
Standing Guard

IBM mainframe encryption solutions offer proven security technology.

Illustration by Michael Klein


A recurring nightmare for CIOs today is the threat of being the next business making headlines with a security breach. This business pressure has many IT teams assessing their data-security processes. One technology comes up often in these assessments: encryption. Once data is encrypted - and the business is sure the data can only be decrypted by the authorized parties - a sigh of relief may be heard from the CIO's office.

With a large percentage of corporate data residing on, or originating from, mainframes, it should be a compelling place to start assessing encryption opportunities. Fortunately, businesses with an IBM* mainframe are well positioned to apply encryption to their datacenter processes, including for applications operating over the Internet, VPNs, tape encryption or encryption within a database. The mainframe has the core encryption and key-management technologies to enable these encryption processes today.

Leading Edge Encryption: A History

Mainframe encryption technologies were built over the past few decades as IBM responded to the security demands of the world's largest banks and financial institutions. The demands of those leading-edge customers eventually became general IT requirements.

The first major demands for mainframe encryption came later, in the 1980s, with the requirement for ATM and point-of-sale PIN processing. The PIN was encrypted in the ATM, and decryption occurred at the mainframe host - where the PIN would be authenticated.

Another early encryption requirement was to handle high-value financial transactions, such as the U.S. Federal Reserve's FedWire. To address this requirement, the IBM mainframe provided an encrypted networking session in a point-to-point connection (a Virtual Telecommunications Access Method, or VTAM*, session level). Encrypted file support was also available with a feature called AMS-repro (veteran mainframe readers may be exclaiming, "I remember that!"). For this growing set of finance applications, the compelling business requirement was protecting the encryption keys from disclosure, modification and misuse. The IT solution was designed so the keys would never be "in the clear" - not even in the mainframe's memory. Initially, this capability was provided in a channel-attached device - the IBM 3848 - where the decrypted keys never appeared outside of that box.

In 1991, IBM integrated this hardware component into the IBM S/370* mainframe, and over the years the technology continued to improve with support for the Advanced Encryption Standard (AES) with 128-bit keys, Secure Hash Algorithm-256 (SHA-256) and Pseudo Random Number Generation (PRNG). Today's System z* mainframes have the optional Crypto Express2 feature, which provides tamper-resistant hardware that supports secure-key applications. In fact, it supports a mixture of both secure-key and clear-key applications, based on configuration options. Crypto Express2 also offers card-verification value (CVV) generation and verification services for 19-digit personal-account numbers (PANs), providing advanced anti-fraud security.

In 1997, IBM's PCI Cryptographic Coprocessor (PCICC) and S/390* Cryptographic Coprocessor Facility (CCF) were certified at Federal Information Processing Standard (FIPS) 140-1 Level 4, the highest certification for commercial security awarded by the U.S. and Canadian governments. This certification means that the PCICC and CCF satisfied the requirements for a cryptographic module used to protect Sensitive Information (United States) or Protected Information (Canada) within computer and telecommunications systems. To achieve this certification level, an independent laboratory attempts a variety of physical attacks on the product and must verify the security of its internal software using mechanical verification. Since then, follow-on generations of cryptographic-coprocessor features have received this certification for secure-key processing. Today's Crypto Express2 on the System z Enterprise Class (EC) and Business Class (BC) systems has obtained certification at FIPS 140-2 Level 4.

But with all of these advancements, the applications that ran on the early 3848 can still run on today's System z servers (and many do). This is an example of the mainframe's continuing commitment to application-investment protection.

The early use of mainframe encryption required extensive specialized programming and, as the requirements for encryption increased, a more flexible model was needed. A middleware component, Integrated Cryptographic Service Facility (ICSF), was introduced in 1991 for the MVS* (now z/OS*) OS, which provided a programming interface to the encryption hardware. This allowed customers, solution vendors and other IBM middleware users to make encryption requests to the IBM hardware. ICSF provides many encryption capabilities. It frees the application from having to determine what hardware encryption facilities are available. As users move from one server generation to the next, the applications are still supported. ICSF provides load-balancing and intelligent routing capabilities on the available encryption hardware.

"While low-volume traffic could be protected with software-based encryption, the demand for fast hardware-accelerated encryption gave us a great opportunity to deliver mainframe leadership." -Walter Von Dehsen, IBM System z cryptography technology team leader

Mary E. Moore is the IBM System z security initiative leader. She can be reached at marymoor@us.ibm.com
