Sharing Secrets Using Encryption Facility



Similar documents
Tools for Managing Big Data Analytics on z/os

Configuring and Tuning SSH/SFTP on z/os

Understanding Digital Certificates on z/os Vanguard Las Vegas, NV Session AST3 June 26th 2012

Digital Certificates Demystified

Understanding Digital Certificates on z/os Share Anaheim, CA Session 8349 March 2nd 2011

Deploying PGP Encryption and Compression for z/os Batch Data Protection to (FIPS-140) Compliance

WiMAX Public Key Infrastructure (PKI) Users Overview

PGP from: Cryptography and Network Security

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

Cryptography and Network Security Chapter 15

Introduction to Cryptography

Angel Dichev RIG, SAP Labs

Chapter 6 Electronic Mail Security

Electronic Mail Security

Crypto and Disaster Recovery. Greg Boyd

A guide for creating a more secure, efficient managed file transfer methodology

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Elements of Security

Implementing SSL Security on a PowerExchange Network

Network Security Essentials Chapter 7

Ciphire Mail. Abstract

Enabling SSL and Client Certificates on the SAP J2EE Engine

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SSL/FTP (File Transfer Protocol over Secure Sockets Layer)

DRAFT Standard Statement Encryption

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

Getting Started with Digital Certificates Part II (RACDCERT)

SMF Digital Signatures in z/os 2.2. Anthony Sofia Software Engineer at IBM August 14 th 2015

SBClient SSL. Ehab AbuShmais

Digital Signatures in a PDF

Encrypting and signing

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Computer System Management: Hosting Servers, Miscellaneous

An Introduction to Cryptography as Applied to the Smart Grid

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol)

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Overview. SSL Cryptography Overview CHAPTER 1

Secure Part II Due Date: Sept 27 Points: 25 Points

Security in Android apps

z/os Cryptographic Services - ICSF Best Practices

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

Cryptography and Security

How Secure are your Channels? By Morag Hughson

What in the heck am I getting myself into! Capitalware's MQ Technical Conference v

SecureStore I.CA. User manual. Version 2.16 and higher

Introduction to Security and PIX Firewall

End-to-End Enterprise Encryption:

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Introduction to Computer Security

WS_FTP Professional 12. Security Guide

Cryptography and Network Security

CALIFORNIA SOFTWARE LABS

Lecture 9: Application of Cryptography

MySQL Security: Best Practices

How To Encrypt A Traveltrax Report On Gpg On A Pc Or Mac Or Mac (For A Free Download) On A Thumbdrive Or Ipad Or Ipa (For Free) On Pc Or Ipo (For An Ipo)

Digital Certificate Goody Bags on z/os

SQL Server Encryption Overview. September 2, 2015

1.2 Using the GPG Gen key Command

Secure Data Transfer

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Key Management Interoperability Protocol (KMIP)

SDS E-Business Server. Research report by Clabby Analytics October 2012

Chapter 17. Transport-Level Security

How To Encrypt Data With Encryption

Overview Keys. Overview

IBM Security Key Lifecycle Manager for z/os: Deployment and Migration Considerations

PGP Command Line Version 10.0 Release Notes

IBM Crypto Server Management General Information Manual

WS_FTP Professional 12

E-CERT C ONTROL M ANAGER

Alliance Key Manager Solution Brief

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Entrust Certificate Services. Java Code Signing. User Guide. Date of Issue: December Document issue: 2.0

Internet Programming. Security

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

SkyRecon Cryptographic Module (SCM)

Cryptography & Digital Signatures

PUBLIC Connecting a Customer System to SAP HCI

PkBox Technical Overview. Ver

SafeNet KMIP and Amazon S3 Integration Guide

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

SafeNet MSSQL EKM Provider User Guide

PGP - Pretty Good Privacy

Sync Security and Privacy Brief

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release [August] [2014]

NETWORK SECURITY. Farooq Ashraf. Department of Computer Engineering King Fahd University of Petroleum and Minerals Dhahran 31261, Saudi Arabia

IBM Sterling Connect:Direct Secure Plus for UNIX. Implementation Guide. Version 4.1

Ubuntu Open PGP IMPLEMENTATION. Dr. ENİS KARAARSLAN 2014

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Verify Needed Root Certificates Exist in Java Trust Store for Datawire JavaAPI

[SMO-SFO-ICO-PE-046-GU-

Transcription:

Sharing Secrets Using Encryption Facility Eysha S. Powers IBM Corporation Insert Custom Session QR if Desired Tuesday, August 11, 2015: 6:00pm 7:00pm Session Number 17624

Cryptography is used in a variety of places Data in flight Virtual Private Networks (VPNs) SSL/TLS connections (using public/private keys and certificates and symmetric encryption) Messaging infrastructures (using SSL/TLS or shared secrets) WS-Security and SOA Data at rest File and folder encryption including the use of intermediate devices Removable media (tape) encryption Transactional environments Industry specific finance Mandates highly trust-worthy cryptography Smart ID cards, epassports For sharing user credentials between organizations the establishment of trust Via certificate exchanges Federated Identity Management Credential formats such as SAML, OpenID Connect 3

Encryption Facility for z/os The Encryption Services feature supports encrypting and decrypting various file formats on z/os. This can allow you to transfer them to remote sites within your enterprise, transfer them to partners and vendors, and archive them. Encryption Facility for z/os provides services for: Public-key based encryption Passphrase-based encryption Modification detection of encrypted data Compression of packaged data before encryption Importing and exporting of OpenPGP certificates Binary or ASCII armor format Digital signatures of data Encryption Facility can be run from the USS command line or from the JZOS Batch Launcher 4

Encryption Facility for z/os: Components Encryption Facility for z/os consists of two priced optional features: Encryption Services For encryption and decryption of z/os files and datasets. Uses OpenPGP or System z message format. DFSMSdss Encryption For encryption and decryption of z/os dump datasets. Independently, the Encryption Facility for z/os Client is a no-cost, separately licensed program (which is offered as is, with no warranty) and is designed to enable the exchange of encrypted data: Client Encrypt non-z/os files to be sent to z/os. Decrypt z/os files to be sent to non-z/os platforms. Uses a System z message format. 5

OpenPGP Support OpenPGP is a widely accepted, open standard for handling encryption of data files and messages. (RFC 4880) OpenPGP allows customers to exchange an encrypted, compressed, and/or digitally signed file with business partners who have an installed OpenPGP client running on z/os and other operating systems. OpenPGP is: A file format for exchanging encrypted data. It is not an encryption algorithm. Is standardized by the IETF and has been adopted as the format for encrypted files by a wide-range of open-source and commercial products Does not define how encryption keys should be managed Allows a wide range of choices for key exchange and trust model Provides additional flexibility and interoperability for tape exchanges with external business partners and vendors

OpenPGP Support for Encryption Facility Provides at a minimum, support for all Mandatory/Must Do s identified in the OpenPGP standard (RFC 4880). File Operations Encryption Passphrase-based encryption Public key encryption Compression Digital Signatures Public Key Generation Generating RSA, DSA and Elgamal keys Open PGP Certificates Importing and Exporting OpenPGP Certificates ASCII Armor for OpenPGP Certificates Compression Algorithms ZLIB Hardware-Based (zedc) Software-Based ZIP Symmetric Encryption Algorithms AES 128, 192 and 256 bits Triple DES Blowfish Asymmetric Encryption Algorithms RSA Elgamal Digest / Hash Algorithms MD2, MD5 SHA1, SHA-256, SHA-384, SHA-512 Digital Signature Algorithms RSA with all supported hash algorithms above DSA with SHA1

Using Certificates Digital certificates contain a public key, information to identify who the key belongs to, and a digital signature to authenticate and bind together the public key with the identity information. Digital signatures are made by taking a hash of message, in this case the digital certificate, and then encrypting the hash value with the signer s private key. Encryption Facility can use public keys to encrypt data. Public keys are exchanged between business partners using digital certificates. Only the signer has the private key that was used to create the signature. The business partners must have the associated public key in order to verify the signature. X.509 Certificates Use a hierarchical authentication model Each X.509 certificate contains one digital signature, either self signed or signed by a CA A root Certificate Authority (CA) is established and trusted as a self signed certificate Other certificates are signed by a CA within the hierarchy Open PGP Certificates Use a decentralized authentication model Each OpenPGP certificate can be self signed and can contain multiple signatures from other keys OpenPGP sub-keys are all signed by the Primary key to bind together the Primary and sub-keys Encryption Facility for z/os provides an option to sign your OpenPGP certificates with a CA.

Configuring Encryption Facility for z/os Encryption Facility leverages ICSF, RACF and/or JCE to: 1. Setup keys to be used for encryption 2. Call the appropriate library to encrypt data with a given key 3. Format the output encrypted data into a message that can be later decrypted ICSF Only (JCECCA) Generate clear or secure RSA key pairs in the PKDS Use existing RSA key pairs in the PKDS RACF Only (JCERACFKS) Use existing RSA key pairs connected to a RACF key ring ICSF & RACF (JCECCARACFKS) JCE Only (JCEKS) Generate clear or RSA key pairs with software based cryptography Use existing RSA key pairs in a Java keystore in Unix Systems Services (USS) Use existing RSA key pairs connected to a RACF key ring that reference private keys stored in the PKDS

EF OpenPGP Command Syntax Encryption Facility for OpenPGP commands have the following syntax: [-homedir <path>] [-options [<arguments>]] -commands [<arguments>] homedir: indicates the path to the ibmef.config file which can be used to set default configuration options. options: the name of one or more configuration options. Options always start with - and may be followed by one or more arguments. These values override any values set in the configuration file. commands: Name of one or more operational commands. Commands always start with - and may be followed by one or more arguments. 10

Invoking Encryption Facility for z/os Encryption Facility can be invoked in the following two ways: USS using a command terminal or shell script JCL using the IBM JZOS Java Batch Launcher The IBM JZOS Java Batch Launcher is a standard feature of the IBM's Java SDK and provides the ability to launch Java applications through JCL. Using the JZOS Batch Launcher requires the following: JZOS Procedure in PROCLIB Shell script to configure environment variables JCL/Batch job that calls the procedure in PROCLIB Sample JZOS files are provided as part of the Encryption Facility for z/os package and can also be found under the references and sample section within the user guide. 11

Use of ziip and zaap Specialty Engines ziip and zaap processors are specialty processors designed to lower overall computing cost by offloading certain types of workloads, such as Java workloads. If a zaap or ziip processor is available on the system, Encryption Facility OpenPGP jobs will be off-loaded to those processors. When called from Java using the JCE HW provider, ICSF code remains ziip and zaap eligible. 12

Java 8 Performance Improvements The combined benefits of IBM Java 8 and z13 features including Single Instruction Multiple Data (SIMD) vector engine, simultaneous multithreading (SMT) and improved CP Assist for Cryptographic Function (CPACF) are providing up-to 2X improvement in throughputper-core for security-enabled applications and up-to 50% improvement for other generic applications. IBM Encryption Facility for z/os is another Java application that leverages the new Java 8 CPACF exploitation. Encryption of text files and SVC dumps completed in half the elapsed time and one third the CPU time. 13

Encryption Facility for z/os: Hands-On Lab 14

Additional Resources Encryption Facility for z/os SA23-2229 IBM Encryption Facility for z/os: Planning and Customizing SA23-2230 IBM Encryption Facility for z/os: Using Encryption Facility for OpenPGP Publications may be downloaded from the z/os Internet Library http://www-03.ibm.com/systems/z/os/zos/library/bkserv/v2r1pdf/#csd Encryption Facility for z/os Website http://www-03.ibm.com/systems/z/os/zos/tools/encryption_facility/

Thank You! Feel free to connect Email: eysha@us.ibm.com Twitter: http://www.twitter.com/eyshashirrine LinkedIn: http://www.linkedin.com/in/eysha 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information