Cryptography concepts

This topic provides a basic understanding of cryptographic function and an overview of the cryptographic services for the systems running the IBM i operating system.

Cryptography

Cryptography is the study and implementation of processes, which manipulate data for the purpose of hiding and authenticating information.

The IBM i cryptographic services help ensure data privacy, maintain data integrity, authenticate communicating parties, and prevent repudiation when a party refutes having sent a message.

Cryptographic algorithms

A cryptographic algorithm is a mathematical procedure that is used in the transformation of data for the purpose of securing data.

Cipher algorithms
A cipher algorithm transforms understandable information (plaintext) into an unintelligible piece of data (ciphertext), and can transform that unintelligible data back into understandable information.
There are two types of cipher algorithms:
• Symmetric

With a symmetric or secret key algorithm, the key is a shared secret between two communicating parties. Encryption and decryption both use the same key. The Advanced Encryption Standard (AES) is an example of a symmetric key algorithm.

There are two types of symmetric key algorithms:
• Block cipher

In a block cipher, the cipher algorithm works on a fixed-size block of data. For example, if the block size is eight, eight bytes of plaintext are encrypted at a time. Normally, the user's interface to the encrypt/decrypt operation handles data longer than the block size by repeatedly calling the low-level cipher function.

• Stream cipher

Stream ciphers do not work on a block basis, but convert 1 bit (or 1 byte) of data at a time. Basically, a stream cipher generates a keystream based on the provided key. The generated keystream is then XORed with the plaintext data.

• Asymmetric

With an asymmetric or public key algorithm (PKA), a pair of keys is used. One of the keys, the private key, is kept secret and not shared with anyone. The other key, the public key, is not secret and can be shared with anyone. When data is encrypted by one of the keys, it can only be decrypted and recovered by using the other key. The two keys are mathematically related, but it is virtually impossible to derive the private key from the public key. The RSA algorithm is an example of a public key algorithm.

Public key algorithms are slower than symmetric key algorithms. Applications typically use public key algorithms to encrypt symmetric keys (for key distribution) and to encrypt hashes (in digital signature generation).

Together, the key and the cryptographic algorithm transform data. All of the supported algorithms are in the public domain. Therefore, it is the key that controls access to data. You must safeguard the keys to protect data.

One-way hash algorithms
A cryptographic hash algorithm produces a fixed-length output string (often called a digest) from a variable-length input string. For all practical purposes, the following statements are true of a good hash function:
• Collision resistant: If any portion of the data is modified, a different hash will be generated.
• One-way: The function is irreversible. That is, given a digest, it is not possible to find the data that produces it.
Key distribution algorithms
When encrypted data must be decrypted at another location, distributing the key in a secure manner can be a challenge. There are many methods of key distribution. Some employ a cryptographic algorithm.
• RSA: An RSA public key is used to encrypt a symmetric key which is then distributed. The corresponding private key is used to decrypt it.
• Diffie-Hellman: The communicating parties generate and exchange D-H parameters which are then used to generate PKA key pairs. The public keys are exchanged and each party is then able to compute the symmetric key independently.
Random number generation algorithms
Many security-related functions rely on random number generation. Random number generation is performed both in IBM i using Cryptographic Services and on the cryptographic coprocessors using CCA. Both use a FIPS approved pseudorandom number generator (PRNG).

On the cryptographic coprocessor, an electronic noise source provides unpredictable input to a random bit-value accumulator. Periodically the hardware outputs seed to a FIPS 140-1 approved pseudorandom number generator.

The IBM i pseudorandom number generator resides in the IBM i LIC (Licensed Internal Code). It uses a PRNG algorithm from Appendix 3 of FIPS 186-2, Digital Signature Standard (DSS).

Cryptographically strong pseudorandom numbers rely on good seed. The FIPS 186-2 algorithm is seeded from a system seed digest. The system automatically generates seed using data collected from system information or by using the random number generator function on a cryptographic coprocessor if one is available. System-generated seed can never be truly unpredictable. If a cryptographic coprocessor is not available, you should add your own random seed (via the Add Seed for Pseudorandom Number Generator API) to the system seed digest. This should be done as soon as possible any time the Licensed Internal Code is installed.

Cryptographic operations

Different cryptographic operations may use one or more algorithms. You choose the cryptographic operation and algorithm(s) depending on your purpose. For example, for the purpose of ensuring data integrity, you might want to use a MAC (message authentication code) operation with the AES algorithm.

The system provides several API sets that support cryptographic operations. See the System cryptography overview information at the bottom of this topic for more information.

Data privacy

Cryptographic operations for the purpose of data privacy (confidentiality) prevent an unauthorized person from reading a message. The following operations are included in data privacy:

Encrypt and Decrypt
The encrypt operation changes plaintext data into ciphertext through the use of a cipher algorithm and key. To restore the plaintext data, the decrypt operation must employ the same algorithm and key.
Encryption and decryption may be employed at any level of the operating system. There are three levels:
Field level encryption
With field level encryption, the user application explicitly requests cryptographic services. The user application completely controls key generation, selection, distribution, and what data to encrypt.
Session level encryption
With encryption at the session layer, the system requests cryptographic services instead of an application. The application may or may not be aware that encryption is happening.
Link level encryption is performed at the lowest level of the protocol stack, usually by specialized hardware.
The Cryptographic Coprocessors may be used for both field level encryption and Transport Layer Security (TLS) session establishment encryption. While VPN is supported in IBM i, it does not use the coprocessor. Furthermore, the system does not support SNA session level encryption at all.
Translate
The translate operation decrypts data from encryption under one key and encrypts the data under another key. This is done in one step to avoid exposing the plaintext data within the application program.

Data integrity, authenticity, and non-repudiation

Encrypted data does not mean the data can not be manipulated (for example, repeated, deleted, or even altered). To rely on data, you need to know that it comes from an authorized source and is unchanged. Additional cryptographic operations are required for these purposes.

Hash (Message Digest)
Hash operations are useful for authentication purposes. For example, you can keep a copy of a digest for the purpose of comparing it with a newly generated digest at a later date. If the digests are identical, the data has not been altered.
MAC (Message Authentication Code)
A MAC operation uses a secret key and cipher algorithm to produce a value (the MAC) which later can be used to ensure the data has not been modified. Typically, a MAC is appended to the end of a transmitted message. The receiver of the message uses the same MAC key, and algorithm as the sender to reproduce the MAC. If the receiver's MAC matches the MAC sent with the message, the data has not been altered.

The MAC operation helps authenticate messages, but does not prevent unauthorized reading because the transmitted data remains as plaintext. You must use the MAC operation and then encrypt the entire message to ensure both data privacy and integrity.

HMAC (Hash MAC)
An HMAC operation uses a cryptographic hash function and a secret shared key to produce an authentication value. It is used in the same way a MAC is used.
Sign/Verify
A sign operation produces an authentication value called a digital signature. A sign operation works as follows:
1. The data to be signed is hashed, to produce a digest.
2. The digest is encrypted using a PKA algorithm and a private key, to produce the signature.
The verify operation works as follows:
1. The signature is decrypted using the sender's PKA public key, to produce digest 1.
2. The data that was signed is hashed, to produce digest 2.
3. If the two digests are equal, the signature is valid.
Theoretically, this also verifies the sender because only the sender should posses the private key. However, how can the receiver verify that the public key actually belongs to the sender? Certificates are used to help solve this problem.

Key and random number generation

Many security-related functions rely on random number generation, for example, salting a password or generating an initialization vector. An important use of random numbers is in the generation of cryptographic key material. Key generation has been described as the most sensitive of all computer security functions. If the random numbers are not cryptographically strong, the function will be subject to attack.

Financial PINs

Personal identification number (PIN) generation and handling are also considered cryptographic operations.

A PIN is a unique number assigned to an individual by an organization. PINs are commonly assigned to customers by financial institutions. The PIN is typed in at a keypad and compared with other customer associated data to provide proof of identity.

To generate a PIN, customer validation data is encrypted by a PIN key. Other processing is done on the PIN as well, such as putting it in a particular format.

Key management

Key management is the secure handling and storage of cryptographic keys. This includes key storage and retrieval, key encryption and conversions, and key distribution.

Key storage

Key storage on the system includes the following:

• Cryptographic Services keystore

In addition, keys can also be stored on the Cryptographic Coprocessors themselves.

• Digital certificate manager certificate store
• CCA keystore (used with the Cryptographic Coprocessors)
• JCE keystore

Key Encryption and Conversions

Keys must be encrypted prior to sending or storing them outside the secured system environment. In addition, keys should be handled in encrypted form within the system as much as possible to reduce the risk of exposure. The management of encrypted keys is often done via a hierarchical key system.
• At the top is a master key (or keys). The master key is the only clear key value and must be stored in a secure fashion.
• Key-encrypting keys (KEKs) are used to encrypt other keys. Typically, a KEK is used to encrypt a stored key, or a key that is sent to another system. KEKs are normally encrypted under a master key.
• Data keys are keys used directly on user data (such as to encrypt or MAC). A data key may be encrypted under a KEK or under a master key.
Various uses of a key will require the key to be in different forms. For example, keys received from other sources will normally be converted to an internal format. Likewise, keys sent out of the system are converted to a standard external format before sending. Certain key forms are standard, such as an ASN.1 BER-encoded form, and others are peculiar to a cryptographic service provider, such as the Cryptographic Coprocessors.

Key Distribution

Typically, data encryption is performed using symmetric key algorithms. The symmetric keys are distributed using asymmetric key algorithms as described above. Keys are made ready to send by using an Export operation. Keys are received into the system using an Import operation.

System cryptography overview

Cryptographic Service Providers
A cryptographic service provider (CSP) is the software or hardware that implements a set of cryptographic operations. The system supports several CSPs:
• 4769 Cryptographic Coprocessor
• 4767 Cryptographic Coprocessor (no longer available, but still supported)
• IBM i LIC
• Java™ Cryptography Extensions
Cryptographic API sets
User applications can utilize cryptographic services indirectly via IBM i functions such as TLS, VPN IPSec, and LDAP. User applications can also access cryptographic services directly using the following APIs:
• CCA

The Common Cryptographic Architecture (CCA) API set is provided for running cryptographic operations on a Cryptographic Coprocessor.

• IBM i Cryptographic Services

The IBM i Cryptographic Services API set is provided for running cryptographic operations within the Licensed Internal Code.

• Java Cryptography

Java Cryptography Extension (JCE) is a standard extension to the Java Software Development Kit.

• Network Authentication Service

GSS (Generic Security Services), Java GSS, and Kerberos APIs are part of the Network Authentication Service which provides authentication and security services. These services include session level encryption capability.

• IBM i TLS and JSSE

IBM i TLS and JSSE support the Transport Layer Security Protocol. APIs provide session level encryption capability.

• SQL

Structured Query Language is used to access or modify information in a database. SQL supports encryption/decryption of database fields.

This table indicates what CSPs are used under each user interface.
Table 1. CSPs used under each user interface
CSP APIs IBM i LIC JCE 4769, 4767
CCA     X
IBM i Cryptographic Services X
Java Cryptography   X X
Network Authentication Service X X
IBM i TLS and JSSE X X X
SQL X