Coding a simple mainframe cryptography program

Integrated Cryptographic Service Facility
The Integrated Cryptographic Service Facility (ICSF) provides the application programming interfaces (APIs) to System z cryptographic facilities. A quick glance at the Application Programmer's Guide (APG) table of contents reveals calls that can do everything from creating an export key to generating random numbers. Resource Access Control Facility (RACF) globally controls access to ICSF APIs through the CSFSERV resource class. Likewise, each call has its own profile within that class.

Diving deeper into the APG, you will find encryption/decryption services named encipher/decipher, which are called via the CSNBENC and CSNBDEC functions. Both routines can be called from Assembler as well as high-level languages. RACF protects these APIs with profiles CSFENC and CSFDEC, respectively.

Choosing an algorithm
Many of the following steps depend on the chosen cryptography algorithm. Selecting a technique depends on security requirements as well as available hardware. Speed and performance may also come into consideration for online or mission-critical applications.

The ICSF software supports a number of encryption schemes and algorithms. In the simple case of encrypting an "at-rest" dataset to be decrypted for later use, we must use a symmetric algorithm that allows us to encrypt and decrypt the file with just one key. For this type of processing, the two...

BROWSE BY TAG Mainframe security and disaster recovery,   Server hardware,   Mainframe computers,   Mainframe operating systems and management,   Enterprise Systems Update Newsletter,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Mainframe security and disaster recovery Improve CICS Web services security and handle Web transaction requests Using cryptography on the mainframe: An amateur's guide Sun Chemical updates two data centers to handle SAP integration Mainframe vulnerabilities: Be proactive rather than reactive Disaster recovery on the mainframe: New options for site recovery Mainframers need to focus on process not piecemeal disaster recovery Legacy protocol puts IBM mainframes at risk Securing a CICS screen CICS command security How to authenticate users accessing CICS legacy transactions? Mainframe operating systems and management Roadmap to mainframe application modernization Improve CICS Web services security and handle Web transaction requests How is CICS prepared for future IT market demands? Why IBM should listen to Neon Software, customers on zPrime Aussie financial firms dump Unix, Windows for Linux on the mainframe Using cryptography on the mainframe: An amateur's guide How mainframes fit into cloud computing IBM z/OS 1.11 preview: New features and functions Neon Software CEO rejects IBM warnings on mainframe licensing issues due to zPrime IBM upgrades Parallel Sysplex, boosts importance of mainframe clustering Enterprise Systems Update Newsletter Roadmap to mainframe application modernization Weighing the costs and risks of mainframe application modernization The mainframe's potential for Web services and cloud computing Modernizing mainframe applications after a migration project: Part 4 The unforeseen costs of migrating off the mainframe Migrating off the mainframe, part 3: Tuning apps for the new platform Mainframe migration strategy, part 2: Segmenting the job Developing a successful mainframe migration strategy How is CICS prepared for future IT market demands? Troubleshooting mainframe application performance variables

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary epoch  (SearchDataCenter.com) ISPF  (SearchDataCenter.com) job  (SearchDataCenter.com) Job Entry Subsystem  (SearchDataCenter.com) job scheduler  (SearchDataCenter.com) job step  (SearchDataCenter.com) MVS  (SearchDataCenter.com) P/390  (SearchDataCenter.com) Remote Job Entry  (SearchDataCenter.com) z/OS  (SearchDataCenter.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

leading candidates are different flavors of the Data Encryption Standard (DES). The strongest candidate is Triple DES (TDES), with a 168 bit key, and an alternative is the Advanced Encryption Standard (AES), supporting 128 bit keys.

AES is newer and considered the stronger of the two algorithms. However, there are some hardware dependencies as well as implications if the data is to be exchanged with other agencies. In this instance we can settle on TDES as the lowest common denominator.

After choosing the algorithm, the brave programmer must contact the security department to generate the key. Once security has the key, it does not send the key back to the programmer. Instead, the key is stored in ICSF with an appropriate label, which is passed back to the programmer. The programmer, of course, uses the label to reference the key during any encryption or decryption calls.

As you've probably guessed, protecting the key is paramount in symmetric cryptography, which is why ICSF keeps an encrypted copy in a VSAM data set with carefully controlled access. In addition, RACF controls access to the key based on the key label in resource class CSFKEYS. Administering this rule may get interesting if, for instance, an enterprise uses cryptography in an online application where all the users, including Web clients, need access to the key.

Encipher and decipher
The encryption/decryption routines both have long, complicated parameter lists that the APG describes with daunting cryptographic jargon. However, after some careful reading and crossed fingers, you can code acceptable encryption and decryption routines without making anything too complicated.

The high points of the parameter lists include the following:

• ICSF return code
• ICSF reason code. You will need both the return and reason codes to understand why something went wrong.
• Key label, which can be up 64 bytes
• Cipher text and length
• Clear text and length
• An 18-byte ICSF work area described as a chaining vector. According to the documentation, the calling program must not change this area between ICSF calls, as the work area comes into play depending on the information in the rule array (as explained below).
• A rule array consisting of 8-byte control words specifying processing control information. The control word, representing the processing rule, is mandatory, while the subsequent ones are optional. The programming guide dedicates a lot of verbiage to describing the processing rules, as well as how they operate and affect the cipher text length. For this example I choose a processing rule of CUSP, ensuring the cipher text will be the same length as the plain text. CSUP also avoids specifying additional rules.
• Number of rules in the above array.

In addition to the other parameters there are some others that aren't necessary for simple cryptography. These include exit data, exit data length, pad character and initialization vector.

Once the cryptographic calls work it becomes a simple matter of wrapping it with code for reading clear text records and writing encrypted data. The CUSP option ensures the cipher text will have the same length as the input records so the program won't have to worry about changing logical record lengths or block sizes.

Decrypting the cipher text becomes the reverse of the above in calling CSNBDEC with a very similar parameter list. A relatively simple encryption/decryption program can also easily expand into some sort of utility by including the flexibility to use different key labels.

As long as the requirements stay the same, this technique can be used in online applications as well. However, as mentioned before, the basic technique may need modification for performance and operational concerns. In addition, cryptography of operational data opens a huge can of worms for disaster recovery.

ABOUT THE AUTHOR: For 24 years, Robert Crawford has worked off and on as a CICS systems programmer. He is experienced in debugging and tuning applications and has written in COBOL, Assembler and C++ using VSAM, DLI and DB2.

What did you think of this feature? Write to SearchDataCenter.com's Matt Stansberry about your data center concerns at mstansberry@techtarget.com.

Rate this Tip To rate tips, you must be a member of SearchDataCenter.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.