z/OS Version 2 Release 2 System SSL Security Policy

IBM® z/OS® Version 2 Release 2 System SSL Cryptographic Module
FIPS 140-2 Non-Proprietary Security Policy
Policy Version v1.2

IBM Systems & Technology Group
System z Development
Poughkeepsie, New York

November 2nd, 2017

© Copyright International Business Machines Corporation 2017. This document may be reproduced only in its original entirety without revision.


Table of Contents

1. Scope of Document
2. Cryptographic Module Specification
3. Cryptographic Module Security Level
4. Ports and Interfaces
5. Roles, Services and Authentication
   5.1 Roles
   5.2 Services
6. Operational Environment
7. Key Management
8. Physical Security
9. EMI/EMC
10. Self-Tests
   10.1 System SSL Module
11. Operational Requirements (Officer/User Guidance)
   11.1 Module Configuration for FIPS 140-2 Compliance
   11.2 Determining Mode of Operation
   11.3 Testing/Physical Security Inspection Recommendations
12. Mitigation of Other Attacks
13. Cryptographic Module Configuration Diagrams
14. Glossary
15. References
16. Trademarks


1. Scope of Document

This document describes the services that the z/OS System SSL cryptographic module (“System SSL module” or “module”) provides to security officers and end users, and the policy governing access to those services by the z/OS System SSL element. It complements official z/OS System SSL element documentation, which concentrates on application programming interface (API) level usage and environmental setup [1].

The z/OS System SSL cryptographic module provides cryptographic functionality, ASN.1 processing, x.509 certificate, PKCS#7 and data conversion functionality for use by the System SSL element of z/OS (hereafter referred to as “System SSL element”). The z/OS System SSL cryptographic module in its FIPS 140-2 configuration consists of a single shared library (DLL). The shared library binary is either a 31 or 64-bit version. The deployed version consists of the following modules:

Table 1: System SSL Library Modules

| 31-bit | 64-bit |
|---|---|
| GSKC31F | GSKC64F |

The z/OS System SSL cryptographic module is packaged within the System SSL element of z/OS. The System SSL element contains external application programming interfaces (APIs) which allow host applications to utilize functionality within the System SSL element and the z/OS System SSL cryptographic module. Communication to the z/OS System SSL cryptographic module is through C-language application programming interfaces (APIs) known only to the System SSL element’s DLLs and executables. These DLLs and executables are not part of the cryptographic module. All interfaces to the System SSL module are through the System SSL element. The z/OS System SSL cryptographic module does not implement the TLS protocol. It provides the cryptographic primitives (i.e. Key Derivation Function (KDF)) and functions to allow the System SSL element to support TLS.

2. Cryptographic Module Specification

The z/OS System SSL cryptographic module is classified as a multi-chip standalone software-hybrid module for FIPS Pub 140-2 purposes. The actual cryptographic boundary for this FIPS 140-2 module validation includes the System SSL module running in configurations supplemented by hardware cryptography. The System SSL module consists of software-based cryptographic algorithms, as well as symmetric and hashing algorithms provided by the CP Assist for Cryptographic Function (CPACF).

The System SSL module uses the z/OS Version 2 Release 2 Security Server RACF Signature Verification (hereafter referred to as “IRRPVERS”) with FIPS 140-2 Validation #2691 for module integrity checking services. The System SSL module uses the z/OS Version 2 Release 2 ICSF PKCS#11 (hereafter referred to as “ICSF PKCS#11”) with FIPS 140-2 Validation #3019 for certified cryptographic algorithms not available within the System SSL module (i.e. random number generation) and hardware RSA signature verification and key wrapping. The IRRPVERS and ICSF PKCS#11 are also known as “bound” modules.


Table 2: System SSL Module Components

| Type/Name | Version |
|---|---|
| Software Components: System SSL DLLs (GSKC31F and GSKC64F) | z/OS Version 2 Release 2 with System SSL level HCPT420/JCPT421 with APAR OA52653 |
| Hardware Components: CPACF | Firmware - CP Assist for Cryptographic Functions DES/TDES Enablement Feature 3863 (aka FC3863) with System Driver Level 27I; Hardware – COP chips integrated within processor unit |
| Documentation | SC14-7495 z/OS System SSL Programming, ftp://public.dhe.ibm.com/eserver/zseries/zos/ssl/pdf/oa50589_22.pdf |

System SSL module validation was performed using the z/OS Version 2 Release 2 operating system with the following platform configurations:

1. IBM z13 with CP Assist for Cryptographic Functions DES/TDES Enablement Feature 3863 (Base GPC)

2. IBM z13 with CP Assist for Cryptographic Functions DES/TDES Enablement Feature 3863 and optional Crypto Express5 card (Accelerator (CEX5A)) - CEX5A card may be used by ICSF PKCS#11 for RSA hardware clear key module math cryptography to support RSA digital signature verification and key wrapping.

The System SSL module running on the above platforms met all FIPS Pub 140-2 Level 1 security requirements. See Section 13, Cryptographic Module Configuration Diagrams, for more information about the validated platforms. In addition to the configurations tested by the laboratory, vendor-affirmed testing was performed using z/OS Version 2 Release 2 on the following platforms:

1. IBM System zEnterprise™ EC12 (zEC12) with CP Assist for Cryptographic Functions DES/TDES Enablement Feature 3863 (Base GPC)

2. IBM System zEnterprise™ BC12 (zBC12) with CP Assist for Cryptographic Functions DES/TDES Enablement Feature 3863 (Base GPC).

Note (IG G.5): the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported and executed in an operational environment not listed on the validation certificate.

Security level: This document describes the security policy for the z/OS System SSL module with Level 1 overall security as defined in FIPS Pub 140-2 [2]. Figure 1 below shows the physical boundary of the System z machine as well as the logical boundary of the module. A more detailed view consisting of the module and bound modules is shown in Figure 2 in the Cryptographic Module Configuration Diagrams section.


Figure 1: System SSL Cryptographic Module Physical and Logical Boundaries

3. Cryptographic Module Security Level

The System SSL module is intended to meet requirements of Security Level 1 overall, with certain categories of security requirements not applicable (Table 3).

Table 3: Module Security Level Specification

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Module Ports and Interfaces | 1 |
| Roles, Services and Authentication | 1 |
| Finite State Model | 1 |
| Physical Security | 1 |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 1 |
| Mitigation of other attacks | N/A |
| Overall | 1 |

4. Ports and Interfaces

As a multi-chip standalone module, the System SSL module physical interfaces are the boundaries of the host running System SSL module code. The underlying logical interfaces of the module are internal application programming interfaces (APIs) to the System SSL element and logical interfaces to the ICSF PKCS#11 module.

Table 4: Data input, data output, control input and status output

Interfaces into and out of the Module

| FIPS 140-2 Interface | Logical Interface | Description |
|---|---|---|
| Data Input | API | Input variables are passed on the internal application programming interface (API) |
| Data Output | API | Output results are passed back through the API |
| Control Input | API function calls and environment variable | Setting of GSK_HW_CRYPTO environment variable |
| Status Output | API return codes | Status output is provided in return codes |
| Power | Not applicable | Not applicable |

Interface between module and ICSF PKCS#11

| FIPS 140-2 Interface | Logical Interface – ICSF PKCS#11 APIs (CSFPPD2, CSFPPE2, CSFPPV2) | Description |
|---|---|---|
| Data Input | API | Input variables passed on the ICSF PKCS#11 API invocation |
| Data Output | API | Output results passed back by the ICSF PKCS#11 API |
| Control Input | API | ICSF PKCS#11 vendor defined PKCS#11 attribute CKA_IBM_FIPS140 passed on API invocation |
| Status Output | API return and reason codes | Status output returned from ICSF PKCS#11 API as return and reason codes |

Cryptographic bypass capability is not supported by the System SSL module.

Module Status: The System SSL module communicates any error status synchronously through the use of return codes to the System SSL element which then surfaces them to the calling application. A complete list of return codes returned by the System SSL element is provided in the System SSL element documentation. It is the responsibility of the application to handle exceptional conditions in a FIPS 140-2 appropriate manner.

The System SSL module is optimized for library use and does not contain any terminating assertions or exceptions. Any internal error detected by the System SSL module and not induced by user data will be reflected back to the application with an appropriate return code. The calling application must examine the return code and act in a FIPS 140-2 appropriate manner to such failures and reflect this error in a fashion consistent with this application. User-induced or internal errors do not reveal any sensitive material to callers. Return codes and error conditions surfaced by the System SSL element are fully documented in the System SSL element’s programming documentation.


5. Roles, Services and Authentication

5.1 Roles

The module supports two roles: a cryptographic officer (Officer) role and a User role (Table 5). The module does not support user identification or authentication that would allow the module to distinguish between the two supported roles. Each of the roles is authenticated through the operating system prior to using any system services.

The Officer role is a purely administrative role that does not involve the use of cryptographic services. The role is not explicitly authenticated but assumed implicitly on implementation of the module’s installation and configuration.

The User role has access to all of the module’s services. The role is not explicitly authenticated, but assumed implicitly on access of any of the non-Officer services.

An operator is implicitly in the User or Officer role based upon the service(s) chosen. If any of the User-specific services are called, then the operator is in the User role; otherwise the operator is in the Officer role.

Table 5: Roles and Authentication Mechanisms

| Role | Purpose / Permitted Actions | Type of Authentication | Authentication Data | Strength of Mechanism |
|---|---|---|---|---|
| User | Request the cryptographic algorithms listed in Tables 6 and 7 | None (Automatic) | None | N/A |
| Officer | Module installation and configuration. This role does not involve the use of cryptographic services. | Implicit | N/A | N/A |

5.2 Services

The module provides commands (services - Tables 6, 7 and 8) and queries (Table 9). Queries return status of commands or command groups; commands exercise cryptographic functions or services. Officers perform queries; Users may perform both queries and commands. Services are accessed through System SSL element API interfaces from the calling host application.

The System SSL module provides both non-cryptographic and cryptographic services. The non-cryptographic services can be utilized by the calling application (i.e. x.509 certificate encoding/decoding) without causing any impact to the module’s cryptographic support. Cryptographic primitives (i.e. Key Derivation Function (KDF), AES encrypt/decrypt) provide the required cryptographic primitives for the System SSL element to support the TLS protocol. The cryptographic algorithms associated with the TLS ciphers are restricted to FIPS approved algorithms only.

Additional services and processing are provided by bound modules IRRPVERS and ICSF PKCS#11. The System SSL module utilizes the module integrity checking services provided by IRRPVERS and the cryptographic services provided by ICSF PKCS#11.

Table 6: Approved Services

| Service | Role: User | Role: Crypto Officer | CSP | Modes/Notes | Cert # | Access (Read, write, execute) | Standard |
|---|---|---|---|---|---|---|---|
| Module installation And Configuration | | X | N/A | N/A | N/A | N/A | N/A |
| Software | | | | | | | |
| Symmetric Algorithms | | | | | | | |
| AES Encryption and Decryption | X | | AES Symmetric key (128, 256 bit) | CBC | Certs. #4757 #4758 | Read Write Execute | FIPS 197, SP 800-38A |
| Triple DES Encryption And Decryption | X | | Triple DES Symmetric key (192 bit) | CBC | Certs. #2527 #2528 | Read Write Execute | SP 800-67 |
| Public Key Algorithms | | | | | | | |
| DSA Parameter/Key Generation | X | | DSA Parameter And Asymmetric keys L=2048, N=256 | N/A | Certs. #1277 #1278 | Read Write Execute | FIPS 186-4 |
| DSA Signature Generation | X | | DSA Asymmetric Private Key L=2048, N=256 with SHA2(1/224/256) | SHA-1 affirmed for use with protocols only. | | Read Write Execute | FIPS 186-4 |
| DSA Signature Verification | X | | DSA Asymmetric Public Key L=1024, N=160 with SHA(1/224/256); L=2048, N=256 with SHA(1/224/256) | N/A | | Read Execute | FIPS 186-4 |
| RSA Key generation | X | | RSA Asymmetric Key 2048 and 3072 | N/A | Certs. #2600 #2601 | Read Write Execute | FIPS 186-4 |
| RSA Signature Generation (including various combination of System SSL RSA with either System SSL or CPACF SHA) | X | | RSA Asymmetric Private Key 2048 and 3072 with SHA1(1/224/256/384/512) | SHA-1 affirmed for use with protocols only. | | Read Write Execute | FIPS 186-4 |
| RSA Signature Verification (including various combination of System SSL or ICSF PKCS#11 RSA with either System SSL or CPACF SHA) | X | | RSA Asymmetric Public Key 2048 and 3072 with SHA(1/224/256/384/512) | N/A | | Read Execute | FIPS 186-4 |
| Hash Functions | | | | | | | |
| SHS Message Digest | X | | N/A | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | Certs. #3899 #3900 | N/A | FIPS 180-4 |
| Message Authentication Codes (MACs) | | | | | | | |
| HMAC Message Authentication (including CPACF implementations for SHA) | X | | Key sizes 112 bits in length and greater (footnote 2) | HMAC SHA-1, HMAC SHA-256, HMAC SHA-384 | Certs. #3168 #3169 | Read Write Execute | FIPS 198-1 |
| Component | | | | | | | |
| TLS Key Derivation (including CPACF implementations for SHA) | X | | TLS V1.0, V1.1, V1.2 premaster secret, read MAC key, read key, read IV, write MAC key, write key and write IV | N/A | CVL Certs. #1396 #1397 | Read Write Execute | SP 800-135 |
| CP Assist for Cryptographic Functions | | | | | | | |
| Symmetric Algorithms | | | | | | | |
| AES Encryption and Decryption | X | | AES Symmetric key (128, 256 bit) | CBC | Cert. #4579 (footnote 3) | Read Write Execute | FIPS 197, SP 800-38A |
| Triple DES Encryption And Decryption | X | | Triple DES Symmetric key (192 bit) | CBC | Cert. #2432 | Read Write Execute | SP 800-67 |
| Hash Function | | | | | | | |
| SHS Message Digest | X | | N/A | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | Cert. #3661 | Read Write Execute | FIPS 180-4 |
| ICSF bound module | | | | | | | |
| AES | X | | AES symmetric keys (128/256-bit keys) | GCM | Cert. #4586 | Read Write Execute | SP 800-38D |
| RSA Signature verification | X | | RSA Asymmetric public keys (1024/2048/3072-bit keys) | PKCS 1.5 | Cert. #2501 | Read Write Execute | FIPS 186-4 |
| Diffie-Hellman | X | | Diffie-Hellman Asymmetric private keys (L=2048, N=224; L=2048, N=256) | N/A | CVL Cert. #1259 | Read Write Execute | FIPS 186-4 |
| EC Diffie-Hellman | X | | EC Diffie-Hellman Asymmetric private keys (keys according to P-224, P-256, P-384 and P-521) | N/A | CVL Cert. #1259 | Read Write Execute | FIPS 186-4 |
| ECDSA Key generation, Signature generation, Signature verification | X | | ECDSA Asymmetric private keys (keys according to P-224, P-256, P-384 and P-521) | N/A | Cert. #1123 | Read Write Execute | FIPS 186-4 |
| DRBG | X | | Entropy input, Seed, V, C (Hash-SHA-512) | N/A | Cert. #1526 #1530 | Read Write Execute | SP 800-90A |
| 4767-001 (CEX5A) from ICSF bound module | | | | | | | |
| Diffie-Hellman | X | | Diffie-Hellman Asymmetric private keys (L=2048, N=224; L=2048, N=256) | N/A | CVL Cert. #1322 | Read Write Execute | SP 800-56A, Revision 2 |
| RSA Signature verification | X | | RSA Asymmetric public keys (1024/2048/3072-bit keys) | PKCS 1.5 | Cert. #2548 | Read Write Execute | FIPS 186-4 |
| IRRPVERS bound module | | | | | | | |
| RSA Signature Verification | X | | RSA Asymmetric public keys (2048-bit keys) | PKCS 1.5 | Cert. #2283 | Read Write Execute | FIPS 186-4 |

Footnotes to Table 6:

1 Use of SHA1 for digital signature generation is deprecated and should not be used.

2 Per FIPS 198-1 and SP 800-107, keys less than 112 bits in length are not approved for HMAC generation.

3 There are algorithms that have been CAVS tested with key sizes and block chaining modes for which the module does not provide interfaces. Only the algorithms’ key sizes and block chaining modes present in this table are made available by the module.


Table 7: Allowed Services

| Service | Role: User | Role: Crypto Officer | CSP | Access (Read, write, execute) | Standard/Mode | Caveat |
|---|---|---|---|---|---|---|
| Public Key Algorithms | | | | | | |
| RSA Key Wrapping | X | | RSA Asymmetric Private Key; modulus size from at least 2048 and up to and including 4096 bits | Read Write Execute | N/A | key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength |
| RSA Digital Signature Generation | X | | RSA Asymmetric Private Key; modulus size 2048 and up to and including 4096 bits (except 2048 and 3072 bits) | Read Write Execute | FIPS 186-4 | N/A |
| RSA Digital Signature Verification | X | | RSA Asymmetric Public Key; modulus size 1024 up to and including 4096 bits (except 2048 and 3072 bits) | Read, Execute | FIPS 186-2, FIPS 186-4 | N/A |
| RSA Key Generation | X | | RSA Asymmetric Private and Public Key; key lengths multiple of 16 bits between 2048 and 4096 bits inclusive (except 2048 and 3072 bits) | Read, Write, Execute | FIPS 186-4 | N/A |
| Message Authentication Codes (MACs) | | | | | | |
| HMAC Message Authentication | X | | HMAC key; key sizes 112 bits in length and greater | Read Write Execute | IETF RFC 2104 | HMAC with MD5 (Part of TLS Specific service) |
| Hash Functions | | | | | | |
| MD5 | X | | N/A | Read Write Execute | N/A | MD5 (Part of TLS Specific service) |
| ICSF bound module | | | | | | |
| RSA | X | | RSA Asymmetric keys | Read Write Execute | FIPS 186-4 Key wrapping | key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength. The modulus size at least 2048 bits and up to and including 4096 bits |
| | | | | | Signature verification | Any modulus size smaller than or equal to 4096 bits except 1024, 2048 and 3072 bits |
| NDRNG | X | | N/A | Read Write Execute | N/A | Seeding for the DRBGs |
| 4767-001 (CEX5A) from ICSF bound module | | | | | | |
| RSA | X | | RSA Asymmetric keys | Read Write Execute | FIPS 186-4 Signature verification | With 4096-bit keys |

Table 8: Non-approved Services

| Service | Notes |
|---|---|
| Software | |
| Public Key Algorithms | |
| RSA Key Generation, Key Wrapping, Digital Signature Generation | Key bit sizes less than 2048 not approved (non-compliant less than 112 bits of encryption strength) |
| DSA Parameter Generation, Key Generation, Digital Signature Generation | Key Parameters L=1024, N=160 not approved |
| Message Authentication Codes (MACs) | |
| HMAC | Key sizes less than 112 bits; HMAC-MD5 usage outside of the TLS protocol |
| Message Digest | |
| MD5 | MD5 usage outside of the TLS protocol |
| ICSF bound module | |
| RSA Key Wrapping | Key bit sizes less than 2048 not approved (non-compliant less than 112 bits of encryption strength) |
| EC Diffie-Hellman | Key generation / Key agreement: Curve P-192 not approved |
| ECDSA | Key generation / Digital signature generation: Curve P-192 not approved |

Note: When any of the services in table 8 are utilized, the module will be in non-FIPS mode.

Table 9: Queries

| Service | Notes | Role: Officer | Role: User |
|---|---|---|---|
| Module Status | | | |
| Error | When the System SSL module has entered the error state, one of the following return codes is presented when an attempt is made to use the module: CMSERR_KATPW_FAILED, CMSERR_KATPW_ICSF_FAILED or CMSERR_FIPS_KEY_PAIR_CONSISTENCY | No | Yes |
| Integrity Checks | | | |
| Power-up Tests | Automatic before first use | Yes | No |
| Self-Tests | Application can call the “performKAT” function any time after the System SSL module has been loaded | Yes | Yes |
| Operational Correctness Checks | | | |
| Pair-wise consistency | Continuously performed (automatic) | Yes | Yes |

6. Operational Environment

Installation and Invocation

System SSL element levels HCPT420 and JCPT421 are installed as part of the z/OS Version 2 Release 2 ServerPac using the “Installing Your Order” documentation provided with the ServerPac (prepackaged tailored z/OS installation including z/OS System SSL). The evaluated configuration requires the installation of service provided through System SSL APAR OA52653 and is bound to the IRRPVERS and ICSF PKCS#11 modules. The System SSL module requires that a copy of both IRRPVERS and ICSF PKCS#11 be installed and operational on the system for the System SSL module to operate in a validated mode.

The CPACF Enablement Feature 3863 must be installed prior to loading the System SSL DLL. This feature code may be ordered from IBM then downloaded through RETAIN and installed using the Hardware Management Console (HMC).

The System SSL cryptographic module can only be used in conjunction with the System SSL element of z/OS. The System SSL element provides external APIs and accesses the System SSL module through internal C language APIs.

Module Operation

The System SSL module is intended to operate within z/OS Version 2 Release 2 in a single-user mode of operation. Using the System SSL module in a FIPS 140-2 approved manner assumes that the following defined criteria are followed:

• The Operating System enforces authentication method(s) to prevent unauthorized access to Module services.
• All host system components that can contain sensitive cryptographic data (main memory, system bus, disk storage) must be located within a secure environment.
• The application using the module services through the System SSL element must consist of one or more processes in which each process is utilizing a separate copy of the executable code.
• The application designer must be sure that the application is designed correctly and does not corrupt the storage in the address space where the instance of System SSL module is loaded.
• An instance of the System SSL module must be accessed only by a single process (address space). This means that each process has its own instance of the System SSL element hence one instance of the System SSL module.
• The System SSL module setup procedures documented in the programming documentation must be followed and setup done correctly.
• The CP Assist for Cryptographic Functions DES/TDES Enablement Feature 3863 must be installed and enabled.
• IRRPVERS module is installed and configured according to its Security Policy [7].
• ICSF PKCS#11 module is installed and configured according to its Security Policy [6].
• Applications requiring FIPS adherence must follow the recommendations found in NIST Special Publication 800-131A Revision 1 [8] (“SP 800-131A Revision 1”).

This module implements both approved and non-approved services. The calling application controls the invocation of the services and the cryptographic material being supplied or used by the services. When the module is loaded, the module will allow non-approved algorithms and key sizes to be used. The module also offers non-approved but allowed RSA key establishment and exchange services even when operating FIPS restricted.

Note: The module does not enforce the more recent restrictions introduced by SP 800-131A Revision 1. In some cases, it’s not possible for the module to do the enforcement since the context of the request is not known. Therefore, all applications requiring FIPS adherence must explicitly follow the recommendations found in SP 800-131A Revision 1 and self-enforce.

The System SSL module and CPACF represent the logical boundary. The physical cryptographic boundary for the module is defined as the enclosure of the host on which the cryptographic module is to be executed.

The RACF Signature Verification module (IRRPVERS) is shipped as part of the Security Server RACF component. IRRPVERS is bound by this module in order to validate the signature on GSKC31F (or GSKC64F). It is not considered part of the cryptographic boundary of this module.

The ICSF PKCS#11 module is shipped as part of the Integrated Cryptographic Services Facility (ICSF) component. ICSF PKCS#11 is bound by this module for basic cryptographic services. It is not considered part of the cryptographic boundary of this module.

As shown in Figure 2, System SSL Cryptographic Module, the cryptographic module’s DLL is instantiated within an application’s address space by System SSL element. Each application or operating system component that utilizes the System SSL element support will create a new instance of the z/OS System SSL cryptographic module. Usage of the FIPS certified ICSF PKCS#11 module provides support for certified cryptographic algorithms not available within the System SSL module (i.e. random number generation) and hardware RSA signature verification and key wrapping. The FIPS certified RACF Signature Verification (IRRPVERS) module performs the initial integrity power-up tests.
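Because the module accepts non-approved algorithms and key sizes once loaded, an application can screen each request against Tables 6, 7 and 8 before issuing it. The following C code is an added example, not IBM or System SSL code: every type and function name in it is hypothetical, it covers only the software RSA, DSA and HMAC rows, and it assumes that any size appearing in none of the three tables is treated as non-approved.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example. All names are hypothetical; none is a System SSL
 * identifier. Rules are transcribed from the software rows of Table 6
 * (approved), Table 7 (allowed) and Table 8 (non-approved). */
typedef enum { SVC_APPROVED, SVC_ALLOWED, SVC_NON_APPROVED } svc_class;
typedef enum { RSA_KEYGEN, RSA_SIGN, RSA_VERIFY, RSA_WRAP } rsa_op;
typedef enum { DSA_KEYGEN, DSA_SIGN, DSA_VERIFY } dsa_op;
typedef enum { H_MD5, H_SHA1, H_SHA256, H_SHA384 } hmac_hash;

/* Classify a software RSA request by operation and modulus size. */
svc_class classify_rsa(rsa_op op, unsigned bits)
{
    bool in_2048_4096 = bits >= 2048 && bits <= 4096;

    /* Table 7: key wrapping is allowed, never approved, for 2048..4096. */
    if (op == RSA_WRAP)
        return in_2048_4096 ? SVC_ALLOWED : SVC_NON_APPROVED;

    /* Table 6: 2048 and 3072 are the approved sizes for the other ops. */
    if (bits == 2048 || bits == 3072)
        return SVC_APPROVED;

    switch (op) {
    case RSA_KEYGEN:   /* Table 7: multiples of 16 bits in 2048..4096 */
        return (in_2048_4096 && bits % 16 == 0) ? SVC_ALLOWED
                                                : SVC_NON_APPROVED;
    case RSA_SIGN:     /* Table 7: other sizes in 2048..4096 */
        return in_2048_4096 ? SVC_ALLOWED : SVC_NON_APPROVED;
    case RSA_VERIFY:   /* Table 7: other sizes in 1024..4096 */
        return (bits >= 1024 && bits <= 4096) ? SVC_ALLOWED
                                              : SVC_NON_APPROVED;
    default:
        return SVC_NON_APPROVED;
    }
}

/* Classify a DSA request by operation and (L, N) parameter sizes. */
svc_class classify_dsa(dsa_op op, unsigned l_bits, unsigned n_bits)
{
    if (l_bits == 2048 && n_bits == 256)
        return SVC_APPROVED;                 /* Table 6, all DSA rows */
    if (l_bits == 1024 && n_bits == 160 && op == DSA_VERIFY)
        return SVC_APPROVED;                 /* Table 6, verification only */
    return SVC_NON_APPROVED;                 /* Table 8: L=1024, N=160 */
}

/* Classify an HMAC request; inside_tls says whether the call is made as
 * part of the TLS-specific service. */
svc_class classify_hmac(hmac_hash h, unsigned key_bits, bool inside_tls)
{
    if (key_bits < 112)
        return SVC_NON_APPROVED;             /* Table 8 */
    if (h == H_MD5)                          /* Table 7 caveat / Table 8 */
        return inside_tls ? SVC_ALLOWED : SVC_NON_APPROVED;
    return SVC_APPROVED;                     /* Table 6: SHA-1/256/384 */
}

/* Per the note under Table 8, using a non-approved service puts the
 * module in non-FIPS mode. */
bool keeps_fips_mode(svc_class c)
{
    return c != SVC_NON_APPROVED;
}

static const char *class_name(svc_class c)
{
    return c == SVC_APPROVED ? "approved"
         : c == SVC_ALLOWED  ? "allowed" : "non-approved";
}

int main(void)
{
    /* Constructed sample requests. */
    printf("RSA sign 3072:     %s\n", class_name(classify_rsa(RSA_SIGN, 3072)));
    printf("RSA sign 4096:     %s\n", class_name(classify_rsa(RSA_SIGN, 4096)));
    printf("RSA wrap 1024:     %s\n", class_name(classify_rsa(RSA_WRAP, 1024)));
    printf("DSA sign 1024/160: %s\n",
           class_name(classify_dsa(DSA_SIGN, 1024, 160)));
    printf("HMAC-MD5 non-TLS:  %s\n",
           class_name(classify_hmac(H_MD5, 128, false)));
    return 0;
}
```

An application requiring FIPS adherence would refuse any request for which `keeps_fips_mode` returns false, and would still apply SP 800-131A Revision 1 on top of this, since the tables do not encode those later restrictions.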


Figure 2: System SSL Cryptographic Module

As shown in Figure 3, System SSL Cryptographic Module in a z/OS Sysplex Environment, a System SSL cryptographic module may be deployed in a high availability environment where the application may in effect be instantiated on multiple z/OS system instances configured in a “clustered” environment known as a parallel sysplex. A parallel sysplex makes these systems behave like a single, logical computing facility. The underlying structure of the parallel sysplex remains virtually transparent to users, networks, applications, and even operations.


Figure 3: System SSL Cryptographic Module – Sysplex

7. Key Management

Key Storage

The System SSL module provides key generation, import and export services to applications to be used in conjunction with cryptographic services. It is the responsibility of applications using the services to ensure that these services are used in a FIPS 140-2 compliant manner. In particular, see table 6 and the footnotes of table 6 for information on deprecated key sizes/usages. Keys managed or generated by applications or libraries may be passed from applications to the module in the clear, provided that the sending application or library exists within the physical boundary of the host computer.

Key material resides in application memory as clear data or in a standard key store format. The most frequently used standard formats, using passphrase-derived keys such as PKCS#12, are classified as clear-key storage according to FIPS Pub 140-2 guidelines.

Key Generation

Key Generation uses an approved DRBG algorithm provided as an approved service through the bound ICSF PKCS#11 module.

The Key Generation methods implemented in the module for Approved services in FIPS mode are compliant with SP 800-133.

RSA, DSA and ECDSA key generation is done according to FIPS Pub 186-4 [3]. Diffie-Hellman key generation is similar to DSA key generation. EC Diffie-Hellman key generation is similar to ECDSA key generation.

For generating RSA, DSA and ECDSA keys the module implements asymmetric key generation services compliant with FIPS Pub 186-4 and SP 800-90A. A seed (i.e. the random value) used in asymmetric key generation is directly obtained from the SP 800-90A DRBG.

The module does not generate symmetric keys.

Key Establishment

The module provides support for asymmetric key establishment methods as allowed by Annex D in the FIPS Pub 140-2. The supported asymmetric key establishment methods are RSA Wrapping/Unwrapping, Diffie-Hellman key agreement and ECDH key agreement. Diffie-Hellman and ECDH key agreement use approved services through the bound ICSF PKCS#11 module.

When using Diffie-Hellman in FIPS 140-2 mode, the allowed modulus length is 2048 bits, which provides 112 bits of encryption strength.

When using RSA Wrapping/Unwrapping in FIPS 140-2 mode, the allowed modulus lengths must be between 2048 and 4096 bits which provides between 112 and 150 bits of encryption strength. Use of modulus lengths less than 2048 bits is not allowed per SP 800-131A Revision 1. Applications requiring FIPS adherence must not use modulus lengths less than 2048 bits.

Key Entry and Key Exit

The module does not support manual key entry or intermediate key generation key output. The module does not output or input keys outside of the physical boundary.

Key Protection

To enforce compliance with FIPS Pub 140-2 key management requirements on the System SSL module itself, code issuing calls must manage keys in a FIPS Pub 140-2 compliant method. Keys managed or generated by applications may be passed from the application to the module in the clear in the FIPS Pub 140-2 validated configuration.

The management and allocation of memory is the responsibility of the operating system. It is assumed that a unique process is allocated for each request, and that the operating system and the underlying hardware control access to the address space which contains the process that uses the module. Each instance of the cryptographic module is self-contained within a process; the module relies on such process separation and address separation to maintain confidentiality of secrets. All platforms used during FIPS Pub 140-2 validation provided per-process protection for user data. Keys stored internally within the address range of System SSL module are similarly separated logically (even if they reside in the same address space).

All keys are associated with the User role. It is the responsibility of application program developers to protect keys exported from the System SSL module.

Key Destruction

Applications must destroy persistent key objects and similar sensitive information using FIPS Pub 140-2 compliant procedures. The System SSL module itself does not destroy externally stored keys and secrets, as it does not own or discard persistent objects. Objects, when released on behalf of a caller, are erased before they are released.


8. Physical Security

The System SSL module installation inherits the physical characteristics of the host running it. The System SSL module has no physical security characteristics of its own. Figure 4 illustrates an IBM System z13 mainframe computer.

The CP Assist for Cryptographic Function (CPACF) (see Figure 6) is also a hardware device – part of the CoProcessor Unit (CoP) and offers the full complement of the Triple DES algorithm, Advanced Encryption Standard (AES) algorithm and Secure Hash Algorithm (SHA). Security Level 1 is satisfied by the device (CoP) being included within the physical boundary of the module and the device being made of commercial-grade components.

CPACF Physical Design: Each microprocessor (core) on the 8-core chip has its own dedicated CoP, which implements the crypto instructions and also provides the hardware compression function. The compression unit is integrated with the CP Assist for Cryptographic Function (CPACF), benefiting from combining (sharing) the use of buffers and interfaces.

Figure 4: IBM z13 Mainframe Computer


Figure 5: Crypto Express5 Card

Figure 6: Processor Unit chip


9. EMI/EMC

Systems utilizing the module’s services have their overall EMI/EMC ratings determined by the host system, which includes the CPACF. The validation environments meet the requirements of 47 CFR FCC PART 15, Subpart B, Class A (Business use).

10. Self-Tests

10.1 System SSL Module

The System SSL module implements a number of self-tests to check proper functioning of the module including power-up self-tests and conditional self-tests. Conditional tests are performed when asymmetric keys are generated. These tests include pair-wise consistency tests of the generated DSA or RSA keys.

Startup Self-Tests

“Power-up” self-tests consist of software integrity test(s) and known-answer tests of algorithm implementations.

The module integrity test is automatically performed during loading. The integrity test of the module is performed by bound cryptographic module IRRPVERS based on the verification of the module’s RSA/SHA-256 based digital signature prior to the module being utilized. Module signatures are generated during the final phase of the build process. Initialization will only succeed if the utilized module signature is verified successfully. The integrity verification starts with bound module IRRPVERS verifying its own digital signature. Once verified, IRRPVERS verifies the digital signature of either GSKC31F or GSKC64F.

Algorithm known answer tests (KAT) are invoked automatically upon loading the System SSL module. The initialization function is executed via DEP (default entry point) as specified in FIPS 140-2 Implementation Guidance 9.10. If any of the known answer tests fail, the module is rendered unusable (all cryptographic services return an error return code). Any attempts to use the module will fail.

Prior to the execution of the power-up self-tests, the System SSL module checks whether environment variable GSK_HW_CRYPTO has been set. If not set, AES, TDES, SHA-1 and SHA-2 KAT tests are performed using the CPACF. If GSK_HW_CRYPTO is set, AES, TDES, SHA-1 and SHA-2 CPACF cryptographic algorithms can be disabled for use by the System SSL through bit settings within the specified value. If the cryptographic algorithm has been disabled, the KAT is run against the software version within the System SSL module. Only one version of the algorithm is supported for the entire instance of the System SSL module.

The module tests the following cryptographic algorithms:

CPACF: AES encryption/decryption, Triple DES encryption/decryption, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.

System SSL module software: AES encryption/decryption, Triple DES encryption/decryption, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, RSA (2048-bit key sign/verify, wrapping/unwrapping), DSA (2048-bit prime sign/verify), HMAC-SHA-1, HMAC-SHA256 and HMAC-SHA384.

During the self-test processing, all data output is inhibited until the self-tests are completed.

Startup Recovery

If any of the startup self-tests fail, the System SSL module will terminate FIPS 140-2 processing and enter into error state. The System SSL element’s calling application must recognize this error and handle it in a FIPS 140-2 appropriate manner, for example, by reinitializing the module instance.


Pair-wise Consistency Checks

This test is run whenever the module generates an RSA or DSA public/private key-pair. If the pair-wise consistency check fails, the module enters an error state and returns an error status code. The System SSL element’s calling application must recognize this error and handle it in a FIPS 140-2 appropriate manner, for example, by reinitializing the module instance.

Invoking FIPS 140-2 self-tests on demand

If a user can access System SSL services, the module has passed its integrity and power-up self-tests. During regular operations, a host application can ask the System SSL element to repeat the known answer tests on demand for algorithms within the System SSL module. The System SSL element invokes the internal API “performKAT” function. If these tests pass, the module is working properly. If a KAT failure is encountered, the module enters an error state and returns an error status code. The calling application must recognize this error and handle it in a FIPS 140-2 appropriate manner, for example, by reinitializing the module instance.
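The self-test behaviour described in this section can be modelled in a few lines of Python; this is an added illustration, not code from the policy or from System SSL. `ToyModule`, `perform_kat` and `open_module` are hypothetical names, and the known answers are the published SHA "abc" vectors and RFC 4231 test case 1.

```python
import hashlib
import hmac

# Known answers: published SHA "abc" vectors and RFC 4231 test case 1.
KATS = {
    "SHA-1": (lambda: hashlib.sha1(b"abc").hexdigest(),
              "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "SHA-256": (lambda: hashlib.sha256(b"abc").hexdigest(),
                "ba7816bf8f01cfea414140de5dae2223"
                "b00361a396177a9cb410ff61f20015ad"),
    "HMAC-SHA256": (lambda: hmac.new(b"\x0b" * 20, b"Hi There",
                                     hashlib.sha256).hexdigest(),
                    "b0344c61d8db38535ca8afceaf0bf12b"
                    "881dc200c9833da726e9376c2e32cff7"),
}


class ModuleError(Exception):
    """Returned by every service while the module is in the error state."""


class ToyModule:
    """Hypothetical stand-in for one module instance (not the System SSL API)."""

    def __init__(self, kats=KATS):
        self._kats = kats
        self.state = "SELF_TEST"   # data output is inhibited in this state
        self.failed = []
        self.perform_kat()         # power-up tests run automatically on load

    def perform_kat(self):
        """Run every KAT; may be repeated on demand during normal operation."""
        self.failed = [name for name, (compute, expected) in self._kats.items()
                       if not hmac.compare_digest(compute(), expected)]
        self.state = "ERROR" if self.failed else "OPERATIONAL"
        return not self.failed

    def digest(self, data):
        """Example service: produces no output unless the self-tests passed."""
        if self.state != "OPERATIONAL":
            raise ModuleError("error state, failed KATs: %s" % self.failed)
        return hashlib.sha256(data).hexdigest()


def open_module(kats=KATS, retries=1):
    """Caller-side recovery: reinitialize the instance, then stop trying."""
    for _ in range(retries + 1):
        module = ToyModule(kats)
        if module.state == "OPERATIONAL":
            return module
    raise ModuleError("self-tests still failing: %s" % module.failed)
```

A single failing KAT blocks every service of the instance, not only the affected algorithm, which is why the caller's recovery path is to create a fresh instance.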

11. Operational Requirements (Officer/User Guidance)

11.1 Module Configuration for FIPS 140-2 Compliance

To ensure FIPS 140-2 compliant usage, the following requirements must be observed:

• IRRPVERS must be configured to execute in FIPS 140-2 mode according to its Security Policy [7] and be operational prior to System SSL module being utilized.

• ICSF PKCS #11 must be configured to execute in FIPS 140-2 mode according to its Security Policy [6] and be operational prior to System SSL module being utilized.

• Crypto officers of System SSL must verify that the correct Security Manager Profiles have been defined to ensure that startup integrity tests are performed. Each System SSL module DLL contains an RSA/SHA-256 signature. The startup integrity tests ensure that the signature matches the expected value. See z/OS System SSL element documentation [1] for Security Manager Profile settings.

• Applications using System SSL element features must observe FIPS Pub 140-2 rules for key management and provide their own self-tests. For proper operations, the crypto officer or users must verify that applications comply with this requirement. While details of these application requirements are outside of the scope of this policy, they are mentioned here for completeness.

• The Operating System (OS) hosting the library must be set up in accordance with FIPS Pub 140-2 rules. It must provide sufficient separation between processes to prevent inadvertent access to data of different processes. (This requirement was met for all platforms tested during validation.)

• An instance of the module must not be used by multiple callers simultaneously such that they might interfere with each other. Note that for keys retained in caller-provided storage, this requirement is automatically met if the OS provides sufficient process separation (since the ownership of each memory region, therefore, each object, is uniquely determined.)


• Applications using System SSL module services must verify that ownership of keys is not compromised, and keys are not shared between different users of the calling application. Note that this requirement is not enforced by the System SSL module itself, but by the application providing the keys to System SSL.

• Applications utilizing System SSL services must avoid using non-approved algorithms or modes of operation. If not feasible, the application must indicate that they utilize non-approved cryptographic services. Applications must also comply with the key size and algorithm requirements specified in the latest version of NIST Special Publication 800-131A Revision 1.

• To be in FIPS 140-2 mode, the System SSL installation must run on a host with commercial grade components and must be physically protected as prudent in an enterprise environment.

• According to IG A.13, the same Triple-DES key shall not be used to encrypt more than 2^28 64-bit blocks of data.

• Physical assumptions
  o The module is intended for application use in user areas that have physical control and monitoring. It is assumed that the following physical conditions will exist:
    § LOCATION
      • The processing resources of the module will be located within controlled access facilities that will prevent unauthorized physical access.
    § PROTECTION
      • The module hardware and software critical to security policy enforcement will be protected from unauthorized physical modification.
      • Any sysplex communications shall be configured so that unauthorized physical access is prevented.

• Personnel assumptions
  o It is assumed that the following personnel conditions will exist:
    § MANAGE
      • There will be one or more competent individuals assigned to manage the module and the security of the information it contains.
    § NO EVIL ADMINISTRATOR
      • The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the Crypto Officer documentation.
    § CO-OPERATION
      • Authorized users possess the necessary authorization to access at least some of the information managed by the module and are expected to act in a cooperative manner in a benign environment.

11.2 Determining Mode of Operation

The FIPS mode for this module is enforced by policy. The application utilizing services must enforce key management compliant with FIPS Pub 140-2 requirements. This should be indicated in an application-specific way that is directly observable by crypto officers and end-users.


While such application-specific details are outside the scope of the validation, they are mentioned here for completeness. The user application must comply with the key size requirements specified in the latest revision of the NIST Special Publication 800-131A. If the services defined in Tables 6 and 7 are utilized, the module is then in FIPS mode. If the services defined in Table 8 are utilized, the module will be considered not in FIPS mode.

11.3 Testing/Physical Security Inspection Recommendations

In addition to automatic tests, which are described elsewhere in this document, a System SSL element application may invoke FIPS 140-2 mode self-tests at any time. These self-tests are initiated through a dedicated “performKAT” function, which is invoked automatically at startup. Continuous tests reside within their respective functions and are called implicitly during the function processing. These tests are not observable unless a failure is detected. Apart from prudent security practice of server applications and those of security-critical embedded systems, no further restrictions are placed on hosts utilizing these services.

12. Mitigation of Other Attacks

The Mitigation of Other Attacks security section of FIPS 140-2 is not applicable to the System SSL cryptographic module.

13. Cryptographic Module Configuration Diagrams

The following diagrams illustrate the different validated configurations. These validated configurations can consist of a single z/OS System instance or multiple z/OS System instances. Figure 7 illustrates IBM z13 with CP Assist for Cryptographic Functions DES/TDES Enablement Feature 3863.

Figure 7: Validated Configuration with CPACF and ICSF PKCS #11


Figure 8 illustrates IBM z13 with CP Assist for Cryptographic Functions DES/TDES Enablement Feature 3863 and optional Crypto Express5 cards (Accelerator (CEX5A)) configuration.


Figure 8: Validated Configuration with CPACF, ICSF PKCS #11 and CEX5A card

14. Glossary

Address space: A set of contiguous virtual addresses available to a program and its data. The address space is a container for enclaves and processes. [4] [5]
API: Application Programming Interface
CEX5A: Crypto Express5 Accelerator, mainframe name for IBM Hardware Security Modules (HSMs).
CP: Central Processor, aka CPU
CPACF: CP Assist for Cryptographic Function, clear key on-chip accelerator integrated into mainframe processors. CPACF functionality is restricted to symmetric and hashing operations.
DLL: Dynamic Link Library, shared program library instantiated separately from binaries using it. FIPS 140-2 configurations of System SSL DLLs are never statically linked.


DRBG: Deterministic Random Bit Generator
Enclave: In the z/OS Language Environment, a collection of routines, one of which is named as the main routine. The enclave contains at least one thread. Multiple enclaves may be contained within a process. [4] [5]
ICSF: Integrated Cryptographic Service Facility
KAT: Known Answer Test
OS: Operating System
Process: A collection of resources; both program code and data, consisting of at least one enclave. [4] [5]
RACF: Resource Access Control Facility
RETAIN: IBM database system shared by IBM and its customers
ServerPac: Prepackaged version of the z/OS Operating System
Thread: An execution construct that consists of synchronous invocations and terminations of routines. The thread is the basic runtime path within the z/OS Language Environment program management model, and is dispatched by the operating system with its own run-time stack, instruction counter and registers. Thread may exist concurrently with other threads within an address space. [4] [5]

15. References

[1] z/OS Cryptographic Services Secure Sockets Layer Programming (SC41-7495) with OA50589 APAR documentation
[2] National Institute of Standards and Technology, Security Requirements for Cryptographic Modules (FIPS 140-2), 2002
[3] National Institute of Standards and Technology, Federal Information Processing Standards, Digital Signature Standard (FIPS 186-4), 2013
[4] ABCs of z/OS System Programming Volume 1 (SG24-6981)
[5] ABCs of z/OS System Programming Volume 2 (SG24-6982)
[6] IBM® z/OS® Version 2 Release 2 ICSF PKCS #11 Cryptographic Module
[7] IBM® z/OS® Version 2 Release 2 Security Server RACF® Signature Verification Module
[8] National Institute of Standards and Technology, Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, November 6, 2015

16. Trademarks


The following terms are trademarks of the IBM Corporation in the United States or other countries or both:

• IBM
• RACF
• zEnterprise
• z/OS
• zEC12
• z13