IBM Ported Tools for z/OS is a program product that delivers applications and tools for the z/OS platform; it is supported on z/OS 1.10 and above. OpenSSH is a ported application provided by IBM Ported Tools for z/OS that provides secure encryption for both remote login and file transfer.
The latest features for IBM Ported Tools for z/OS include new z/OS extensions for the MAC algorithms and ciphers of OpenSSH. OpenSSH can now be set up to use the Integrated Cryptographic Service Facility (ICSF) to implement Message Authentication Code (MAC) algorithms and certain ciphers. This extension is provided by the PTF for APAR OA37278. It enables OpenSSH to use hardware support.
Allowing ICSF in OpenSSH helps minimize the CPU time consumed by SSH sessions on z/OS, resulting in increased data transfer. This support applies to all the client and server commands: ssh, scp, sftp, sshd and sftp-server. ICSF enables the use of CP Assist for Cryptographic Function (CPACF) hardware support. This new feature addresses the following requirements:
Eliminate unnecessary SMF error messages
Add internal serviceability improvements
Modify buffer relocation to minimize heap fragmentation
Rapid automation of data processing enables businesses to transmit sensitive data over open communication networks and to store confidential data offline, which increases the potential threat of that data being accessed by unauthorized persons. To make a distributed computing environment secure, a combination of elements must work together. According to International Organization for Standardization (ISO) standard 7498-2, the security functions are as follows:
Identification and authentication of the user
Access control for resources
Security management and
To provide data confidentiality and identity authentication, and in turn protect business commerce on the Internet, cryptographic services are mandatory.
Cryptography represents a set of techniques for disguising data. The encrypted data is available only to authorized persons, who can readily restore the data to its original form. The growth of distributed systems and the widespread use of the Internet have increased data security needs, and cryptography meets these needs by maintaining data confidentiality and verifying data integrity. The common processes that cryptography deals with are:
Enciphering or encrypting the plain text
Deciphering or decrypting the cipher text
Condensing a long message into a compact bit string (hashing), and
Generating and verifying digital signatures
ICSF supports IBM’s Common Cryptographic Architecture (CCA), which is based on the ANSI Data Encryption Algorithm (DEA) and the Advanced Encryption Standard (AES). In these cryptographic systems, secret keys are shared between two parties to protect data and keys that are exchanged on the network and to establish a secured communications channel. ICSF uses triple DES encryption for data privacy, and AES for encrypting and decrypting using 128-bit, 192-bit and 256-bit secure and clear keys. For public key cryptography, ICSF supports both the NIST Digital Signature Standard algorithm and the Rivest-Shamir-Adleman algorithm, where each party establishes a pair consisting of a public key and a private key. The public keys are published in a reliable information source and the private keys are maintained in secure storage.
Apart from encryption and decryption of data, ICSF provides application programs for the following tasks:
Generate, verify and translate Personal Identification Number (PIN)
Ensure data integrity by using Message Authentication Codes (MACs), digital signatures, hashing algorithms or VISA card / Master card Verification Code
Provide enhanced key management for Crypto Assist instructions
Provide remote key loading for Automated Teller Machines (ATMs)
Develop Secure Electronic Transaction (SET) applications and acquire payment gateway
PKA-encrypt and PKA-decrypt symmetric key data
Develop EMV ICC applications using CSNBSKY, CSNBPCU, CSNBDKG and CSNBSPN callable services