z/OS Cryptographic Services ICSF Overview
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF

The basic elements of a cryptographic system

z/OS Cryptographic Services ICSF Overview
SA22-7519-16

Most practical cryptographic systems combine two elements:

• A process or algorithm which is a set of rules that specify the mathematical steps needed to encipher or decipher data.
• A cryptographic key (a string of numbers or characters), or keys. The algorithm uses the key to select one relationship between plaintext and ciphertext out of the many possible relationships the algorithm provides. The selected relationship determines the composition of the algorithm's result.

ICSF supports two main types of cryptographic processes:

• Symmetric, or secret key, algorithms, in which the same key value is used in both the encryption and decryption calculations.
• Asymmetric, or public key, algorithms, in which a different key is used in the decryption calculation than was used in the encryption calculation.

#### Secret key cryptography

Secret key cryptography uses a conventional algorithm such as the Data Encryption Standard (DES) algorithm or the Advanced Encryption Standard (AES) algorithm that are supported by ICSF. Another term for secret key cryptography is symmetric cryptography. To have intelligent cryptographic communications between two parties who are using a conventional algorithm, this criteria must be satisfied:

• Both parties must use the same cryptographic algorithm.
• The cryptographic key that the sending party uses to encipher the data must be available to the receiving party to decipher the data.

Figure 1 is a simplified illustration of the cryptographic components that are needed to encipher and decipher data in a secret key cryptographic system. In this system, Tom and Linda have established a secure communications channel by sharing a secret key. Tom enciphers the plaintext by using the algorithm and the secret key before sending it to Linda. When she receives the ciphertext, Linda deciphers it using the same algorithm and the same secret key. In a secret key system, it is critically important to maintain the secrecy of the shared key.

#### Public key cryptography

Each party in a public key cryptography system has a pair of keys. One key is public and is published, and the other key is private. Another term for public key cryptography is asymmetric cryptography because the public key and private key are not identical. The sending party looks up the receiving party's public key and uses it to encipher the data. The receiving party then uses its private key to decipher the data. In a public key system, it is critically important to maintain the secrecy of the private key.

Public key cryptography requires complex mathematical calculations. For this reason, these types of systems are not used for enciphering messages or large amounts of data. They are, however, used to encipher and decipher symmetric keys that are transported between two systems.

Public key cryptography systems are often used to generate and verify digital signatures on electronic documents. The sender uses his or her private key to generate the digital signature. The receiver then uses the sender's public key to verify the identity of the sender. On the emerging information highway, the digital signature replaces the handwritten signature as a legal proof of authenticity. Digital signatures are the principal mechanism in any system of nonrepudiation.

Figure 2 shows an example of a nonrepudiation system that uses digital signatures. Linda sends her broker Tom an electronic order to buy 100 shares of IBM stock. The electronic transmission application on Linda's system attaches Linda's digital signature to the order before sending the order to Tom. Linda's digital signature provides Tom with proof that Linda sent the order. When Tom receives the purchase order, an acknowledgment of his receipt, including his own digital signature, is returned to Linda. This receipt serves as proof that Tom received the order. Nonrepudiation is critical for the security of electronic data interchange (EDI).