Security and Cryptography
The fundamental security architecture of z/OS is built around the System Authorization Facility (SAF), the core interface used by z/OS components to validate access to resources. This comprehensive security model includes advanced cryptographic capabilities and pervasive encryption.
Questions & Answers
1. How does z/OS handle security?
The fundamental security architecture of z/OS is built around the System Authorization Facility (SAF), the core interface used by z/OS components to validate access to resources. While SAF provides the interface, it is designed to work with an external security manager. The Resource Access Control Facility (RACF) is the IBM security product that integrates with SAF to provide access control, user identification and verification, and protection for installation-defined resources, forming a comprehensive security layer for the entire system.
2. What is pervasive encryption on IBM Z?
Pervasive encryption is a capability integrated throughout the IBM z14 stack—including hardware, the operating system, and middleware—designed to enable the bulk encryption of sensitive business data. This encryption is transparent to applications and does not require code changes. The goal of pervasive encryption is to decouple data classification from the encryption process, allowing organizations to protect all digital assets and simplify the complex task of regulatory compliance.
3. What cryptographic hardware is available on IBM Z?
IBM Z platforms include specialized hardware to accelerate and secure cryptographic operations:
• **CPACF**: The Central Processor Assist for Cryptographic Function (CPACF) is a feature on all general-purpose processors that performs hashing, random number generation, and symmetric cryptography using clear keys and protected keys. The performance of CPACF on the IBM z14 is six times faster than on the IBM z13, making pervasive encryption feasible at an enterprise scale.
• **Crypto Express**: This feature performs secure key symmetric and asymmetric cryptography, with models including the Crypto Express6S available on z14 and Crypto Express5S available on z13. It can be configured as a CCA cryptographic coprocessor, as an accelerator, or as a PKCS #11 cryptographic coprocessor to handle complex operations where key material must be protected within a tamper-responding hardware boundary.
4. What is the difference between symmetric and asymmetric cryptography?
Cryptography is divided into two main types based on how keys are used:
• **Symmetric cryptography**, also known as "secret key" cryptography, uses the same key to both encrypt and decrypt data. For the data to remain secure, this single key must be kept secret and shared securely only between authorized parties.
• **Asymmetric cryptography**, also known as "public key" cryptography, uses a mathematically related pair of keys: a public key and a private key. The public key is used to encrypt data, while only the corresponding private key can be used to decrypt it, allowing the public key to be shared openly.
5. How does z/OS manage cryptographic keys?
The z/OS Integrated Cryptographic Service Facility (ICSF) is the component that manages cryptographic keys through three key data sets: the Cryptographic Key Data Set (CKDS), the PKA Cryptographic Key Data Set (PKDS), and the Token Data Set (TKDS). Keys stored in the CKDS and PKDS are themselves encrypted by master keys (DES, AES, RSA, and ECC). For maximum security, these master keys are stored in registers within the tamper-responding Crypto Express hardware, ensuring they are never exposed in the clear outside the cryptographic boundary.