Trademarks
The following terms, denoted by an asterisk (*) in this publication, are trademarks of
the IBM Corporation in the United States or other countries or both:
3090                      ACF/VTAM
AIX                       AIX/6000
Application System/400    AS/400
CICS                      Enterprise System/3090
Enterprise System/9000    Enterprise System/9370
ES/3090                   ES/9000
ES/9370                   IBM
IBM Registry              IBM World Registry
Micro Channel             MVS/DFP
MVS/ESA                   MVS/SP
MVS/XA                    Operating System/2
OS/2                      Operating System/400
OS/400                    Personal Security
Personal System/2         PS/2
PS/ValuePoint             POWERserver
POWERstation              RACF
RS/6000                   SecureWay
System/360                System/370
System/390                S/390 G3 Enterprise Server
S/390 Multiprise          Systems Application Architecture
XGA
The following terms, denoted by a double asterisk (**) in this publication, are the
trademarks of other companies:
Diebold       Diebold Incorporated
Docutel       Docutel
MASTERCARD    MasterCard International, Incorporated
Pentium       Intel Corporation
NCR           National Cash Register Corporation
RSA           RSA Data Security, Inc.
UNIX          UNIX Systems Laboratories, Incorporated
VISA          VISA International Service Association
vi TSS General Information Manual
IBM 3172 Interconnect Controller Maintenance Information, GA27-3861
IBM 3172 Interconnect Controller, Diagnostics Guide, GA27-4063
IBM 3172 Interconnect Controller Maintenance Information, SY27-0334
IBM 3172 Interconnect Controller, Channel Adapters Supplement to
Maintenance Information, GA27-4050
IBM 3172 Interconnect Controller, Auxiliary Supplement to Maintenance
Information, GA27-4053
IBM 3172 Interconnect Controller, Safety Notices, GA27-3866
IBM 3172 Interconnect Controller, Hardware Planning Guide, GA27-4003
IBM 3172 Interconnect Controller Status Codes, GA27-3951
IBM 3172 Parts Catalog, Models 1, 2, and 3, S131-0103
IBM 3172 Interconnect Controller, LAN Adapters Supplement to Maintenance
Information, GA27-4020
IBM 9309 Rack Enclosure Setup and Operation Guide (Models 1 and 2),
GA24-4039
IBM 9309 Rack Enclosure General Information and Site Preparation Guide
(Models 2 and 12), GA24-4103
IBM 9309 Rack Enclosure Models 1 and 2 Physical Planning Template,
GX24-4047 (metric scale)
IBM 9309 Rack Enclosure Models 1 and 2 Physical Planning Template,
GX24-4046 (English scale)
IBM 9309 Rack Enclosure Guide to Analyzing Problems, GA24-4077
IBM 9309 Rack Enclosure Service Guide, SY24-4075
IBM 9309 Rack Enclosure Parts Catalog, S124-0155
IBM 9309 Rack Enclosure, Installing the Stabilizer, GA24-4101
Older 4753 Publications
IBM 4753 Network Security Processor MVS Support Program Installation and
Operating Guide, SA34-2139
IBM 4753 Network Security Processor MVS Support Program Licensed
Program Specifications, GC31-2933
IBM 4753 Network Security Processor Models 2 and 12 Installation and
Operating Guide, GA34-2179
IBM 4753 Network Security Processor Models 2 and 12 Installation and Service
Manual, GA34-2183
IBM 4753 Network Security Processor Model 1 Installation and Operating
Guide, GA34-2140
Other Transaction Security System Publications
IBM Notice to Users, GA34-2149
Canadian Program License Agreement, GA34-2056
Other System Publications
IBM Input/Output Configuration Program User’s Guide and Reference,
ZR23-6613
IBM MVS/ESA System Programming Library: Initialization and Tuning,
GC28-1828
IBM MVS/ESA System Programming Library: Service Aids, GC28-1844
IBM MVS/ESA Hardware Configuration Definition User's Guide, GC33-6457
IBM OS/VS1 and OS/VS2 MVS Programmed Cryptographic Facility Installation
Reference, SC28-1016
IBM Resource Access Control Facility (RACF): General Information,
GC28-0722
IBM Resource Access Control Facility (RACF) General User’s Guide,
SC28-1341
IBM Resource Access Control Facility (RACF) Command Language Reference,
SC28-0733
IBM Resource Access Control Facility (RACF) Auditor’s Guide, SC28-1342
IBM Resource Access Control Facility (RACF) Security Administrator’s Guide,
SC28-1340
IBM System Programming Library: RACF, SC28-1343
IBM System Modification Program Extended Reference, SC28-1107
AS/400 Hardware Cryptographic Product
IBM Common Cryptographic Architecture Services/400 Installation and
Operators Guide, Version 2, SC41-0102-00
IBM Common Cryptographic Architecture Services/400 Installation and
Operators Guide, Version 3, SC41-0102-02
S/390 Large Server Cryptographic Products
IBM ICSF/MVS Application Programmer’s Guide, SC23-0098
IBM ICSF/MVS Administrator’s Guide, SC23-0097
IBM ICSF/MVS General Information, GC23-0093
IBM ES/9000 ES/3090 ICRF User’s Guide, GA22-7142
Cryptography Publications
Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second
Edition, Bruce Schneier, John Wiley & Sons, Inc. ISBN 0-471-12845-7 or ISBN
0-471-11709-9.
IBM Systems Journal Volume 30 Number 2, 1991, G321-0103
IBM Systems Journal Volume 32 Number 3, 1993, G321-5521
Related Publications xi
IBM Journal of Research and Development Volume 38 Number 2, 1994,
G322-0191
USA Federal Information Processing Standard Data Encryption Standard,
46-1-1988
VisaNet Electronic Value Exchange Standards Manual
VISA Point-of-Sale Equipment Requirements: PIN Processing and Data
Authentication
ANSI X9.17 - 1985, Financial Institution Key Management (Wholesale)
LAN Distributed Platform Publications
IBM LAN Distributed Platform Program General Information, GC19-5318
IBM LAN Distributed Platform Licensed Programs Family Programmer’s
Reference, SC19-5320
IBM LAN Distributed Platform Licensed Programs Introduction and Planning,
SC33-1550
IBM LAN Distributed Platform Licensed Programs Family Installation and
Customization, SC19-5321
IBM LAN Distributed Platform Licensed Programs Family Program Description,
SC19-5319
Summary of Changes
This -08 revision of the IBM Transaction Security System General Information
Manual, GA34-2137, contains product information that is current with the
Transaction Security System product announcements made in January and
February, 1997. The manual is substantially rewritten and should be reviewed in its
entirety.
In editions of this manual prior to the -7 edition, Chapters 3 and 4 contained
physical planning information for the IBM 4753 Network Security Processor and the
IBM 4754 Security Interface Unit. This information is now contained in the IBM
Transaction Security System Physical Planning Manual, GC31-4505.
Other Transaction Security System publications generally contained a repeat of the
information found in this general information manual. With revision of those
publications, the product overview information is removed and that information can
be found in this publication.
“Product Application Examples” on page 1-15 describe a few typical ways that the
Transaction Security System products address security problems:
• Protecting a certification authority private key
• Processing financial PINs
• Determining data integrity
• Providing data confidentiality in an SNA network
• Storing sensitive data on portable media.
The Transaction Security System products are distinguished by these capabilities:
• Cryptographic functions performed within tamper-resistant hardware for physical
  security
• Logical security achieved through an implementation of the IBM Common
  Cryptographic Architecture (CCA)
• Consistent approach to cryptography on the major IBM computing platforms at
  a variety of price/performance levels
• Flexibility to address new requirements and opportunities through features
  enabling secure, custom extensions
• Usable by application programmers who may write in any of a wide variety of
  programming languages
• End-to-end solutions that are not dependent on specific communication links or
  other middleware.
The remainder of this chapter discusses:
• The Transaction Security System product summary
• A cryptographic support overview
• Product application examples
• Deciding for Transaction Security System SecureWay CCA products.
Transaction Security System Product Summary
This section provides a summary of the Transaction Security System product
family. Additional product detail is provided in Chapter 2, “The Transaction
Security System Products.”
IBM 4755 Cryptographic Adapter
The cryptographic adapter performs many DES and RSA based cryptographic
processes within a secure enclosure. Sensors within the enclosure can
detect temperature, radiation, and mechanical penetration and will cause
active measures to clear sensitive information. Of equal importance, the
logical design of the adapter functions and administrative techniques enable a
secure cryptographic system. This high-security adapter is designed to meet
the security requirements of the FIPS 140 level 3 standard for high-integrity
cryptographic implementations.
The adapter is available in models for use in ISA¹ bus and Micro Channel
bus personal computers and IBM RS/6000 systems. (This adapter is also
used as the cryptographic processor within the AS/400 Hardware
Cryptographic features and within the IBM 4753 MVS-system cryptographic
I/O device.)
¹ Industry Standard Architecture (ISA) bus. This bus is supported by most personal computers and RS/6000 machines.
The securely-enclosed, programmable electronics implement an extended
form of the IBM Common Cryptographic Architecture (CCA). This design
ensures both physical and logical security for cryptographic implementations
in a networked environment. Together with the supporting software, the
adapter provides a consistent and comprehensive set of cryptographic
services for use on all IBM computing platforms.
In addition to supporting the broad requirements for data encryption and
digital signature services, special attention has been given to the varied needs
of the finance industry for support of message authentication (MAC), PIN
processing, and magnetic stripe data verification techniques. To address your
additional cryptographic and security requirements, secure loading of
user-defined custom algorithms and processes is possible with the
cryptographic adapter.
The IBM 4755 cryptographic adapter, first introduced in 1990, has been
functionally upgraded several times to address application requirements. New
Models 023 and 024 incorporate all previous capabilities of the adapter and
provide additional RSA-based services consistent with current Internet
security practices.
IBM 4753 Network Security Processor
The Network Security Processor cryptographic I/O unit provides high-security
cryptographic processing for the MVS large server environment. One or more
Network Security Processor I/O units can attach to parallel channel
connections on System/390 large servers that run with a native OS/390
operating system or with MVS as a guest operating system under VM. The
integral cryptographic adapter provides all of the DES and RSA cryptographic
processing addressing the needs of the finance industry and other
cryptographic system applications.
IBM Personal Security Card
The Personal Security™ smart card is a portable, single-chip security
processor. The card meets ISO 7816-1 and 7816-2 smart card standards and
can be used with the IBM 4754 Security Interface Unit. The generally
available Personal Security card can carry up to 4800 bytes of data, provides
DES cryptographic processing, and can authorize up to four users each
receiving customized and distinct combinations of service from the card. With
custom firmware to your specifications, more storage capacity or features can
be included.
IBM 4754 Security Interface Unit
The Security Interface Unit incorporates a smart card I/O interface, keypad,
DES cryptographic processor, and secured clock-calendar. The unit supports
operations with the Personal Security card and can be attached directly to a
personal computer, or the unit can be used with the IBM 4755 Cryptographic
Adapter and Personal Security card to provide high-security authorization
control over the operation of the adapter. The unit is also used in conjunction
with the IBM 4753 Network Security Processor and the hardware
cryptographic features for the AS/400 systems to provide operator
authorization for sensitive cryptographic administration activities.
Chapter 1. Introduction to the IBM Transaction Security System Products 1-3
IBM Workstation Cryptographic Services Licensed Software
The Workstation Cryptographic Services provides access to the IBM 4755
Cryptographic Adapter, and through the adapter supports the IBM 4754 and
IBM Personal Security card. The software provides utility programs for the
administration of the hardware devices, and an extended IBM Common
Cryptographic Architecture (CCA) application programming interface for use
by your application programs.
Workstation Cryptographic Services for OS/2 is used with the adapter
in personal computers that use the OS/2 Warp operating system.
Workstation Cryptographic Services for AIX is used with the adapter in
RS/6000 systems that use the AIX operating system at levels 4.1 and 4.2.
IBM Network Security Processor MVS Support Program, Version 2
This licensed software creates a subsystem within MVS for the support of one
or more IBM 4753 Network Security Processors. Your applications can use
the cryptographic I/O unit via the extended IBM Common Cryptographic
Architecture (CCA) application programming interface. The IBM Network
Security Processor MVS Support Program also provides an application
programming interface consistent with the Programmed Cryptographic Facility
program and the Control Unit Support Program products so that legacy
applications that operated with those products can continue to be used with
the IBM 4753.
IBM Workstation Security Services Program, Release 3.30
Release 3.30 of the Workstation Security Services Program enables use of an
IBM 4754 Security Interface Unit in the absence of an IBM 4755
Cryptographic Adapter under both DOS and OS/2 Warp operating systems.
The IBM 4755 Cryptographic Adapter is also supported by this licensed
software in a DOS personal computer environment. (The Workstation
Security Services Program is not upgraded to support the latest models of the
IBM 4755, models 023 and 024, and the enhanced RSA support.)
Cryptographic Support Overview
The Transaction Security System products implement many functions based on the
DES and the RSA cryptographic algorithms. Where strong, hardware-assisted
solutions are essential, these algorithms are the most widely used in commercial
practice.
This section provides a brief introduction to the cryptographic processes offered
with the Transaction Security System products. Additional information is included in
Chapter 3, “Cryptographic and Other Function Sets, and the Programming
Interface” and the programming manuals for the products.
Historically, cryptographic techniques have been used to disguise information as it
is moved from place to place so that an adversary will not learn the true meaning of
the information. Recent cryptography techniques address these data protection
methods:
Data Confidentiality
  This is the classic use of cryptography ... transform information so that
  the meaning of the data is not apparent to an adversary.
Data Integrity
  Append a code to data so that the recipient can verify that the data is
  unmodified.
Non-repudiation
  Include a digital signature with data so that the originator cannot later
  falsely deny originating the data.
In modern life, information and communications are digitized, recorded in data
banks, and transmitted through computer networks. It is increasingly difficult to
know how or where an adversary might intercept, modify, or replay the information.
Therefore, valuable information should be protected at its source and validated
wherever it is used. The Transaction Security System products are designed to be
used within your application programs and middleware to provide ‘end-to-end’ data
protection, at the source and at the destination.
To make your digitized information “secret” (data confidentiality), you can process
the data through an algorithm to encipher the data into ciphertext. Such an
algorithm is called a cipher. Later you can retrieve the original information by
deciphering the data back to the original plaintext.
History records many ciphering schemes that later proved weak. Creating strong
cryptographic systems, and knowing that the systems are strong, is a very
specialized field. For valuable information you will want a strong system. And if
you are going to interchange your information with other organizations or
applications, you will need to be compatible with their approach to data security.
For these reasons, the best approach to commercial cryptography is using
standardized algorithms and processes that have been widely and openly
discussed and reviewed.
DES, Symmetric Key Algorithm
In commercial practice, the most widely used algorithm for implementing strong
data confidentiality is the Data Encryption Algorithm (DEA). This algorithm was
designed by IBM more than twenty years ago in collaboration with the USA National
Security Agency. The algorithm has withstood years of scrutiny by cryptanalysts,
and although it is now “old,” it is still considered among the strongest block ciphers.
The only known attack is through repetitive trials using all possible combinations of
encryption keys and comparison of known ciphertext to cleartext. Since the DES
algorithm uses a 56 bit encryption key, an exhaustion attack could require up to 2^56
attempts. With this extremely large number of possible keys, breaking this cipher is
believed impossible for some years.
The DEA is now generally called ‘DES’ (Data Encryption Standard). DES is
standardized by the US Government, ANSI, ISO, and many others. DES is also
the basis for many data protection processes.
DES employs a small data element, a key, to determine the relationship between
the input and output of the DES algorithm. DES is one of a class of symmetric key
algorithms, so named because the algorithm employs the identical key in both the
enciphering and deciphering processes.
               Secret ──── (same key) ──── Secret
                Key                         Key
                 │                           │
                 │                           │
             ┌───▼────┐                  ┌───▼────┐
Plaintext ──►│Encipher├──► Ciphertext ──►│Decipher├──► Original Plaintext
             └────────┘                  └────────┘
Figure 1-1. DES Algorithm. 56-bit key and 64-bit plaintext and ciphertext
Since the DES algorithm is public knowledge, the secrecy of the ciphertext is
related to your ability to keep the key a secret and to be sure that you have used a
sufficiently random quantity as a key.
You can use the Transaction Security System products to address data
confidentiality. The hardware products encrypt data using DES according to ECB,
CBC, ANSI X9.23, ANSI X12.58, and other “last block” padding rules. If you are
not familiar with these terms, more detail is provided in Chapter 3, “Cryptographic
and Other Function Sets, and the Programming Interface.”
You can also use DES to create a message authentication code (MAC). A MAC is
computed on a string of data using the DES algorithm and rules defined in the
ANSI X9.9, ISO 8730, and other standards. A MAC is one way to ensure data
integrity. The data originator uses a secret key and the MAC generation process
and includes the MAC with the data. A data recipient who has the same secret key
can also compute the MAC value. If the received and locally-computed MACs are
the same, the data can be accepted as unchanged. The IBM Common
Cryptographic Architecture also makes it possible to separate the ability to verify a
MAC from the ability to generate one. This makes it possible for the sender of a
MAC to deny the receiver the capability to generate a valid MAC from the same
key and data.
Since enciphering and deciphering generally take place at different places and/or
times, keeping the key secret is a major difficulty. Obtaining a really good random
number generator is also of great importance. Key management is the term given
to the set of disciplines that addresses techniques for obtaining keys, keeping keys
secret or private, and knowing that the key is valid. Effective key management
turns out to be a really difficult problem and is a major source of weakness in
cryptographic systems, even when a strong algorithm is employed for data
confidentiality. The IBM Common Cryptographic Architecture, CCA, includes major
improvements in the management of keys in distributed systems and is the basis
for cryptographic support in the Transaction Security System products.
In addition to the CCA key management capabilities, the cryptographic adapter
used in personal computers and the network security processor implement the
cryptographic operations of the ANSI X9.17 key management protocols used in the
finance industry and with North American EDI X12.42 protocols for the distribution
of data encryption and MAC keys. The CCA key management functions support
advanced approaches to local and distributed key management problems.
RSA, Public Key Cryptography
What if you could...
• send confidential data to someone without the necessity of first establishing a
  shared secret key
• know that data was unchanged from when it left the control of the sender until
  it reached you, again without the necessity of first establishing a shared secret
  key
• go to court and have it accepted that the originator of some data must have
  originated the data.
Each of these problems has been addressed by another branch of cryptography
known as asymmetric key or public key cryptography. In 1978, Rivest, Shamir, and
Adleman published their RSA algorithm that is now in wide use in commercial
applications of cryptography.
The RSA algorithm uses two different keys, commonly called the public key and the
private key, to cipher data. The algorithm is based on a specialized field of
mathematics dealing with the difficulty of factoring a large number that is the
product of prime numbers. The RSA algorithm uses keys constructed of several
large integer values. The keys are mathematically related, but in a way such that
even with full knowledge of the public key, cleartext, and ciphertext, an adversary
will still not be able to derive the associated private key.
               Public                     Private
                Key                         Key
                 │                           │
                 │                           │
             ┌───▼────┐                  ┌───▼────┐
Plaintext ──►│Encipher├──► Ciphertext ──►│Decipher├──► Original Plaintext
             └────────┘                  └────────┘
Figure 1-2. RSA Algorithm. Keys are composed of several large integer numbers, typically
512 to 2048 bits in length.
Whereas symmetric key cryptography enables two parties to exchange information
in a secure manner with equal capabilities and obligations, asymmetric public key
cryptography provides different capabilities and imposes different responsibilities on
the sender and receiver. Public key cryptography has a many-to-one and
one-to-many capability with the requirements that:
• A single entity is held responsible for secure storage and controlled usage of a
  private key
• Users have the obligation to verify the authenticity and status of a public key.
There are two important ways that the RSA algorithm is used:
• Distribution of symmetric keys
• Generation and verification of digital signatures.
The IBM 4755 Cryptographic Adapter and the IBM 4753 Network Security
Processor provide the capability of generating RSA keys with lengths of 512 bits to
1024 bits. These keys are used with the RSA algorithm to encrypt DES keys for
distribution as well as to generate and verify digital signatures.
Key Distribution Using RSA
You could send a confidential message to someone if you knew their public key.
You would use their public key to encipher the message. Only they have the
corresponding private key, and therefore only they can decipher your message.
Since a public key is not a secret it can be published in a directory. Therefore, with
knowledge of a public key, one could send confidential messages to the holder of
the associated private key without prior bilateral arrangements.
In practice, public key algorithms such as RSA are computationally intensive, and
therefore messages are usually not encrypted with the public key². Instead
symmetric key cryptography is used to encipher the message using a fresh,
random key. Then the symmetric key is enciphered using the recipient's public key
and the now-encrypted symmetric key is sent with the encrypted message; see
Figure 1-3.
² United States export regulations restrict distributing a product that performs general data encryption using public cryptography; this
is a reason, secondary to performance, for not ciphering general data using the RSA algorithm.
The recipient uses his private key to recover the random symmetric key which he
then uses to decipher your message. Given that the public key can be distributed
with integrity, no prior arrangements are required between the message sender and
receiver in order to exchange data in a confidential form.
The IBM 4755 Cryptographic Adapter and the IBM 4753 Network Security
Processor provide CCA services that programmers can use to implement secure
message and key exchange:
• Key_Generate
• Symmetric_Key_Export
• Symmetric_Key_Import
• Encipher
• Decipher
The encipher and decipher services support DES CBC mode of data encryption
and several methods for accommodating data that is not a multiple of 8 bytes
including the ANSI X9.23 method.
The RSA encipherment of the DES data key follows the approach documented in
the PKCS #1³ standard that is currently in common use in Internet protocols.
Sender:

                      ┌────────┐
Clear Message ───────►│Encipher├───► Encrypted Message ───────────────┐
                      └───▲────┘                                      │
                          │                                           ├───► Send to Recipient
┌─────────┐               │      ┌─────────┐                          │
│Generate │               │      │ Encrypt │                          │
│DES key  ├───────────────┴─────►│ DES Key ├───► Encrypted DES key ───┘
└─────────┘                      └────▲────┘
                                      │
Recipient's Public Key ───────────────┘

Recipient:

                              ┌─────────┐
Encrypted DES key ───────────►│ Recover │
                              │ DES Key ├───┐
                              └────▲────┘   │
Recipient's Private Key ───────────┘        │
                                        ┌───▼────┐
Encrypted Message ─────────────────────►│Decipher├───► Original Clear Message
                                        └────────┘
Figure 1-3. Using RSA for DES Key Exchange to Enable Confidential Message Transfer
³ PKCS standards are documented by RSA Data Security, Inc.
Digital Signatures Using RSA Encryption
A digital signature is computed on a message (or any data object) using a private
key. Since the private key is known only to one entity, no one else can generate
the same digital signature on the message.
The digital signature can be verified by any message recipient who has the
originator's public key. Verification of the digital signature confirms:
• Data integrity: The verified message is identical to the originally signed
  message
• Non-repudiation: The originator must have signed the message because only
  he possesses the associated private key needed to compute the digital
  signature.
Use of a digital signature is a very powerful capability in electronic commerce and
other networked application systems. However, certain practical problems must be
addressed:
• Since public key algorithms are computationally intensive, ciphering a large
  data object is not practical
• The verifier of a digital signature must be certain that the public key is valid and
  unique (at least at the time that the signature was created).
In practice, a digital signature is formed by hashing (or message digesting) the data
object. The result is a sixteen or twenty byte (128 or 160 bit) hash that is
representative of the data. The hash is then formatted, usually with some
signature-method identifying codes, and the result is expanded to a bit length
acceptable to the public key algorithm and the key length that is in use.
A useful hashing process:
• Will be very sensitive to any change in the hashed data
• Will not allow an adversary to predict a change in the data that will result in the
  same hash value
• Will be reasonably efficient as some data objects can be quite large
  (megabytes in some cases).
It has been difficult to find a hashing algorithm that meets all of the criteria. Recent
research reports have raised questions about algorithms that have been in common
use. Based on research information concerning hashing, the Transaction Security
System products support these algorithms that are generally accepted as strong
(other hashing algorithms are also usable):
• SHA-1 (FIPS 180-1, May 31, 1994)
• MD5 (RFC 1321, dated April 1992)
• IBM MDC (Modification Detection Code, PADMAC2 and PADMAC4).
Signature generation:

                             ┌───────┐      ┌───────────┐
Data Object ────────────────►│ Hash  ├─────►│ Digital   │
(...that may be large)       │Process│      │ Signature ├───► Digital Signature
                             └───────┘      │ Generate  │     (Typically 128 bytes)
                                            └─────▲─────┘
Signer's Private Key ─────────────────────────────┘

Signature verification:

                             ┌───────┐      ┌───────────┐
Data Object ────────────────►│ Hash  ├─────►│ Digital   │
                             │Process│      │ Signature ├───► OK?
                             └───────┘      │ Verify    │
Digital Signature ─────────────────────────►│           │
                                            └─────▲─────┘
Signer's Public Key ──────────────────────────────┘
Figure 1-4. Hashing with Digital Signature Generation and Verification
Unlike the DES algorithm, it is important that the information processed by the RSA
cipher algorithm have certain properties to block attacks an adversary could
attempt. Therefore, the formatting of the information to be ciphered with RSA has
to be carefully considered. The IBM 4755 Cryptographic Adapter and the IBM 4753
Network Security Processor provide CCA services to format the hash according to
both the ISO 9796-1 standard and the PKCS #1 standard.
Note that an RSA-ciphered data item is the same length in bits as the length of the
key. Typical RSA key lengths range from 512 to 2048 bits. Digital signatures are
often 96 bytes or more in length before they are formatted into an identifying
structure.
Certification Authorities
There are important considerations in the use of public key cryptography:
• You must be certain that a public key is the correct value that belongs to the
  entity of interest
• You must know that the public key is (was) considered valid.
A common way to address these considerations is to have a public key distributed
in the form of a certificate. A certificate is a message that is digitally signed by a
certification authority (CA).
The certification authority will ensure that credentials presented by the public-key
owner are appropriate and that the public key is unique among the set of public
keys certified by the authority. On this basis the CA will create (sign) the certificate
and distribute the certificate to the public key owner or often to a directory service.
The certificate contains:
• The public key
• An identifier for the public key owner
• Usually an expiration date
• Often a certification authority identifier
• And other information to qualify format and usage criteria.
A certificate is usually many hundreds of bytes in length and formatted into a
complicated structure, typically according to the ISO X.509 version 3 standard.
Problem:
  Verify a signature from User...
Given:
  ─ Certificate_User, signed by CA2
  ─ Certificate_CA1 (CA1 trusted)
Solution:
  ─ Validate Certificate_CA1 (self signature)
  ─ Obtain Certificate_CA2, signed by CA1
  ─ Validate Certificate_CA2 using Public_key_CA1,
  ─ Public_key_CA2 now trusted
  ─ Validate Certificate_User using Public_key_CA2
  ─ Public_key_User now trusted
  ─ Validate Signature from User using Public_key_User

┌────────────────┬──────────────────┐
│ Public_key_CA1 │ Signature (self) │  (Self certification)
└───────┬────────┴──────────────────┘
        │            Certificate_CA1
        ▼
Public_key_CA1 ── Used to verify ─┐
                                  ▼
┌────────────────┬──────────────────┐
│ Public_key_CA2 │ Signature by CA1 │  This can be a longer chain
└───────┬────────┴──────────────────┘  of certificates.
        │            Certificate_CA2
        ▼
Public_key_CA2 ── Used to verify ─┐
                                  ▼
┌─────────────────┬──────────────────┐
│ Public_key_User │ Signature by CA2 │
└───────┬─────────┴──────────────────┘
        │            Certificate_User
        ▼
Public_key_User ── Used to verify ┐
                                  ▼
                       ┌─────────────────────┐
                       │ Signature from User │
                       └─────────────────────┘
Figure 1-5. Digital Signature Verification Using a Certificate Chain
In general, a certification authority may sign a large number of certificates and the
certificates often have a validity period of a year or more. Therefore it is very
important that the certification authority's private key be well protected and that
its use be closely controlled.
The IBM 4755 Cryptographic Adapter is ideally suited for use in a certification
authority application since it can provide:
Excellent protection for a private key
Authorization control based on passwords or tokens
Backup and recovery for the private key.
The certificate scheme also requires that the certification authority public key be
trusted by the users of the certificates. So there must be a means for users to
obtain the certificate of the certification authority containing the certification authority
public key. Users must receive the certification authority certificate from a trusted
source. Sometimes the public key can be hard-coded into an application, or the
certification authority certificate may be given to the user as he joins some
consortium of users.
Given that a user trusts the public key of some certification authority, that key can
in some arrangements be used to validate the certificates of other certification
authorities (see Figure 1-5 on page 1-11). The IBM Net.Registry and
World.Registry products and services can employ the IBM 4755 in the protection of
the certification authority's private key.
Clearly there is great value in the application of public key cryptography to address
the security problems of our electronic world. In addition to the cryptographic
support available with the Transaction Security System family products, the IBM
SecureWay offerings can help you apply the technology in your systems. In
addition, the IBM 4755 Cryptographic Adapter can be used by the IBM Registry*
and IBM World Registry* product and service in the protection of a certification
authority's private key.
Managing Keys at a Cryptographic Node
A cryptographic node must accomplish two tasks: perform its data protection
functions (e.g., data encryption, generation of digital signatures, etc.) and manage
the keys required to accomplish the data protection tasks. The Transaction
Security System products feature the following key management capabilities:
High quality pseudo random number generation
Master-key protection for an unlimited number of local keys
Dynamic master key change capability
Application or cryptographic-system storage of keys
Ability to “lock” a key to a node
Key distribution techniques based on CCA, ANSI X9.17, and RSA.
Most programming languages provide support for generating pseudo random
numbers. However, cryptography relies on the availability of very unpredictable
keys and therefore one measure of a cryptographic implementation is its random
number generator. The Transaction Security System products use advanced
techniques in the seeding of the random number generators and in the generation
of the numbers.
The Transaction Security System products store a single master key in a register
within the secure hardware. Other keys are then triple-encrypted under the master
key and can be securely held outside of the secure hardware until they are
required for use. In order to support continuous operation, the IBM 4753 network
security processor provides support for dynamically changing the master key and
re-encrypting working keys to an updated master key during operation. With the
other products, working keys are securely re-encrypted by utility or application
programs after any master key change. Usually, a master key would only be
changed on a yearly basis.
* Trademark of IBM
These products support storage of keys under a key label in a data set managed
by the cryptographic support software. This approach is most often taken for
long-life keys. Keys can also be stored by application programs and passed to the
cryptographic system as required. This approach is most often taken for short-life
keys. Regardless of key life, however, you can use either approach to store
keys, as your application requires.
Since working keys are not generally stored within the hardware, except in the case
of the IBM Personal Security card, CCA provides the ability to flag a key as “not
exportable.” This allows you to be sure that keys cannot be removed from the
system even though they are temporarily outside of the hardware (remember, keys
outside of the hardware are triple encrypted by the master key).
The products provide the following set of key management functions:
Securely introducing keys based on split-knowledge, dual-control techniques
Implementing key generation centers and key translation centers
Managing the classes of keys that can be transported between nodes
Providing for the backup of RSA private keys
Distributing keys using IBM Common Cryptographic Architecture, ANSI X9.17,
and RSA techniques.
The flexibility and completeness of the key management techniques available with
the Transaction Security System products are one of the hallmarks of the system
design.
Governmental Regulations on Cryptography, CDMF
In the interest of national security and law enforcement, almost all governments
exercise some form of control on the distribution of cryptographic implementations,
whether these are based on software or hardware. In the past the use of strong
cryptography was largely confined to the military, governmental security agencies,
and the financial services infrastructure. More recently software implementations of
strong cryptographic techniques have become widely available. With the
recognition that our “wired world” will depend on strong, practical applications of
cryptography, the subject of legitimate data protection versus suppression of
terrorist and criminal activity is causing a re-evaluation of past practices relating to
controls on the distribution of implementations of cryptography. It is reasonable to
expect changes in the regulations pertaining to cryptographic product distribution
and allowable products.
With respect to Transaction Security System, other than being prohibited from
delivering any cryptographic product for customers in a few selected countries,
there are limitations in two areas:
The strength of the encryption process used to encrypt general data
The key length used in public key cryptography when distributing keys that can
be used for protecting general data.
[4] Effective in 1997, new rules by the US government will cause this situation to be re-evaluated. Regulations by other governments
are also likely to change.
Generally, the governments are only concerned about the concealment of
information other than information used to identify someone (e.g. a PIN). So there
is little restriction on cryptographic implementations related to digital signatures and
other data integrity controls. Likewise, there is little restriction in using triple DES
for the encipherment of keys.
The Transaction Security System products generally address three export-control
defined customer sets:
1. USA and Canadian customers, and USA companies and subsidiaries outside of
the USA and Canada
Generally there are no restrictions.
2. Financial institutions outside of the USA and Canada
Generally RSA key lengths are limited to 512 bits for symmetric key
encipherment (no restriction of key lengths when the RSA keys are used
for digital signatures).
3. Other customers outside of the USA and Canada
In addition to the restrictions from (2), services that can obscure information
in data may not use DES keys with an effective strength beyond 40 bits [4].
To address the requirement for a good data encryption approach while building on
existing infrastructure and knowledge of the strength of DES, IBM defined and
implemented the Commercial Data Masking Facility (“CDMF”) algorithm. This
algorithm operates in the same way as DES CBC except that the cryptographic key
is weakened within the data ciphering services. Key management services are not
affected.
When distributing keys used in data confidentiality services, there are restrictions
on public-key-system key lengths. Generally RSA keys are limited to a key length
of 512 bits. Note that RSA key lengths used for digital signature services are not
restricted.
The limitations on the key distribution capabilities and the type of data encryption
support provided are specified at the time products are ordered from IBM. IBM
applies for appropriate export and import licenses.
Finance Industry Support
Besides the useful message authentication and key distribution techniques that are
standardized within the finance industry, the IBM 4755 Cryptographic Adapter and
the IBM 4753 Network Security Processor also support many services for
processing financial PINs, the personal identification numbers used with automated
teller machines and point-of-sale devices. A PIN is typically a four to six digit
decimal number that is derived from the encryption of an account number. The
actual details of the PIN generation algorithms vary and the Transaction Security
System devices support the five most common cases.
When a point-of-sale device or an automated teller machine is used to
communicate a customer PIN, the PIN is mixed with other data into an 8-byte “PIN
block.” Then the PIN block is encrypted for transmission. The Transaction Security
System devices support eleven of the most common schemes for holding a PIN in
a PIN block.
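An added illustration of how a PIN is mixed with other data into an 8-byte PIN block (not code from the manual or from any IBM product). The manual does not name the formats it supports; this assumes the widely used ISO 9564-1 format 0 layout, the function names are hypothetical, and the PIN and account number are constructed sample values. The result is the clear block, which is then encrypted for transmission.

```python
# Clear PIN block, ISO 9564-1 format 0 (assumed format; the manual names none).
# PIN field:  0 | PIN length (hex) | PIN digits | padded with F to 16 nibbles
# PAN field:  0000 | rightmost 12 account-number digits, excluding the check digit
# PIN block:  PIN field XOR PAN field  (8 bytes)

def _pan_field(pan: str) -> bytes:
    """Build the 8-byte account-number field used to mask the PIN field."""
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def format_pin_block(pin: str, pan: str) -> bytes:
    """Return the clear 8-byte PIN block for this PIN and account number."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return _xor(pin_field, _pan_field(pan))


def recover_pin(block: bytes, pan: str) -> str:
    """What a verifying node does after deciphering: unmask and sanity-check.

    A block bound to a different account number fails the format checks,
    which is how the format ties a PIN to one account.
    """
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = _xor(block, _pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() or pad.strip("F"):
        raise ValueError("not a valid format 0 PIN block for this PAN")
    return pin


# Constructed sample values, not real card data.
SAMPLE_PIN = "1234"
SAMPLE_PAN = "43219876543210987"

if __name__ == "__main__":
    block = format_pin_block(SAMPLE_PIN, SAMPLE_PAN)
    print(block.hex().upper())
    print(recover_pin(block, SAMPLE_PAN))
```

Because the clear block yields the PIN to anyone who knows the account number, the formatting and the encipherment belong inside the same protected boundary, which is the role the manual assigns to the secure hardware.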
The PIN generation algorithm and PIN block support is provided in nine separate
services that enable PINs to be kept encrypted at all times while addressing the
problems associated with PIN handling (see “Processing Financial PINs” on
page 1-16).
Visa and Mastercard have addressed a problem of fraudulent magnetic stripe data
on their cards by the inclusion of cryptographically-derived security codes. The IBM
4753 Network Security Processor and the IBM 4755 Cryptographic Adapter provide
specific support for generating and verifying these codes.
In summary, the Transaction Security System products provide extensive,
standards-based support for DES and RSA cryptographic techniques that enable
your application programs to take advantage of very secure approaches to
protecting your data.
Product Application Examples
This section describes typical applications that exploit the capabilities of the
Transaction Security System product family. Included are discussions of the
following:
Protecting a certification authority private key
Processing financial PINs
Determining data integrity
Providing data confidentiality in an SNA network
Storing sensitive data on portable media.
Protecting a Certification Authority Private Key
Underlying the use of public key cryptography is the requirement to know, with
certainty, that you have the correct, current public key for an entity with whom you
will communicate (see “Certification Authorities” on page 1-10). The usual
technique is to obtain a certificate that contains the other entity's public key. A
certificate is simply a data structure that contains the entity's public key and the
digital signature of the certification authority from which the certificate was issued.
The digital signature is generated with the private key of the certification authority.
Either you trust the public key that you must have for the certification authority that
signed the certificate, or you must obtain a chain of certificates with public keys to
verify the previous public key until you finally have a certificate signed by a public
key that you do trust.
In any case, the problem for a high-level certification authority (CA) is that its public
key can be in widespread use and replacement of that key in other than a planned
change to a new key can be nearly impossible. Therefore, protection of a CA
private key can be of paramount importance.
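The chain walk described above and in Figure 1-5, as an added Python example (not code from the manual or from any IBM product). It uses textbook RSA over small, publicly known Mersenne primes only so that it runs with the standard library; the `Certificate` fields, function names and sample data are assumptions constructed for illustration, not X.509 and not CCA services.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date

E = 65537  # public exponent used by every toy key below


def toy_keypair(p, q):
    """Textbook RSA from two primes: returns (public (n, e), private d)."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, pub, d):
    return pow(_digest(data, pub[0]), d, pub[0])


def verify(data, sig, pub):
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Certificate:
    subject: str        # identifier for the public key owner
    issuer: str         # certification authority identifier
    public_key: tuple   # (n, e)
    not_after: date     # expiration date
    signature: int = 0  # issuer's signature over tbs()

    def tbs(self):
        """The bytes the CA signs: every field except the signature."""
        n, e = self.public_key
        return f"{self.subject}|{self.issuer}|{n}|{e}|{self.not_after}".encode()


def issue(subject, subject_pub, not_after, issuer, issuer_pub, issuer_d):
    cert = Certificate(subject, issuer, subject_pub, not_after)
    return replace(cert, signature=sign(cert.tbs(), issuer_pub, issuer_d))


def validate_chain(chain, trusted_root_key, today):
    """Walk root -> ... -> end entity; return the end entity's public key."""
    root = chain[0]
    # The root is trusted because its key equals one obtained from a trusted
    # source, not because its self-signature verifies (anyone can self-sign).
    if root.public_key != trusted_root_key:
        raise ValueError("root key is not the trusted key")
    issuer_name, issuer_key = root.subject, root.public_key
    for cert in chain:
        if cert.issuer != issuer_name:
            raise ValueError(f"{cert.subject}: not issued by {issuer_name}")
        if today > cert.not_after:
            raise ValueError(f"{cert.subject}: expired")
        if not verify(cert.tbs(), cert.signature, issuer_key):
            raise ValueError(f"{cert.subject}: bad signature")
        issuer_name, issuer_key = cert.subject, cert.public_key  # now trusted
    return issuer_key


def verify_user_signature(message, sig, chain, trusted_root_key, today):
    try:
        user_key = validate_chain(chain, trusted_root_key, today)
    except ValueError:
        return False
    return verify(message, sig, user_key)


# Constructed sample data: toy keys from Mersenne primes, far too weak for real use.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))
CA1_PUB, CA1_D = toy_keypair(M89, M107)
CA2_PUB, CA2_D = toy_keypair(M107, M127)
USER_PUB, USER_D = toy_keypair(M61, M127)
ROGUE_PUB, ROGUE_D = toy_keypair(M61, M89)   # a key the verifier never trusted
TODAY, END = date(1997, 6, 1), date(1998, 6, 1)

CERT_CA1 = issue("CA1", CA1_PUB, END, "CA1", CA1_PUB, CA1_D)     # self-certified
CERT_CA2 = issue("CA2", CA2_PUB, END, "CA1", CA1_PUB, CA1_D)
CERT_USER = issue("User", USER_PUB, END, "CA2", CA2_PUB, CA2_D)
CHAIN = [CERT_CA1, CERT_CA2, CERT_USER]
MESSAGE = b"constructed sample message"
SIGNATURE = sign(MESSAGE, USER_PUB, USER_D)

if __name__ == "__main__":
    print(verify_user_signature(MESSAGE, SIGNATURE, CHAIN, CA1_PUB, TODAY))
```

Every check hangs on the one key the verifier holds from a trusted source: a self-consistent chain built under any other root is rejected at the first step.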
The design of the IBM 4755 Cryptographic Adapter and the IBM Common
Cryptographic Architecture PKA96 function set is well suited to protection of CA
private keys. The cryptographic adapter's advanced physical security design will
render the active copy of the private key useless if a tamper situation arises, and
the logical design of the key management services ensures that the non-repudiation
characteristics of a digital signature can exist.
Use of the CA private key in the cryptographic adapter can be conditioned on
specific authorization by one or more individuals. Optionally you can require that
the authorized individuals identify themselves through possession of an
appropriately initialized Personal Security card and present their PIN for access to
their authority.
The private key can be distributed to backup cryptographic adapters at the same or
other locations through the use of CCA DES key management practices thereby
solving potential availability and/or performance problems while still ensuring very
tight control over the private key.
Generally an entity cannot present itself in person to the CA to obtain its
certificate. To satisfy this operational problem, the CA establishes a network of
trusted local registration authorities (LRAs). After being satisfied that the entity
should have a certificate, an LRA will transmit a certificate request in the form of a
credentials message to the CA. Such a message is generally not confidential but
does require data integrity protection that can be obtained with the use of a digital
signature or a MAC applied to the message. The various Transaction Security
System products can be used at differing price/performance points in the design of
your LRA solutions. Once again you can employ smart-card based operator
identification at the LRA to further ensure the integrity of your solution.
Processing Financial PINs
Automated teller networks and point-of-sale networks use DES processes to
encipher and authenticate end-user PINs and transaction messages. Many
different standards and formats are currently used for this purpose.
The IBM 4755 Cryptographic Adapter and the IBM 4753 Network Security
Processor provide a comprehensive set of services to support the following:
PIN generation
PIN block formatting and encipherment
PIN block reformatting
PIN block re-encipherment
PIN block verification
Card-verification value calculation
Unique-key-per-transaction key generation.
The services support 11 different PIN block formats and five major PIN generation
algorithms, including support for customer-selected PINs. When you use these
services, you can securely do the following:
Format PIN blocks at a transaction terminal
Generate PINs as an issuer
Verify PINs as an acquirer
Re-encipher or reformat PIN blocks at a network “switch”
Reformat a PIN database to adapt to new standards or to consolidate
databases from several merged institutions
Support debit card unique-key-per-transaction acquirer or switch processing
Verify PINs in automatic voice-response systems.
For unique PIN block formats or PIN generation services, IBM can prepare custom
solutions to meet your specifications. The resulting code can be securely loaded
into the cryptographic adapter where your cryptographic keys and other data can
be safely processed.
Determining Data Integrity
The ANSI X9.9 message authentication standard, as well as similar country and
ISO standards, defines a DES-based process for computing a 64-bit MAC for a
data string of any length. For example, to send a message through a
communication network or keep a record in storage, you can use a secret
cryptographic key to compute the MAC and append this value to the data.
To validate the data, you use your secret key to recompute the MAC and then
compare the result to the MAC that was sent with the data. If they match, you can
be confident that the data is unchanged.
The Transaction Security System products provide specific MAC generation and
verification services as well as the required services and support for distributing the
keys and keeping them secret.
If you need to associate a MAC with a particular individual (for example, someone
who has the authority to issue a batch of payment orders), the secret cryptographic
key for MAC generation can be stored on a Personal Security card that is issued to
this individual. The institution that receives the payment orders uses its copy of the
secret cryptographic key and the cryptographic support to verify that the orders
originated from an authorized source and that they were not changed.
You can configure Personal Security cards to require individuals to enter a secret
PIN of their choice when using the key and MAC-generation processes.
The IBM Common Cryptographic Architecture, through the control vector
technology, can allow you to practice asymmetric message authentication where
only the issuer has the ability to create the MAC; the MAC verification nodes will
not have the ability to create the MAC. This may offer a way to implement some of
the features of a digital signature service based on DES techniques that might be
more readily installable in your infrastructure.
Providing Data Confidentiality in an SNA Network
The SNA communications architecture defines how data can be enciphered
between logical units in a network. This architecture has been implemented by the
following products:
IBM ACF/VTAM
IBM LAN Distributed Platform
IBM LAN Distributed Platform/2
IBM Communications Manager/2
IBM Communications Server/2.
Each of these products makes calls to cryptographic facilities in their environments
for cryptographic key management and for DES-based data enciphering and
deciphering.
The ACF/VTAM product can use any of the following products for the required
services:
IBM 4753 Network Security Processor and its support program
IBM System/390 Integrated Cryptographic Coprocessor
Integrated Cryptographic Feature on high-end Enterprise System/9000
processors
PCF program product.
The CS/2, CM/2, and LANDP/2 products can use the cryptographic adapter or the
security interface unit for the required services.
Storing Sensitive Data on Portable Media
The IBM Personal Security Card can be used to transport small quantities of data
securely between locations. For example, you can use the card to transport clear
cryptographic key components, medical case histories or prescription data, or
entitlements to certain services. The Personal Security card can hold between
4000 and 6500 bytes of data in data blocks on the card, depending on the
particular features of the card.
To enable a card data block to be read or written, you can configure the card to
require a password, a secret key for deciphering stored data, or a PIN.
Deciding for Transaction Security System SecureWay CCA Products
Once you have addressed your security application requirements and have
determined that cryptographic techniques are part of the solution, how do you
decide what products should be used? Consider these points:
Is there an off-the-shelf application that can be used that provides adequate
security? Does that application support CCA or the Transaction Security
System products? Can that application be extended to take advantage of
CCA?
In the case of SNA session level encryption, there is support in the IBM
communication and transaction middleware products that is designed to
operate with CCA and Transaction Security System products (see “Providing
Data Confidentiality in an SNA Network” on page 1-17).
If custom applications are used, are the cryptographic processes only employed
within the application set?
In this case you have greater freedom to select your techniques and
implementations. However, caution is in order. The history of cryptographic
practice is rife with failed approaches, often the result of very subtle mistakes.
Adherence to standards and the use of products designed to a carefully
constructed architecture will help you avoid the pitfalls of the past. There are
many complex aspects of cryptographic practice. Implementing sound
cryptographic solutions is a discipline best addressed by experts.
Support of a wide variety of DES and RSA based standards is a hallmark of
the Transaction Security System products. Often systems are defeated not by
breaking the cryptographic algorithm but through attacks against the key
management system. The CCA, Common Cryptographic Architecture,
organizes the implementation of the cryptographic functions into a set of
services that afford your secret and private keys full protection. The
Transaction Security System implementation of CCA provides the controls and
services that enable a secure solution.
The IBM Registry* product and other electronic commerce middleware products
can use the TSS products to enhance data security.
What application programming language is best for your applications?
The CCA application programming interface has been designed to Systems
Application Architecture concepts. The programming interface can be used
from essentially any application programming language and the same interface
is available on each of the supported computing platforms so that your
investment in coding can be transferred between platforms.
Why use a hardware implementation when software solutions are usually less
expensive?
A software solution may be an appropriate choice... consider:
– Is the software environment trustworthy?
- Could a virus obtain your keys?
- Does the open, “personal” environment that makes personal computers
and workstations so useful allow your users to misuse their authority or
bypass controls?
With a secure hardware implementation, it is far more difficult to bypass
controls established by security management.
– Can you demonstrate to your auditors that you are practicing a realistic
approach to security given the exposure to loss versus the cost of
hardware-based protection?
– Are there important performance issues that only a hardware
implementation can address?
When your application system spans several different computing platforms, the
Transaction Security System product family provides consistent,
multiple-platform options that can make realizing your total solution more
effective and less costly to implement than independent solutions unique to a
platform.
The Transaction Security System product family is a complete system with
secure hardware and the supporting software that makes the hardware usable
by your application programs.
Because the Transaction Security System products are internally
programmable, and because there are secure techniques for loading the
internal software, it is possible for IBM to design and implement new functions
at your request. It is also possible to combine many different functions into a
single application call so that performance can be improved for complex
processes.
Finally, IBM has a long tradition of creating security solutions based on research
and development in cryptography. It was IBM work on Lucifer (an early encryption
algorithm developed by IBM) and then the DEA that led to DES. And in the
present day, IBM was instrumental in outlining, in an open dialog, how credit
transactions might be protected in Internet-based electronic commerce. Then, IBM
played a key role in bringing Mastercard, Visa, and other card organizations
together to establish a single standard for the industry, the Secure Electronic
Transaction (SET) standard. Likewise there have been continuing improvements to
the Transaction Security System product family through the years. Now, as
evidenced by the introduction of the SecureWay logo, IBM is accelerating its
investments in cryptographic developments. Examples include:
The latest developments in the Transaction Security System product family
described in this book
The System/390 Integrated Cryptographic Coprocessor for high-performance
cryptography on large server machines
The introduction of the family of IBM Multi-function smart cards and associated
readers such as the IBM 4779 Hybrid Smart Card Device.
IBM and the SecureWay team would like to work with you to address solutions to
your security problems.
Workstation Products
This section describes the Transaction Security System workstation cryptographic
hardware products and their supporting software that are used with personal
computers and RS/6000 computers:
IBM 4755 Cryptographic Adapter
Workstation Cryptographic Services for OS/2
Workstation Cryptographic Services for AIX
IBM Personal Security Card
IBM 4754 Security Interface Unit
Workstation Security Services Program, release 3.30.
IBM 4755 Cryptographic Adapter
When personal computers and IBM RS/6000 computers require DES and RSA
cryptographic processing, the IBM 4755 Cryptographic Adapter can provide a
high-security solution. The adapter supports a broad range of DES and public-key
cryptographic processes that are performed within a highly secure module that is
mounted on the adapter. With the use of the Workstation Cryptographic Services
licensed software and Workstation Security Services Program licensed software,
the adapter can be used in DOS, OS/2, and AIX environments. In the first half of
1997, models 023 and 024 will replace all earlier adapter models. The new models
provide all of the functions of the older models as well as ‘PKA96’ RSA function
support (see Chapter 3, “Cryptographic and Other Function Sets, and the
Programming Interface”). Figure 2-1 shows the cryptographic adapter.
Figure 2-1. IBM 4755 Cryptographic Adapter
Overview
The IBM 4755 Cryptographic adapter offers the following:
Extensive DES and RSA Cryptographic Functions to support the
cryptographic data security requirements of the financial industry, the Internet,
and other environments. The cryptographic capabilities are accessed via the
IBM Common Cryptographic Architecture that features control-vector-based key
separation techniques providing logical security to match the physical security
of the hardware.
[1] Industry Standard Architecture (ISA) bus. This bus is supported by most personal computers and some RS/6000 machines.
Application Development in a Common Manner through use of the
Workstation Cryptographic Services licensed software for OS/2 Warp
(Version 3) and for AIX 4.1 and 4.2 that offers a consistent approach to
application usage of cryptography with IBM's other SecureWay cryptographic
products on DOS, OS/400, and MVS.
ISA and Micro Channel models for use in a single, full-length slot in most
personal computers [1] and IBM RS/6000 systems.
High-security design implemented to conform to FIPS 140 level 3
requirements for resistance to high-tech attacks.
Cryptographic Data Protection Capabilities for data encryption, digital
signatures and hashing, message authentication, extensive finance industry
support for PIN processing and magnetic stripe verification. The cryptographic
requirements of industry standards such as PKCS#1 [2], SHA-1, and ANSI X9.8,
X9.9, X9.17, X9.23, ISO 9796, etc. are addressed by the products.
Sophisticated Key Management Techniques based on the IBM Common
Cryptographic Architecture that features control-vector-based key separation to
assure uniform and controlled capabilities in distributed systems as well as
support of industry-standard techniques based on RSA key distribution and
ANSI X9.17. The CCA master key concept allows the adapter to securely
manage an unlimited number of cryptographic keys.
Custom Cryptographic Applications to your specifications can be supported
within the adapter through IBM system integration services. This capability
addresses the many unique cryptographic processes that continue to arise in
practical applications without the need to compromise key protection and
process integrity.
Hardware for Security and Performance when your requirements demand
strong security. In distributed processing systems and this era of virus
infection, the secured-hardware cryptographic adapter solves the problem of
keeping your cryptographic keys secure and assuring that only authorized
individuals can access them to perform sensitive operations.
Smart Card Support for the IBM Personal Security Card via optional
attachment of the IBM 4754 Security Interface Unit provides additional
protection for assuring proper and authorized cryptographic system
administration.
International Export Options to meet normal and exceptional export
conditions associated with the delivery of strong-cryptography equipment. The
maximum key lengths used with data confidentiality and key management
services are available to meet export license restrictions. The IBM-defined
Commercial Data Masking Facility algorithm addresses restrictive export
situations.
[2] PKCS standards and the MD5 hashing algorithm (see RFC 1321) are developments of RSA Data Security, Incorporated.
Intended Applications
The following is a partial list of the intended applications for the IBM 4755
Cryptographic Adapter.
Personal computer and RS/6000 systems that require cryptographic capabilities
that benefit from a hardware implementation.
Support for secure generation of an RSA key-pair for use with the System/390
Integrated Cryptographic Coprocessor.
Current systems that use the IBM 4755s that also require support for industry
standard RSA digital signature and data key exchange.
Description
The IBM 4755 Cryptographic Adapter implements DES and RSA based
cryptographic operations within an enclosed, high-security processor on board the
adapter. Adapter model 023 is used in machines that support the ISA bus and
model 024 is used in machines that support the Micro Channel Architecture (MCA) [3].
The functional capabilities of the ISA and MCA adapters are comparable except
that the MCA models will have a somewhat greater throughput for DES operations.
The MCA adapter requires a full-length slot. The ISA bus adapters can operate on
an 8-bit bus, but they have improved throughput when operated on a 16-bit bus.
Two versions of the Workstation Cryptographic Services licensed software are
available for the adapter for use with OS/2 Warp (Version 3) and with RS/6000
computers with AIX 4.1 or AIX 4.2. This software enables application programs to
exploit the many cryptographic operations via an application program interface
based on the IBM Common Cryptographic Architecture (CCA). This same
application interface is supported in a consistent way by other IBM SecureWay
cryptographic products that are available on IBM AS/400 systems and large server
systems that run the IBM MVS operating system. The software also provides utility
programs for configuring the adapter and performing simple key management.
The adapter and support software are a cryptographic facility that your application
programs and system software can use in workstation and server equipment to:
Encrypt application data using one of the following:
– DES CBC and DES ECB (export restrictions apply)
– CDMF -- Commercial Data Masking Facility
Generate and verify RSA digital signatures using SHA-1, MD5 [4], or MDC
hashing
Distribute keys using RSA, IBM CCA, or ANSI X9.17 techniques (X9.17 is not
supported on AIX)
Perform the cryptographic operations that underlie the following:
– PIN processing with support for many formats and PIN algorithms
– ANSI X9.9 message authentication
– Visa CVV and Mastercard CVC magnetic stripe data validation
– Unique (per transaction) key generation for Point Of Sale(POS) applications
Custom cryptographic functions you define to operate within the secured
processor.
[3] Industry Standard Architecture (ISA) bus. This bus is supported by most personal computers and some RS/6000 machines.
[4] PKCS standards and the MD5 hashing algorithm (see RFC 1321) are developments of RSA Data Security, Incorporated.
Optionally, an IBM 4754 Security Interface Unit and IBM Personal Security Card
can be used to authenticate the role and authorize the actions of your security
administrators to ensure proper setup and operation of the cryptographic system.
Secure Module: The actual cryptographic processing and the storage of primary
cryptographic keys occur within a secure module that is mounted on the
cryptographic adapter. The module contains the following:
• A variety of tamper-detection mechanisms, which, if tampering is detected,
  cause the cryptographic keys and access control tables within the module to be
  cleared
• A general-purpose processor and memory
• Special hardware to implement the DES algorithm
• Special hardware to implement the RSA algorithm
• Special hardware to implement the math functions required for the RSA
  algorithm to provide fast RSA operations
• An electronically protected bus to external memory and the RS-232 electronics
  for attachment of the Security Interface Unit
• Protected programming storage for additional cryptographic functions that IBM
  can develop under contract for individual customers.
A portion of the memory within the secured electronics package is used for the
storage of security relevant data items or SRDI data. The SRDI consists of the
master key used to encrypt an unlimited number of locally-used keys, the access
control values, and several other data items that you configure for an adapter. The
SRDI memory is cleared on detection of a tampering event. The adapter also has
an electrical input that you can use to connect additional tamper sensors.
The cryptographic adapter has a battery for powering the SRDI data memory when
system power is removed from the adapter. A jumper on the adapter is used to
specify whether the SRDI data will be saved or cleared if the adapter is removed
from its bus connections. You can issue a software command to override the
jumper setting and ensure that the SRDI data is cleared when the adapter is
removed from the bus even if the jumper is set to save the SRDI data.
Access Controls and Commands: Every function that the adapter can be
requested to perform is part of some command. The access control tables define
which commands can be performed and under what conditions. Many of the
commands are the basic functions that underlie the implementation of the IBM
Common Cryptographic Architecture (CCA). Other commands control the access
control system, and still others are used to control an attached Security Interface
Unit or Personal Security Card.
Using the access control system, the adapter can be set up to ensure that
split-knowledge, dual control procedures are followed to securely activate the
cryptographic processor, and to selectively enable commands in order to limit use
of sensitive commands. In combination with an attached Security Interface Unit,
you can ensure that your security personnel or authorized users have a Personal
Security Card initialized for use with the adapter to enable sensitive functions.
The access controls are based on two sets of registers within the SRDI data
memory of the adapter, the global set and the profile set. You set the values of
these registers through utilities in the software support or from your application
programs through a supplied set of callable services.
The global registers store device and application identifiers, any dates on which
time and date checking should fail, and the rules that permit a command to be
performed.
The contents of the six profile registers define which commands can be performed,
subject to the global criteria, and the priority level of the profile. There are four
profile registers that can be activated when their individual authorization password
from an application is validated. Another profile register can be loaded via a
cryptographically secured session with a Personal Security card. And lastly, there is
the profile register that is used when no other profile register is authorized.
The access control system provides you with a secure and flexible approach to
control what functions are permissible and to ensure that defined procedures will be
followed in the administration of the cryptographic facility.
Export Controlled Cryptographic Function: Feature codes 9710, 9730, and
9750 specify the cryptographic capabilities of the adapter to satisfy governmental
export/import control requirements; certain feature codes may normally be
unavailable in a specific geography. The IBM export regulation coordinator can
assist you in determining limitations that apply in each case and in applying for any
deviations to standard practice.
Feature codes 9710, 9730, and 9750 are available at time of initial order.
• Feature code 9710 is available to all customers in the USA and Canada.
  Feature code 9710 provides DES data confidentiality service and DES key
  encryption using an RSA key length up to 1024 bits.
• Feature code 9730 is generally available to financial institutions outside of the
  USA and Canada. 9730 provides DES data confidentiality service and DES
  key encryption using an RSA key length up to 512 bits.
• Feature code 9750 is generally available to all customers outside of the USA
  and Canada. 9750 provides CDMF data confidentiality service and DES key
  encryption using an RSA key length up to 512 bits.
In all cases, digital signature operations are supported with an RSA key length up
to 1024 bits.
Ordering Information
When ordering the IBM 4755 Cryptographic Adapter:
1. Select a bus type (by model, one required; see “Models” on page 2-7):
   – ISA (also usable in ISA slots of PCI bus machines), Model 023
   – Micro Channel, Model 024
2. Select a level of cryptographic function with export control considerations (one
   required):
   – FC9710 -- DES and 1024 RSA distribution of DES keys
   – FC9730 -- DES and 512 RSA distribution of DES keys
   – FC9750 -- CDMF and 512 RSA distribution of DES keys
3. Select Workstation Cryptographic Services licensed software support (one
   required):
   – FC8210 -- Workstation Cryptographic Services for OS/2, includes
     distribution media (3.5in., 1.44MB diskettes)
   – FC8211 -- Workstation Cryptographic Services for OS/2, additional license
     charge
   – FC8610 -- Workstation Cryptographic Services for AIX, includes distribution
     media (3.5in., 1.44MB diskettes)
   – FC8611 -- Workstation Cryptographic Services for AIX, additional license
     charge.
Models: The bus type, ISA or Micro Channel, and the export-controlled
cryptographic function are reflected in the model and feature code designations. See
Figure 2-2 for the models of the adapter.
Figure 2-2. IBM 4755 Cryptographic Adapter Models and Export Function Control

                           |------------- Cryptographic Function --------------|
Model and         Bus      Data              RSA Support        RSA Key Length
Feature Code      Type     Confidentiality                      for DES Key
                           Algorithm                            Distribution
----------------  -------  ----------------  -----------------  ---------------
023, FC9710       ISA      DES               PKA96 and PKA92    1024
023, FC9730       ISA      DES               PKA96 and PKA92    512
023, FC9750       ISA      CDMF              PKA96 and PKA92    512
024, FC9710       MCA      DES               PKA96 and PKA92    1024
024, FC9730       MCA      DES               PKA96 and PKA92    512
024, FC9750       MCA      CDMF              PKA96 and PKA92    512

Note: As of April 1997, only models 023 and 024 will be in new production.
“PKA96” and “PKA92” are defined on page 3-1.
Older models for reference follow.

003               ISA      DES
L03               ISA      CDMF
004               MCA      DES
L04               MCA      CDMF
005 for RS/6000   MCA      DES
L05 for RS/6000   MCA      CDMF
013               ISA      DES               PKA92              512
L13               ISA      CDMF              PKA92              512
014               MCA      DES               PKA92              512
L14               MCA      CDMF              PKA92              512

Note: Models 001, L01, 002, and L02 of the cryptographic adapter are obsolete. You can replace
these models with the more current models. If you replace an older cryptographic adapter,
remember that you must also upgrade the software support.

001               ISA      DES
L01               ISA      (none)
002               MCA      DES
L02               MCA      (none)
Workstation Cryptographic Services Licensed Software
Two variations of the licensed software are available:
• Workstation Cryptographic Services for OS/2, Release 1.0
• Workstation Cryptographic Services for AIX, Release 1.0.
The software supports the IBM 4755 Cryptographic Adapter in a personal computer
with OS/2 Warp Version 3, and the RS/6000 computers with AIX versions 4.1 and
4.2. The software also supports the use of IBM Personal Security cards and IBM
4754 Security Interface Units when the unit is directly connected to the
cryptographic adapter.
Note: The Workstation Security Services Program, release 3.30, licensed software
is also available to support the cryptographic adapter and the security interface unit
in DOS environments, and to support the security interface unit attached to the
serial port of a personal computer; see “IBM Workstation Security Services
Program Licensed Software” on page 2-16.
Overview
The Workstation Cryptographic Services licensed software offers:
• High-Security Cryptographic Implementation for OS/2 Warp (Version 3) and
  for AIX 4.1 and 4.2 via the IBM Common Cryptographic Architecture that is
  consistent with the programming interface and cryptographic services available
  with IBM's other SecureWay cryptographic products on DOS, OS/400, and
  MVS enabling common application development.
• LAN Cryptographic Server enabling applications that employ LANDP/2 and
  LANDP to share a cryptographic adapter(s).
• Encrypted SNA Communications provided through the use of the
  Communication Server/2 and Communication Manager/2 products that
  implement support for IBM SNA session level encryption.
• Administrative Controls to ensure appropriate usage and to enforce
  established procedures that are enabled through use of the supplied utilities to
  manage the hardware access controls integral to the Transaction Security
  System devices.
Intended Applications
Workstation Cryptographic Services supports the Transaction Security System
hardware products in OS/2 and AIX environments.
Description
The Workstation Cryptographic Services, release 1.0, licensed software is used
when an IBM 4755 Cryptographic Adapter is installed in a personal computer with
OS/2 Warp (Version 3) or in an IBM RS/6000 with AIX Version 4.1 or 4.2. The
software provides device drivers, utility programs, and an access method for use by
your application programs. The Workstation Cryptographic Services is licensed for
use with the IBM 4755 Cryptographic Adapter models 023 and 024. The software
package for both OS/2 and AIX workstations is supplied on 1.44-megabyte,
3.5-inch diskettes. Each package includes the IBM Transaction Security System
Workstation Cryptographic Services Installation and I/O Guide, form number
GC31-4509 with information about the software.
Note: Although certain of the utilities in Workstation Cryptographic Services for
OS/2 operate in a DOS virtual machine under OS/2, general support for
applications that operate in the DOS virtual machine is not provided with