IBM Crypto Education Community

  • 1.  AES/CBC/PKCS5Padding

    Posted Tue February 27, 2024 06:24 AM

    Hi,

    Has anyone implemented an ICSF Callable Services use for AES/CBC/PKCS5Padding?

    I've tried adapting a sample found for GCM but it seems I'm struggling to set up the correct combination of rule_array and various length values for the call to CSNBSYE/CSNBSYD.

    Any guidance would be much appreciated.

    Regards,
    Eugéne



    ------------------------------
    Eugéne van Wyk
    ------------------------------


  • 2.  RE: AES/CBC/PKCS5Padding

    Posted Tue February 27, 2024 11:26 AM
    You mention CBC (AES/CBC/PKCS5Padding). The PKCS-PAD rule does PKCS#5 padding for CBC mode.
     
    Here's a REXX example call for CSNBSYE doing AES/CBC/PKCS5Padding.
     
    /*********************************************************************/         
    /* Setup for SYE call                                                */         
    /*********************************************************************/         
    return_code           = 'FFFFFFFF'X;                                            
    reason_code           = 'FFFFFFFF'X;                                            
    exit_data_length      = '00000000'X;                                            
    exit_data             = '';                                                     
    rule_array_count      = '00000002'X;                                            
    rule_array            = 'AES     PKCS-PAD';                                     
    key_identifier_length = '00000010'X;                                            
    key_identifier        = '0123456789ABCDEF0123456789ABCDEF'X;                    
    key_parms_length      = '00000000'X;                                            
    key_parms             = '';                                                     
    block_size            = '00000010'X;                                            
    init_vector_length    = '00000010'X;                                            
    init_vector           = '0123456789ABCDEF0123456789ABCDEF'X;                    
    chain_data_length     = '00000020'X;                                            
    chain_data            = '00000000000000000000000000000000'X||,                  
                            '00000000000000000000000000000000'X;                    
    clear_text_length     = '00000011'X;                                            
    clear_text            = 'Sample clear text';                                    
    cipher_text_length    = '00000020'X;                                            
    cipher_text           = COPIES('00'X,32);                                       
    optional_data_length  = '00000000'X;                                            
    optional_data         = '';                                                     
                                                                                    
    /*********************************************************************/         
    /* Make SYE call                                                     */         
    /*********************************************************************/         
    ADDRESS LINKPGM 'CSNBSYE'                                ,                      
                    'return_code'           'reason_code'    ,                      
                    'exit_data_length'      'exit_data'      ,                      
                    'rule_array_count'      'rule_array'     ,                      
                    'key_identifier_length' 'key_identifier' ,                      
                    'key_parms_length'      'key_parms'      ,                      
                    'block_size'                             ,                      
                    'init_vector_length'    'init_vector'    ,                      
                    'chain_data_length'     'chain_data'     ,                      
                    'clear_text_length'     'clear_text'     ,                      
                    'cipher_text_length'    'cipher_text'    ,                      
                    'optional_data_length'  'optional_data'  ;                      


    ------------------------------
    Eric Rossman
    ------------------------------



  • 3.  RE: AES/CBC/PKCS5Padding

    Posted Wed February 28, 2024 08:23 AM

    Thank you,
    I'll modify and implement to work with a key stored in CKDS. 



    ------------------------------
    Eugéne van Wyk
    ------------------------------



  • 4.  RE: AES/CBC/PKCS5Padding

    Posted Wed February 28, 2024 08:23 AM

    Hi,
    Thank you, the script is working, but...
    On z/OS the encrypt and decrypt work, with confirmation that input/output is the same after the process.
    For testing purposes I'm running the same encrypt/decrypt on a distributed machine.
    The problem comes in that the correlating encrypted text from the REXX scripts when decrypted by the distributed environment does not correlate at all.
    The same with the provided sample data.

    Currently I'm specifying the key details as follows:
    aes_key_label = left('MY.CLEAR.KEY.V000001',64);
    rule_array_count      = '00000003'X;               
    rule_array            = 'AES     PKCS-PADKEYIDENT';
    key_identifier_length = '00000040'X;
    init_vector_length    = '00000010'X;                        
    init_vector           = '00000000000000000000000000000000'X;

    I've compared the Key check value in both environments and it matches.
    Any idea where I'm going wrong or need to look further?

    Regards,
    Eugéne



    ------------------------------
    Eugéne van Wyk
    ------------------------------



  • 5.  RE: AES/CBC/PKCS5Padding

    Posted Wed February 28, 2024 08:26 AM

    If the key check value matches but the decrypted data does not, that tells me that it's most likely the initialization vector that is causing the difference. Can you confirm what API you are using on the distributed environment and that it is using the same IV?



    ------------------------------
    Eric Rossman
    ------------------------------



  • 6.  RE: AES/CBC/PKCS5Padding

    Posted Wed February 28, 2024 09:40 AM

    Tested with both hex zeros and a null on the z/OS environment.
    On distributed environment it just makes use of the key and IV=0.

    The data and key are provided by a third party.
    On distributed the key is used with IV=0 and can successfully decrypt the provided data and encrypt the clear text provided data successfully.
    On z/OS we now have the script working and doing tests before running on the full data and already there's a conflict in the resulting encrypt/decrypt data.
    Still busy with the modification to get the full data file into the REXX script to test that as well.



    ------------------------------
    Eugéne van Wyk
    ------------------------------



  • 7.  RE: AES/CBC/PKCS5Padding

    Posted Wed February 28, 2024 09:42 AM

    Someone just pointed out that if you encrypt printable text on z/OS, it would be EBCDIC, so it would still be EBCDIC (not ASCII) when decrypted on a distributed platform, which could cause an apparent mismatch.



    ------------------------------
    Eric Rossman
    ------------------------------



  • 8.  RE: AES/CBC/PKCS5Padding

    Posted Thu February 29, 2024 08:36 AM

    Thank you for the guidance,
    We did test with conversion of the input and output to/from EBCDIC to ASCII with none of the combinations matching. But working towards adapting and making use of the REXX from UNIX where the translated data would be in the full process which will then eliminate any encoding mismatches. Hopefully it is just an encoding issue and not an issue with the key itself residing in CKDS or how it's used in the REXX.



    ------------------------------
    Eugéne van Wyk
    ------------------------------



  • 9.  RE: AES/CBC/PKCS5Padding

    Posted Thu February 29, 2024 09:14 AM

    Given that the key check values matched, I think you are correct that it is an encoding issue. I would be curious to see whether binary data can be encrypted on z/OS and decrypted correctly on distributed.

    If that fails, I suspect that the transfer of the encrypted data from one to the other is the problem.



    ------------------------------
    Eric Rossman
    ------------------------------
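
Added example (not part of the thread, and not IBM or ICSF code): a Python triage helper for the distributed side that separates the causes raised in replies 5, 7 and 9. It takes the raw bytes from an AES-CBC decrypt run with padding removal switched off (that decrypt step is assumed and not shown) and relies on the CBC property that a wrong IV garbles only the first 16-byte block. The function names are hypothetical, and `cp037` is an assumed stand-in for the z/OS code page in use.

```python
# Added example: triage of a raw AES-CBC decrypt result (padding left in place).
BLOCK = 16        # AES block size, block_size '00000010'X in the REXX call
EBCDIC = "cp037"  # assumption: stands in for the z/OS code page actually in use


def pkcs5_pad(data: bytes) -> bytes:
    """PKCS#5 padding to a 16-byte boundary, as the PKCS-PAD rule applies."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs5_unpad(raw: bytes):
    """Return the data without padding, or None when the padding is invalid."""
    if not raw or len(raw) % BLOCK:
        return None
    n = raw[-1]
    if not 1 <= n <= BLOCK or raw[-n:] != bytes([n]) * n:
        return None
    return raw[:-n]


def printable(data: bytes, codec: str) -> bool:
    """True when data is non-empty and decodes to printable text in codec."""
    try:
        return bool(data) and data.decode(codec).isprintable()
    except UnicodeDecodeError:
        return False


def triage(raw: bytes) -> str:
    """Classify the output of a no-padding CBC decrypt on the distributed side."""
    body = pkcs5_unpad(raw)
    if body is None:
        return "bad padding: wrong key, or ciphertext altered in transfer"
    for name, codec in (("ascii", "ascii"), ("ebcdic", EBCDIC)):
        if printable(body, codec):
            return name
        # CBC: a wrong IV garbles only the first block, later blocks survive.
        if printable(body[BLOCK:], codec):
            return name + ", first block damaged: IV mismatch"
    return "unreadable: binary data or another code page"


if __name__ == "__main__":
    sample = "Sample clear text"            # plaintext from the REXX example
    raw = pkcs5_pad(sample.encode(EBCDIC))  # constructed: a correct decrypt result
    print(len(raw), triage(raw))
```

A result of `ebcdic` means key, IV and transfer are all fine and only a code page conversion of the recovered text is missing; converting the ciphertext itself is never the fix.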