Thanks to all who responded. 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Greg Boyd
Sent: Saturday, September 26, 2015 11:57 AM
To: [email protected]
Subject: Re: CP Assist for Cryptographic Functions (CPACF)

Cipher Feedback Mode in the hardware was introduced with MSA-4 which came with 
the z196/z114 machines.  That means that these machines (and later) support new 
assembler instructions that perform chaining operations:  KMF (Cipher Message 
with CFB (Cipher Feedback Mode)), KMCTR (Cipher Message with Counter) and KMO 
(Cipher Message with OFB (Output Feedback Mode)).

You can read more about these instructions in the Principles of Operations 
manuals.  I don't remember whether these instructions were retrofitted to the 
z10 CPACF hardware.  Although according to IBM's TechDoc 'Cryptographic Support 
for z/OS V1R10-V1R12 (HCR7780)' at 
https://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10716, similar 
support was retrofitted to the CEX3C on the z10.

Prior to this hardware technology being available, ICSF supported cipher 
feedback mode.  That is, by specifying the appropriate parm in the rule array, 
ICSF would handle the chaining while using the KM and KMC instructions to 
perform the encryption.  The new instructions provided a) better performance by 
doing the work in hardware instead of relying on software to do the chaining 
and b) some new chaining options.

All that said, do you want to use CFB in your app (using the new instructions)? 
or in an app using the ICSF APIs? or with System SSL (since you reference the 
SSL messages)?  If you want to use the native instructions on a z10, I'd try 
coding a simpler assembler routine to perform a KMF instruction and see if you 
get an OC1.  If you want to use the APIs, that should also work, even if the 
hardware support isn't there.  

However, if your concern is about System SSL support, then you have to refer 
to the System SSL manuals.  I just did a quick search in both the z/OS 1.13 and 
z/OS 2.1 System SSL Programming manuals and found no reference to 'Cipher 
Feedback'.  I found one reference, in a message, about 'Cipher Block Chaining'. 
And https://www.ietf.org/rfc/rfc5246.txt, the RFC for TLS Protocol V1.2, says 
'All block cipher encryption is done in CBC (Cipher Block Chaining) mode ...'.  
So I don't think CFB is even supported by the SSL protocol.

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
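
The software chaining described in the message above (CFB built on top of a single-block encryption, which is the role the message gives to KM), as an added example that is not part of the original thread. `block_encrypt` is a keyed-hash stand-in chosen so the code runs with the standard library; it is not AES and not an ICSF or CPACF interface, and full-block feedback and all sample values are assumptions.

```python
import hashlib

BLOCK = 16  # bytes per cipher block (the AES block size)

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for one single-block encryption (assumption for this example).
    # NOT AES: a truncated keyed hash, so only the standard library is needed.
    # CFB uses only this forward direction, even when decrypting.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, which trims the keystream for a
    # short final segment.
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C_i = P_i XOR E_K(C_{i-1}), with C_0 = IV (full-block feedback).
    feedback, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        segment = _xor(plaintext[i:i + BLOCK], block_encrypt(key, feedback))
        out += segment
        feedback = segment  # the chaining step, done here in software
    return bytes(out)

def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P_i = C_i XOR E_K(C_{i-1}); the feedback is the received ciphertext.
    feedback, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        segment = ciphertext[i:i + BLOCK]
        out += _xor(segment, block_encrypt(key, feedback))
        feedback = segment
    return bytes(out)

def damaged_blocks(key: bytes, iv: bytes, plaintext: bytes, flip_at: int) -> list:
    # Flip one ciphertext bit and report which plaintext blocks change.
    # CFB gives no integrity: the change is silent unless a MAC is added.
    ct = bytearray(cfb_encrypt(key, iv, plaintext))
    ct[flip_at] ^= 0x01
    recovered = cfb_decrypt(key, iv, bytes(ct))
    return [i // BLOCK for i in range(0, len(plaintext), BLOCK)
            if recovered[i:i + BLOCK] != plaintext[i:i + BLOCK]]

if __name__ == "__main__":
    key, iv = b"constructed key!", bytes(BLOCK)   # constructed sample values
    message = bytes(range(60))                    # 3 full blocks + 12 bytes
    print(damaged_blocks(key, iv, message, 20))   # flip inside block 1
```

A flipped ciphertext bit changes the same bit in its own plaintext block and garbles the following block, after which decryption resynchronises.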


On Thu, 24 Sep 2015 10:17:13 -0400, Dazzo, Matt <[email protected]> wrote:

>I have searched the archives but not finding the specific answer I need. We 
>have feature CPACF (#3863) on our z10-BC 2098 (zos1.13) but I am told that  
>CFB (Cipher FeedBack) is not enabled on our CPACF. I looked at our HMC 
>Activation profiles and can't determine if CFB feature is enabled but appears 
>crypto is enabled. Can one point me in the right direction to get the info? 
>How is CFB enabled? And how do you determine if it's enabled or not?
>
>I do see this in the TN3270 start up.
>
>System SSL: SHA-1 crypto assist is available
>System SSL: SHA-224 crypto assist is available
>System SSL: SHA-256 crypto assist is available
>System SSL: SHA-384 crypto assist is available
>System SSL: SHA-512 crypto assist is available
>System SSL: DES crypto assist is available
>System SSL: DES3 crypto assist is available
>System SSL: AES 128-bit crypto assist is available
>System SSL: AES 256-bit crypto assist is available
>System SSL: ICSF services are not available
>
>Thanks,
>
>Matt Dazzo
>Senior Systems Programmer
>Publishers Clearing House
>
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions, send 
>email to [email protected] with the message: INFO IBM-MAIN
