Overview of Latest Features for IBM Ported Tools

IBM Ported Tools for z/OS is a program product that delivers ported open-source applications and tools for the z/OS platform; it is supported on z/OS 1.10 and above. OpenSSH is one of the applications it provides, giving encrypted and authenticated remote login (ssh) and file transfer (scp and sftp).

The latest update to IBM Ported Tools for z/OS extends OpenSSH with z/OS-specific support for hardware cryptography: OpenSSH can now be configured to use the Integrated Cryptographic Service Facility (ICSF) to implement its Message Authentication Code (MAC) algorithms and certain ciphers, instead of the OpenSSL software implementations. The extension is delivered by the PTF for APAR OA37278.
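As an added example, not taken from the IBM documentation, the z/OS-specific OpenSSH configuration files carry the keywords that select where the cipher and MAC implementations come from. The keyword names CiphersSource and MACsSource and the values ICSF, OpenSSL and any are those documented for this extension; the fallback behavior described in the comments should be confirmed against the OpenSSH User's Guide for the installed release.

```text
# /etc/ssh/zos_sshd_config  -- z/OS-specific settings for sshd
# Source of the cipher and MAC implementations: any | ICSF | OpenSSL.
# "ICSF" forces the ICSF (CPACF-backed) path; if ICSF is not started, or
# the sshd user ID lacks SAF access to the CSFSERV resources, the
# affected algorithms fail rather than falling back to OpenSSL software.
CiphersSource ICSF
MACsSource    ICSF

# /etc/ssh/zos_ssh_config  -- z/OS-specific settings for ssh, scp and sftp
# "any" prefers ICSF when it is available and otherwise uses OpenSSL.
CiphersSource any
MACsSource    any
```

Only algorithms that ICSF implements at the installed level are offloaded; a session that negotiates some other cipher or MAC still runs in software, so the standard Ciphers and MACs keywords in sshd_config and ssh_config should be restricted to the ICSF-capable algorithms listed in the User's Guide if the goal is to guarantee the CPU saving.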

Using ICSF in OpenSSH reduces the CPU time consumed by SSH sessions on z/OS, which in turn raises the achievable data transfer throughput. The support applies to all client and server commands: ssh, scp, sftp, sshd and sftp-server. ICSF gives access to the CP Assist for Cryptographic Function (CPACF), the cryptographic instructions built into the processor, so the bulk symmetric encryption and MAC work of a session runs in hardware. ICSF callable services are protected by SAF: the user IDs under which sshd and the clients run need READ access to the relevant resources in the CSFSERV class, and ICSF must be started, or the ICSF source cannot be used. Besides the ICSF support, the update addresses the following requirements:

•Eliminate unnecessary SMF error messages

•Add internal serviceability improvements

•Modify buffer relocation to minimize heap fragmentation
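Returning to the MAC support described above: the following is an added illustration, not code from IBM Ported Tools, OpenSSH or ICSF, of what an SSH MAC algorithm computes for every packet (RFC 4253 section 6.4, using hmac-sha2-256 from RFC 6668). It is the per-packet work that the ICSF source moves onto CPACF. The key, payload and sequence numbers are constructed sample values.

```python
"""Per-packet integrity protection in the SSH binary packet protocol.

Added illustration, not code from IBM Ported Tools, OpenSSH or ICSF: it
shows what an SSH "MAC algorithm" (here hmac-sha2-256, RFC 6668) computes
for every packet, per RFC 4253 section 6.4. Key, payload and sequence
numbers are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

BLOCK_SIZE = 16            # cipher block size assumed for padding (AES)
SSH_MSG_CHANNEL_DATA = 94  # message number from RFC 4254


def build_packet(payload: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Frame a payload as an unencrypted SSH packet:
    uint32 packet_length | byte padding_length | payload | random padding.
    Padding is at least 4 bytes and brings the total to a multiple of block_size."""
    padding_length = block_size - ((5 + len(payload)) % block_size)  # 5 = the two length fields
    if padding_length < 4:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    return struct.pack(">IB", packet_length, padding_length) + payload + os.urandom(padding_length)


def compute_mac(mac_key: bytes, seqno: int, packet: bytes) -> bytes:
    """mac = HMAC-SHA256(key, uint32 sequence_number || unencrypted_packet).

    The sequence number is never sent on the wire; each side counts the
    packets it has sent and received, so the tag binds the packet to its
    position in the stream and a replayed or reordered packet fails to verify.
    """
    return hmac.new(mac_key, struct.pack(">I", seqno) + packet, hashlib.sha256).digest()


def verify_mac(mac_key: bytes, seqno: int, packet: bytes, tag: bytes) -> bool:
    """Receiver-side check; compare_digest avoids a timing side channel on the tag."""
    return hmac.compare_digest(compute_mac(mac_key, seqno, packet), tag)


def channel_data(recipient_channel: int, data: bytes) -> bytes:
    """Payload of SSH_MSG_CHANNEL_DATA: byte 94, uint32 recipient channel, string data."""
    return bytes([SSH_MSG_CHANNEL_DATA]) + struct.pack(">II", recipient_channel, len(data)) + data


def demo() -> dict:
    """Tag one packet, then show which receiver-side checks pass or fail."""
    mac_key = hashlib.sha256(b"constructed sample integrity key").digest()  # 32 bytes, as for hmac-sha2-256
    seqno = 7
    packet = build_packet(channel_data(0, b"hello"))
    tag = compute_mac(mac_key, seqno, packet)

    # Flip one bit of the first data byte ('h' -> 'H'); data starts at offset 5 + 1 + 4 + 4 = 14.
    tampered = packet[:14] + bytes([packet[14] ^ 0x20]) + packet[15:]

    return {
        "block_aligned": len(packet) % BLOCK_SIZE == 0,
        "tag_len": len(tag),
        "genuine": verify_mac(mac_key, seqno, packet, tag),
        "tampered": verify_mac(mac_key, seqno, tampered, tag),
        "replayed": verify_mac(mac_key, seqno + 1, packet, tag),  # same bytes, wrong position
        "wrong_key": verify_mac(b"\x00" * 32, seqno, packet, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every packet of a session, in both directions, costs one HMAC over the whole packet plus the cipher pass over the same bytes; for a long scp or sftp transfer that is where the CPU time goes, and it is exactly this per-packet hashing and encryption that the ICSF source hands to CPACF.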

Automated, high-speed data processing leads businesses to transmit sensitive data over open communication networks and to store confidential data offline, increasing the risk that the data is read or altered by unauthorized parties. Securing a distributed computing environment requires several elements working together. The security services defined in International Organization for Standardization (ISO) standard 7498-2, the OSI security architecture, are:

•Identification and authentication of the user

•Access control for resources

•Data confidentiality

•Data integrity

•Security management and

•Non-repudiation

Cryptographic services are required to provide data confidentiality and to authenticate identities, and so to protect commerce conducted over the Internet.

Cryptography is a set of techniques for disguising data so that only authorized parties, who hold the right key, can readily restore it to its original form. The growth of distributed systems and of the Internet has increased the need for data security, and cryptography meets much of that need by providing data confidentiality and data integrity verification. The common processes in cryptography are:

•Enciphering or encrypting the plain text

•Deciphering or decrypting the cipher text

•Condensing a long message into a compact bit string called hashing and

•Generating and verifying digital signatures

ICSF supports IBM's Common Cryptographic Architecture (CCA), which is built on the ANSI Data Encryption Algorithm (DEA) and the Advanced Encryption Standard (AES). In these symmetric-key systems the two parties share a secret key, which protects both the data and the other keys exchanged over the network and so establishes a secured communications channel. ICSF uses Triple DES for data privacy and AES with 128-bit, 192-bit and 256-bit keys, in either secure (hardware-protected) or clear form, for encryption and decryption. For public key cryptography ICSF supports the NIST Digital Signature Standard (DSS) algorithm and the Rivest-Shamir-Adleman (RSA) algorithm, in which each party holds a pair of keys: the public key is published through a trusted source and the private key is kept in secure storage.

Besides encrypting and decrypting data, ICSF provides callable services that application programs can use for the following tasks:

•Generate, verify and translate Personal Identification Number (PIN)

•Ensure data integrity by using Message Authentication Codes (MACs), digital signatures, hashing algorithms, or Visa Card Verification Values (CVV) and MasterCard Card Verification Codes (CVC)

•Provide enhanced key management for Crypto Assist instructions

•Provide remote key loading for Automated Teller Machines (ATMs)

•Develop Secure Electronic Transaction (SET) applications and acquirer payment gateways

•PKA-encrypt and PKA-decrypt symmetric key data

•Develop EMV ICC (integrated circuit card) applications using the CSNBSKY (Secure Messaging for Keys), CSNBPCU (PIN Change/Unblock), CSNBDKG (Diversified Key Generate) and CSNBSPN (Secure Messaging for PINs) callable services