IBM Crypto Education Community


Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?

  • 1.  Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?

    Posted Tue January 19, 2021 08:16 PM
    Hi all,

    I am using the RANDOM number generator to generate the AES-MK within ICSF. Once the RANDOM number is generated, it gets automatically populated into the CHECKSUM menu okay.

    However, when I go to the CEX card menu (1. COPROCESSOR MGMT) and select a card to enter the Master Key and Checksum, the value does NOT auto-populate and just shows all ZEROs. Somehow I was under the impression that it would be auto-populated from the RANDOM number generator (like it was for CHECKSUM), as described in the Redbook as well as in the Knowledge Center below.

    Was this always the case?

    Thanks for your help in advance!

    from: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.csfb300/cmxenr.htm

    Fill in the panel
    1. Enter the master key type in the Key Type field.

      In this example we are entering the DES-MK master key.

    2. Enter FIRST in the Part field.
    3. Enter the two-digit checksum and the two 16-digit key values (if you did not use random number generate).

    When you end the utility panels and access the Master Key Part Entry panel, the key parts you generated are transferred automatically to the Master Key Part Entry panels. For this reason, you will not need to enter the key parts on the Master Key Part Entry panels.

    Although the key parts are automatically transferred to the Master Key Entry panels, make sure you record the random numbers and store them in a safe place. You must have these numbers in case you ever need to reenter the master key values. If you ever need to restore a master key that has been cleared for any reason, you will need the key part values.



    ------------------------------
    ALEX KIM
    IBM Z/LinuxONE Solutions Architect
    IBM Champion for Z/Blockchain
    Vicom Infinity
    New York NY
    ------------------------------

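The arithmetic behind the three panels named in the Knowledge Center excerpt above (random number generate, checksum, master key part entry), as an added example that is not part of the original post or of ICSF itself. Two rules are assumptions to verify against the ICSF Administrator's Guide for your release: that the two-digit checksum is the byte sum of the key part modulo 256, and that key parts combine by XOR; the DES-MK and AES-MK part lengths are constructed constants for the example.

```python
"""Added example, not code from the thread or from ICSF: models the random
number generate -> checksum -> master key part entry flow and shows why every
generated key part must be recorded.

Assumptions (also stated in the lead-in):
  * checksum = sum of all bytes of the key part, modulo 256, as two hex digits
  * master key parts (FIRST, MIDDLE, FINAL) combine by XOR
"""
import secrets
from typing import Iterable, List

# Key part lengths in bytes; constructed constants for this example.
KEY_PART_SIZES = {"DES-MK": 16, "AES-MK": 32}


def generate_key_part(key_type: str) -> bytes:
    """Stand-in for the RNG utility: a fresh random key part of the right length."""
    return secrets.token_bytes(KEY_PART_SIZES[key_type])


def key_part_checksum(key_part: bytes) -> str:
    """Two-hex-digit checksum: byte sum modulo 256 (assumed ICSF definition)."""
    return f"{sum(key_part) % 256:02X}"


def panel_values(key_part: bytes) -> List[str]:
    """Split a key part into 16-hex-digit groups, the way the entry panel shows it
    (the DES-MK example in the excerpt above uses two 16-digit values)."""
    h = key_part.hex().upper()
    return [h[i:i + 16] for i in range(0, len(h), 16)]


def verify_typed_entry(typed_groups: Iterable[str], typed_checksum: str) -> bytes:
    """Model of the check done when a key part and its checksum are typed by hand:
    a key part whose checksum does not match the recorded one is rejected."""
    part = bytes.fromhex("".join(typed_groups))
    if key_part_checksum(part) != typed_checksum.upper():
        raise ValueError("checksum mismatch: key part was not typed correctly")
    return part


def combine_key_parts(parts: Iterable[bytes]) -> bytes:
    """Model of how the entered parts yield the master key (XOR, assumed).
    Losing any one part makes the master key unrecoverable."""
    parts = list(parts)
    if not parts:
        raise ValueError("at least one key part is required")
    if len({len(p) for p in parts}) != 1:
        raise ValueError("all key parts must be the same length")
    result = bytes(len(parts[0]))
    for p in parts:
        result = bytes(x ^ y for x, y in zip(result, p))
    return result


def checksum_catches(original: bytes, mistyped: bytes) -> bool:
    """Whether this checksum would detect a given typing error."""
    return key_part_checksum(original) != key_part_checksum(mistyped)


def ceremony(key_type: str = "DES-MK", part_names=("FIRST", "FINAL")) -> bytes:
    """Two custodians each generate and record one part; later the master key
    is cleared and must be re-entered from those records, as the excerpt warns."""
    recorded = []
    for name in part_names:
        part = generate_key_part(key_type)
        # This is what each custodian writes down and stores safely.
        recorded.append((name, panel_values(part), key_part_checksum(part)))
    # Restore: re-enter every part from the records, checksum-verified.
    restored = [verify_typed_entry(groups, cks) for _, groups, cks in recorded]
    return combine_key_parts(restored)


if __name__ == "__main__":
    mk = ceremony("AES-MK", ("FIRST", "MIDDLE", "FINAL"))
    print(f"restored AES-MK: {len(mk) * 8} bits, checksum {key_part_checksum(mk)}")
```

The byte-sum checksum catches a single mistyped digit but not two transposed bytes (`checksum_catches` returns False for a swap), so treat it as a typing aid for the custodian, not as integrity protection for the key; confirming that the combined key is the intended one is what the master key verification pattern is for.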

  • 2.  RE: Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?

    Posted Wed January 20, 2021 09:28 AM
    Take a look at your TSO Logon Proc and how the ISPF libraries are configured, following the instructions in the ICSF Systems Programmer's Guide exactly.  Years ago, I had a similar issue, but in my case, after the random number was generated, it was not populated into either the Checksum panel or the master key entry panel.  I don't remember exactly what we had done wrong, but I think the ISPF variables were stored in the wrong place.

    ------------------------------
    Greg Boyd
    Consultant
    Mainframe Crypto
    Winchester, VA 22603
    240-772-1539
    ------------------------------



  • 3.  RE: Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?

    Posted Fri January 22, 2021 08:42 PM
    Thank you Greg!

     - I could not find any doc describing the logon proc for enabling this yet (our sysprog says everything looks fine). The RANDOM to CHECKSUM auto-population DOES work, though (it has been working from the beginning). We opened a support ticket, and support said it is not supposed to pre-populate, something about protecting the key value from someone stealing it, so I'm not sure whether it was a recent change. I do see this pre-population mentioned in both the Redbook and some of the key PPTs out there online (at least 3~4 years old), so I wanted to check whether auto-population from RANDOM to CHECKSUM to MASTER KEY ENTRY is still valid behavior or not.



    ------------------------------
    ALEX KIM
    IBM Z/LinuxONE Solutions Architect
    IBM Champion for Z/Blockchain
    Vicom Infinity
    New York NY
    ------------------------------



  • 4.  RE: Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?

    Posted Sat January 23, 2021 07:57 AM
    I just checked one of the systems that I have access to and it works as you described.  The random number is 'remembered' from the RNG panel to the Checksum panel, but not to the Master Key Entry panel.  This system is very current and I don't know when things changed.

    Back when I was first getting started with crypto, one of the POK folks did a presentation at Share, where they showed the behavior you expected ... random numbers were remembered from the RNG panel to the checksum panel to the key entry panel.  I was in the back of the room getting excited, because that was not the way it worked on my systems!  After the session we talked and she confirmed that was the way it was supposed to work, and that had been a relatively recent 'fix' based on a request from a customer.  I disagreed with the fix, because I didn't like the idea of my key material being stored as an ISPF variable.  However, in retrospect, whether it was remembered on a panel or not, I suspect it was (and still is) in an ISPF variable.  

    I later went back and looked at the TSO Logon proc and confirmed that mine was not set up as documented in the ICSF SPG.  I don't remember what the issue was, but by modifying it to match the SPG, I did get the same behavior that she had described.  There is a section in the SPG:  'Steps to provide access to the ICSF panels'.

    I like this new behavior (of not remembering my key part), but it does mean I have to do more typing!
    Greg


    ------------------------------
    Greg Boyd
    Consultant
    Mainframe Crypto
    Winchester, VA 22603
    240-772-1539
    gregboyd@mainframecrypto.com
    ------------------------------



  • 5.  RE: Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?

    Posted Mon January 25, 2021 12:19 PM
    Thanks Greg for confirming the behavior of the panel! 

    I agree as well that this is a better way to protect against any potential exposure of Master Key information. As this pandemic goes on beyond our hopes, the challenges of using TKE for traditional key ceremonies have been raised (some data centers can't even allow more than one person in the facility, let alone traveling to one location), and rotating the master key over a virtual environment is coming up more frequently than before.

    Thanks a lot,

    ------------------------------
    ALEX KIM
    IBM Z/LinuxONE Solutions Architect
    IBM Champion for Z/Blockchain
    Vicom Infinity
    New York NY
    ------------------------------