FKME - User Manual

Contents

1. SYNOPSIS
   HELP: FKME software emulation parameter
   PATH: de limes
   TYPE: OBJECT
   SYNTAX: > SWE KEY str
   DESCRIPTION: Parameter of FKME library libfkme function SYMSWE for decryption
   EXAMPLE: kml libfkme kmf SYMSWE kmp SWE ALGO TDES KEY 0123456789abcdeffedcba9876543210
   ARGUMENTS:
   • STRING KEY str: Clear secret key value in HEX

   Chapter 6 FKME FUNCTION FKMEFILE
   The function FKMEFILE is an FKME which reads the secret FLAM key from a file. This is useful if the secret key should not be printed to the logged output. The file should only contain the key in its first record. On ZOS this FKME is available, like on all other platforms, as a function of the LIBFKME DLL and also as a separate LE-less load module (FKMEFILE).
   EXAMPLE: kml libfkme kmf FKMEFILE kmp filename

   6.1 ENCRYPTION DECRYPTION FUNCTION FKMEFILE FIL
   SYNOPSIS
   HELP: FKME read password from file
   PATH: de limes
   TYPE: OBJECT
   SYNTAX: > FIL FILENAME str

   Chapter 7 FKME FUNCTION FKMEFILE
   DESCRIPTION: The function FKMEFILE is an FKME which reads the secret FLAM key from a file. This is useful if the secret key should not be printed to the logged output. The file should only contain the key in its first record
2. SYNOPSIS
   HELP: FKME PKCS#11 parameter
   PATH: de limes
   TYPE: OBJECT
   SYNTAX: > PKCS11 LIBRARY str SLOT num PIN str TEMPLATE str
   DESCRIPTION: Parameter of FKME library libfkme function SYMNP11 for decryption
   EXAMPLE: kml libfkme kmf SYMNP11 kmp pkcs11 library cryptoky slot 0 pin 1234 template FKME x
   ARGUMENTS:
   • STRING LIBRARY str: PKCS#11 library name (DLL/SO)
   • NUMBER SLOT num: Slot number of PKCS#11 token (0)
   • STRING PIN str: PKCS#11 pin for authentication

   3.2.1 PARAMETER TEMPLATE
   SYNOPSIS
   HELP: PKCS#11 key label templat
   PATH: PKCS11
   TYPE: STRING
   SYNTAX: TEMPLATE str
   DESCRIPTION: The FKME template is used on write to determine the generation and version from a key label. The replacement characters below are defined:
   Generation Version Tax
   All other characters of the label can be substituted by to define the position of generation and version in the label. The remaining characters must correspond to those in the label. For example:
   TEMPLATE TFMKY 35555353538 5555353 3 DATO xx
   On read, only a key label template must be provided. The generation and version is filled in by the FKME. The wildcard is not allowed.
   TEMPLATE TFMKY BV000000 GUD00000 DATO xx
   If the label is, for example,
   LABEL TFMKY BV000000 GUD00000 DAT04711
   th
3. TDES
   KL24: 192 Bit AES / 168 Bit TDES
   KL32: 256 Bit AES

   3.1.1 PARAMETER LABEL
   SYNOPSIS
   HELP: PKCS#11 key label
   PATH: PKCS11
   TYPE: STRING
   SYNTAX: LABEL str
   DESCRIPTION: The fully qualified label is only required to reference the correct key value on write. It must contain a generation and version (2 hex digits each), which are determined based on the key label template.

   3.1.2 PARAMETER TEMPLATE
   SYNOPSIS
   HELP: PKCS#11 key label templat
   PATH: PKCS11
   TYPE: STRING
   SYNTAX: TEMPLATE str
   DESCRIPTION: The FKME template is used on write to determine the generation and version from a key label. The replacement characters below are defined:
   Generation Version Tax
   All other characters of the label can be substituted by to define the position of generation and version in the label. The remaining characters must correspond to those in the label. For example:
   TEMPLATE TEMKY 555535338 5555333 DATO xx
   On read, only a key label template must be provided. The generation and version is filled in by the FKME. The wildcard is not allowed.
   TEMPLATE TFMKY BV000000 GUD00000 DATO xx
   If the label is, for example,
   LABEL TFMKY BV000000 GUD00000 DAT04711
   then the generation is 47 and the version is 11.

   3.2 DECRYPTION FUNCTION SYMNP11 PKCS11
4. login. On other systems the userid and passphrase are optional. If you don't provide them, the default role is used. On ZOS this FKME is available, like on all other platforms, as a function of the LIBFKME DLL and additionally as a separate load module (SYMNCCAO).

   4.1 ENCRYPTION FUNCTION SYMNCCA CCA
   SYNOPSIS
   HELP: FKME CCA ICSF parameter
   PATH: de limes
   TYPE: OBJECT
   SYNTAX: > CCA LIBRARY str USERID str PASSWORD str ALGO AES TDES LABEL str TEMPLATE str KEYLENGTH num KL16 KL24 KL32
   DESCRIPTION: Parameter of FKME library libfkme function SYMNCCA for encryption
   EXAMPLE: kml libfkme kmf SYMNCCA kmp cca library csunsapi user smith password 1234 ALGO AES label FKME4711 template FKME KEYLENGTH 16
   ARGUMENTS:
   • STRING LIBRARY str: CCA library name (DLL/SO)
   • STRING USERID str: User ID for authentication (optional)
   • STRING PASSWORD str: Password for authentication (optional)
   • NUMBER ALGO AES TDES: Algorithm used by FKME (TDES)
     AES: AES algorithm
     TDES: Triple DES (3DES) algorithm
   • NUMBER KEYLENGTH num KL16 KL24 KL32: Key length of FMKY (KL16)
     KL16: 128 Bit AES / 112 Bit TDES
     KL24: 192 Bit AES / 168 Bit TDES
     KL32:
   4.1.1
5. specification was designed for PCIDSS-conformant ordering of credit cards and to exchange other card holder data in a secure and PCIDSS-conformant manner. The specification can be found at http www flam de en technology download documentation. On ZOS this FKME is available, like on all other platforms, as a function of the LIBFKME DLL and also as a separate load module SYMNPI1 10

   3.1 ENCRYPTION FUNCTION SYMNP11 PKCS11
   SYNOPSIS
   HELP: FKME PKCS#11 parameter
   PATH: de limes
   TYPE: OBJECT
   SYNTAX: > PKCS11 LIBRARY str SLOT num PIN str ALGO AES TDES LABEL str TEMPLATE str KEYLENGTH num KL16 KL24 KL32
   DESCRIPTION: Parameter of FKME library libfkme function SYMNP11 for encryption
   EXAMPLE: kml libfkme kmf SYMNP11 kmp pkcs11 library p11lib slot 0 pin 1234 ALGO AES label FKME4711 template FKME xx KEYLENGTH 16
   ARGUMENTS:
   • STRING LIBRARY str: PKCS#11 library name (DLL/SO)
   • NUMBER SLOT num: Slot number of PKCS#11 token (0)
   • STRING PIN str: PKCS#11 pin for authentication
   • NUMBER ALGO AES TDES: Algorithm used by FKME (TDES)
     AES: AES algorithm
     TDES: Triple DES (3DES) algorithm
   • NUMBER KEYLENGTH num KL16 KL24 KL32: Key length of FMKY (KL16)
     KL16: 128 Bit AES / 112 Bit
6. 000 GUD00000 DAT04711
   then the generation is 47 and the version is 11.

   Chapter 5 FKME FUNCTION SYMSWE
   FKME function SYMSWE is an FKME which simulates the symmetric PKCS#11 or CCA implementations. You can define the secret key as a clear value. Currently it supports two variants: AES with SHA-256 and 3DES (TDES) with SHA-1.
   ATTENTION: This FKME function exists only for testing purposes. Don't use clear key values in production.
   On ZOS this FKME is available, like on all other platforms, as a function of the LIBFKME DLL and also as a separate load module (FKMESWEO).

   5.1 ENCRYPTION FUNCTION SWESYM SWE
   SYNOPSIS
   HELP: FKME software emulation parameter
   PATH: de limes
   TYPE: OBJECT
   SYNTAX: > SWE ALGO AES TDES KEY str GENERATION str VERSION str
   DESCRIPTION: Parameter of FKME library libfkme function SYMSWE for encryption
   EXAMPLE: kml libfkme kmf SYMSWE kmp SWE ALGO AES KEY 0123456789abcdeffedcba9876543210
   ARGUMENTS:
   • NUMBER ALGO AES TDES: Algorithm used by FKME (TDES)
     AES: AES algorithm
     TDES: Triple DES (3DES) algorithm
   • STRING KEY str: Clear secret key value in HEX
   • STRING GENERATION str: Key generation
   • STRING VERSION str: Key version

   5.2 DECRYPTION FUNCTION SWESYM SWE
7. 256 Bit AES

   PARAMETER LABEL
   SYNOPSIS
   HELP: CCA key label
   PATH: CCA
   TYPE: STRING
   SYNTAX: LABEL str
   DESCRIPTION: The fully qualified label is only required to reference the correct key value on write. It must contain a generation and version (2 hex digits each), which are determined based on the key label template.

   4.1.2 PARAMETER TEMPLATE
   SYNOPSIS
   HELP: CCA key label templat
   PATH: CCA
   TYPE: STRING
   SYNTAX: TEMPLATE str
   DESCRIPTION: The FKME template is used on write to determine the generation and version from a key label. The replacement characters below are defined:
   er EE i Generation Version
   All other characters of the label can be substituted by to define the position of generation and version in the label. The remaining characters must correspond to those in the label. For example:
   S DS S lek EN g Be Re 00 06600000 TEMPLAT DATO xx
   On read, only a key label template must be provided. The generation and version is filled in by the FKME. The wildcard is not allowed.
   TEMPLATE TFMKY BV000000 GUD00000 DATO xx
   If the label is, for example,
   LABEL TFMKY BV000000 GUD00000 DAT04711
   then the generation is 47 and the version is 11.

   4.2 DECRYPTION FUNCTION SYMNCCA CCA
   SYNOPSI
8. FKME User Manual
   COLLABORATORS
   TITLE: FKME User Manual
   ACTION: WRITTEN BY, NAME: limes datentechnik gmbh, DATE: Aug 21 2015, SIGNATURE:
   REVISION HISTORY
   NUMBER: 5.1.8, DATE: Aug 21 2015, DESCRIPTION: released, NAME: LDG

   1 FKME overview
   1.1 The use of FKME in FLAM
   2 FKME FUNCTION FKMESTDO
   3 FKME FUNCTION SYMNP11
   3.1 ENCRYPTION FUNCTION SYMNP11 PKCS11
   3.1.1 PARAMETER LABEL
   3.1.2 PARAMETER TEMPLATE
   3.2 DECRYPTION FUNCTION SYMNP11 PKCS11
   3.2.1 PARAMETER TEMPLATE
   4 FKME FUNCTION SYMNCCA
   4.1 ENCRYPTION FUNCTION SYMNCCA CCA
   4.1.1 PARAMETER LABEL
   4.1.2 PARAMETER TEMPLATE
   4.2 DECRYPTION FUNCTION SYMNCCA CCA
   4.2.1 PARAMETER TEMPLATE
   5 FKME FUNCTION SYMSWE
   5.1 ENCRYPTION FUNCTION SWESYM SWE
   5.2 DECRYPTION FUNCTION SWESYM SWE
   6 FKME FUNCTION FKMEFILE
   6.1 ENCRYPTION DECRYPTION FUNCTION FKMEFILE FIL
   7 FKME FUNCTION FKMEFILE
   8 Index

   Frankenstein Limes Key Management Extension (FKME)
   Copyright limes datentechnik gmbh. All rights reserved.
   Trademarks
   Below you can find all trademarks or registered trad
9. On ZOS this FKME is available, like on all other platforms, as a function of the LIBFKME DLL and also as a separate LE-less load module (FKMEFILE).
   EXAMPLE: kml libfkme kmf FKMEFILE kmp filename
   ARGUMENTS:
   • STRING FILENAME str: File with key

   Chapter 8 Index
   A
   Argument LABEL
   Argument TEMPLATE
   D
   DECRYPTION FUNCTION SWESYM SWE
   DECRYPTION FUNCTION SYMNCCA CCA
   DECRYPTION FUNCTION SYMNP11 PKCS11
   E
   ENCRYPTION FUNCTION SWESYM SWE
   ENCRYPTION FUNCTION SYMNCCA CCA
   ENCRYPTION FUNCTION SYMNP11 PKCS11
   ENCRYPTION DECRYPTION FUNCTION FKMEFILE FIL

   COLOPHON
   limes datentechnik® gmbh, Louisenstrasse 21, D 61348 Bad Homburg v. d. H.
   phone 49 0 6172 5919 0
   mail info@flam.de
   web www.flam.de or www.limes.de
   District court (Amtsgericht) Bad Homburg vor der Hoehe, HRB 3288, founded 1985
   Managing director: Diplom-Mathematiker Heinz Ulrich Wiebach
   limes datentechnik®: efficiency at the limit of possibility
10. S
   HELP: FKME CCA ICSF parameter
   PATH: de limes
   TYPE: OBJECT
   SYNTAX: > CCA LIBRARY str USERID str PASSWORD str TEMPLATE str
   DESCRIPTION: Parameter of FKME library libfkme function SYMNCCA for decryption
   EXAMPLE: kml libfkme kmf SYMNCCA kmp cca library libcsufsapi user smith password 1234 template FKME xx
   ARGUMENTS:
   • STRING LIBRARY str: CCA library name (DLL/SO)
   • STRING USERID str: User ID for authentication (optional)
   • STRING PASSWORD str: Password for authentication (optional)

   4.2.1 PARAMETER TEMPLATE
   SYNOPSIS
   HELP: CCA key label templat
   PATH: CCA
   TYPE: STRING
   SYNTAX: TEMPLATE str
   DESCRIPTION: The FKME template is used on write to determine the generation and version from a key label. The replacement characters below are defined:
   Generation Version Tax
   All other characters of the label can be substituted by to define the position of generation and version in the label. The remaining characters must correspond to those in the label. For example:
   TEMPLATE TFMKY 35555353538 5555353 3 DATO xx
   On read, only a key label template must be provided. The generation and version is filled in by the FKME. The wildcard is not allowed.
   TEMPLATE TFMKY BV000000 GUD00000 DATO xx
   If the label is, for example,
   LABEL TFMKY BV000
11. each kind of batch processing environment. The CLE P library provides a lot of features, including help and documentation. For example, we use this library to automatically create this document as part of our build process. If we add a parameter to the CLE P tables and build the FLS project, this manual will be regenerated as well, so that it is always up to date. This manual is generated with the INFO command of FLCL, provided by the CLE P library, by calling the command below:
   flcl info get fkme docu output fkmebook txt

   Chapter 1 FKME overview
   The FLAM key management extension (FKME) links between FLAM's cryptographic protection mechanisms (privacy, integrity, completeness), various cryptographic infrastructures (KMIP, x509, PKI, FINPIN) and various architectures of hardware security modules (HSM, IBM CCA ICSF, PKCS#11) in order to provide professional key management by which access to data can be controlled. Of course, FLAM also supports protection by a simple passphrase or an internal constant as keys, but professional solutions are implemented by means of this service provider interface, which has been available since FLAM version 4.
   BENEFITS
   • Use of existing cryptographic infrastructures for protecting flam®ed data
   • Processes for key management and permission granting can be re-used
   • Top security due to support of various hardware security modules (HSM)
   • No downstream costs caused by
12. emarks of limes datentechnik gmbh. These trademarked terms are marked with the appropriate symbol or indicating registered or common law trademarks owned by limes datentechnik gmbh at the time this information was published. The following terms are trademarks of limes datentechnik gmbh in Germany, other countries, or both:
   limes: Short company name of the owner of this document
   limes datentechnik: Company name of the owner of this document
   FLCL: Frankenstein Limes Command Line
   FLCC: Frankenstein Limes Control Center
   FLAM: Frankenstein Limes Access Method
   FLUC: Frankenstein Limes Universal Converter
   FLIES: Frankenstein Limes Integrated Extended Security
   FLAMFILE: A file based on FLAM syntax

   Abstract
   libfkme collects all FKME implementations of limes datentechnik in one library. For each supported specification (FINPIN, KMIP, PGP) several implementations (Software SWE, PKCS#11 P11, IBM CCA) are available. This document describes all the currently available FKME functions. The FLAM Key Management Extension (FKME) is a service provider interface to integrate FLAM into different cryptographic infrastructures.

   PREFACE
   The FKME parameter list is parsed based on the CLE P library. The CLE P library was developed by limes datentechnik and released as open source under the ZLIB license. CLE P is a compiler to provide a platform independent command line interface for
13. en the generation is 47 and the version is 11.

   Chapter 4 FKME FUNCTION SYMNCCA
   FKME function SYMNCCA is an FKME which uses IBM CCA (Common Cryptographic Architecture, ICSF on ZOS) to implement the FINPIN based specification for PCIDSS-conformant data exchange. Currently it supports two variants: AES with SHA-256 and 3DES (TDES) with SHA-1. This FKME function can be used with ICSF on ZOS or IBM47xx Cryptocards on Windows or UNIX platforms. The specification was designed for PCIDSS-conformant ordering of credit cards and to exchange other card holder data in a secure and PCIDSS-conformant manner. The specification can be found at the URL below:
   http www flam de en technology download documentation
   For ICSF, the library to find the callable services must not be specified, because all functions are simple load modules in the dataset CSF.SCSFMOD0. These modules are fetched by libfkme. If you specified a library name, libfkme would try to load a ZOS DLL, which would not work. To fetch the ICSF service routines, the CSF.SCSFMOD0 library must be in the STEPLIB concatenation for the program. The default library name for SAPI on Windows is csunsapi and on UNIX systems libcsulsapi. The directory for this DLL/SO must be defined in the library path environment variable. On ICSF based CCA systems (z/OS), authentication against the CCA HSM is not possible. For such an environment, please don't use the userid and passphrase
14. encryption reuse of key management
   • Compliance with security requirements and standards (PCIDSS)

   Implementation
   The following FLAM4 based solutions are currently available:
   • FIN PIN Symmetric Key Infrastructure for data exchange
     - PKCS#11 HSM
     - IBM CCA based HSM
     - Software simulation
   • FKMESTDO: Default FKME providing the default passphrase
   • FKMEFILE: Reads the key value passphrase from a file
   The FIN PIN implementation for PCIDSS is a specification for secure ordering of debit and credit cards that relies on the existing cryptographic infrastructure for the Financial PIN Support. There are now two different specifications for this: one for triple DES and one for AES, which exists in two versions (transfer and storage).
   The following FKMEs are planned as part of the FLAMS project:
   • OpenPGP keyrings
   • x509 public key infrastructure
   • KMIP Key Management Interoperability Protocol
   In various other projects, customers have developed their own specifications and implemented their own solutions.

   1.1 The use of FKME in FLAM
   This chapter describes the usage of FKMEs developed by limes datentechnik. Calling a custom developed FKME works in the same way, but usually has a different structure for the FKME parameter string. The FLAM subsystem on ZOS has special LE-less FKMEs, developed in assembler, implementing the FIN PIN specification against ICSF (FKMECCAx). These load modules are still avai
15. lable and must be used with the subsystem. libfkme is an LE based DLL and cannot be used with this environment. The parameter string of FKMECCAx differs from the libfkme parameter string of function SYMNCCA, but it does the same thing. Documentation for the FKMECCAx load modules can be found in the FLAMA user manual. To call a simple load module on ZOS, only the function name must be defined. To call a function of libfkme on ZOS, the library name of the DLL and the function name must be defined. On other platforms (Windows, UNIX) the default library name is libfkme and the default function name is FKMESTDO. FKMESTDO is also the default function name on z/OS.
   NOTE: In some environments you have to escape quotation marks of the FKME parameter string with a backslash.

   Chapter 2 FKME FUNCTION FKMESTDO
   FKME function FKMESTDO is an FKME using the default password key and needs no parameter. This FKME is called if no other function is defined.
   EXAMPLE: kml libfkme kmf FKMESTDO

   Chapter 3 FKME FUNCTION SYMNP11
   FKME function SYMNP11 is an FKME which uses the PKCS#11 secure token interface to implement the FINPIN based specification for PCIDSS-conformant data exchange. Currently it supports two variants: AES with SHA-256 and 3DES (TDES) with SHA-1. This FKME function can be used with several PKCS#11-conformant crypto devices on Windows/Unix platforms or EP11 on ZOS. The
