
CCM06 Step-by-Step Guide to Master Key Management

The key takeaways are that master keys are used to encrypt other cryptographic keys, should be changed periodically, and are stored securely in hardware. Different master keys exist to protect different types of keys like DES, AES, RSA, and PKCS #11 keys.

Master keys are used to encrypt other sensitive cryptographic keys that are active on the system. They protect keys like DES, AES, RSA, ECC and PKCS #11 keys.

Master keys are stored securely in hardware on the cryptographic feature/device. They are only used to encrypt and decrypt other keys for protection.

Step-By-Step Guide to Master Key Management Using ICSF


Eysha S. Powers
Enterprise Cryptography, IBM
CCM06
Master Keys

Master Keys are used to protect sensitive cryptographic keys that are active on your system.
Master Keys are stored in secure hardware in the cryptographic feature.
Master Keys are used only to encipher and decipher keys.
Master Keys should be changed periodically.
All Master Keys are optional. Load the Master Keys that you need for your environment.

Master Key   Key Size             Protects
DES-MK       16-byte or 24-byte   DES keys
AES-MK       32-byte              AES and HMAC keys
RSA-MK       24-byte              RSA private keys
ECC-MK       32-byte              ECC and RSA keys
P11-MK       32-byte              PKCS #11 keys

Background

• ICSF is installed
• Crypto Express cards are installed
• Key Data Sets are allocated
• Key Data Sets are defined in CSFPRMxx
• ICSF is started

Recommended Reading: Cryptographic Services Integrated Cryptographic Service Facility Administrator’s Guide

The To-Do List…

Step 1: Generate a random number for the AES Master Key Part
Step 2: Generate a checksum for the AES Master Key Part
Step 3: Load the first AES Master Key Part
Step 4: Repeat Steps 1 - 3 for the desired number of middle key parts
Step 5: Load the final AES Master Key Part
Step 6: Initialize the CKDS
Step 7: Verify the AES Master Key is Active

[Flow diagram: Generate Random Number (Step 1) → Generate Checksum (Step 2) → Load Master Key Part (Step 3) → Load Final Master Key Part (Step 5) → Initialize CKDS (Step 6) → Verify the AES MK is Active (Step 7); Step 4 repeats Steps 1 - 3]

Step 1: Generate a random number for the AES Master Key Part (1 of 7)

From the ICSF Panels, choose Option 5 - Utility


Step 1: Generate a random number for the AES Master Key Part (2 of 7)

Choose Option 3 - Random


Step 1: Generate a random number for the AES Master Key Part (3 of 7)

View the Random Number Generator (RNG) Panel


Step 1: Generate a random number for the AES Master Key Part (4 of 7)

Press the <F1> key for Help


Step 1: Generate a random number for the AES Master Key Part (5 of 7)

Press <F3> to return to the RNG Panel


Step 1: Generate a random number for the AES Master Key Part (6 of 7)

Leave “RANDOM” and press <ENTER>

Save these values securely!

What do you mean by “save these values securely”?

• Master Keys are high value keys that must be protected.
  – Loading Master Keys on a panel means that the key is viewable to passersby!
  – The most secure way to load a Master Key is to use the TKE Workstation with smart cards
• The P11 Master Key may ONLY be loaded using a TKE Workstation.
• If you plan to use the PPINIT or the Master Key Entry panels to manage Master Keys, consider how you would save the key material for future re-entry (e.g. new Crypto Express adapter, disaster recovery).
• For disaster recovery, the same Master Keys must be loaded onto the backup system.

Option: Print Screen
  Details: Use a Print Screen key or tool to capture the screen
  Pros: Sensitive material can be immediately printed and stored in envelopes in a locked safe. No need to save on a local machine or USB stick.
  Cons: Cannot use copy / paste to re-enter key material

Option: Removable Storage Media
  Details: Copy and paste key material to a text file that is saved on a secure storage device (e.g. USB stick).
  Pros: Easy to copy / paste the key material to the panels for re-entry.
  Cons: The key material is only as secure as the storage media.

Other Ideas?

Step 1: Generate a random number for the AES Master Key Part (7 of 7)

Press <F3> to return to the Utilities Panel


Step 2: Generate a checksum for the AES Master Key Part (1 of 9)

Choose Option 4 - Checksum


Step 2: Generate a checksum for the AES Master Key Part (2 of 9)

View the Checksum Panel

Pre-populated from the RNG panel!


Step 2: Generate a checksum for the AES Master Key Part (3 of 9)

Press <F1> for Help


Step 2: Generate a checksum for the AES Master Key Part (4 of 9)

Choose Option 1 for Key Type


Step 2: Generate a checksum for the AES Master Key Part (5 of 9)

View the possible key type values and lengths


Step 2: Generate a checksum for the AES Master Key Part (6 of 9)

Press <F3> to return to the Checksum Panel


Step 2: Generate a checksum for the AES Master Key Part (7 of 9)

Type “AES-MK” for the key type and hit <ENTER>

Full 32 bytes (AES-MK length)

Checksum for MK Entry; VP for verification

Save all values securely!

Step 2: Generate a checksum for the AES Master Key Part (8 of 9)

Press <F3> to return to the Utility Panel


Step 2: Generate a checksum for the AES Master Key Part (9 of 9)

Press <F3> to return to the Main ICSF Panel


Step 3: Load the AES Master Key Part (1 of 12)

Choose Option 1 – Coprocessor Mgmt


Step 3: Load the AES Master Key Part (2 of 12)

View the Coprocessor Management Panel


Step 3: Load the AES Master Key Part (3 of 12)

Press <F1> for Help, scroll down (i.e. press <ENTER>) to see the Master Key State definitions
Step 3: Load the AES Master Key Part (4 of 12)

Press <F3> to return to the Coprocessor Mgmt Panel


Step 3: Load the AES Master Key Part (5 of 12)

Type “s” next to both crypto features to view status


Step 3: Load the AES Master Key Part (6 of 12)

View the coprocessor hardware status panel


Step 3: Load the AES Master Key Part (7 of 12)

Press <F3> to return to the Coprocessor Mgmt Panel


Step 3: Load the AES Master Key Part (8 of 12)

Type “e” next to both crypto features to enter key parts


Step 3: Load the AES Master Key Part (9 of 12)

View the Master Key Entry panel

Pre-populated from checksum panel!


Step 3: Load the AES Master Key Part (10 of 12)

Enter “AES-MK” for key type and “FIRST” for part.

Pre-populated from checksum panel!


Step 3: Load the AES Master Key Part (11 of 12)

Enter “AES-MK” for key type and “FIRST” for part.


Step 3: Load the AES Master Key Part (12 of 12)

Check the new master key register status is PART FULL

Successful!

VP should match the checksum panel

Step 4: Repeat Steps 1 - 3 for the desired number of key parts

Repeat the steps for each intermediate AES Master Key Part. Each key custodian would generate and
load (and securely save) their individual key part.

1. Generate a random key (and save the results)
   – ICSF Option 5.3
2. Generate a checksum, VP (and save the results)
   – ICSF Option 5.4
3. Load the key part into the new master key register
   – ICSF Option 1.e (with part MIDDLE)

After all intermediate key parts have been generated and saved…
Step 5: Load the final AES Master Key Part (1 of 9)

Choose Option 1 - Coprocessor Mgmt Panel


Step 5: Load the final AES Master Key Part (2 of 9)

Type “e” next to both crypto features to enter the final key part
Step 5: Load the final AES Master Key Part (3 of 9)

View the Master Key Entry Panel


Step 5: Load the final AES Master Key Part (4 of 9)

Enter “AES-MK” for key type and “FINAL” for part.


Step 5: Load the final AES Master Key Part (5 of 9)

Check the new master key register status is FULL

Successful!
Step 5: Load the final AES Master Key Part (6 of 9)

Scroll down to verify the final Master Key VP.

Entered key part VP should match the checksum panel

Step 5: Load the final AES Master Key Part (7 of 9)

Press <F3> to return to the Coprocessor Mgmt Panel


Step 5: Load the final AES Master Key Part (8 of 9)

Type “s” next to both crypto features to view status


Step 5: Load the final AES Master Key Part (9 of 9)

View the coprocessor hardware status panel

Save the final Master Key VP (MKVP) value

Step 6: Initialize the CKDS (1 of 6)

Choose Option 2 – KDS Management


Step 6: Initialize the CKDS (2 of 6)

Choose Option 1 – CKDS Management


Step 6: Initialize the CKDS (3 of 6)

Choose Option 1 – CKDS Operations


Step 6: Initialize the CKDS (4 of 6)

Type in your CKDS data set name and choose Option 1


Step 6: Initialize the CKDS (5 of 6)

Check the status message

Success
Step 6: Initialize the CKDS (6 of 6)

Look for the MVS Console messages…


Step 7: Verify the AES Master Key is Active (1 of 6)

Choose Option 1 – Coprocessor Mgmt


Step 7: Verify the AES Master Key is Active (2 of 6)

View the Master Key Status


Step 7: Verify the AES Master Key is Active (3 of 6)

Press <F1> for Help, scroll down (i.e. press <ENTER>) to see the Master Key State definitions
Step 7: Verify the AES Master Key is Active (4 of 6)

Press <F3> to return to the Coprocessor Mgmt Panel


Step 7: Verify the AES Master Key is Active (5 of 6)

Type “s” next to both crypto features to view status


Step 7: Verify the AES Master Key is Active (6 of 6)

For the AES Master Key…


• The New Master Key register has become EMPTY.
• The Current Master Key register has become VALID.
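
The register behaviour that Steps 1 to 5 walk through, as an added Python sketch that is not part of the original slides and is not ICSF code: each custodian's 32-byte part is checked against its saved VP and then exclusive-ORed into the new master key register, which moves from EMPTY to PART FULL to FULL. Assumptions: the class and function names are hypothetical, the VP here is a truncated SHA-256 stand-in rather than ICSF's verification pattern algorithm, and the strict FIRST/MIDDLE/FINAL ordering check is a simplification.

```python
# Added illustration: a toy model of the new master key register, not ICSF code.
import hashlib
import secrets

AES_MK_LEN = 32  # AES-MK key parts are 32 bytes (from the table on this page)


def verification_pattern(key: bytes) -> str:
    """Stand-in VP: truncated SHA-256. ASSUMPTION, not ICSF's VP algorithm."""
    return hashlib.sha256(b"\x01" + key).hexdigest()[:16].upper()


class NewMasterKeyRegister:
    """Tracks EMPTY -> PART FULL -> FULL as FIRST/MIDDLE/FINAL parts load."""

    def __init__(self):
        self.state = "EMPTY"
        self._value = bytes(AES_MK_LEN)

    def load_part(self, part: str, key_hex: str, saved_vp: str) -> str:
        if part not in ("FIRST", "MIDDLE", "FINAL"):
            raise ValueError("unknown part type")
        key_part = bytes.fromhex(key_hex)
        if len(key_part) != AES_MK_LEN:
            raise ValueError("AES-MK key part must be 32 bytes")
        # Catch a mistyped or mis-restored part before it reaches the register.
        if verification_pattern(key_part) != saved_vp:
            raise ValueError("entered key part VP does not match the saved VP")
        if part == "FIRST" and self.state != "EMPTY":
            raise ValueError("FIRST requires an EMPTY register")
        if part != "FIRST" and self.state != "PART FULL":
            raise ValueError(part + " requires a PART FULL register")
        # Parts are combined by exclusive-OR, so no single custodian holds the key.
        self._value = bytes(a ^ b for a, b in zip(self._value, key_part))
        self.state = "FULL" if part == "FINAL" else "PART FULL"
        return self.state

    def master_key_vp(self) -> str:
        """The value to record as the final Master Key VP once FULL."""
        if self.state != "FULL":
            raise ValueError("register is not FULL")
        return verification_pattern(self._value)


def custodian_generates_part():
    """Steps 1-2: a random 32-byte part plus the VP the custodian saves."""
    part = secrets.token_bytes(AES_MK_LEN)
    return part.hex().upper(), verification_pattern(part)
```

A failed VP check leaves the register state unchanged, which is the property that makes re-entry from saved key parts safe to retry during disaster recovery.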
IBM Crypto Education Community
https://www.ibm.com/developerworks/community/groups/community/crypto

Additional Master Key Management Materials


https://ibm.biz/BdiKRz
©2017 Vanguard Integrity Professionals, Inc.