Using the Symmetric Key Export (CSNDSYX, CSNFSYX, or CSNDSXD) callable service, an application can transfer a symmetric (AES or DES) key from encryption under a master key to encryption under an application-supplied RSA public key. This callable service is used because a secure key (which is encrypted under a master key in the ICSF environment) might need to be shared with a partner, and to transfer it to that partner securely, it will need to be encrypted under an RSA key provided by the partner. The partner will then be able to decrypt it using a corresponding private key.
The export operation performed by the Symmetric Key Export callable service does not fit into a traditional access control hierarchy. Due to the nature of the export operation, you might want to restrict users from accessing a symmetric key for the purpose of exporting it, while still allowing users to access the key for other purposes. By enabling the Symmetric Key Label Export control for AES or DES keys, and creating profiles in the XCSFKEY resource class, you can increase the level of access authority needed to export AES or DES keys without increasing the level of authority needed to access the keys for other operations.
By default, the CSFKEYS class determines access authority to cryptographic keys passed to callable services (including the Symmetric Key Export and Symmetric Key Export with Data services). When the Symmetric Key Label Export control for AES or DES keys is not enabled and the Symmetric Key Export or Symmetric Key Export with Data service is called, a user needs only READ authority for the key (as specified in a CSFKEYS class profile). If, however, the Symmetric Key Label Export control for AES or DES keys is enabled and the Symmetric Key Export or Symmetric Key Export with Data callable service is called, then a user needs UPDATE authority for the key (as specified in an XCSFKEY class profile). The Symmetric Key Label Export controls affect only the Symmetric Key Export and Symmetric Key Export with Data services; for all other callable services, access to cryptographic keys is checked against profiles in the CSFKEYS class. Furthermore, the Symmetric Key Label Export controls affect access only to the symmetric key the application is attempting to export and do not affect access to the RSA key that is being used to re-encrypt the symmetric key. Access authority to the AES or DES key will be checked against XCSFKEY class profiles, while access to the RSA key will still be checked against CSFKEYS class profiles.
The following table shows the controls for enabling Symmetric Key Label Export for AES or DES keys. To enable the controls, create the appropriate profile in the XFACILIT class. There are separate Symmetric Key Label Export controls for AES and DES keys so you can require UPDATE authority (which will be checked against XCSFKEY profiles) for export of one type of key, while still requiring only READ authority (which will still be checked against CSFKEY profiles) for export of the other type of key. There are no Symmetric Key Label Export controls that enable the policy in a warning mode. However, you can use the WARNING operand on XCSFKEY profiles to achieve the same results.
The existence of this resource profile in the XFACILIT class: | Does this: |
---|---|
CSF.XCSFKEY.ENABLE.AES | Enables Symmetric Key Label Export for AES keys. Specifies that profiles in the XCSFKEY class should determine access to an AES key when an application is attempting to export it using the Symmetric Key Export (CSNDSYX, CSNFSYX, or CSNDSXD) callable service. |
CSF.XCSFKEY.ENABLE.DES | Enables Symmetric Key Label Export for DES keys. Specifies that profiles in the XCSFKEY class should determine access to a DES key when an application is attempting to export it using the Symmetric Key Export (CSNDSYX, CSNFSYX, or CSNDSXD) callable service. |
RDEFINE XCSFKEY AES* UACC(NONE) WARNING
RDEFINE XCSFKEY DES* UACC(NONE) WARNING
The XCSFKEY class
will need to be activated and placed in common storage:SETROPTS CLASSACT(XCSFKEY)
SETROPTS RACLIST(XCSFKEY)
RDEFINE XFACILIT CSF.XCSFKEY.ENABLE.AES
RDEFINE XFACILIT CSF.XCSFKEY.ENABLE.DES
PERMIT AES* CLASS(XCSFKEY) ID(BOBADMIN) ACCESS(UPDATE)
PERMIT DES* CLASS(XCSFKEY) ID(BOBADMIN) ACCESS(UPDATE)
RDEFINE XCSFKEY DES.BURDA.MEDINC UACC(NONE)
PERMIT DES.BURDA.MEDINC CLASS(XCSFKEY) ID(GWEN) ACCESS(UPDATE)
The
XCSFKEY class will need to be refreshed in common storage:SETROPTS RACLIST(XCSFKEY) REFRESH
RALTER XCSFKEY AES* UACC(NONE) NOWARNING
RALTER XCSFKEY DES* UACC(NONE) NOWARNING
The XCSFKEY class
will need to be refreshed in common storage:SETROPTS RACLIST(XCSFKEY) REFRESH