support
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 15 of 27
MSA – Message Security Assist
MSA
– Cipher Message
– Cipher Message with Chaining
– Compute Intermediate Message Digest
– Compute Last Message Digest
– Compute Message Authentication Code
– Query Functions
MSA Extension 4
– Cipher Message With CFB
– Cipher Message With Counter
– Cipher Message With OFB
– Perform Cryptographic Computation
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 16 of 27
System z CPACF Hardware – z890/z990
Message-Security Assist
–DES (56-, 112-, 168-bit)
–SHA-1
TechDoc WP100810 – A Synopsis of System z Crypto Hardware
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 17 of 27
System z CPACF Hardware – z9 EC & BC
Message-Security-Assist Extension 1
–DES (56-, 112-, 168-bit)
–AES-128
–SHA-1, SHA-256
–PRNG
TechDoc WP100810 – A Synopsis of System z Crypto Hardware
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 18 of 27
System z CPACF Hardware – z10 EC & BC
Message-Security-Assist Extension 2
–DES (56-, 112-, 168-bit)
–AES-128, AES-192, AES-256
–SHA-1, SHA-256, SHA-512 (SHA-2 Suite)
–PRNG
TechDoc WP100810 – A Synopsis of System z Crypto Hardware
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 19 of 27
System z CPACF Hardware – z10 EC (GA3) & BC (GA2)
Message-Security-Assist Extension 3
–DES (56-, 112-, 168-bit)
–AES-128, AES-192, AES-256
–SHA-1, SHA-256, SHA-512 (SHA-2 Suite)
–PRNG
–Protected Key
TechDoc WP100810 – A Synopsis of System z Crypto Hardware
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 20 of 27
System z CPACF Hardware – z196 (GA2) & z114 & zEC12
Message-Security-Assist Extension 4
–DES (56-, 112-, 168-bit), new chaining options
–AES-128, AES-192, AES-256, new chaining options
–SHA-1, SHA-256, SHA-512 (SHA-2 Suite)
–PRNG
–Protected Key
TechDoc WP100810 – A Synopsis of System z Crypto Hardware
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 21 of 27
Cipher Block Chaining
New Instructions
–KMF - Cipher Message with CFB
–KMCTR - Cipher Message with Counter
–KMO - Cipher Message with OFB
Images from Wikipedia
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 22 of 27
CPU Measurement Facility What is CPU MF?
– z10 and later facility that provides cache and memory hierarchy counters – Provides hardware instrumentation data for production systems – CPU MF Counters also useful for performance analysis – Data gathering controlled through z/OS HIS (HW Instrumentation Services)
How can the COUNTERS be used today? – For performance analysis – Supplement current performance data from SMF, RMF, DB2, CICS, etc. – Measure (count) CPACF Usage – Recorded in SMF Type 113
Counter # Counter Counter # Counter
64 PRNG function count 72 DEA function count
65 PRNG cycle count 73 DEA cycle count
66 PRNG blocked function count 74 DEA blocked function count
67 PRNG blocked cycle count 75 DEA blocked cycle count
68 SHA function count 76 AES function count
69 SHA cycle count 77 AES cycle count
70 SHA blocked function count 78 AES blocked function count
71 SHA blocked cycle count 79 AES blocked cycle count
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 23 of 27
APIs and Hardware
HCR77A1 APIs(from Application Programmer's Guide SC14-7508-00)
8
74
2619
0
10
20
30
40
50
60
70
80
Hardware Required
APIs
CPACF onlyPCI CardICSF only (no hardware)PKCS #11
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 24 of 27
IBM Resources (on the web)
Redbooks – www.redbooks.ibm.com (search on ‘crypto’)
–IBM zEnterprise EC12 Configuration Setup, SG24-8034
– IBM zEnterprise EC12 Technical Introduction, SG24-8050
– IBM System EC12 Technical Guide, SG24-8049
ATS TechDocs Website – www.ibm.com/support/techdocs (search on ‘crypto’)
–WP100810 – A Synopsis of System z Crypto Hardware
–WP100647 – A Clear Key / Secure Key /Protected Key Primer
–TC000066 – CPU MF - 2012 Update and WSC Experiences
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 25 of 27
IBM Resources (on the web)
Manuals
–z/Architecture Principles of Operations, SA22-7832
ATS TechDocs Website – www.ibm.com/support/techdocs (search on ‘crypto’)
–PRS2669 – CPACFZ9S – How to Use the z9/z10 CPACF Crypto Functions
–PRS822 – CALCPACF: Callable z/OS Routine to Invoke z9/z10 CPACF Crypto Functions
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 26 of 27
Agenda Crypto Hardware - Part 1
– A refresher
– A little bit of history
– Some hardware terminology
– CPACF
Crypto Hardware – Part 2
– A couple of refresher slides
– Crypto Express Cards
– HMC Slides
IBM ATS, Washington Systems Center
Crypto Hardware Part 1 February, 2014 © 2014 IBM Corporation Page 27 of 27
Questions?