Keys - IBM z13s Technical Manual

When using a secret encryption method, it is possible that a back door has been designed
into it.
If an algorithm is public, many experts can form an opinion about it, and the method can
be more thoroughly investigated for potential weaknesses and vulnerabilities.

6.2.3 Keys

The keys that are used for the cryptographic algorithms usually are sequences of numbers
and characters, but can also be any other sequence of bits. The length of a key influences the
security of the cryptographic method. The longer the used key, the harder it is to compromise
a cryptographic algorithm. The prominent symmetric cryptographic algorithm DES uses keys
with a length of 56 bits. Triple-DES (TDES) uses keys with a length of 112 bits, and the
Advanced Encryption Standard (AES) uses keys with a length of 128, 192 or 256 bits. The
asymmetric RSA algorithm (named after its inventors Rivest, Shamir, and Adleman) uses
keys with a length of 1024 - 4096 bits.
As already mentioned, in modern cryptography keys must be kept secret. Depending on the
effort that is made to protect the key, keys are classified in three levels:
clear key
A
function. The key value is stored in the clear, at least briefly, somewhere in unprotected
memory areas, so under certain circumstances the key can be exposed by someone
accessing this memory area. This risk must be considered when using clear keys.
However, there are many applications where this risk can be accepted. For example, the
transaction security for the widely used encryption methods Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) is based on clear keys.
The value of a
applications or users. The key value does not exist outside of the physical hardware,
although the hardware might not be tamper-resistant. The principle of protected keys is
unique to z Systems and is explained in more detail in 6.4.2, "CPACF protected key" on
page 209.
For a
called an HSM, which must be secure and tamper-resistant. A secure key is protected
from disclosure and misuse, and can be used for the trusted execution of cryptographic
algorithms on highly sensitive data. If used and stored outside of the HSM, a secure key
must be encrypted with a
the HSM.
202
IBM z13s Technical Guide
is a key that is transferred from the application in clear to the cryptographic
protected key
is only stored in clear in memory areas that cannot be read by
secure key
, the key value does not exist in clear outside of a special hardware device,
master key
, which is created within the HSM and never leaves