
Chapter 5. Encryption Services to Encryption Services or the Decryption Client

5.4 Encryption and decryption using RSA protection of data-encrypting key

When the PASSWORD option is not used, the dynamically generated data encryption key is protected by RSA encryption. In this section, we provide examples of the use of RSA to protect the data key.

5.4.1 Contents of the statistics report for encryption and decryption

Several reports are shown in this section, demonstrating a selection of options for encryption and decryption with RSA key protection of the data-encrypting key. The figures below show the statistics reports for encryption and decryption in these cases:

 System z9, ENCTDES, RSA with 2048-bit key. See Figure 5-9 and Figure 5-10 on page 67.

 System z9, CLRAES128, RSA with 2048-bit key. See Figure 5-11 on page 67 and Figure 5-12 on page 67.

 zSeries 900, ENCTDES, RSA with 1024-bit key. See Figure 5-13 on page 68 and Figure 5-14 on page 68.

 zSeries 900, CLRTDES, RSA with 1024-bit key. See Figure 5-15 on page 68 and Figure 5-16 on page 69.

Figure 5-9 Encryption with RSA (2048) and ENCTDES on z9

CSDFILEN Encryption Utility 08/08/2006 (MM/DD/YYYY) 10:29:22 (HH:MM:SS)
INPUT: DESC='Lennies test case with rsa keys'
INPUT: ENCTDES
INPUT: RSA=ITSOLD.TEST.RSA2048
CSDFILEN: RSA-PUB : ITSOLD.TEST.RSA2048
INPUT: LRECL 80 BLKSIZE 27920 RECFM FB
OUTPUT: BLKSIZE 27998
ENCRYPTION OF DATA: ENCRYPTED TDES KEY USING CRYPTO COPROCESSOR
RECORDS READ: 231 WRITTEN: 1
BYTES READ: 18,480 BYTES WRITTEN: 20,336 WITH HEADER AND PAD
CIPHER TIMES (IN SECONDS): HIGH: 0.000235 DATA: 19872 LOW: 0.000235 DATA: 19872
TOTAL CIPHER TIME (IN SECONDS): 0.000235 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.02

Figure 5-10 Decryption with RSA (2048) and ENCTDES on z9

CSDFILDE Decryption Utility 08/08/2006 (MM/DD/YYYY) 10:29:22 (HH:MM:SS)
CSDFILDE: HEADER VERSION : 1
CSDFILDE: RSA-PUB : ITSOLD.TEST.RSA2048
INPUT: DESC = Lennies test case with rsa keys
INPUT: LRECL 80 BLKSIZE 27920 RECFM FB
INPUT: RSA=ITSOLD.TEST.RSA2048
RECORDS READ: 1 WRITTEN: 231
BYTES READ: 20,410 BYTES RECOVERED: 18,480
CIPHER TIMES (IN SECONDS): HIGH: 0.000287 DATA: 27536 LOW: 0.000287 DATA: 27536
TOTAL CIPHER TIME (IN SECONDS): 0.000287 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.03

Figure 5-11 Encryption with RSA (2048) and CLRAES128 on z9

CSDFILEN Encryption Utility 08/08/2006 (MM/DD/YYYY) 10:29:22 (HH:MM:SS)
INPUT: DESC='Lennies test case with rsa keys'
INPUT: CLRAES128
INPUT: RSA=ITSOLD.TEST.RSA2048
CSDFILEN: RSA-PUB : ITSOLD.TEST.RSA2048
INPUT: LRECL 80 BLKSIZE 27920 RECFM FB
OUTPUT: BLKSIZE 27998
ENCRYPTION OF DATA: CLEAR AES KEY USING CPACF
RECORDS READ: 231 WRITTEN: 1
BYTES READ: 18,480 BYTES WRITTEN: 20,336 WITH HEADER AND PAD
CIPHER TIMES (IN SECONDS): HIGH: 0.000071 DATA: 19872 LOW: 0.000071 DATA: 19872
TOTAL CIPHER TIME (IN SECONDS): 0.000071 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.02

Figure 5-12 Decryption with RSA (2048) and CLRAES128 on z9

CSDFILDE Decryption Utility 08/08/2006 (MM/DD/YYYY) 10:29:23 (HH:MM:SS)
CSDFILDE: HEADER VERSION : 1
CSDFILDE: RSA-PUB : ITSOLD.TEST.RSA2048
INPUT: DESC = Lennies test case with rsa keys
INPUT: LRECL 80 BLKSIZE 27920 RECFM FB
INPUT: RSA=ITSOLD.TEST.RSA2048
RECORDS READ: 1 WRITTEN: 231
BYTES READ: 20,390 BYTES RECOVERED: 18,480
CIPHER TIMES (IN SECONDS): HIGH: 0.000091 DATA: 27536 LOW: 0.000091 DATA: 27536
TOTAL CIPHER TIME (IN SECONDS): 0.000091 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.02

Figure 5-13 Encryption with RSA (1024) and ENCTDES on z900

CSDFILEN Encryption Utility 08/08/2006 (MM/DD/YYYY) 18:04:16 (HH:MM:SS)
INPUT: DESC='Lennies test case with rsa keys'
INPUT: ENCTDES
INPUT: RSA=LENNIE.TEST.RSA1024
CSDFILEN: RSA-PUB : LENNIE.TEST.RSA1024
INPUT: LRECL 256 BLKSIZE 6233 RECFM VB
OUTPUT: BLKSIZE 27998
ENCRYPTION OF DATA: ENCRYPTED TDES KEY USING CRYPTO COPROCESSOR
RECORDS READ: 74 WRITTEN: 1
BYTES READ: 18,776 BYTES WRITTEN: 19,400 WITH HEADER AND PAD
CIPHER TIMES (IN SECONDS): HIGH: 0.000794 DATA: 18936 LOW: 0.000794 DATA: 18936
TOTAL CIPHER TIME (IN SECONDS): 0.000794 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.27

Figure 5-14 Decryption with RSA (1024) and ENCTDES on z900

CSDFILDE Decryption Utility 08/08/2006 (MM/DD/YYYY) 18:04:16 (HH:MM:SS)
CSDFILDE: RSA-PUB : LENNIE.TEST.RSA1024
INPUT: DESC = Lennies test case with rsa keys
INPUT: LRECL 256 BLKSIZE 6233 RECFM VB
INPUT: RSA=LENNIE.TEST.RSA1024
RECORDS READ: 1 WRITTEN: 74
BYTES READ: 19,400 BYTES RECOVERED: 18,776
CIPHER TIMES (IN SECONDS): HIGH: 0.001102 DATA: 27536 LOW: 0.001102 DATA: 27536
TOTAL CIPHER TIME (IN SECONDS): 0.001102 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.11

Figure 5-15 Encryption with RSA (1024) and CLRTDES on z900

CSDFILEN Encryption Utility 08/08/2006 (MM/DD/YYYY) 18:04:16 (HH:MM:SS)
INPUT: DESC='Lennies test case with rsa keys'
INPUT: CLRTDES
INPUT: RSA=LENNIE.TEST.RSA1024
CSDFILEN: RSA-PUB : LENNIE.TEST.RSA1024
INPUT: LRECL 256 BLKSIZE 6233 RECFM VB
OUTPUT: BLKSIZE 27998
ENCRYPTION OF DATA: CLEAR TDES KEY USING CCF
RECORDS READ: 74 WRITTEN: 1
BYTES READ: 18,776 BYTES WRITTEN: 19,400 WITH HEADER AND PAD
CIPHER TIMES (IN SECONDS): HIGH: 0.000846 DATA: 18936 LOW: 0.000846 DATA: 18936
TOTAL CIPHER TIME (IN SECONDS): 0.000846 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.14

Figure 5-16 Decryption with RSA (1024) and CLRTDES on z900

CSDFILDE Decryption Utility 08/08/2006 (MM/DD/YYYY) 18:04:17 (HH:MM:SS)
CSDFILDE: RSA-PUB : LENNIE.TEST.RSA1024
INPUT: DESC = Lennies test case with rsa keys
INPUT: LRECL 256 BLKSIZE 6233 RECFM VB
INPUT: RSA=LENNIE.TEST.RSA1024
RECORDS READ: 1 WRITTEN: 74
BYTES READ: 19,400 BYTES RECOVERED: 18,776
CIPHER TIMES (IN SECONDS): HIGH: 0.001093 DATA: 27536 LOW: 0.001093 DATA: 27536
TOTAL CIPHER TIME (IN SECONDS): 0.001093 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.09

5.4.2 Multiple RSA key support

With the use of RSA keys for the protection of the data-encrypting key comes another facility. It is possible to specify up to 16 RSA keys to be used when the data is encrypted; that is, the same encrypted data can be sent to up to 16 different recipients. In this case, the data is still encrypted under the same data-encrypting key, but multiple copies of the data-encrypting key are encrypted, each one with one of the RSA public keys.

This increases the length of the header block, which now contains the multiple encrypted versions of the data key.

If more than one RSA key is specified when the data is encrypted, it is mandatory to specify one RSA key label at decryption time.

Table 5-1 shows the available options.

Table 5-1 Specification of the RSA key parameter

CSDFILEN Encrypt: 1 RSA key label specified

 CSDFILDE Decrypt, no RSA key specified: Uses the label used at encryption time (taken from the header record) to reference the PKDS private key to use.

 CSDFILDE Decrypt, 1 RSA key specified: Uses the label specified at decryption time to reference the PKDS private key to use.

CSDFILEN Encrypt: more than 1 RSA key label specified at encryption

 CSDFILDE Decrypt, no RSA key specified: Fails with message: “**ERROR** EITHER THE PASSWORD= OR RSA= IS REQUIRED”

 CSDFILDE Decrypt, 1 RSA key specified: Uses the label specified at decryption time to reference the PKDS private key to use. Uses a specific logic to determine the header record entry to use. See the second note.

Notes

 Multiple RSA keys specified at decryption time result in the message “**ERROR** SPECIFY ONE OF RSA/PASSWORD ONLY”.

 When multiple RSA keys are specified for CSDFILEN, a table is built in the header record listing all the RSA public key labels that have been used to encrypt the data key. Each entry in the table also contains the data-encrypting key encrypted with the designated RSA public key.

A tag is also stored in each entry of the table. It consists of a known string encrypted with the entry’s RSA public key. At decryption time, CSDFILDE uses the public key specified by the RSA parameter to encrypt the same known string and compares the result with each tag in the table. A match indicates which encrypted data-encrypting key entry is to be decrypted with the corresponding RSA private key.

In Figure 5-17 and in Figure 5-18 on page 71 you can see the resulting statistics report. Note that the key label used in CSDFILDE does not exactly match the name of any key label used during the CSDFILEN execution. However, CSDFILDE has worked out which version of the RSA-encrypted data key to use.

Figure 5-17 Encryption with RSA (2048) and ENCTDES, multiple RSA keys on z9

CSDFILEN Encryption Utility 08/08/2006 (MM/DD/YYYY) 13:04:30 (HH:MM:SS)
INPUT: DESC='Lennies test case with rsa keys'
INPUT: ENCTDES
INPUT: RSA=ITSOLD.TEST.RSA2048
INPUT: RSA=ITSOLD.TEST.RSA2048.COPY1
INPUT: RSA=ITSOLD.TEST.RSA2048.COPY2
CSDFILEN: RSA-PUB : ITSOLD.TEST.RSA2048
CSDFILEN: RSA-PUB : ITSOLD.TEST.RSA2048.COPY1
CSDFILEN: RSA-PUB : ITSOLD.TEST.RSA2048.COPY2
INPUT: LRECL 80 BLKSIZE 27920 RECFM FB
OUTPUT: BLKSIZE 27998
ENCRYPTION OF DATA: ENCRYPTED TDES KEY USING CRYPTO COPROCESSOR
RECORDS READ: 231 WRITTEN: 1
BYTES READ: 18,480 BYTES WRITTEN: 21,372 WITH HEADER AND PAD
CIPHER TIMES (IN SECONDS): HIGH: 0.000243 DATA: 19872 LOW: 0.000243 DATA: 19872
TOTAL CIPHER TIME (IN SECONDS): 0.000243 CIPHERS: 1
TOTAL ELAPSED TIME: 0:00:00.42

Figure 5-18 Decryption with RSA (2048) and ENCTDES on z9
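The following Python model of the multiple-key header table and the tag lookup described in the notes on Table 5-1 is an added example, not code from this Redbook or from the Encryption Facility. It uses textbook RSA over constructed toy Mersenne-prime keys in place of the crypto coprocessor and PKDS; the key labels come from Figure 5-17, while KNOWN_STRING, KEYSTORE and the function names are assumptions. The comparison works because raw RSA is deterministic: the same known string under the same public key always yields the same tag, so an entry is matched by key material rather than by label text.

```python
"""Toy model of the CSDFILEN/CSDFILDE multiple-RSA-key header table (added example)."""
E = 65537
KNOWN_STRING = b"CSDFILDE-TAG"  # constructed stand-in for the utility's known string

def make_key(p, q):
    """Textbook RSA key pair ((n, e), (n, d)) from toy primes; NOT secure."""
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def rsa(x, key):
    """Raw RSA: deterministic, so equal inputs under equal keys give equal tags."""
    return pow(x, key[1], key[0])

def to_int(b):
    return int.from_bytes(b, "big")

# Constructed toy keystore standing in for the PKDS: label -> (public, private).
# Mersenne primes keep each modulus above the 128-bit DEK and the tag string.
KEYSTORE = {
    "ITSOLD.TEST.RSA2048": make_key(2**61 - 1, 2**89 - 1),
    "ITSOLD.TEST.RSA2048.COPY1": make_key(2**107 - 1, 2**127 - 1),
    "ITSOLD.TEST.RSA2048.COPY2": make_key(2**31 - 1, 2**521 - 1),
}

def build_header(dek, labels, keystore=KEYSTORE):
    """CSDFILEN side: one entry per RSA= label, the same DEK wrapped under each key."""
    return [{"label": lab,
             "wrapped_dek": rsa(to_int(dek), keystore[lab][0]),
             "tag": rsa(to_int(KNOWN_STRING), keystore[lab][0])} for lab in labels]

def select_entry(header, rsa_labels, keystore=KEYSTORE):
    """CSDFILDE side: apply the Table 5-1 rules and pick the header entry to use."""
    if len(rsa_labels) > 1:
        raise ValueError("**ERROR** SPECIFY ONE OF RSA/PASSWORD ONLY")
    if not rsa_labels:
        if len(header) > 1:
            raise ValueError("**ERROR** EITHER THE PASSWORD= OR RSA= IS REQUIRED")
        return header[0]  # single entry: its label is taken from the header record
    want = rsa(to_int(KNOWN_STRING), keystore[rsa_labels[0]][0])  # recompute the tag
    for entry in header:
        if entry["tag"] == want:  # matched on key material, not on the label text
            return entry
    raise ValueError("no header entry matches the specified RSA key")

def recover_dek(header, rsa_labels, keystore=KEYSTORE, dek_len=16):
    """Unwrap the DEK from the selected entry with the matching PKDS private key."""
    entry = select_entry(header, rsa_labels, keystore)
    label = rsa_labels[0] if rsa_labels else entry["label"]
    return rsa(entry["wrapped_dek"], keystore[label][1]).to_bytes(dek_len, "big")
```

Registering the same public key under a different label in the decryption-side keystore still selects the right entry, which is the behaviour the text reports for the label mismatch between CSDFILEN and CSDFILDE.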