Slide 1

Slide 1 text

Advanced Crypto Service Provider – Cryptography as a Service
Warsaw, 16 March 2015
Błażej Pawlak
Crypto Competence Center, Copenhagen @ IBM Denmark

Slide 2

Slide 2 text

IBM 4765 PCIe Cryptographic Coprocessor

Slide 3

Slide 3 text

Problem

No way to remotely and securely access strong hardware cryptography on API and web service levels.

Slide 4

Slide 4 text

Solution

• System in client–server architecture, where the server on behalf of the client communicates with the cryptographic coprocessor.

Diagram: ACSP client, connected over TLS to ACSP servers.

Slide 5

Slide 5 text

Solution

• RESTful service with simple API – “zCloud ACSP REST service”

Diagram: REST client, connected over TLS to ACSP client, connected over TLS to ACSP servers.

Slide 6

Slide 6 text

Architecture diagram

Zone labels: INSECURE ZONE PUBLIC ZONE BLUE SECURE ZONE RED

• HTTPS TLS connection
  – Client & server mutual authentication
• iOS device with Touch ID
  – Touch ID on iOS 8
• TCP TLS connection
  – Client & server mutual authentication
• ACSP REST Service
  – z/OS, AIX, Linux, Windows
  – WebSphere Liberty Core profile
  – ACSP client
• ACSP Servers with cryptographic hardware
  – z/OS, AIX, Linux, z/Linux
  – ACSP server
  – CEX2, 4764, CEX3, CEX4S, CEX5S, 4765

Slide 7

Slide 7 text

Key features

• Remote access to strong and secure hardware IBM cryptography.
• Symmetric key cryptography – encryption and decryption (in this demo AES)
• Hash generation and verification (SHA function).
• Generation and verification of a digital signature (in PoC)

Slide 8

Slide 8 text

Benefits

• Remote access to strong and secure hardware IBM cryptography.
• Cost efficient use of existing cryptographic adapters.

Slide 9

Slide 9 text

iOS ACSP REST Demo
Message encryption with iPhone 6

Slide 10

Slide 10 text

Architecture diagram (with numbered callouts 5 4 3 2 1)

Zone labels: INSECURE ZONE PUBLIC ZONE BLUE SECURE ZONE RED

• HTTPS TLS connection
  – Client & server mutual authentication
• iOS device with Touch ID
  – Touch ID on iOS 8
• TCP TLS connection
  – Client & server mutual authentication
• ACSP REST Service
  – z/OS, AIX, Linux, Windows
  – WebSphere Liberty Core profile
  – ACSP client
• ACSP Servers with cryptographic hardware
  – z/OS, AIX, Linux, z/Linux
  – ACSP server
  – CEX2, 4764, CEX3, CEX4S, CEX5S, 4765

Slide 11

Slide 11 text

Key features

• Remote access to strong and secure hardware IBM cryptography.
• Symmetric key cryptography – encryption and decryption (in this demo AES)
• Hash generation and verification (SHA function).
• Generation and verification of a digital signature (in PoC)

Slide 12

Slide 12 text

Q&A?

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

REST client – server connection

1. Client protocol [cca] instantiated
2. Connecting [ssl on 127.0.0.1:-1] to [192.168.77.200:8994]
3. ACSP01250I Created TLS/SSL connection to [192.168.77.200:8994] using cipher suite [SSL_RSA_WITH_AES_128_CBC_SHA] with protocols [[TLSv1.2]]
4. Connected for transport [ssl] protocol [cca] from own socket [ssl on 127.0.0.1:54211] to [192.168.77.200:8994]
5. ACSP01110I Connected to [ssl:cca] on host [192.168.77.200] using service [$$acp-serv]
6. Connection [1] to [192.168.77.200] with transport [ssl] and protocol [cca] has been created
7. The connection pool now holds [1] connections.
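
Added example (not part of the original slides or of ACSP): a Python script that audits the cipher suite reported in ACSP01250I lines such as line 3 of the trace above, where the suite uses static RSA key exchange, CBC mode and an HMAC-SHA1 record MAC. The function names, the comma-separated form of the protocol list and the second sample log line are assumptions made for this example.

```python
import re

# Constructed sample: the first line is line 3 of the trace on this slide,
# the second is a made-up comparison line with a forward-secret AEAD suite.
SAMPLE_LOG = """\
ACSP01250I Created TLS/SSL connection to [192.168.77.200:8994] using cipher suite [SSL_RSA_WITH_AES_128_CBC_SHA] with protocols [[TLSv1.2]]
ACSP01250I Created TLS/SSL connection to [192.0.2.10:8994] using cipher suite [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] with protocols [[TLSv1.2]]
"""

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # JSSE names
LINE_RE = re.compile(
    r"ACSP01250I Created TLS/SSL connection to \[(?P<peer>[^\]]+)\] "
    r"using cipher suite \[(?P<suite>[^\]]+)\] "
    r"with protocols \[\[(?P<protocols>[^\]]*)\]\]"
)

def suite_findings(suite):
    """Return the weaknesses implied by a JSSE/IANA cipher suite name."""
    name = re.sub(r"^(SSL|TLS)_", "", suite)
    if "_WITH_" not in name:  # TLS 1.3 style name: ephemeral key exchange + AEAD
        return []
    kx, _, rest = name.partition("_WITH_")
    findings = []
    if not kx.startswith(("ECDHE", "DHE")):
        findings.append("no forward secrecy (key exchange %s)" % kx)
    if "_CBC_" in rest:
        findings.append("CBC mode with MAC-then-encrypt")
    if rest.endswith("_SHA"):
        findings.append("HMAC-SHA1 record MAC")
    return findings

def audit(log_text):
    """Map each peer found in ACSP01250I lines to its list of findings."""
    report = {}
    for m in LINE_RE.finditer(log_text):
        findings = suite_findings(m["suite"])
        # Assumption: several protocols would be listed comma-separated.
        for proto in filter(None, re.split(r",\s*", m["protocols"])):
            if proto in LEGACY_PROTOCOLS:
                findings.append("legacy protocol %s listed" % proto)
        report[m["peer"]] = findings
    return report

if __name__ == "__main__":
    for peer, findings in audit(SAMPLE_LOG).items():
        print(peer, "->", findings or "ok")
```
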

Slide 15

Slide 15 text

REST client – server. JSON request.

POST /zCloud-JaxRS/crypto/cipher HTTP/1.1
Content-Type: application/json
Host: rest.cccc.dk.bal.ibm.com:29443
Connection: close
User-Agent: Curl/2.1.1 (Macintosh; OS X/10.10.2) GCDHTTPRequest
Content-Length: 274

{
    "cipherRequest": {
        "operation": "ENCRYPT",
        "text": {
            "textType": "BASE64",
            "textValue": "QUNTUC5BRVMxMjguS0VZ"
        },
        "key": {
            "keyLabel": "ACSP.AES256.KEY",
            "keyType": "AES"
        }
    }
}
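
Added example (not from the original slides or the zCloud ACSP REST service code): a Python client that builds the cipherRequest body in the shape shown above and sends it over a mutually authenticated TLS connection, as the architecture slide describes. The host, port, path and JSON field names come from the slide; the function names and certificate file paths are hypothetical, and the response format is not shown in the deck, so the body is returned unparsed.

```python
import base64
import http.client
import json
import ssl

HOST, PORT = "rest.cccc.dk.bal.ibm.com", 29443  # from the request on this slide
PATH = "/zCloud-JaxRS/crypto/cipher"

def build_cipher_request(plaintext: bytes, key_label: str) -> bytes:
    """Serialize an ENCRYPT cipherRequest in the shape shown on the slide."""
    body = {
        "cipherRequest": {
            "operation": "ENCRYPT",
            "text": {
                "textType": "BASE64",
                "textValue": base64.b64encode(plaintext).decode("ascii"),
            },
            "key": {"keyLabel": key_label, "keyType": "AES"},
        }
    }
    return json.dumps(body).encode("utf-8")

def make_mtls_context(ca_file, cert_file, key_file):
    """Client context for mutual TLS; the three paths are hypothetical."""
    # create_default_context verifies the server chain and host name.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # client identity
    return ctx

def encrypt_via_rest(plaintext, key_label, ctx):
    """POST the request and return (status, raw response body)."""
    conn = http.client.HTTPSConnection(HOST, PORT, context=ctx, timeout=10)
    try:
        conn.request(
            "POST", PATH,
            body=build_cipher_request(plaintext, key_label),
            headers={"Content-Type": "application/json", "Connection": "close"},
        )
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```

Encoding the 15-byte string `ACSP.AES128.KEY` with `build_cipher_request` reproduces the `textValue` shown in the slide's request.
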

Slide 16

Slide 16 text

REST – AES Encryption

1. Submitting [34] bytes for [CSNBRNGL] to host [192.168.77.200] using connection [1]
2. Submitting [217] bytes for [CSNBSAE] to host [192.168.77.200] using connection [1]

Slide 17

Slide 17 text

ACSP client – server connection

1. extracting user from certificate DN=CN=client1,OU=IWP Operations,O=Internet Widgits Pty Ltd,ST=Copenhagen,C=DK using SAN: ACSP:CLIENT1
2. extracting user from certificate DN=CN=client1,OU=IWP Operations,O=Internet Widgits Pty Ltd,ST=Copenhagen,C=DK using SAN: ACSP:CLIENT1
3. Incoming connect for [cca] on port [8994] from client [192.168.77.200:54247]
4. ACSP01196I Client [192.168.77.200 / 192.168.77.200] connect to port 8994 using ssl for protocol cca
5. Socket receive/send buffer sizes [87379/330075] with Nagle's algorithm used [false]
6. ACSP01190I Awaiting connect - name[ssl-cca] transport[ssl] protocol[cca] port[8994] - Count[1] Sessions[1]
7. Identified handler of class [com.ibm.acsp.cca.ProtocolCcaServer] for port number [8994]
8. Protocol handler [cca on layer tcp on 127.0.0.1:8994] waiting for peer [cca at 192.168.77.200:54247]

Slide 18

Slide 18 text

ACSP server – AES Encryption

1. Received JCCA call for verb [CSNBRNGL]
2. Adding rule [RANDOM]
3. Flushing [cca on layer tcp on 127.0.0.1:8994] output stream to [cca at 192.168.77.200:54247]
4. Number of connects [1] - requests [1]] - responses [1]
5. Protocol handler [cca on layer tcp on 127.0.0.1:8994] waiting for peer [cca at 192.168.77.200:54247]
6. Received JCCA call for verb [CSNBSAE]
7. Adding rule [AES]
8. Adding rule [PKCS-PAD]
9. Adding rule [KEYIDENT]
10. Adding rule [INITIAL]
11. Flushing [cca on layer tcp on 127.0.0.1:8994] output stream to [cca at 192.168.77.200:54247]
12. Number of connects [1] - requests [2]] - responses [2]
13. Protocol handler [cca on layer tcp on 127.0.0.1:8994] waiting for peer [cca at 192.168.77.200:54247]
14. ACSP01195I Closed scheme [tcp:cca] on port [8997] with name [tcp-cca]

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Q&A?