z/OS Version 2 Release 3 Cryptographic Services Integrated Cryptographic Service Facility Overview IBM SC14-7505-08 Note Before using this information and the product it supports, read the information in “Notices” on page 81. This edition applies to ICSF FMID HCR77D0 and Version 2 Release 3 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2020-05-25 © Copyright International Business Machines Corporation 1996, 2020. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Figures................................................................................................................ vii Tables.................................................................................................................. ix About this information.......................................................................................... xi ICSF features...............................................................................................................................................xi Who should use this information................................................................................................................ xi How to use this information........................................................................................................................ xi Where to find more information.................................................................................................................xii The ICSF library.....................................................................................................................................xii Related publications............................................................................................................................ xiii Information on other IBM cryptographic products.............................................................................xiii IBM Crypto Education.......................................................................................................................... xiii How to send your comments to IBM......................................................................xv If you have a technical problem.................................................................................................................xv Summary of changes..........................................................................................xvii Changes made in Cryptographic Support for z/OS V2R2 - z/OS V2R3 (FMID HCR77D0)...................... xvii Changes made in Cryptographic Support for z/OS V2R1 - z/OS V2R3 (FMID HCR77C1)...................... xvii Changes made in Cryptographic Support for z/OS V2R1 - z/OS V2R2 (FMID HCR77C0)..................... xviii Changes made in Cryptographic Support for z/OS V1R13 - z/OS V2R2 (FMID HCR77B1).....................xix Chapter 1. Introducing cryptography and ICSF.......................................................1 What is cryptography?................................................................................................................................. 1 The basic elements of a cryptographic system..................................................................................... 1 How does ICSF support cryptography?.......................................................................................................3 How does ICSF extend the uses of cryptography?..................................................................................... 4 Key generation and distribution.............................................................................................................4 Personal Identification Numbers (PINs)................................................................................................5 Message Authentication Codes (MACs).................................................................................................5 Hashing algorithms.................................................................................................................................5 Digital signatures....................................................................................................................................5 Payment card verification values........................................................................................................... 6 Translation of data and PINs in networks............................................................................................. 6 SET Secure Electronic Transaction ....................................................................................................... 6 Secure Sockets Layer (SSL)....................................................................................................................7 EMV integrated circuit card specifications............................................................................................ 7 ATM remote key loading.........................................................................................................................8 Public Key Cryptography Standard #11 (PKCS #11)............................................................................ 8 DK AES PIN support............................................................................................................................... 8 Chapter 2. Solving your business needs with ICSF..................................................9 Keeping your data private............................................................................................................................9 Transporting data securely across a network............................................................................................. 9 Supporting the Internet Secure Sockets Layer protocol.....................................................................11 Transacting commerce on the Internet.................................................................................................... 11 Exchanging keys safely between networks.............................................................................................. 11 Exchanging symmetric keys using callable services...........................................................................11 iii Exchanging DES or AES data-encrypting keys using an RSA key scheme..........................................12 Creating DES or AES Keys using an ECC Diffie-Hellman key scheme.................................................13 Exchanging keys and their attributes with non-CCA systems............................................................ 13 Managing master keys using a Trusted Key Entry workstation................................................................13 Integrity and Privacy............................................................................................................................ 13 Using Personal Identification Numbers (PINs) for personal authentication........................................... 14 Verifying data integrity and authenticity................................................................................................... 14 Using Message Authentication Codes................................................................................................. 15 Generating and verifying digital signatures......................................................................................... 15 Using modification detection codes and message hashing................................................................ 15 Verifying payment card data................................................................................................................ 16 Maintaining continuous operations...........................................................................................................16 Dynamic service update............................................................................................................................ 17 Reducing costs by improving productivity................................................................................................ 17 Improving cryptographic performance..................................................................................................... 17 Using RMF and SMF to monitor z/OS ICSF events.............................................................................. 17 Improving performance in a CICS environment..................................................................................18 Customizing ICSF to meet your installation's needs................................................................................ 18 Using ICSF exits to meet special needs.............................................................................................. 18 Creating installation-defined callable services................................................................................... 19 Using options to tailor ICSF................................................................................................................. 19 Isolating and protecting PR/SM partitions................................................................................................19 Enabling growth......................................................................................................................................... 20 Protecting your investment......................................................................................................................