ICSF supports several symmetric cryptography algorithms: The Data Encryption Algorithm, the Advanced Encryption Standard, and the Commercial Data Masking Facility.

The Data Encryption Algorithm and the Data Encryption Standard

For commercial business applications, the cryptographic process that is known as the Data Encryption Algorithm (DEA)¹ has been widely adopted. The Data Encryption Standard (DES), as well as other documents, defines how to use the DES algorithm to encipher data. The Data Encryption Standard is the basis for many other processes for concealing data, such as protection of passwords and personal identification numbers (PINs). DES uses a key to vary the way that the algorithm processes the data. DES data-encrypting keys can be single-, double-, or triple-length. A single-length DES key is a 56-bit piece of data that is normally retained in 8 bytes of data. Each eighth bit of the key data is designated as a parity bit. A symmetric cryptographic system uses the same key both to transform the original data (plaintext) to its disguised, enciphered form (ciphertext) and to return it to its plaintext form.

The DES algorithm, which has been proven to be efficient and strong, is widely known. For this reason, data security is dependent on maintaining the secrecy of the cryptographic keys. Because the DES algorithm is common knowledge, you must keep the key secret to ensure that the data remains secret. Otherwise, someone who has the key that you used to encipher the data would be able to decipher the data. Key management refers to the procedures that are used to keep keys secret.

When you want someone to be able to confirm the integrity of your data, you can use the DES algorithm to compute a message authentication code (MAC). When used in this way, the DES algorithm is a powerful tool. It is almost impossible to meaningfully change the data and still have it produce the same MAC for a given key. The standardized approaches authenticate data such as financial transactions, passwords, and computer programs.

The originator of the data sends the computed MAC with the data. To authenticate the data, the receiver uses the DES algorithm to recompute the MAC. The receiver's application then compares this result with the MAC that was sent with the data. Someone could, of course, change both the data and the MAC. Therefore, the key that is used to compute the MAC must be kept a secret between the MAC's originator and the MAC's authenticator.

An alternative approach to data-integrity checking uses a standard key value and multiple iterations of the DES algorithm to generate a modification detection code (MDC). In this approach to data-integrity checking, the MDC must be received from a trusted source. The person who wants to authenticate the data recomputes the MDC and compares the result with the MDC that was sent with the data.

Advanced Encryption Standard

ICSF supports the Advanced Encryption Standard algorithm for data privacy. This provides strong encryption. Key lengths of 128-bits, 192-bits and 256-bits are supported. Secure key AES is available if running on an IBM System z9 EC, z9 BC, z10 EC, or z10 BC with the Nov. 2008 or later licensed internal code (LIC).

The Commercial Data Masking Facility

The Commercial Data Masking Facility (CDMF) defines a scrambling technique for data confidentiality. CDMF is a substitute for DES for those customers who have been previously prohibited from receiving IBM products that support DES data confidentiality services.

Restriction: CDMF is only supported on the IBM zSeries 900.

The CDMF data confidentiality algorithm is a cryptographic system that provides data masking and unmasking. The algorithm includes both a key-shortening process and a standard DES encryption and decryption process. The first process shortens the key to an effective length of 40 bits prior to its use in the data masking process. CDMF uses the DES algortihm with the shortened key to ensure confidence in the CDMF algorithm.