Cutting-Edge Cryptography

The latest cryptographic solutions from Linux on the System z platform



In addition to the aforementioned user-space APIs, kernel cryptography APIs were added to Linux as part of the 2.6 kernel to provide similar cryptography functions to features or applications running in the kernel space. On Linux for the System z platform these kernel APIs were extended to make use of the integrated crypto CP assist instructions that are now part of System z990 and 890 and System z9 EC and BC. A cryptographic file system, such as eCryptfs, and dm_crypt (pictured by the green box in Figure 1) are examples of kernel functions that were ported to Linux on System z. Each of these ports was completed with no modifications needed to utilize cryptography on the System z platform. They seamlessly took advantage of the copy (CP) assist instructions via the built-in kernel crypto APIs.
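Whether a given kernel algorithm is actually being serviced by the CP assist instructions, or has fallen back to the generic software implementation, is visible in /proc/crypto: the kernel registers several drivers under one algorithm name and resolves a request to the highest-priority one. The following script is an added example, not code from the article or from IBM; it parses text in the /proc/crypto record layout and reports which algorithms resolve to an s390 hardware driver. The sample records embedded below are constructed for the demonstration (the "-s390" driver suffix is the naming the kernel's s390 crypto modules use, but the priority values shown are illustrative), and the hypothetical read_proc_crypto() helper is what you would call on a real system.

```python
"""Report which kernel crypto algorithms resolve to s390 hardware drivers.

Added example (not from the article). /proc/crypto is a sequence of
blank-line-separated records of "key : value" lines; the kernel serves a
request for an algorithm name with the registered driver of highest
priority, so checking the winning driver tells you whether the CP assist
instructions are in use or a software fallback is.
"""

HW_SUFFIX = "-s390"   # suffix used by the in-kernel s390 hardware drivers

# Constructed sample in /proc/crypto layout (values are illustrative).
SAMPLE_PROC_CRYPTO = """\
name         : aes
driver       : aes-s390
module       : aes_s390
priority     : 300
type         : cipher

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
type         : cipher

name         : sha256
driver       : sha256-s390
module       : sha256_s390
priority     : 300
type         : shash

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 100
type         : shash
"""


def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def preferred_drivers(records):
    """Map algorithm name -> (driver, priority) of the highest-priority driver."""
    best = {}
    for rec in records:
        name = rec.get("name")
        if not name:
            continue
        prio = int(rec.get("priority", "0"))
        if name not in best or prio > best[name][1]:
            best[name] = (rec.get("driver", ""), prio)
    return best


def hardware_backed(records):
    """Map algorithm name -> True if the winning driver is an s390 hardware driver."""
    return {name: drv.endswith(HW_SUFFIX)
            for name, (drv, _) in preferred_drivers(records).items()}


def read_proc_crypto(path="/proc/crypto"):
    """Hypothetical helper: read the live table on a running Linux system."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    table = hardware_backed(parse_proc_crypto(SAMPLE_PROC_CRYPTO))
    for alg, hw in sorted(table.items()):
        print(f"{alg:8s} {'CP assist hardware' if hw else 'software fallback'}")
```

On a system where a hardware module is not loaded, the same algorithm name still resolves, just to the generic driver, so dm_crypt or eCryptfs keep working silently without acceleration; this check is how you notice that.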

The pink boxes on the diagram's left side show the diversity of the applications that utilize hardware cryptography acceleration on Linux for the System z platform. To date, the highest exploitation of SSL acceleration comes from Apache*, but as more applications exploit the hardware and, as described above, more algorithms are implemented in it, this is beginning to shift. Technologies such as WebSphere* Application Server (WAS) with Java applications and IBM HTTP Server (IHS) now support the cryptographic hardware infrastructure on Linux for the System z platform, driving diverse workloads.

Random-number generation (RNG) and pseudo-random-number generation (PRNG) play an important role in many cryptographic solutions. The quality and availability of a steady stream of random numbers can adversely affect the security or acceleration benefits, respectively, realized in an end-to-end encryption solution. The PRNG CP assist instruction is being integrated into the Linux for System z kernel and will be accessible via /dev/prandom. This new device can be used to back /dev/random or /dev/urandom, as appropriate, based on an installation's security policy. Implementing the new device will provide installations the necessary flexibility to take advantage of hardware PRNG support from existing applications without the need to recode or recompile their critical applications.
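Before an installation backs /dev/random or /dev/urandom with a new device, it should sample that device and run at least the basic statistical tests on the output. The script below is an added example, not from the article or from IBM: it implements the frequency (monobit) and runs tests from NIST SP 800-22 over a byte stream and applies them to constructed inputs, including one (a repeated 0xAA byte) that is perfectly balanced and so passes the monobit test yet fails the runs test, which is why a single test is never enough. The sample_device() helper and its default path are assumptions for reading a real device.

```python
"""Sanity-check an RNG output stream with two NIST SP 800-22 tests.

Added example (not from the article). Both tests return a p-value; a
stream is rejected when p falls below the significance level alpha.
These are first-gate checks for a broken or stuck source, not a proof
of cryptographic quality.
"""
import math
import random


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit_p_value(data):
    """Frequency test: is the number of ones close to the number of zeros?"""
    n = len(data) * 8
    ones = sum(_bits(data))
    s_obs = abs(2 * ones - n) / math.sqrt(n)   # |sum of +1/-1| / sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(data):
    """Runs test: does the stream alternate between 0 and 1 at a plausible rate?"""
    bits = list(_bits(data))
    n = len(bits)
    pi = sum(bits) / n
    # NIST prerequisite: the runs test is meaningless if the frequency
    # test already fails badly; report a failing p-value in that case.
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    numerator = abs(runs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def assess(data, alpha=0.01):
    """Run both tests and report the p-values and an overall verdict."""
    p_values = {"monobit": monobit_p_value(data), "runs": runs_p_value(data)}
    return {"p_values": p_values,
            "passes": all(p >= alpha for p in p_values.values())}


def sample_device(path="/dev/urandom", nbytes=4096):
    """Hypothetical helper: read nbytes from a character device such as /dev/prandom."""
    with open(path, "rb") as dev:
        return dev.read(nbytes)


# Constructed inputs for the demonstration.
STUCK = bytes(4096)                  # a stuck source: all zero bits
BALANCED = bytes([0xAA]) * 4096      # 10101010...: balanced but perfectly periodic
SEEDED = bytes(random.Random(2024).getrandbits(8) for _ in range(4096))  # non-crypto PRNG

if __name__ == "__main__":
    for label, stream in (("stuck", STUCK), ("0xAA repeated", BALANCED), ("seeded PRNG", SEEDED)):
        verdict = assess(stream)
        print(f"{label:14s} monobit p={verdict['p_values']['monobit']:.3f} "
              f"runs p={verdict['p_values']['runs']:.3f} pass={verdict['passes']}")
```

A stuck source fails the monobit test outright; the 0xAA stream scores a monobit p-value of exactly 1.0 and is then rejected by the runs test because it changes value at every bit. Passing both says only that the sample is not obviously broken; the security argument for a device rests on its design and key-handling, which no statistical test can confirm.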

Safe and Secure on the System z Platform

The latest extension to the cryptography support for Linux on the System z platform is the capability to use the secure-key functions that are part of the cryptography hardware. These new functions will be available starting with System z9 EC and BC with the Crypto Express2 card configured as a coprocessor. This support targets distributed applications that can be consolidated on the System z platform, providing an alternative to off-platform cryptographic solutions that can't offer the end-to-end security or consolidation benefits of a System z solution.

The core of the secure-key solution on Linux for the System z platform is a combination of the Crypto Express2 Coprocessor, the device driver and the Common Cryptographic Architecture (CCA) libraries. The cryptography card is represented by the yellow box shown in Figure 2, while the purple box represents the device driver. The base software library needed to access the secure cryptography functionality in the hardware is CCA, pictured in one of the blue boxes in Figure 2. This new CCA support is similar to the support already available on the System i* platform, Linux for the System x* platform and AIX*. The CCA library will provide full support for the secure-key cryptographic functions. Early customer requirements indicated the need to extend the CCA support to include PKCS#11 and Java/JCE APIs for secure key as well. In response to these requirements, limited support has been developed for PKCS#11 and Java/JCE, pictured in the blue boxes of Figure 2, to enable key generation, data encryption and data decryption for the DES, TDES and RSA algorithms. Client applications, pictured by the pink box, can then have access to these secure-key functions.

The availability of secure-key solutions brings with it the requirement for card and key management. It's necessary to configure master keys for both symmetric and asymmetric functions in the hardware. This can be done via the Trusted Key Entry (TKE) utility, a new Linux CCA utility, or by configuring the hardware via z/OS* and then re-assigning the configured crypto card to the Linux image. Any of these solutions will produce the same result and gives clients the flexibility to choose the one that best fits their existing key-management security policies. In addition to key management for master keys, it's necessary to consider the key store that will be required by the application or solution. Again, Linux for the System z platform offers the flexibility to store keys securely using solutions that meet the enterprise's existing security policies. The secure-key solution supports CCA, PKCS#11 or Java JCE as viable key stores.

The introduction of the secure-key support has brought an opportunity to redesign and rename the device driver needed to access the cryptographic PCI card. The device driver previously known as /dev/z90crypt is now known as /dev/zcrypt.


Peter Spera is a senior software engineer with IBM.  Peter can be reached at spera@us.ibm.com.
