IBM Global Security Kit, Version 7 - PKCS#11 Device Integration

GSKit Development Team, Software Group, IBM

The GSKit Development Team designs, develops, and maintains IBM's cryptographic toolkit, GSKit. GSKit is a common component used in many IBM software products.

Summary: This article describes the hardware cryptographic devices that support the PKCS#11 standard and have been tested for use with IBM® Global Security Toolkit (GSKit), Version 7.

Tag this!

Date: 01 May 2009 (Published 09 Jul 2007)
Level: Introductory
Also available in: Korean Portuguese

Activity: 2254 views
Comments:

Introduction

Version 7 of the IBM Global Security Toolkit (GSKit) component can integrate with and exploit hardware cryptographic devices that support the PKCS#11 industry standard.

Hardware PKCS#11 devices offer a variety of features across operating system platforms. Please refer to the PKCS#11 device vendor for specific details of their offering. Some of the most common features include:

More secure key storage and protected usage (some with tamper detection).
Offloading of CPU intensive operations to device hardware. For example, most devices support asymmetric key operations.
Some devices are capable of load sharing when more than one of them is installed.

GSKit's use of PKCS#11 is limited to those functions (where available) required for secure communication via SSL:

Asymmetric key generation and secure storage
Certificate storage
Asymmetric key operations (Sign & Verify, and Decryption during SSL key-exchange)
Random number generation
Hash functions (i.e. digest calculation)
Symmetric key operations

Trust Anchor Certificates (Root Certificates) should only be stored on the device where the device offers Certificate modification/replacement protection via the setting of the PKCS#11 CKA_TRUSTED attribute. The support and setting of this attribute is vendor-specific. If in doubt, do not use the PKCS#11 device for Trust Anchor Certificate storage but rather use a GSKit key store.

The GSKit component team performs interoperability testing on specific hardware, firmware, and driver levels for each device. IBM product teams typically test on a subset of these devices. If an integration problem is found, the IBM product team, IBM GSKit component team, and the PKCS#11 device vendor will work together on defect resolution. All IBM product defects should be reported through the standard IBM product support channels.

Operating system platforms

This article does not cover z/OS® or OS/400® variants of GSKit. In general, the list of platforms an IBM product integrates with a PKCS#11 device is the intersection of the IBM product's supported platforms and the PKCS#11 device's supported platforms. Known exceptions are noted below in the section “Card observations” or in IBM product documentation.

Hardware cryptographic devices tested with GSKit, Version 7

Refer issues regarding installation and configuration of these cards and software to the device vendor.

nCipher
- nCipher netHSM (500, 1600 and 2000)
- nCipher nForce (300 and 1600)
- nCipher nShield (800, F2 and F3)
SafeNet
- Orange (CSA8000)
Sun
- The on-chip cryptography within the Sun Ultra-SPARC T1 CMT processor (Solaris 10 on Sparc)
IBM
- IBM 4758 PCI Cryptographic Coprocessor (4758-002/023)
- IBM 4764 PCI Cryptographic Coprocessor (4764-001)
- IBM e-business Cryptographic Accelerator (4960, PCICA)
- IBM PCICC (feature 860 for S/390®, feature 861 for zSeries®)
- IBM PCICA (feature 862 for zSeries)
- IBM PCIXCC (feature 868 for zSeries)
- IBM Crypto Express2 (CEX2) (feature 863 for zSeries)
- IBM CP Assist for Cryptographic Function - CPACF (feature 3863 for zSeries)

Observations on specific cards

nCipher nForce, nShield, and; netHSM

Set the environment variable CKNFAST_OVERRIDE_SECURITY_ASSURANCES to weak-des;tokenkeys;silent. This setting is required when using an nCipher device for symmetric key operations when enabled with GSKit. In this mode of operation, GSKit directly creates the SSL Session Key as a PKCS#11 Session Object during the SSL handshake. Despite the security override being required, no security issue is caused as the SSL Session Key is created by GSKit as part of the SSL handshake. nCipher devices do not provide Symmetric Key acceleration and as such, GSKit should not be enabled for the mode of operation when using nCipher devices.
CipherTools, Version 10.15 or higher is required
Mechanisms available to GSKit in the nCipher "Security World" differ with the FIPS Level choice. For example, in strict FIPS 140-2 Level 3, MD5 is not available and is therefore performed by GSKit software when required for TLS FIPS approved CipherSuites.
Linux® support is restricted to libc 6.2 and up, and Linux kernels 2.4.0 and higher.

IBM PCICA and PCICC

GSKit, Version 7 is restricted to Linux on zSeries. Please refer to System SSL documentation for z/OS crypto device information.
These devices require Linux for zSeries crypto driver - z90crypt 1.1.2.

IBM CEX2

GSKit, Version 7 is restricted to Linux on zSeries. Please refer to SystemSSL documentation for z/OS crypto device information.
There are 2 modes for this device:
- CEX2C mode - requires Linux for zSeries crypto driver - z90crypt 1.3.2
- CEX2A mode - requires Linux for zSeries crypto driver - z90crypt 1.3.3

IBM PCICA and PCICC

GSKit, Version 7 is restricted to Linux on zSeries. Please refer to System SSL documentation for z/OS crypto device information.
There are machine instructions included on z890, z990 and z9 processors. Feature code 3863 enables them.
On z990, this feature accelerates the following symmetric and hashing cryptographic algorithms: DES, DES3 and SHA-1
• In addition, this feature accelerates AES128 on z9 machines.

About the author

The GSKit Development Team designs, develops, and maintains IBM's cryptographic toolkit, GSKit. GSKit is a common component used in many IBM software products.

Comments

Trademarks | My developerWorks terms and conditions

Close [x]

Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Close [x]

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/

SITE_ID=1

Zone=Tivoli, WebSphere

ArticleID=238979

ArticleTitle=IBM Global Security Kit, Version 7 - PKCS#11 Device Integration

publish-date=05012009

author1-email=mjthomas@au1.ibm.com

author1-email-cc=

Introduction
Operating system platforms
Hardware cryptographic devices tested with GSKit, Version 7
Observations on specific cards
About the author
Comments

Next steps from IBM

WebSphere Portal can help your small and midsize business achieve better website security, along with faster time to value with easily deployable and customizable example Web sites.