IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

  • 1.  CSNBRNGL (Random Number Generate) callable service

    Posted Thu September 13, 2018 04:20 AM

    Hello,

    I have been looking at the random number generate callable service to generate a random enough number to be used as the Initialization Vector (IV) in AES (CBC). We have our security review team asking if this is a reliable enough random number generator.

    Going through the manuals, I could not find much information except this:

    The callable service uses a cryptographic feature to generate a random number.
    The foundation for the random number generator is a time variant input with a
    very low probability of recycling.

    And some information about RNGL algorithm here:

    https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.csfb400/iqacon.htm

    Can someone at IBM provide some more information about how this works?

    Regards,
    Deepak

    Deepak.Paul.John


  • 2.  Re: CSNBRNGL (Random Number Generate) callable service

    Posted Fri September 21, 2018 05:59 AM

    @EChan_pok b9fd5a66-c04a-4618-9d04-63cb8e5407ef,

    For some reason, I got an email about your response, but I cannot see an entry in the conversations. Hope you can post your response here once again.

    Regards

    Deepak

    Deepak.Paul.John


  • 3.  Re: CSNBRNGL (Random Number Generate) callable service

    Posted Fri September 21, 2018 08:34 AM

    Hello Eleanor,

    I also notice that the random number generation does not provide a true numeric format but rather provides hex values.

    From the ICSF - Random Number Generator (ISPF Panel), I see the following:

    Parity Option  ===> RANDOM            ODD, EVEN, RANDOM
    Random Number1    : 77034B41AFABC444  Random Number 1  
    Random Number2    : 9ABF339EC4D057F1  Random Number 2  
    Random Number3    : 4A87073D23E52B69  Random Number 3  
    Random Number4    : 7C8095E603548FB5  Random Number 4 

    And when I try to use CSFBRNG to generate an 8 byte random number, I see it as this in the spool:

    WS-RANDOM-NO-PIC-X: ýÐNÝI¤¾

    And UTF-8 of this as:

    UTF-8: C¨C°+C¸ñ)B´

    Is this working as designed? I am wondering if it is possible to generate a proper numeric value as well?

    Regards,

    Deepak

    Deepak.Paul.John


  • 4.  Re: CSNBRNGL (Random Number Generate) callable service

    Posted Tue September 25, 2018 08:32 AM

    Paul, what do you mean by a "true numeric format"?  The RNG CCA verbs return a string of random bits.  They are not converted to decimal numbers or anything like that.  It's what you would expect from a random value generator.  You said that you want to use the random value as an IV, and this is just what AES or TDES needs for its IV - a string of random bits.

    Can you explain in more detail what the problem is that you see?  Is it really just confusion resulting from the way this test program displays the random value?

    ToddArnold
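    An added illustration of the point made in this reply (example code written for this page, not code from the thread, from ICSF or from CCA): the service hands back raw random bits, and "hex", "numeric" and the unreadable spool text are just three ways of displaying the same bytes. The example assumes a stand-in generator built on the OS CSPRNG (`secrets`) in place of the real CSNBRNGL call, renders the panel's own sample value 77034B41AFABC444 in each view, draws a 16-byte IV for AES-CBC, and runs a simple no-repeat check across many draws. It also reproduces the panel's ODD/EVEN/RANDOM parity option as each byte's low-order bit being forced so the byte has that parity, which goes beyond what the thread spells out.

```python
import secrets
from typing import Callable, Dict

AES_BLOCK_BYTES = 16  # AES-CBC needs a one-block (16-byte) IV for any AES key size


def rng_generate(length: int) -> bytes:
    """Stand-in for the CSNBRNGL callable service (assumption: this example
    uses the OS CSPRNG via `secrets`; on z/OS the real service returns the
    random bits from ICSF). The result is a 'string' in the CCA sense, an
    arbitrary byte array, not readable text."""
    if length <= 0:
        raise ValueError("length must be positive")
    return secrets.token_bytes(length)


def with_byte_parity(raw: bytes, form: str) -> bytes:
    """Reproduce the panel's parity option (assumed semantics): ODD and EVEN
    set each byte's low-order bit so the byte's bit count has that parity,
    the form used for DES key material; RANDOM leaves the bits untouched."""
    if form == "RANDOM":
        return raw
    if form not in ("ODD", "EVEN"):
        raise ValueError("form must be ODD, EVEN or RANDOM")
    want_odd = form == "ODD"
    out = bytearray()
    for b in raw:
        ones_in_upper7 = bin(b & 0xFE).count("1")
        upper_is_odd = ones_in_upper7 % 2 == 1
        low_bit = 0 if upper_is_odd == want_odd else 1
        out.append((b & 0xFE) | low_bit)
    return bytes(out)


def views_of(raw: bytes) -> Dict[str, object]:
    """The same bytes rendered the ways the thread shows them: the hex string
    the ISPF panel prints, the value read as an unsigned integer (the 'numeric'
    reading), and what a spool listing shows if it treats the bytes as
    EBCDIC (code page 037) text, which is why the output looks like garbage."""
    return {
        "hex": raw.hex().upper(),
        "unsigned_int": int.from_bytes(raw, "big"),
        "ebcdic_text": raw.decode("cp037", errors="replace"),
    }


def iv_from_rng(rng: Callable[[int], bytes] = rng_generate,
                block_bytes: int = AES_BLOCK_BYTES) -> bytes:
    """Draw a fresh CBC IV: exactly one cipher block of random bits, and a new
    one for every message encrypted under the same key."""
    iv = rng(block_bytes)
    if len(iv) != block_bytes:
        raise ValueError(f"IV must be {block_bytes} bytes, got {len(iv)}")
    return iv


def no_recycling(draws: int, length: int,
                 rng: Callable[[int], bytes] = rng_generate) -> bool:
    """Cheap sanity check behind the manual's 'very low probability of
    recycling' wording: draw many values and confirm none repeats. This cannot
    prove randomness, but it does catch a generator that is stuck or that is
    reseeded identically on every call."""
    seen = set()
    for _ in range(draws):
        value = rng(length)
        if value in seen:
            return False
        seen.add(value)
    return True


if __name__ == "__main__":
    # The first value from the panel shown earlier in the thread.
    panel_sample = bytes.fromhex("77034B41AFABC444")
    for name, view in views_of(panel_sample).items():
        print(f"{name:13}: {view!r}")
    print("ODD parity   :", with_byte_parity(panel_sample, "ODD").hex().upper())
    print("AES-CBC IV   :", iv_from_rng().hex().upper())
    print("no repeats   :", no_recycling(2000, 8))
```

    The hex view is what the panel prints and the integer view answers the "proper numeric value" question: both are derived from the bytes, and the bytes themselves are what the cipher consumes as the IV.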


  • 5.  Re: CSNBRNGL (Random Number Generate) callable service

    Posted Thu September 27, 2018 04:30 AM

    Hello Todd,

    Thank you for clarifying. Yes, my confusion was regarding the way the callable service was described as a random number generator in the manuals. There is not much description about the output of the service in the manuals, except that the data type is string. But looking at the number generated on the panel, it looks like it is a hexadecimal random number. This should suit my requirement for the IV and I would not require a decimal number generator.

    Thanks again for taking time to respond.

    Regards

    Deepak

    Deepak.Paul.John


  • 6.  Re: CSNBRNGL (Random Number Generate) callable service

    Posted Thu September 27, 2018 08:18 AM

    The concept of a "string" can be a bit confusing in CCA.  Many people will automatically think it is a string of readable characters, like ASCII or EBCDIC, and possibly null-terminated.  However, the CCA definition of string is not at all like that.  Here's the definition from the ICSF Application Programmer's Guide:

    This (and the overall characteristics of CCA parameters) come from the ancient IBM "Systems Application Architecture" (SAA), which was defined in the late 1980s.  The idea was to define APIs in a way that would make them consistent across different computer architectures and programming languages.  However, while CCA was defined according to SAA rules, SAA itself pretty much faded away.

    ToddArnold