I am experimenting with ICSF subroutines for encrypting and decrypting 
sensitive data.  We are on z10 hardware at z/OS 1.10 with only CPACF crypto 
instructions in the CPU, we have no crypto cards at all.

I can successfully use the ICSF "clear key" encrypt/decrypt subroutines CSNBSYE 
and CSNBSYD (symmetric key encrypt/decrypt) but the disadvantage of those 
subroutines is that the clear key must be listed in the code and passed 
directly to the ICSF subroutines, which is not very secure.  Anyone who could 
view the source code would have the information needed to decrypt the data.

My security team created a test "clear key" label for TDES encryption in the 
ICSF CKDS database for me, and when I run my test programs the CSFIQF query 
facilities subroutine returns results saying that TDES is supported for clear 
keys via CPU instructions, as expected.

However, no matter what I do, the CSNBENC and CSNBDEC subroutines (encrypt and 
decrypt with ICSF label or token) consistently return RC=12, Reason = 0 
(function not available).  I am using the ICSF test label created by my 
security team to try to get the ICSF subroutines to go get the TDES clear key 
from the CKDS and use that key to encrypt passed data.  I have fiddled with all 
of the input parameters to CSNBENC and CSNBDEC but I just cannot seem to get it 
to work.  I even tried reading the test label directly with the CSNBKRR 
subroutine, which returned RC=4 ("I read it but it's a clear key so you can't 
have it"), so I know that the test label is there.

My test programs are built in Enterprise COBOL V4.1, using dynamic calls to the 
ICSF subroutines.  As I said above, calls to CSNBSYE and CSNBSYD work fine when 
called this way, but so far not CSNBENC or CSNBDEC.

Any info or RTFM or suggestions of things to verify that you can provide would 
be most appreciated.  If there is some ICSF concept that I have misunderstood, 
any help you can give to cure my ignorance is also welcome.

Peter
--

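For readers following the thread, the following Enterprise COBOL skeleton is an added example, not Peter's program, showing the shape of a label-based CSNBENC/CSNBDEC call pair as documented in the ICSF Application Programmer's Guide: the 64-byte key identifier carries a CKDS label (blank-padded) instead of a clear key value, so the key never appears in the source. The label TEST.TDES.CLEAR and the sample plaintext are placeholders. It does not explain the RC=12 reason 0 result; it only shows where the return and reason codes from each call are checked, and verifies that a round trip restores the input.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. ENCLABEL.
      * Added example (not from the original post): encipher and then
      * decipher a buffer through CSNBENC / CSNBDEC using a CKDS key
      * label, so no clear key value is embedded in the program.
      * TEST.TDES.CLEAR is a placeholder label name.
       ENVIRONMENT DIVISION.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-CSNBENC                PIC X(8)  VALUE 'CSNBENC'.
       01  WS-CSNBDEC                PIC X(8)  VALUE 'CSNBDEC'.
       01  RC-ICSF                   PIC S9(9) COMP VALUE 0.
       01  RS-ICSF                   PIC S9(9) COMP VALUE 0.
       01  EXIT-DATA-LENGTH          PIC S9(9) COMP VALUE 0.
       01  EXIT-DATA                 PIC X(4)  VALUE SPACES.
      * 64-byte key identifier: CKDS label, left-justified, blank padded
       01  KEY-IDENTIFIER            PIC X(64) VALUE 'TEST.TDES.CLEAR'.
      * CBC without a padding rule requires a multiple of 8 bytes
       01  TEXT-LENGTH               PIC S9(9) COMP VALUE 16.
       01  CLEAR-TEXT                PIC X(16) VALUE 'ACCOUNT-12345678'.
       01  INITIALIZATION-VECTOR     PIC X(8)  VALUE LOW-VALUES.
       01  RULE-ARRAY-COUNT          PIC S9(9) COMP VALUE 2.
       01  RULE-ARRAY.
           05  FILLER                PIC X(8)  VALUE 'CBC     '.
           05  FILLER                PIC X(8)  VALUE 'INITIAL '.
       01  PAD-CHARACTER             PIC S9(9) COMP VALUE 0.
       01  CHAINING-VECTOR           PIC X(18) VALUE LOW-VALUES.
       01  CIPHER-TEXT               PIC X(16) VALUE LOW-VALUES.
       01  RECOVERED-TEXT            PIC X(16) VALUE LOW-VALUES.
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Encipher: the key is fetched by ICSF from the CKDS by label
           CALL WS-CSNBENC USING RC-ICSF
                                 RS-ICSF
                                 EXIT-DATA-LENGTH
                                 EXIT-DATA
                                 KEY-IDENTIFIER
                                 TEXT-LENGTH
                                 CLEAR-TEXT
                                 INITIALIZATION-VECTOR
                                 RULE-ARRAY-COUNT
                                 RULE-ARRAY
                                 PAD-CHARACTER
                                 CHAINING-VECTOR
                                 CIPHER-TEXT
           PERFORM CHECK-ICSF-RC
      * Decipher: same label, same IV, same rule array (CBC / INITIAL)
           MOVE LOW-VALUES TO CHAINING-VECTOR
           CALL WS-CSNBDEC USING RC-ICSF
                                 RS-ICSF
                                 EXIT-DATA-LENGTH
                                 EXIT-DATA
                                 KEY-IDENTIFIER
                                 TEXT-LENGTH
                                 CIPHER-TEXT
                                 INITIALIZATION-VECTOR
                                 RULE-ARRAY-COUNT
                                 RULE-ARRAY
                                 CHAINING-VECTOR
                                 RECOVERED-TEXT
           PERFORM CHECK-ICSF-RC
      * Round-trip check: recovered text must equal the input
           IF RECOVERED-TEXT = CLEAR-TEXT
               DISPLAY 'ROUND TRIP OK'
           ELSE
               DISPLAY 'ROUND TRIP MISMATCH'
           END-IF
           GOBACK.
       CHECK-ICSF-RC.
      * Always inspect both codes; RC=12 RS=0 is the
      * "function not available" result described in the post
           EVALUATE RC-ICSF
               WHEN 0
                   CONTINUE
               WHEN 12
                   DISPLAY 'ICSF FUNCTION NOT AVAILABLE, REASON '
                           RS-ICSF
                   GOBACK
               WHEN OTHER
                   DISPLAY 'ICSF RC=' RC-ICSF ' RS=' RS-ICSF
                   GOBACK
           END-EVALUATE.
```

CSNBENC takes a pad_character argument that CSNBDEC does not, which is why the two parameter lists differ by one entry; the CBC rule with no padding keyword leaves text_length unchanged, so the same 16-byte length is passed to both calls.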


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html