Who is Monty~~ ?

I am a mainframe techie who has been working on mainframes for 5.5 years in India and in the UK. For the last 2.5 years I have been involved in protecting sensitive data through cryptography, working for 2-3 major UK banks. If you have any comments/suggestions/questions on my stuff below, just fire an email to mojozmania@gmail.com.

Here is a presentation for you on
Introduction To Cryptography. Enjoy !!

Cryptography - Let's meet the Crypto Life

This is where I define and understand the Crypto basics. These crypto ideas/algorithms/standards can then be implemented on any hardware.
Various TERMS:
  1. Encryption & Decryption
  2. Symmetric Key Cryptography
  3. Asymmetric Key Cryptography
  4. DES
  5. AES
  6. Block Cipher
  7. Block Cipher Modes Of Operation
  8. IV - Initialization Vector
  9. ECB
  10. CBC - Cipher Block Chaining
  11. CFB - Cipher Feedback
  12. OFB - Output Feedback
  13. PKA
  14. PKCS - (Public key Cryptography Standards)
  15. RSA - (Rivest-Shamir-Adleman)
  16. DSS - (Digital Signature Standard)
  17. SHA - (Secure Hash Algorithm)
  18. SHA Types: SHA-0, SHA-1, SHA-256 etc.
  19. MAC - (Message Authentication Codes)
  20. MAC Types - UMAC, HMAC, CMAC
  21. PIN Blocks
  22. Others - About HASH Functions & HASH Algorithms.

RSA EXAMPLE: This is a good worked example of how RSA encryption and decryption work.

ATALLA

Here goes all my research on Atalla.
To start with here is the link to HP Atalla NSP (Network Security Processor) -
www.atalla.com.
A good introduction to Atalla NSP is here. This talks about the new HP Atalla Ax150 NSP product line, a successor of the Atalla Ax100 NSP. Here 'x' can be either 8 or 9 or 10, corresponding to the entry-level, mid-range and high-end models respectively.

A white paper by HP titled "Combining Key Management with triple-DES to maximize security" talks about the vulnerability of 3-DES as a way to protect data. It is already known that, with the computing power available, DES was already broken at the start of this century.

HSM - Hardware Security Modules

The HSM List:
  1. In the THALES world also known as Host Security Modules.
  2. Thales HSM 8000

IBM Crypto Life

My research on IBM stuff goes here. The List of IBM Stuff..
  1. PCICC card (IBM 4758 card)
  2. PCIXCC (IBM 4764 card - PCI Extended Cryptographic Co-processor)
  3. CEX2C (Crypto Express 2 Coprocessor)
  4. CEX2A (Crypto Express 2 Accelerator)
  5. CPACF (CP Assist For Cryptographic Functions)
  6. ICSF (Integrated Cryptographic Service Facility)
  7. ICRF (Integrated Cryptographic Facility)
  8. TKE (Trusted Key Entry)
  9. 'EZASOKET' command for TCP/IP communication

ICSF - Integrated Cryptographic Service Facility

  • Document on ICSF Mainframe panel. These screenshots are from a mainframe I worked on.
  • KGUP - Key Generator Utility Program

EZASOKET:

  1. A good link to a lot of Mainframe and Socket docs and ppts. Here.
  2. A very good PPT on TCP/IP socket programming on MVS: Socket, Socket, Who has the Socket!! This explains the basics and how to program in COBOL, ASSEMBLER etc. Impressive, a must read.
  3. There is more information in the MVS manual: A Beginner’s Guide to MVS TCP/IP Socket Programming GG24-2561-00 (pdf version not available). More links are present in the PDF which reads EZA Sockets - User Experience.
  4. Example: COBOL program. This demonstrates the use of EZASOKET. This particular program writes an HSM request on the socket and listens for the response.

IBM DKMS - Distributed Key Management System

  1. IBM page here.
  2. A good IBM Redbook is Distributed Key Management System Installation and Customization Guide. Actually this is the only DKMS IBM book available online. The other manuals are not available for direct download but need to be requested. Pretty strange for IBM's product line manuals.
  3. IBM 4753 - Network Security Processor is used by DKMS.
  4. ICRF - Integrated Cryptographic Facility, a general key Management System.
  5. KMG Package - Key Mgmt Software package, for the DKMS Online Version. The KMG Package has 2 parts:
    i) The first part maintains information on all of the DKMS host DB2 tables, and directs all requests related to IBM host environment cryptographic devices to the second part.
    ii) The second part adds, lists, verifies and deletes keys in IBM 4753 NSP key storage and Integrated Cryptographic Feature CKDS.
  6. PMV Package - DKMS MVS Crypto API Program Package
    contains the API for terminals and ATMs.
  7. Host DB2 tables - KMGxxxx
    > total 12 tables
    > e.g. KMG0004, KMG0214

IBM TKE - Trusted Key Entry

  1. This is a non-mainframe-based application with a good GUI which can be used for entering/manipulating keys on a mainframe ICSF system.
  2. Current/latest version = V5.2 (as of Dec 2005). Version 5+ is required on z9 and above machines.
  3. Good Docs =
  4. TKE requires the IBM 4764 Cryptographic Adapter
  5. CNM = Cryptographic Node Management Utility
  6. CNI = Cryptographic Node batch Initialization

OTHERS:

  1. IBM Redbook on TCP/IP, supposedly good - TCP/IP Tutorial and Technical Overview.
  2. IBM Redbook on BASE24 - A Guide to the ACI Worldwide BASE24-eps on z/OS.
  3. Good PPT explaining with good diagrams, but it is old. Still good to know how the CCA architecture started - zSeries Cryptographic Coprocessors.

Crypto Secret Links

My study and research on IBM's Crypto Cards (PCICC, PCIXCC (4764 Card), CEX2C, CPACF etc.), the software part ICSF (Integrated Cryptographic Service Facility), Thales HSMs (Hardware Security Module, esp. HSM 8000), Atalla NSP (Network Security Processor) etc.

General:
  1. Links to different Crypto Hardware. Here.
  2. Mike has done some good research. Saving his page. Click here. How about the Godzilla Crypto tutorial, by Peter Gutmann.

IBM's Stuff here:

  1. All ICSF manuals. Here. I prefer to see the z/OS version and not OS390.
  2. IBM Crypto Cards. Here.
  3. PCIXCC or IBM 4764 card. Here.
  4. A good IBM Research Report on Building a High-Performance, Programmable Secure Coprocessor - RC21102.
  5. PPT - Using Cryptography on z/OS - here.
    This is a simple, easy-to-understand presentation discussing the z/OS Crypto API, ICSF, SSL, OCSF, PKI Services and Kerberos.

HSMs.

HSM stuff over the internet is difficult to find. Thanks to 2 of my colleagues for giving me the 1270A351 HSM-8000 Command Reference Manual Issue 6.1 March 2007, which helped me in understanding the HSM Host commands (API requests and responses). It also gives a good view of various PIN BLOCK formats. This is located in my storage area. :)

  1. HSM Basics 1 - Good Article. Here.
  2. HSM Basics 2 - A lot of clarification on the Cryptographic Keys like MFK, KEK, BDK, PVK etc. Here.
  3. Overview of HSM - By SANS. Here.
  4. Intro to Thales HSM 8000. Here. The same info in a pdf by Thales here.
  5. PDF Article - Maximize the Use of HSM. Here.
  6. PDF on HSM 8000 new base software V3.1 - here.

Others:

  1. Vector Microprocessors for Cryptography - By Jean & Fournier
    TECHNICAL REPORT - UNIVERSITY OF CAMBRIDGE
    This is a report which I would wanna go through when I have time. Pretty deep. Here.