Previous topic |
Next topic |
Contact z/OS |
The basic elements of a cryptographic system
z/OS Cryptographic Services ICSF Overview
Most practical cryptographic systems combine two elements:
ICSF supports two main types of cryptographic processes:
Secret key cryptography
Secret key cryptography uses a conventional algorithm such as the Data Encryption Standard (DES) algorithm or the Advanced Encryption Standard (AES) algorithm that are supported by ICSF. Another term for secret key cryptography is symmetric cryptography. To have intelligent cryptographic communications between two parties who are using a conventional algorithm, this criteria must be satisfied:
Figure 1 is a simplified illustration of the cryptographic components that are needed to encipher and decipher data in a secret key cryptographic system. In this system, Tom and Linda have established a secure communications channel by sharing a secret key. Tom enciphers the plaintext by using the algorithm and the secret key before sending it to Linda. When she receives the ciphertext, Linda deciphers it using the same algorithm and the same secret key. In a secret key system, it is critically important to maintain the secrecy of the shared key.
Public key cryptography
Each party in a public key cryptography system has a pair of keys. One key is public and is published, and the other key is private. Another term for public key cryptography is asymmetric cryptography because the public key and private key are not identical. The sending party looks up the receiving party's public key and uses it to encipher the data. The receiving party then uses its private key to decipher the data. In a public key system, it is critically important to maintain the secrecy of the private key.
Public key cryptography requires complex mathematical calculations. For this reason, these types of systems are not used for enciphering messages or large amounts of data. They are, however, used to encipher and decipher symmetric keys that are transported between two systems.
Public key cryptography systems are often used to generate and verify digital signatures on electronic documents. The sender uses his or her private key to generate the digital signature. The receiver then uses the sender's public key to verify the identity of the sender. On the emerging information highway, the digital signature replaces the handwritten signature as a legal proof of authenticity. Digital signatures are the principal mechanism in any system of nonrepudiation.
Figure 2 shows an example of a nonrepudiation system that uses digital signatures. Linda sends her broker Tom an electronic order to buy 100 shares of IBM stock. The electronic transmission application on Linda's system attaches Linda's digital signature to the order before sending the order to Tom. Linda's digital signature provides Tom with proof that Linda sent the order. When Tom receives the purchase order, an acknowledgment of his receipt, including his own digital signature, is returned to Linda. This receipt serves as proof that Tom received the order. Nonrepudiation is critical for the security of electronic data interchange (EDI).
Copyright IBM Corporation 1990, 2014